Merge branch 'main' into add-elastic-new-intro-section

Author: lcawl

manage-data/data-store/data-streams.md

@@ -13,7 +13,7 @@ products:
 
 # Data streams [data-streams]
 
-A data stream lets you store append-only time series data across multiple indices while giving you a single named resource for requests. Data streams are well-suited for logs, events, metrics, and other continuously generated data.
+A data stream acts as a layer of abstraction over a set of indices that are optimized for storing append-only time series data. It stores data across multiple backing indices while giving you a single named resource to use for requests. Data streams are well-suited for logs, events, metrics, and other continuously generated data.
 
 You can submit indexing and search requests directly to a data stream. The stream automatically routes the request to backing indices that store the stream’s data. You can use [{{ilm}} ({{ilm-init}})](../lifecycle/index-lifecycle-management.md) to automate the management of these backing indices. For example, you can use {{ilm-init}} to automatically move older backing indices to less expensive hardware and delete unneeded indices. {{ilm-init}} can help you reduce costs and overhead as your data grows.
 
@@ -39,7 +39,7 @@ A data stream consists of one or more [hidden](elasticsearch://reference/elastic
 :alt: data streams diagram
 :::
 
-A data stream requires a matching [index template](templates.md). The template contains the mappings and settings used to configure the stream’s backing indices.
+A data stream requires a matching [index template](templates.md). The template contains the mappings and settings used to configure the stream’s backing indices and defines the {{ilm-init}} policy that the data stream uses.
 
 Every document indexed to a data stream must contain a `@timestamp` field, mapped as a [`date`](elasticsearch://reference/elasticsearch/mapping-reference/date.md) or [`date_nanos`](elasticsearch://reference/elasticsearch/mapping-reference/date_nanos.md) field type. If the index template doesn’t specify a mapping for the `@timestamp` field, {{es}} maps `@timestamp` as a `date` field with default options.
 

manage-data/lifecycle/data-stream.md

@@ -10,7 +10,7 @@ products:
 
 # Data stream lifecycle [data-stream-lifecycle]
 
-A data stream lifecycle is the built-in mechanism data streams use to manage their lifecycle. It enables you to easily automate the management of your data streams according to your retention requirements. For example, you could configure the lifecycle to:
+A data stream lifecycle is the built-in mechanism [data streams](/manage-data/data-store/data-streams.md) use to manage their lifecycle. It enables you to easily automate the management of your data streams according to your retention requirements. For example, you could configure the lifecycle to:
 
 * Ensure that data indexed in the data stream will be kept at least for the retention time you defined.
 * Ensure that data older than the retention period will be deleted automatically by {{es}} at a later time.
@@ -22,6 +22,13 @@ To achieve that, it supports:
 
 A data stream lifecycle also supports downsampling the data stream backing indices. See [the downsampling example](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-indices-put-data-lifecycle) for more details.
 
+## Data stream lifecycle availability
+
+Note the availability of data stream lifecycle to ensure that it's applicable for your use case:
+
+* Data stream lifecycle is supported only for data streams and cannot be used with individual indices.
+
+* Data stream lifecycle is supported for all deployment types on the versioned {{stack}} as well as for {{es-serverless}}.
 
 ## How does it work? [data-streams-lifecycle-how-it-works]
 

manage-data/lifecycle/index-lifecycle-management.md

@@ -7,35 +7,42 @@ mapped_pages:
   - https://www.elastic.co/guide/en/cloud/current/ec-configure-index-management.html
 applies_to:
   stack: ga
+  serverless: unavailable
 products:
   - id: elasticsearch
 ---
 
 # Index lifecycle management
 
-{{ilm-cap}} ({{ilm-init}}) provides an integrated and streamlined way to manage time-based data such as logs and metrics, making it easier to follow best practices for managing your indices.
-
-You can configure {{ilm-init}} policies to automatically manage indices according to your performance, resiliency, and retention requirements. For example, you could use {{ilm-init}} to:
+{{ilm-cap}} ({{ilm-init}}) provides an integrated and streamlined way to manage your time series data. You can configure {{ilm-init}} policies to automatically manage indices according to your performance, resiliency, and retention requirements. For example, you could use {{ilm-init}} to:
 
