Merge branch 'main' into 34-Elastic-Connectors-in-Security

benironside · web-flow · commit bb5900f680ad · 2025-07-31T09:06:33.000-07:00
diff --git a/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md b/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md
@@ -110,7 +110,7 @@ This table compares Observability capabilities between {{ech}} deployments and S
 | **APM integration** | ✅ | ✅ | Use **Managed Intake Service** (supports Elastic APM and OTLP protocols) |
 | [**APM Agent Central Configuration**](/solutions/observability/apm/apm-agent-central-configuration.md) | ✅ | ❌ | Not available in Serverless |
 | [**APM Tail-based sampling**](/solutions/observability/apm/transaction-sampling.md#apm-tail-based-sampling) | ✅ | ❌ | - Not available in Serverless <br>- Consider **OpenTelemetry** tail sampling processor as an alternative |
-| [**Android agent/SDK instrumentation**](opentelemetry://reference/edot-sdks/android/index.md) | ✅ | ❌ | Not available in Serverless |
+| [**Android agent/SDK instrumentation**](opentelemetry://reference/edot-sdks/android/index.md) | ✅ | ✅ | |
 | [**AWS Firehose integration**](/solutions/observability/cloud/monitor-amazon-web-services-aws-with-amazon-data-firehose.md) | ✅ | ✅ | |
 | **Custom roles for Kibana Spaces** | ✅ | **Planned** | Anticipated in a future release |
 | [**Data stream lifecycle**](/manage-data/lifecycle/data-stream.md) | ✅ | ✅ | Primary lifecycle management method in Serverless |
@@ -119,7 +119,7 @@ This table compares Observability capabilities between {{ech}} deployments and S
 | **[Fleet Agent policies](/reference/fleet/agent-policy.md)** | ✅ | ✅ | |
 | **[Fleet server](/reference/fleet/fleet-server.md)** | - Self-hosted <br>- Hosted | ✅ | Fully managed by Elastic |
 | [**Index lifecycle management**](/manage-data/lifecycle/index-lifecycle-management.md) | ✅ | ❌ | Use [**Data stream lifecycle**](/manage-data/lifecycle/data-stream.md) instead |
-| **[iOS agent/SDK instrumentation](opentelemetry://reference/edot-sdks/ios/index.md)** | ✅ | ❌ | Not available in Serverless |
+| **[iOS agent/SDK instrumentation](opentelemetry://reference/edot-sdks/ios/index.md)** | ✅ | ✅ | |
 | **[Kibana Alerts](/deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md)** | ✅ | ✅ | |
 | **[LogsDB index mode](/manage-data/data-store/data-streams/logs-data-stream.md)** | ✅ | ✅ | - Reduces storage footprint <br> - Enabled by default <br>- Cannot be disabled |
 | **[Logs management](/solutions/observability/logs.md)** | ✅ | ✅ | |
diff --git a/docset.yml b/docset.yml
@@ -278,6 +278,7 @@ subs:
   agent-pull:   "https://github.com/elastic/elastic-agent/pull/"
   fleet-server-issue:   "https://github.com/elastic/fleet-server/issues/"
   fleet-server-pull:   "https://github.com/elastic/fleet-server/pull/"
+  es-pull:   "https://github.com/elastic/elasticsearch/pull/"
   kib-pull:   "https://github.com/elastic/kibana/pull/"
   eck_helm_minimum_version: "3.2.0"
   eck_resources_list: "Elasticsearch, Kibana, APM Server, Beats, Elastic Agent, Elastic Maps Server, and Logstash"
diff --git a/reference/security/defend-advanced-settings.md b/reference/security/defend-advanced-settings.md
diff --git a/release-notes/elastic-cloud-serverless/breaking-changes.md b/release-notes/elastic-cloud-serverless/breaking-changes.md
@@ -0,0 +1,11 @@
+---
+navigation_title: Breaking changes
+products:
+  - id: cloud-serverless
+---
+
+# {{serverless-full}} breaking changes [elastic-cloud-serverless-breaking-changes]
+
+## June 23, 2025 [serverless-changelog-06232025]
+
+* {{esql}}: Disallows mixed quoted/unquoted patterns in `FROM` commands [#127636]({{es-pull}}127636)
diff --git a/release-notes/elastic-cloud-serverless/toc.yml b/release-notes/elastic-cloud-serverless/toc.yml
@@ -1,4 +1,5 @@
 toc:
   - file: index.md
+  - file: breaking-changes.md
   - file: known-issues.md
   - file: deprecations.md
diff --git a/solutions/observability/logs/log-data-sources.md b/solutions/observability/logs/log-data-sources.md
@@ -0,0 +1,35 @@
+---
+applies_to:
+  stack: ga
+  serverless: ga
+products:
+  - id: observability
+---
+
+# Configure log data sources
+
+The `observability:logSources` {{kib}} advanced setting defines which index patterns your deployment or project uses to store and query log data.
+
+Configure this setting at **Stack Management** → **Advanced Settings** or by searching for `Advanced Settings` in the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+
+
+::::{note}
+Adding indices to the `observability:logSources` setting that don't contain log data may cause degraded functionality. Changes to this setting can also impact the sources queried by log threshold rules.
+::::
+
+## Configure log data sources using the `saved_objects` API
+
+::::{important}
+Using the `saved_objects` API to import log data sources has the following limitations:
+
+* To import the log data source, you need to import the entire **Advanced Settings** saved object. This overwrites any other changes that you've made to your **Advanced Settings** in the target cluster, not just `observability:logSources`.
+* This approach is backward compatible, but not forward compatible. You cannot import the settings from an older version to a newer version.
+::::
+
+To configure log data sources using the `saved_objects` API and the **Advanced Settings** saved object:
+
+1. Go to **Stack Management** → **Advanced Settings** from the navigation menu or use the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
+1. Configure your custom log sources in `observability:logSources`.
+1. Go to **Stack Management** → **Saved Objects** from the navigation or use the [global search field](../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
+1. [Export](/explore-analyze/find-and-organize/saved-objects.md#saved-objects-import-and-export) the **Advanced Settings** saved object.
+1. Import the saved object to your target cluster using the [import saved objects API]({{kib-apis}}/operation/operation-importsavedobjectsdefault).
diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md
@@ -23,12 +23,19 @@ If you’re experiencing performance degradation, you can [exclude cold and froz
 
