Merge branch 'main' into leemthompo/move-syntax-guide

Author: leemthompo

deploy-manage/monitor/orchestrators/ece-monitoring-ece-set-retention.md

@@ -20,7 +20,7 @@ You might need to adjust the retention period for one of the following reasons:
 To customize the retention period, set up a custom lifecycle policy for logs and metrics indices:
 
 1. [Create a new index lifecycle management (ILM) policy](../../../manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) in the logging and metrics cluster.
-2. Create a new, legacy-style, index template that matches the data view (formerly *index pattern*) that you want to customize the lifecycle for.
-3. Specify a lifecycle policy in the index template settings.
-4. Choose a higher `order` for the template so the specified lifecycle policy will be used instead of the default.
+2. Create a new composable index template that matches the data view (formerly *index pattern*) for the data stream you want to customize the lifecycle for.
+3. Specify a custom lifecycle policy in the index template settings.
+4. Choose a higher `priority` for the template so the specified lifecycle policy will be used instead of the default.
 

deploy-manage/tools/snapshot-and-restore/ece-restore-snapshots-into-new-deployment.md

@@ -16,6 +16,10 @@ products:
 1. First, [create a new deployment](../../deploy/cloud-enterprise/create-deployment.md) and select **Restore snapshot data**. Select the deployment that you want to restore a snapshot *from*. If you don’t know the exact name, you can enter a few characters and then select from the list of matching deployments.
 2. Select the snapshot that you want to restore from. If none is chosen, the latest successful snapshot from the cluster you selected is restored on the new cluster when you create it.
 
+    :::{important}
+    Note that only snapshots from the `found-snapshots` repository are accepted. Snapshots from a custom repository are not allowed.
+    :::
+
     ![Restoring from a snapshot](/deploy-manage/images/cloud-enterprise-restore-from-snapshot.png "")
 
 3. Manually recreate users using the X-Pack security features or using Shield on the new cluster. User information is not included when you restore across clusters.

manage-data/ingest/ingesting-data-from-applications/ingest-logs-from-nodejs-web-application-using-filebeat.md

@@ -34,7 +34,7 @@ The following table describes the integrations you can use instead of {{auditbea
 | {{fleet}} [system](integration-docs://reference/system/index.md) integration | Collect login events for Windows through the [Security event log](integration-docs://reference/system/index.md#security). |
 | [System.package](beats://reference/auditbeat/auditbeat-dataset-system-package.md) dataset | [System Audit](integration-docs://reference/system_audit/index.md) integration | This integration is a direct replacement of the System Package dataset. Starting in {{stack}} 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br> |
 | [Osquery](integration-docs://reference/osquery/index.md) or [Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Schedule collection of information like:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br>* [apps](https://www.osquery.io/schema/5.1.0/#apps) (MacOS)<br>* [programs](https://www.osquery.io/schema/5.1.0/#programs) (Windows)<br>* [npm_packages](https://www.osquery.io/schema/5.1.0/#npm_packages)<br>* [atom_packages](https://www.osquery.io/schema/5.1.0/#atom_packages)<br>* [chocolatey_packages](https://www.osquery.io/schema/5.1.0/#chocolatey_packages)<br>* [portage_packages](https://www.osquery.io/schema/5.1.0/#portage_packages)<br>* [python_packages](https://www.osquery.io/schema/5.1.0/#python_packages)<br> |
-| [System.process](beats://reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events forevery process in [ECS](integration-docs://reference/index.md) format and has excellentintegration in [Kibana](/get-started/the-stack.md). |
+| [System.process](beats://reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events forevery process in [ECS](integration-docs://reference/index.md) format and has excellent integration in {{kib}}. |
 | [Custom Windows event log](integration-docs://reference/winlog/index.md) and [Sysmon](integration-docs://reference/sysmon_linux/index.md) integrations | Provide process data. |
 | [Osquery](integration-docs://reference/osquery/index.md) or[Osquery Manager](integration-docs://reference/osquery_manager/index.md) integration | Collect data from the [process](https://www.osquery.io/schema/5.1.0/#process) table on some OSeswithout polling. |
 | [System.socket](beats://reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). |

reference/fleet/migrate-auditbeat-to-agent.md

@@ -21,7 +21,8 @@ You’ll need:
 * **{{es}}** for storing and indexing data.
 * **{{kib}}** for visualizing with the Applications UI.
 