 * Spin up a new index when an index reaches a certain size or number of documents
 * Create a new index each day, week, or month and archive previous ones
 * Delete stale indices to enforce data retention standards
 
-::::{tip}
-{{ilm-init}} is not available on {{es-serverless}}.
-
-:::{dropdown} Why?
-In an {{ecloud}} or self-managed environment, ILM lets you automatically transition indices through data tiers according to your performance needs and retention requirements. This allows you to balance hardware costs with performance. {{es-serverless}} eliminates this complexity by optimizing your cluster performance for you.
-
-Data stream lifecycle is an optimized lifecycle tool that lets you focus on the most common lifecycle management needs, without unnecessary hardware-centric concepts like data tiers.
-:::
-::::
-
 ::::{important}
 To use {{ilm-init}}, all nodes in a cluster must run the same version. Although it might be possible to create and apply policies in a mixed-version cluster, there is no guarantee they will work as intended. Attempting to use a policy that contains actions that aren’t supported on all nodes in a cluster will cause errors.
 ::::
 
-## Actions
+## {{ilm-init}} availability
+
+Note the availability of {{ilm-init}} to ensure that it's applicable for your use case.
+
+* You can use {{ilm-init}} to manage indices and data streams:
+
+    * **Indices:** You use {{ilm-init}} to manage a specific index or set of indices by defining a lifecycle policy and applying it to the indices or an index alias. Each index is then evaluated against its policy and transitions through phases (`hot`, `warm`, `cold`, `frozen`, `delete`) based on pre-defined conditions. This approach allows for more granular control over each index but requires considerably more effort compared to using a data stream, which is our recommended option.
+
+    * **Data streams:** A [data stream](/manage-data/data-store/data-streams.md) acts as a layer of abstraction over a set of indices that contain append-only, time series data. You can configure {{ilm-init}} using a data stream as a single named resource, so that rollover and any other configured actions are performed on the data stream's backing indices automatically.
+
+* {{ilm-init}} is available for all deployment types on the versioned {{stack}} but is not available for {{es-serverless}}. In a {{serverless-short}} environment, [data stream lifecycle](/manage-data/lifecycle/data-stream.md) is available as a data lifecycle option.
+
+    :::{admonition} Simpler lifecycle management in Serverless environments
+    {{ilm-init}} lets you automatically transition indices through data tiers according to your performance needs and retention requirements. This allows you to balance hardware costs with performance. {{ilm-init}} is not available in {{serverless-short}} because in that environment your cluster performance is optimized for you. Instead, data stream lifecycle is available as a data management option.
+
+    Data stream lifecycle is a simpler lifecycle management tool optimized for the most common lifecycle management needs. It enables you to configure the retention duration for your data and to optimize how the data is stored, without hardware-centric concepts like data tiers. For a detailed comparison of {{ilm-init}} and data stream lifecycle refer to [Data lifecycle](/manage-data/lifecycle.md).
+    :::
+
+## Index lifecycle actions
 
 {{ilm-init}} policies can trigger actions like:
 

solutions/images/ai-assistant-shared-status-badge.png

@@ -112,28 +112,266 @@ Be sure to specify which language you’d like AI Assistant to use when writing
 AI Assistant can remember particular information you tell it to remember. For example, you could tell it: "When anwering any question about srv-win-s1-rsa or an alert that references it, mention that this host is in the New York data center". This will cause it to remember the detail you highlighted.
 ::::
 