 ## Find events to analyze [find-events-analyze]
 
-You can only visualize events triggered by hosts configured with the {{elastic-defend}} integration or any `sysmon` data from `winlogbeat`.
+You can visualize events from the following sources:
 
-In KQL, this translates to any event with the `agent.type` set to either:
+* {{elastic-defend}} integration
+* Sysmon data collected through {{winlogbeat}}
+* [CrowdStrike integration](integration-docs://reference/crowdstrike.md) (Falcon logs collected through Event Stream or FDR)
+* [SentinelOne Cloud Funnel integration](integration-docs://reference/sentinel_one_cloud_funnel.md)
+
+In KQL, this translates to any event with the `agent.type` set to:
 
 * `endpoint`
 * `winlogbeat` with `event.module` set to `sysmon`
+* `filebeat` with `event.module` set to `crowdstrike`
+* `filebeat` with `event.module` set to `sentinel_one_cloud_funnel`
 
 To find events that can be visually analyzed:
 
@@ -37,13 +44,12 @@ To find events that can be visually analyzed:
     * Find **Hosts** in the main menu, or search for `Security/Explore/Hosts` by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then select the **Events** tab. A list of all your hosts' events appears at the bottom of the page.
     * Find **Alerts** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then scroll down to the Alerts table.
 
-2. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting **Enter**:
+2. Filter events that can be visually analyzed by entering one of the following queries in the KQL search bar, then selecting **Enter**:
 
     * `agent.type:"endpoint" and process.entity_id :*`
-
-        Or
-
     * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
+    * `agent.type:"filebeat" and event.module: "crowdstrike" and process.entity_id : *`
+    * `agent.type:"filebeat" and event.module: "sentinel_one_cloud_funnel" and process.entity_id : *`
 
 3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout.
 
@@ -75,7 +81,7 @@ Within the visual analyzer, each cube represents a process, such as an executabl
 
 To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are:
 
-* `SOURCE`: Can be either `endpoint` or `winlogbeat`
+* `SOURCE`: Indicates the data source—for example, `endpoint` or `winlogbeat`
 * `ID`: Event field that uniquely identifies a node
 * `EDGE`: Event field which indicates the relationship between two nodes
 