-We recommend you use the same version of {{es}}, {{kib}}, and APM Server. See [Installing the {{stack}}](/get-started/the-stack.md) for more information about installing these products.
+We recommend you use the same version of {{es}}, {{kib}}, and APM Server.
+For more information about installing these products, refer to [](/deploy-manage/deploy.md).
 
 :::{image} /solutions/images/observability-apm-architecture-diy.png
 :alt: Install Elastic APM yourself
@@ -30,7 +31,8 @@ We recommend you use the same version of {{es}}, {{kib}}, and APM Server. See [I
 ## Step 1: Install [apm-installing]
 
 ::::{note}
-**Before you begin**: If you haven’t installed the {{stack}}, do that now. See [Learn how to install the {{stack}} on your own hardware](/get-started/the-stack.md).
+**Before you begin**: If you haven’t installed the {{stack}}, do that now.
+Refer to [](/deploy-manage/deploy.md).
 ::::
 
 To download and install APM Server, use the commands below that work with your system. If you use `apt` or `yum`, you can [install APM Server from our repositories](#apm-setup-repositories) to update to the newest version more easily.

solutions/images/security-hosts-hr-level.png

@@ -22,7 +22,7 @@ This guide will explain how to set up and configure a Fleet-managed APM Server.
 
 You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it. When setting these components up, you need:
 
-* {{es}} cluster and {{kib}} (version 9.0) with a basic license or higher. [Learn how to install the {{stack}} on your own hardware](/get-started/the-stack.md).
+* {{es}} cluster and {{kib}} (version 9.0) with a basic license or higher. Refer to [](/deploy-manage/deploy.md).
 * Secure, encrypted connection between {{kib}} and {{es}}. For more information, refer to [](/deploy-manage/security/self-setup.md).
 * Internet connection for {{kib}} to download integration packages from the {{package-registry}}. Make sure the {{kib}} server can connect to `https://epr.elastic.co` on port `443`. If your environment has network traffic restrictions, there are ways to work around this requirement. See [Air-gapped environments](/reference/fleet/air-gapped.md) for more information.
 * {{kib}} user with `All` privileges on {{fleet}} and {{integrations}}. Since many Integrations assets are shared across spaces, users need the {{kib}} privileges in all spaces.

solutions/observability/apm/apm-server/binary.md

@@ -33,10 +33,10 @@ Models from third-party LLM providers.
 | Amazon Bedrock | **Claude Sonnet 3.7** | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent |
 | Amazon Bedrock | **Claude Sonnet 4**   | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Excellent |
 | Amazon Bedrock | **Claude Sonnet 4.5**   | Excellent | Excellent | Excellent | Excellent | Excellent | Excellent | Good | Excellent |
-| OpenAI    | **GPT-4.1**           | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Good | Excellent |
 | Google Gemini    | **Gemini 2.0 Flash**    | Excellent | Good | Excellent | Excellent | Excellent | Good | Good | Excellent |
 | Google Gemini    | **Gemini 2.5 Flash**    | Excellent | Good | Excellent | Excellent | Excellent | Great | Good | Excellent |
 | Google Gemini    | **Gemini 2.5 Pro**    | Excellent | Great | Excellent | Excellent | Excellent | Great | Good | Excellent |
+| OpenAI    | **GPT-4.1**           | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Good | Excellent |
 