+## Share conversations
+
+```{applies_to}
+stack: ga 9.2
+serverless: ga
+```
+
+Conversations that you start with AI Assistant are private by default and not visible to other members of your team. You have two ways to share conversations - either with selected members or more broadly to everyone with access to the space.
+
+To share a conversation, do one of the following:
+
+- Click the **Private** / **Shared** / **Restricted** badge next to the conversation's title. Use the dropdown menu to define the chat's visibility. If you select **Restricted**, a modal appears where you can select which users have access.
+  ::::{image} /solutions/images/ai-assistant-shared-status-badge.png
+  :alt: AI Assistant chat with the sharing status dropdown open
+  :screenshot:
+  ::::
+- Go to **AI Assistant settings -> Conversations** to view all conversations you've started. Update their visibility as desired.
+
+
+Once a conversation is shared, you can copy its URL to easily link it to your team:
+
+- Open an AI Assistant chat, open the **Conversation settings** menu and select **Copy URL**.
+- Open the **Conversations** tab of the AI Assistant settings page, then select the one you want to share and click **Copy URL**.
+
+When someone shares a chat with you, you can review it but can't continue the conversation, since it is owned by another user. However, you can duplicate a shared conversation and continue where your colleague left off. To duplicate a shared conversation:
+
+- Open an AI Assistant chat, open the **Conversation settings** menu and select **Duplicate**.
+- Open the **Conversations** tab of the AI Assistant settings page, then select the one you want to duplicate and click **Duplicate**.
+
+There are several [audit events](kibana://reference/kibana-audit-events.md) related to conversation sharing. Click each title to show an example:
+
+:::{dropdown} 1. security_assistant_conversation_shared
+```
+{
+  "event": {
+    "action": "security_assistant_conversation_shared",
+    "category": [
+      "database"
+    ],
+    "type": [
+      "change"
+    ],
+    "outcome": "success"
+  },
+  "user": {
+    "id": "u_xSVO6jcSCvoEcle7e3XVVfBU4Swm1R8-x7pi5bxrSvU_0",
+    "name": "test_daija_glover",
+    "roles": [
+      "superuser"
+    ]
+  },
+  "kibana": {
+    "space_id": "default",
+    "session_id": "1AZ8kfSYHzVO5ZMZ97DrNi1wjN6BFKHTw75KH8WiF7w="
+  },
+  "trace": {
+    "id": "7e080b32-41b4-453b-80fe-b9c1e12a1c57"
+  },
+  "client": {
+    "ip": "127.0.0.1"
+  },
+  "http": {
+    "request": {
+      "headers": {
+        "x-forwarded-for": "127.0.0.1"
+      }
+    }
+  },
+  "service": {
+    "node": {
+      "roles": [
+        "background_tasks",
+        "ui"
+      ]
+    }
+  },
+  "ecs": {
+    "version": "9.0.0"
+  },
+  "@timestamp": "2025-08-26T13:16:10.422-06:00",
+  "message": "User has shared conversation [id=b873b917-2fd0-4452-98e8-8c359f6acbfa, title=\"Getting Started with Elastic Security\"] to all users in the space",
