Merge branch 'main' into remove-endpoint-terminology

Author: alaudazzi

solutions/observability/apps/transaction-sampling.md

@@ -198,7 +198,7 @@ Enable tail-based sampling with [Enable tail-based sampling](../../../solutions/
 Trace events are matched to policies in the order specified. Each policy list must conclude with a default policy — one that only specifies a sample rate. This default policy is used to catch remaining trace events that don’t match a stricter policy. Requiring this default policy ensures that traces are only dropped intentionally. If you enable tail-based sampling and send a transaction that does not match any of the policies, APM Server will reject the transaction with the error `no matching policy`.
 
 ::::{important}
-Please note that from version `8.3.1` APM Server implements a default storage limit of 3GB, but, due to how the limit is calculated and enforced the actual disk space may still grow slightly over the limit.
+Please note that from version `9.0.0` APM Server has an unlimited storage limit, but will stop writing when the disk where the database resides reaches 80% usage. Due to how the limit is calculated and enforced, the actual disk space may still grow slightly over this disk usage based limit, or any configured storage limit.
 ::::
 
 

solutions/security/cloud/cloud-native-vulnerability-management.md

@@ -20,15 +20,11 @@ CNVM currently only supports AWS EC2 Linux workloads.
 
 
 ::::{admonition} Requirements
-* CNVM is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing).
-* Requires {{stack}} and {{agent}} version 8.8 or higher.
+* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing).
 * CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
-* To view vulnerability scan findings, you need at least `read` privileges for the following indices:
-
-    * `logs-cloud_security_posture.vulnerabilities-*`
-    * `logs-cloud_security_posture.vulnerabilities_latest-*`
-
-
+* CNVM can only be deployed on ARM-based VMs.
+* You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances.
+* Depending on whether you want to `read`, `write`, or `manage` CNVM data, you need [specific privileges](/solutions/security/cloud/cnvm-privilege-requirements.md).
 ::::
 
 

solutions/security/cloud/cnvm-privilege-requirements.md

@@ -0,0 +1,59 @@
+---
+applies_to:
+  stack: all
+  serverless:
+    security: all
+---
+
+# CNVM privilege requirements [cnvm-required-permissions]
+
+This page lists required privileges for {{elastic-sec}}'s CNVM features. There are three access levels: `read`, `write`, and `manage`. Each access level and its requirements are described below.
+
+## Read
+
+Users with these minimum permissions can view data on the **Findings** page.
+
+### {{es}} index privileges
+
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: Read`
+
+## Write
+
+Users with these minimum permissions can view data on the **Findings** page and create detection rules from the findings details flyout.
+
+### {{es}} index privileges
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: All`
+
+
+## Manage
+
+Users with these minimum permissions can view data on the **Findings** page, create detection rules from the findings details flyout, and install, update, or uninstall integrations and assets.
+
+### {{es}} index privileges
+
+`Read` privileges for the following {{es}} indices:
+
+* `logs-cloud_security_posture.vulnerabilities_latest-default`
+* `logs-cloud_security_posture.scores-default`
+
+### {{kib}} privileges
+
+* `Security: All`
+* `Spaces: All`
+* `Fleet: All`
+* `Integrations: All`
+

solutions/security/cloud/get-started-with-cnvm.md

@@ -14,17 +14,11 @@ applies_to:
 This page explains how to set up Cloud Native Vulnerability Management (CNVM).
 
 ::::{admonition} Requirements
-* CNVM is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing).
-* Requires {{stack}} and {{agent}} version 8.8 or higher.
-* Only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
+* {{stack}} users: {{stack}} version 8.8 or higher and an [Enterprise subscription](https://www.elastic.co/pricing).
+* CNVM only works in the `Default` {{kib}} space. Installing the CNVM integration on a different {{kib}} space will not work.
 * CNVM can only be deployed on ARM-based VMs.
-* To view vulnerability scan findings, you need at least `read` privileges for the following indices:
-
-    * `logs-cloud_security_posture.vulnerabilities-*`
-    * `logs-cloud_security_posture.vulnerabilities_latest-*`
-
 * You need an AWS user account with permissions to perform the following actions: run CloudFormation templates, create IAM Roles and InstanceProfiles, and create EC2 SecurityGroups and Instances.
-
+* Depending on whether you want to `read`, `write`, or `manage` CNVM data, you need [specific privileges](/solutions/security/cloud/cnvm-privilege-requirements.md).
 ::::
 
 

solutions/toc.yml

@@ -573,6 +573,7 @@ toc:
           - file: security/cloud/cloud-native-vulnerability-management.md
             children:
               - file: security/cloud/get-started-with-cnvm.md
+              - file: security/cloud/cnvm-privilege-requirements.md
               - file: security/cloud/findings-page-3.md
               - file: security/dashboards/cloud-native-vulnerability-management-dashboard.md
               - file: security/cloud/cnvm-frequently-asked-questions-faq.md