 
 ## Open-source models [_open_source_models]
@@ -50,6 +50,7 @@ Models you can [deploy and manage yourself](/solutions/observability/connect-to-
 
 | Provider | Model | **Alert questions** | **APM questions** | **Contextual insights** | **Documentation retrieval** | **Elasticsearch operations** | **{{esql}} generation** | **Execute connector** | **Knowledge retrieval** |
 | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
+| DeepSeek | **DeepSeek-V3.1** | Excellent | Excellent | Excellent | Excellent | Excellent | Great | Great | Excellent |
 | Meta | **Llama-3.3-70B-Instruct** | Excellent | Good | Great | Excellent | Excellent | Good | Good | Excellent |
 | Mistral | **Mistral-Small-3.2-24B-Instruct-2506** | Excellent | Poor | Great | Great | Excellent | Good | Good | Excellent |
 | Alibaba Cloud | **Qwen2.5-72b-Instruct** | Excellent | Good | Great | Excellent | Excellent | Good | Good | Excellent |

solutions/observability/apm/apm-server/fleet-managed.md

@@ -40,12 +40,13 @@ Most MCP clients (such as Claude Desktop, Cursor, VS Code, etc.) have similar co
       ],
       "env": {
         "KIBANA_URL": "${KIBANA_URL}",
-        "AUTH_HEADER": "ApiKey ${API_KEY}"
+        "AUTH_HEADER": "ApiKey ${API_KEY}" <1>
       }
     }
   }
 }
 ```
+1. Refer to [](#api-key-application-privileges)
 
 :::{note}
 Set the following environment variables:
@@ -57,5 +58,63 @@ export API_KEY="your-api-key"
 
 For information on generating API keys, refer to [API keys](https://www.elastic.co/docs/solutions/search/search-connection-details).
 
-Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server.
+Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. To learn more, refer to [](#api-key-application-privileges).
 :::
+
+## API key application privileges
+
+To access the MCP server endpoint, your API key must include {{kib}} application privileges. 
+
+### Development and testing
+
+For development and testing purposes, you can create an unrestricted API key with full access:
+
+```json
+POST /_security/api_key
+{
+  "name": "my-mcp-api-key",
+  "expiration": "1d",
+  "role_descriptors": {
+    "unrestricted": {
+      "cluster": ["all"],
+      "indices": [
+        {
+          "names": ["*"],
+          "privileges": ["all"]
+        }
+      ]
+    }
+  }
+}
+```
+
+### Production
+
+For production environments, use a restricted API key with specific application privileges:
+
+```json
+POST /_security/api_key
+{
+  "name": "my-mcp-api-key",
+  "expiration": "1d",   
+  "role_descriptors": { 
+    "mcp-access": {
+      "cluster": ["all"],
+      "indices": [
+        {
+          "names": ["*"],
+          "privileges": ["read", "view_index_metadata"]
+        }
+      ],
+      "applications": [
+        {
+          "application": "kibana-.kibana",
+          "privileges": ["read_onechat", "space_read"], <1>
+          "resources": ["space:default"]
+        }
+      ]
+    }
+  }
+}
+```
+1. The `read_onechat` and `space_read` application privileges are required to authorize access to the MCP endpoint. Without these privileges, you'll receive a 403 Forbidden error.

solutions/observability/llm-performance-matrix.md

@@ -27,6 +27,16 @@ This tutorial uses the `elasticsearch` service for demonstration, which is creat
 
 The mapping of the destination index - the index that contains the embeddings that the inference endpoint will generate based on your input text - must be created. The destination index must have a field with the [`semantic_text`](elasticsearch://reference/elasticsearch/mapping-reference/semantic-text.md) field type to index the output of the used inference endpoint.
 
+You can run {{infer}} either using the [Elastic {{infer-cap}} Service](/explore-analyze/elastic-inference/eis.md) or on your own ML-nodes. The following examples show you both scenarios.
+
+:::::::{tab-set}
+
+::::::{tab-item} Using EIS on Serverless
+
+```{applies_to}
+serverless: ga
+```
+
 ```console
 PUT semantic-embeddings
 {
@@ -41,7 +51,61 @@ PUT semantic-embeddings
 ```
 
 1. The name of the field to contain the generated embeddings.
-2. The field to contain the embeddings is a `semantic_text` field. Since no `inference_id` is provided, the default endpoint `.elser-2-elasticsearch` for the `elasticsearch` service is used. To use a different {{infer}} service, you must create an {{infer}} endpoint first using the [Create {{infer}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-inference-put) and then specify it in the `semantic_text` field mapping using the `inference_id` parameter.