+  "log": {
+    "level": "INFO",
+    "logger": "plugins.security.audit.ecs"
+  },
+  "process": {
+    "pid": 61536,
+    "uptime": 65.705743792
+  },
+  "span": {
+    "id": "8364fa9bf07311d6"
+  }
+}
+```
+:::
+
+:::{dropdown} 2. security_assistant_conversation_private
+```
+{
+  "event": {
+    "action": "security_assistant_conversation_private",
+    "category": [
+      "database"
+    ],
+    "type": [
+      "change"
+    ],
+    "outcome": "success"
+  },
+  "user": {
+    "id": "u_xSVO6jcSCvoEcle7e3XVVfBU4Swm1R8-x7pi5bxrSvU_0",
+    "name": "test_daija_glover",
+    "roles": [
+      "superuser"
+    ]
+  },
+  "kibana": {
+    "space_id": "default",
+    "session_id": "1AZ8kfSYHzVO5ZMZ97DrNi1wjN6BFKHTw75KH8WiF7w="
+  },
+  "trace": {
+    "id": "ae998403-8453-44ae-a9b8-ac8002c3bf28"
+  },
+  "client": {
+    "ip": "127.0.0.1"
+  },
+  "http": {
+    "request": {
+      "headers": {
+        "x-forwarded-for": "127.0.0.1"
+      }
+    }
+  },
+  "service": {
+    "node": {
+      "roles": [
+        "background_tasks",
+        "ui"
+      ]
+    }
+  },
+  "ecs": {
+    "version": "9.0.0"
+  },
+  "@timestamp": "2025-08-26T13:15:46.300-06:00",
+  "message": "User has made private conversation [id=b873b917-2fd0-4452-98e8-8c359f6acbfa, title=\"Getting Started with Elastic Security\"]",
+  "log": {
+    "level": "INFO",
+    "logger": "plugins.security.audit.ecs"
+  },
+  "process": {
+    "pid": 61536,
+    "uptime": 41.582780958
+  },
+  "span": {
+    "id": "68a0d5f52faa17d4"
+  }
+}
+```
+:::
+
+:::{dropdown} 3. security_assistant_conversation_restricted
+```
+{
+  "event": {
+    "action": "security_assistant_conversation_restricted",
+    "category": [
+      "database"
+    ],
+    "type": [
+      "change"
+    ],
+    "outcome": "success"
+  },
+  "user": {
+    "id": "u_xSVO6jcSCvoEcle7e3XVVfBU4Swm1R8-x7pi5bxrSvU_0",
+    "name": "test_daija_glover",
+    "roles": [
+      "superuser"
+    ]
+  },
+  "kibana": {
+    "space_id": "default",
+    "session_id": "1AZ8kfSYHzVO5ZMZ97DrNi1wjN6BFKHTw75KH8WiF7w="
+  },
+  "trace": {
+    "id": "b59f9790-87ff-45f0-b28e-1d9ffa6cfb09"
+  },
+  "client": {
+    "ip": "127.0.0.1"
+  },
+  "http": {
+    "request": {
+      "headers": {
+        "x-forwarded-for": "127.0.0.1"
+      }
+    }
+  },
+  "service": {
+    "node": {
+      "roles": [
+        "background_tasks",
+        "ui"
+      ]
+    }
+  },
+  "ecs": {
+    "version": "9.0.0"
+  },
+  "@timestamp": "2025-08-26T14:40:59.897-06:00",
+  "message": "User has restricted conversation [id=b873b917-2fd0-4452-98e8-8c359f6acbfa, title=\"Getting Started with Elastic Security\"] to user ([id=u_LdnmWaOWbWS1ObwqRW2MLWMkWtxCSyiElishzEpew0g_0, name=test_dina_bahringer])",
+  "log": {
+    "level": "INFO",
+    "logger": "plugins.security.audit.ecs"
+  },
+  "process": {
+    "pid": 77921,
+    "uptime": 29.727069625
+  },
+  "span": {
+    "id": "80e57252aceea924"
+  }
+}
+```
+:::
+
 ## Configure AI Assistant [configure-ai-assistant]
 
