Commit c405fdf

Merge branch 'main' into typo-stack-monitoring
2 parents d2a2268 + 5de52fe commit c405fdf

5 files changed

+12
-4
lines changed


solutions/observability/streams/management/extract.md

Lines changed: 1 addition & 1 deletion
@@ -26,7 +26,7 @@ Streams supports the following processors:
2626

2727
- [**Date**](./extract/date.md): Converts date strings into timestamps, with options for timezone, locale, and output formatting.
2828
- [**Dissect**](./extract/dissect.md): Extracts fields from structured log messages using defined delimiters instead of patterns, making it faster than Grok and ideal for consistently formatted logs.
29-
- [**Grok**](./extract/grok.md): Extracts fields from unstructured log messages using predefined or custom patterns, supports multiple match attempts in sequence, and can automatically generate patterns with an LLM connector.
29+
- [**Grok**](./extract/grok.md): Extracts fields from unstructured log messages using predefined or custom patterns, supports multiple match attempts in sequence, and can automatically generate patterns with an [LLM connector](../../../security/ai/set-up-connectors-for-large-language-models-llm.md).
3030
- [**Set**](./extract/set.md): Assigns a specific value to a field, creating the field if it doesn’t exist or overwriting its value if it does.
3131
- [**Rename**](./extract/rename.md): Changes the name of a field, moving its value to a new field name and removing the original.
3232
- [**Append**](./extract/append.md): Adds a value to an existing array field, or creates the field as an array if it doesn’t exist.
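
Review bot: The link target added to the Grok bullet is a three-level relative path (`../../../security/ai/set-up-connectors-for-large-language-models-llm.md`) that crosses from the observability tree into the security tree, so the `../` count has to be redone whenever either file moves; the same target is written with four `../` segments in grok.md. Other cross-section links visible in this commit use the root-relative form, for example `/solutions/security/manage-elastic-defend/trusted-devices.md`. Using that form here would make all three LLM connector links identical and independent of file depth.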

solutions/observability/streams/management/extract/grok.md

Lines changed: 1 addition & 1 deletion
@@ -39,7 +39,7 @@ The previous pattern can then be used in the processor.
3939

4040
## Generate patterns [streams-grok-patterns]
4141
:::{note}
42-
Requires an LLM Connector to be configured.
42+
This feature requires an [LLM connector](../../../../security/ai/set-up-connectors-for-large-language-models-llm.md).
4343
:::
4444

4545
Instead of writing the Grok patterns by hand, you can use the **Generate Patterns** button to generate the patterns for you.

solutions/observability/streams/management/significant-events.md

Lines changed: 1 addition & 1 deletion
@@ -10,5 +10,5 @@ Significant Events periodically runs a query on your stream to find important ev
1010

1111
To define significant events, either:
1212

13-
- **Generate significant events with AI:** If you don't know what you're looking for, let AI suggest queries based on your data. This works by using the previously identified [features](./advanced.md#streams-advanced-features) in your Stream to create specific queries based on the data you have in your Stream. Then, select the suggestions that make sense to you.
13+
- **Generate significant events with AI:** (requires an [LLM connector](../../../security/ai/set-up-connectors-for-large-language-models-llm.md)) If you don't know what you're looking for, let AI suggest queries based on your data. This works by using the previously identified [features](./advanced.md#streams-advanced-features) in your Stream to create specific queries based on the data you have in your Stream. Then, select the suggestions that make sense to you.
1414
- **Create significant events from a query:** If you know what you're looking for, write your own query to find important events.
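
Review bot: The parenthetical `(requires an [LLM connector](...))` at new line 13 sits between the bold label and the first sentence of the bullet, which interrupts the lead-in and states the prerequisite differently from grok.md, where it is a note reading "This feature requires an [LLM connector]". Consider moving it to the end of the bullet as its own sentence, such as "This option requires an LLM connector.", so the prerequisite reads the same way wherever it appears.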

solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md

Lines changed: 4 additions & 1 deletion
@@ -238,8 +238,11 @@ stack: ga 9.2
238238
serverless: ga
239239
```
240240
241+
Device control helps protect your Linux and Mac endpoints from data loss, malware, and unauthorized access by managing which devices can connect to your computers. Specifically, it restricts which external USB storage devices can connect to hosts that have {{elastic-defend}} installed.
241242
242-
Device control helps protect your organization from data loss, malware, and unauthorized access by managing which devices can connect to your computers. Specifically, it restricts which external USB storage devices can connect to hosts that have {{elastic-defend}} installed.
243+
::::{important}
244+
Device control only affects external USB storage devices. It does not affect other peripherals such as Yubikeys, webcams, or keyboards.
245+
::::
243246
244247
To configure device control for one or more hosts, edit the {{elastic-defend}} policy that affects those hosts. Your policy specifies which operations these devices are allowed to take on a host. You can create [trusted devices](/solutions/security/manage-elastic-defend/trusted-devices.md) to define exceptions to your policy for specific devices.
245248
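
Review bot: The rewritten opening sentence at new line 241 says device control protects "your Linux and Mac endpoints", while the admonition added to trusted-devices.md in this same commit says "Device control only supports Windows and Mac endpoints". The two statements disagree on the supported platforms, and an administrator relying on this page could assume coverage on hosts where the policy has no effect. Confirm the platform list and use the same wording on both pages before merging.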

solutions/security/manage-elastic-defend/trusted-devices.md

Lines changed: 5 additions & 0 deletions
@@ -12,6 +12,11 @@ products:
1212

1313
By default, {{elastic-defend}} policies have [device control](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#device-control) enabled, with access level set to block all operations. This prevents external storage devices from connecting to protected hosts.
1414

15+
::::{important}
16+
- Device control only affects external USB storage devices. It does not affect other peripherals such as Yubikeys, webcams, or keyboards.
17+
- Device control only supports Windows and Mac endpoints.
18+
::::
19+
1520
Trusted devices are specific external devices that are allowed to connect to your protected hosts regardless of device control settings. Create trusted devices to avoid interfering with expected workflows that involve known hardware.
1621

1722
By default, a trusted device is recognized globally across all hosts running {{elastic-defend}}. You can also assign a trusted device to a specific {{elastic-defend}} integration policy, enabling the device to be trusted by only the hosts assigned to that policy.
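
Review bot: The important block added at new lines 15-18 carries a platform bullet that the matching block in configure-an-integration-policy-for-elastic-defend.md does not, so the two copies of the same admonition already differ in the commit that introduces them. Keep the text identical in both files, or move it to a shared include, so the scope statement cannot drift. Two wording points in the added lines: the product name is spelled "YubiKeys", and "Mac" should be "macOS" when naming the operating system.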