+2. The field to contain the embeddings is a `semantic_text` field. Since no `inference_id` is provided, the default endpoint `.elser-v2-elastic` for the `elasticsearch` service is used. This {{infer}} endpoint uses the [Elastic {{infer-cap}} Service (EIS)](/explore-analyze/elastic-inference/eis.md).
+
+::::::
+
+::::::{tab-item} Using EIS in Cloud
+
+```{applies_to}
+stack: ga
+deployment:
+  self: unavailable
+```
+
+```console
+PUT semantic-embeddings
+{
+  "mappings": {
+    "properties": {
+      "content": { <1>
+        "type": "semantic_text", <2>
+        "inference_id": ".elser-v2-elastic" <3>
+      }
+    }
+  }
+}
+```
+
+1. The name of the field to contain the generated embeddings.
+2. The field to contain the embeddings is a `semantic_text` field.
+3. The `.elser-v2-elastic` preconfigured {{infer}} endpoint for the `elasticsearch` service is used. This {{infer}} endpoint uses the [Elastic {{infer-cap}} Service (EIS)](/explore-analyze/elastic-inference/eis.md).
+
+::::::
+
+::::::{tab-item} Using ML-nodes
+
+```console
+PUT semantic-embeddings
+{
+  "mappings": {
+    "properties": {
+      "content": { <1>
+        "type": "semantic_text", <2>
+        "inference_id": ".elser-2-elasticsearch" <3>
+      }
+    }
+  }
+}
+```
+
+1. The name of the field to contain the generated embeddings.
+2. The field to contain the embeddings is a `semantic_text` field.
+3. The `.elser-2-elasticsearch` preconfigured {{infer}} endpoint for the `elasticsearch` service is used. To use a different {{infer}} service, you must create an {{infer}} endpoint first using the [Create {{infer}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-inference-put) and then specify it in the `semantic_text` field mapping using the `inference_id` parameter.
+
+::::::
+
+:::::::
 
 To try the ELSER model on the Elastic Inference Service, explicitly set the `inference_id` to `.elser-2-elastic`. For instructions, refer to [Using `semantic_text` with ELSER on EIS](https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/semantic-text#using-elser-on-eis). 
 
@@ -50,8 +114,6 @@ If you’re using web crawlers or connectors to generate indices, you have to [u
 
 ::::
 
-
-
 ## Load data [semantic-text-load-data]
 
 In this step, you load the data that you later use to create embeddings from it.
@@ -60,7 +122,6 @@ Use the `msmarco-passagetest2019-top1000` data set, which is a subset of the MS
 
 Download the file and upload it to your cluster using the [Data Visualizer](../../../manage-data/ingest/upload-data-files.md) in the {{ml-app}} UI. After your data is analyzed, click **Override settings**. Under **Edit field names**, assign `id` to the first column and `content` to the second. Click **Apply**, then **Import**. Name the index `test-data`, and click **Import**. After the upload is complete, you will see an index named `test-data` with 182,469 documents.
 
-
 ## Reindex the data [semantic-text-reindex-data]
 
 Create the embeddings from the text by reindexing the data from the `test-data` index to the `semantic-embeddings` index. The data in the `content` field will be reindexed into the `content` semantic text field of the destination index. The reindexed data will be processed by the {{infer}} endpoint associated with the `content` semantic text field.
@@ -70,7 +131,6 @@ This step uses the reindex API to simulate data ingestion. If you are working wi
 
 ::::
 
-
 ```console
 POST _reindex?wait_for_completion=false
 {
@@ -86,7 +146,6 @@ POST _reindex?wait_for_completion=false
 
 1. The default batch size for reindexing is 1000. Reducing size to a smaller number makes the update of the reindexing process quicker which enables you to follow the progress closely and detect errors early.
 
-
 The call returns a task ID to monitor the progress:
 
 ```console
@@ -99,7 +158,6 @@ Reindexing large datasets can take a long time. You can test this workflow using
 POST _tasks/<task_id>/_cancel
 ```
 
-
 ## Semantic search [semantic-text-semantic-search]
 
 After the data has been indexed with the embeddings, you can query the data using semantic search. Choose between [Query DSL](/explore-analyze/query-filter/languages/querydsl.md) or [{{esql}}](elasticsearch://reference/query-languages/esql.md) syntax to execute the query.