-To adjust AI Assistant's settings from the chat window, click the **More** (three dots) button in the upper-right.
+To adjust general AI Assistant settings from the chat window, click the **Assistant settings menu** button in the upper-right. 
 
-::::{image} /solutions/images/security-attack-discovery-more-popover.png
-:alt: AI Assistant's more options popover
+::::{image} /solutions/images/security-ai-assistant-settings-menu.png
+:alt: AI Assistant's settings popover
 :screenshot:
 ::::
 
-The first three options (**AI Assistant settings**, **Knowledge Base**, and **Anonymization**) open the corresponding tabs of the **Security AI settings** page. The **Chat options** affect display-only user settings: whether to show or hide anonymized values, and whether to include citations. When citations are enabled, AI Assistant will refer you to information sources including data you've shared with it, information you've added to the [knowledge base](/solutions/security/ai/ai-assistant-knowledge-base.md), and content from Elastic's Security Labs and [product documentation](/solutions/security/ai/ai-assistant-knowledge-base.md#elastic-docs).
+The first three options (**AI Assistant settings**, **Knowledge Base**, and **Anonymization**) open the corresponding tabs of the **Security AI settings** page. The **Alerts to analyze** button allows you to adjust how many alerts to include as context for your conversation.
 
 The **Security AI settings** page provides a range of configuration options for AI Assistant. To access it directly, use the global search field to search for "AI Assistant for Security".
 
 It has the following tabs:
 
-* **Conversations:** When you open AI Assistant from certain pages, such as **Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
+* **Conversations:** The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. After the streaming setting is a list of all saved conversations. From here you can change their visibility, system prompt, and connector.
 * **Connectors:** Manage all LLM connectors.
 * **System Prompts:** Edit existing System Prompts or create new ones. To create a new System Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the System Prompt’s text. Under **Contexts**, select where the System Prompt should appear.
 * **Quick Prompts:** Modify existing Quick Prompts or create new ones. To create a new Quick Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the Quick Prompt’s text.
 * **Anonymization:** Select fields to include as plaintext, to obfuscate, and to not send when you provide events to AI Assistant as context. [Learn more](/solutions/security/ai/ai-assistant.md#ai-assistant-anonymization).
 * **Knowledge base:** Provide additional context to AI Assistant. [Learn more](/solutions/security/ai/ai-assistant-knowledge-base.md).
 
+
+To adjust the settings for a specific chat, click the **Conversation settings** button in the upper-right of its chat window. 
+
+::::{image} /solutions/images/security-ai-assistant-chat-options-menu.png
+:alt: AI Assistant's chat options menu
+:screenshot:
+::::
+
+The **Copy URL** and **Duplicate** options allow you to share conversations (by sending their URL) and to continue conversations that were shared with you (by duplicating them). The **Delete** option appears for the conversation owner only and allows you to remove a saved conversation.
+
+Settings in the **Chat options** section affect display-only user settings: whether to show or hide anonymized values, and whether to include citations. When citations are enabled, AI Assistant will refer you to information sources including data you've shared with it, information you've added to the [knowledge base](/solutions/security/ai/ai-assistant-knowledge-base.md), and content from Elastic's Security Labs and [product documentation](/solutions/security/ai/ai-assistant-knowledge-base.md#elastic-docs).
+
 ### Anonymization [ai-assistant-anonymization]
 
 ::::{admonition} Requirements

solutions/images/security-ai-assistant-chat-options-menu.png

@@ -37,7 +37,7 @@ Refer to the following table to find the MITRE ATT&CK® version that's mapped to
 | MITRE ATT\&CK® version | {{elastic-sec}} version |
 | :---- | :---- |
 | [v16.1](https://attack.mitre.org/resources/updates/updates-october-2024/) | • 9.0.0-9.0.6 <br> • 9.1.0-9.1.3|
-| [v17.1](https://attack.mitre.org/resources/updates/updates-april-2025/) | • {applies_to}`stack: ga 9.2.0` <br> • {{serverless-short}} |
+| [v17.1](https://attack.mitre.org/resources/updates/updates-april-2025/) | • 9.0.7 <br> • 9.1.4 <br> • {applies_to}`stack: ga 9.2.0` <br> • {{serverless-short}} |
 
 
 ## Filter rules [security-rules-coverage-filter-rules]

solutions/images/security-ai-assistant-settings-menu.png

@@ -30,6 +30,7 @@ If you're using {{ech}}, you can use AutoOps to monitor your cluster. AutoOps si
 * [](/troubleshoot/elasticsearch/increase-shard-limit.md)
 * [](/troubleshoot/elasticsearch/increase-cluster-shard-limit.md)
 * [](/troubleshoot/elasticsearch/corruption-troubleshooting.md)
+* [](/troubleshoot/elasticsearch/troubleshoot-ingest-pipelines.md)
 
 ## Management [troubleshooting-management]