diff --git a/solutions/toc.yml b/solutions/toc.yml
@@ -407,6 +407,7 @@ toc:
               - file: observability/logs/categorize-log-entries.md
               - file: observability/logs/inspect-log-anomalies.md
           - file: observability/logs/run-pattern-analysis-on-log-data.md
+          - file: observability/logs/log-data-sources.md
           - file: observability/logs/add-service-name-to-logs.md
           - file: observability/logs/logs-index-template-reference.md
           - file: observability/logs/streams/streams.md
diff --git a/troubleshoot/ingest/opentelemetry/contact-support.md b/troubleshoot/ingest/opentelemetry/contact-support.md
@@ -0,0 +1,125 @@
+---
+navigation_title: Contact support
+description: Learn how to contact Elastic Support and what information to include to help resolve issues faster.
+applies_to:
+  stack:
+  serverless:
+    observability:
+  product:
+    edot_collector: ga
+products:
+  - id: cloud-serverless
+  - id: observability
+  - id: edot-collector
+---
+
+# Contact support
+
+In some cases, you may unable to resolve an issue with the Elastic Distributions of OpenTelemetry (EDOT) using the troubleshooting guides.
+
+If you have an [Elastic subscription](https://www.elastic.co/pricing), you can contact Elastic support for assistance. You can reach us in the following ways:
+
+* **Through the [Elastic Support Portal](https://support.elastic.co/):** The Elastic Support Portal is the central place where you can access all of your cases, subscriptions, and licenses.
+
+* **By email:** [support@elastic.co](mailto:support@elastic.co)
+
+  :::{tip}
+  If you contact us by email, use the email address you registered with so we can help you more quickly. If your registered email is a distribution list, you can register a second email address with us. Just open a case to let us know the name and email address you want to add.
+  :::
+
+  :::{warning}
+  All cases opened by email default to a normal severity level. For incidents, open a case through the [Elastic Support Portal](https://support.elastic.co/) and select the [appropriate severity](https://www.elastic.co/support/welcome#what-to-say-in-a-case).
+  :::
+
+Providing a clear description of your issue and relevant technical context helps our support engineers respond more quickly and effectively.
+
+## What to include in your support request
+
+To help Elastic Support investigate the problem efficiently, please include the following details whenever possible:
+
+### Basic information
+
+* A brief description of the issue
+* When the issue started and whether it is intermittent or consistent
+* Affected environments (dev, staging, production)
+* Whether you’re using Elastic Cloud or self-managed deployments
+* The version of the Elastic Stack you're using
+* Any additional context to help support understand the full data flow (from the instrumented applications at the edge to {{es}})
+
+### Deployment context
+
+* Are you using a [standalone EDOT Collector](opentelemetry://reference/edot-collector/config/default-config-standalone.md) or [Kubernetes](opentelemetry://reference/edot-collector/config/default-config-k8s.md)?
+* If applicable, include:
+  * Helm chart version and values (for Kubernetes)
+  * Container image version
+
+### Configuration
+
+* Your full or partial EDOT Collector configuration file or files, redacted as needed
+* Environment variables that may affect telemetry
+* Any overrides or runtime flags, such as `--log-level=debug` or `--config` path
+* To enable debug logging in Kubernetes environments using the Helm chart, set the log level explicitly with:
+
+  ```yaml
+  collector:
+    args:
+      - "--config=/etc/otel/config.yaml"
+      - "--log-level=debug"
+  ```
+
+  In Kubernetes environments with multiple EDOT Collector pods, be sure to collect logs and configuration from all instances. You can use `kubectl` to list and inspect each:
+
+  ```sh
+  kubectl get pods -l app=edot-collector
+  kubectl logs <pod-name> --container edot-collector
+  ```
+  Repeat for each Collector pod to provide complete context for support.
+
+### Logs and diagnostics
+
+* Recent Collector logs with relevant errors or warning messages
+* Output from:
+
+  ```bash
+  edot-collector --config=/path/to/config.yaml --dry-run
+  ```
+* Output from:
+
+  ```bash
+  lsof -i :4317
+  kubectl logs <collector-pod>
+  ```
+
+### Data and UI symptoms
+
+* Are traces, metrics, or logs missing from the UI?
+* Are you using the [Elastic Managed OTLP endpoint](https://www.elastic.co/docs/observability/apm/otel/managed-otel-ingest/)?
+* If data is missing or incomplete, consider enabling the [debug exporter](https://github.com/open-telemetry/opentelemetry-collector/blob/main/exporter/debugexporter/README.md) to inspect the raw signal data emitted by the Collector. 
+
+  You can use it for specific signals (logs, metrics, or traces) by adding a pipeline like:
+
+  ```yaml
+  exporters:
+    debug:
+      verbosity: detailed  # options: normal, detailed
+
+  service:
+    pipelines:
+      traces:
+        receivers: [otlp]
+        processors: [batch]
+        exporters: [debug]
+  ```
+
+  This helps verify whether the Collector is receiving and processing telemetry as expected before it's sent to Elasticsearch.
+
+## Next steps
+
+When you’ve gathered the information above relevant to your case:
+
+1. Log in to the [Elastic Support portal](https://support.elastic.co/)
+2. Open a new case and fill in the form.
+3. Attach your logs, configs, or example files. Redact sensitive data.
+
+Our support team will review your request and get back to you as soon as possible.
+
diff --git a/troubleshoot/ingest/opentelemetry/toc.yml b/troubleshoot/ingest/opentelemetry/toc.yml
@@ -15,4 +15,5 @@ toc:
           - file: edot-sdks/java/proxy-issues.md
       - file: edot-sdks/nodejs/index.md
       - file: edot-sdks/php/index.md
-      - file: edot-sdks/python/index.md
+      - file: edot-sdks/python/index.md
+  - file: contact-support.md
