diff --git a/reference/glossary/index.md b/reference/glossary/index.md
index 0d86a06ee7..4d49480a7a 100644
--- a/reference/glossary/index.md
+++ b/reference/glossary/index.md
@@ -20,7 +20,7 @@ $$$glossary-metadata$$$ @metadata
$$$glossary-action$$$ action
: 1. The rule-specific response that occurs when an alerting rule fires. A rule can have multiple actions. See [Connectors and actions](kibana://reference/connectors-kibana.md).
-2. In {{elastic-sec}}, actions send notifications via other systems when a detection alert is created, such as email, Slack, PagerDuty, and {{webhook}}.
+2. In {{elastic-sec}}, actions send notifications through other systems when a detection alert is created, such as email, Slack, PagerDuty, and {{webhook}}.
$$$glossary-admin-console$$$ administration console
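Review bot: In the reworded item 2, the list "such as email, Slack, PagerDuty, and {{webhook}}" still trails "when a detection alert is created", so it reads as examples of alerts rather than of the other systems. Suggest moving it next to its noun: "actions send notifications through other systems, such as email, Slack, PagerDuty, and {{webhook}}, when a detection alert is created."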
@@ -281,7 +281,7 @@ $$$glossary-eql$$$ Event Query Language (EQL)
: [Query](/reference/glossary/index.md#glossary-query) language for event-based time series data, such as logs, metrics, and traces. EQL supports matching for event sequences. See [EQL](/explore-analyze/query-filter/languages/eql.md).
$$$glossary-event$$$ event
-: A single unit of information, containing a timestamp plus additional data. An event arrives via an input, and is subsequently parsed, timestamped, and passed through the {{ls}} [pipeline](/reference/glossary/index.md#glossary-pipeline).
+: A single unit of information, containing a timestamp plus additional data. An event arrives through an input, and is subsequently parsed, timestamped, and passed through the {{ls}} [pipeline](/reference/glossary/index.md#glossary-pipeline).
$$$glossary-exception$$$ exception
: In {{elastic-sec}}, exceptions are added to rules to prevent specific source event field values from generating alerts.
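Review bot: The event definition now uses "through" twice in one sentence with two different senses ("arrives through an input" and "passed through the {{ls}} pipeline"). Suggest "arrives from an input" for the first, so the second keeps its meaning of traversing the pipeline.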
@@ -313,7 +313,7 @@ $$$glossary-field$$$ field
$$$glossary-filter-plugin$$$ filter plugin
-: A {{ls}} [plugin](/reference/glossary/index.md#glossary-plugin) that performs intermediary processing on an [event](/reference/glossary/index.md#glossary-event). Typically, filters act upon event data after it has been ingested via inputs, by mutating, enriching, and/or modifying the data according to configuration rules. Filters are often applied conditionally depending on the characteristics of the event. Popular filter plugins include grok, mutate, drop, clone, and geoip. Filter stages are optional.
+: A {{ls}} [plugin](/reference/glossary/index.md#glossary-plugin) that performs intermediary processing on an [event](/reference/glossary/index.md#glossary-event). Typically, filters act upon event data after it has been ingested through inputs, by mutating, enriching, or modifying the data according to configuration rules. Filters are often applied conditionally depending on the characteristics of the event. Popular filter plugins include grok, mutate, drop, clone, and geoip. Filter stages are optional.
$$$glossary-filter$$$ filter
: [Query](/reference/glossary/index.md#glossary-query) that does not score matching documents. See [filter context](/explore-analyze/query-filter/languages/querydsl.md).
@@ -453,7 +453,7 @@ $$$glossary-integration-policy$$$ integration policy
: An instance of an [integration](/reference/glossary/index.md#glossary-integration) that is configured for a specific use case, such as collecting logs from a specific file.
$$$glossary-integration$$$ integration
-: An easy way for external systems to connect to the {{stack}}. Whether it's collecting data or protecting systems from security threats, integrations provide out-of-the-box assets to make setup easy—many with just a single click.
+: An easy way for external systems to connect to the {{stack}}. Whether it's collecting data or protecting systems from security threats, integrations provide out-of-the-box assets to make setup easy—many with only a single click.
## J [j-glos]
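Review bot: The integration definition still says "easy" twice ("An easy way" and "to make setup easy") and keeps the em dash before "many with only a single click", so replacing "just" with "only" leaves the sentence's main style problems in place. Suggest ending the sentence at "out-of-the-box assets that simplify setup." and following it with "Many need only a single click."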
@@ -582,7 +582,7 @@ $$$glossary-plan$$$ plan
: Specifies the configuration and topology of an {{es}} or {{kib}} cluster, such as capacity, availability, and {{es}} version, for example. When changing a plan, the [constructor](/reference/glossary/index.md#glossary-constructor) determines how to transform the existing cluster into the pending plan.
$$$glossary-plugin-manager$$$ plugin manager
-: Accessed via the `bin/logstash-plugin` script, the plugin manager enables you to manage the lifecycle of [plugins](/reference/glossary/index.md#glossary-plugin) in your {{ls}} deployment. You can install, remove, and upgrade plugins by using the plugin manager Command Line Interface (CLI).
+: Accessed through the `bin/logstash-plugin` script, the plugin manager enables you to manage the lifecycle of [plugins](/reference/glossary/index.md#glossary-plugin) in your {{ls}} deployment. You can install, remove, and upgrade plugins by using the plugin manager Command Line Interface (CLI).
$$$glossary-plugin$$$ plugin
: A self-contained software package that implements one of the stages in the {{ls}} event processing [pipeline](/reference/glossary/index.md#glossary-pipeline). The list of available plugins includes [input plugins](/reference/glossary/index.md#glossary-input-plugin), [output plugins](/reference/glossary/index.md#glossary-output-plugin), [codec plugins](/reference/glossary/index.md#glossary-codec-plugin), and [filter plugins](/reference/glossary/index.md#glossary-filter-plugin). The plugins are implemented as Ruby [gems](/reference/glossary/index.md#glossary-gem) and hosted on [RubyGems.org](https://rubygems.org). You define the stages of an event processing [pipeline](/reference/glossary/index.md#glossary-pipeline) by configuring plugins.
@@ -791,7 +791,7 @@ $$$glossary-upgrade-assistant$$$ Upgrade Assistant
: A tool that helps you prepare for an upgrade to the next major version of {{es}}. The assistant identifies the deprecated settings in your cluster and indices and guides you through resolving issues, including reindexing. See [Upgrade Assistant](/deploy-manage/upgrade/prepare-to-upgrade/upgrade-assistant.md).
$$$glossary-uptime$$$ Uptime
-: A metric of system reliability used to monitor the status of network endpoints via HTTP/S, TCP, and ICMP.
+: A metric of system reliability used to monitor the status of network endpoints through HTTP/S, TCP, and ICMP.
## V [v-glos]
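Review bot: In the Uptime definition, "through HTTP/S, TCP, and ICMP" reads as if the endpoints are reached by way of an intermediary, whereas these are the protocols used to probe them. "using HTTP/S, TCP, and ICMP" would be clearer, and it matches the "using" chosen for other "via" replacements in this patch.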
@@ -806,7 +806,7 @@ $$$glossary-vega$$$ Vega
: A declarative language used to create interactive visualizations. See [Vega](/explore-analyze/dashboards.md).
$$$glossary-visualization$$$ visualization
-: A graphical representation of query results in {{kib}} (e.g., a histogram, line graph, pie chart, or heat map).
+: A graphical representation of query results in {{kib}} (for example, a histogram, line graph, pie chart, or heat map).
## W [w-glos]
diff --git a/reference/machine-learning/ml-metric-functions.md b/reference/machine-learning/ml-metric-functions.md
index 28336f7161..b6a11db582 100644
--- a/reference/machine-learning/ml-metric-functions.md
+++ b/reference/machine-learning/ml-metric-functions.md
@@ -7,7 +7,7 @@ products:
# Metric functions [ml-metric-functions]
-The metric functions include functions such as mean, min and max. These values are calculated for each bucket. Field values that cannot be converted to double precision floating point numbers are ignored.
+The metric functions include functions such as mean, min, and max. These values are calculated for each bucket. Field values that cannot be converted to double precision floating point numbers are ignored.
The {{ml-features}} include the following metric functions:
@@ -97,7 +97,7 @@ The `median` function detects anomalies in the statistical median of a value. Th
If you want to monitor unusually high median values, use the `high_median` function.
-If you are just interested in unusually low median values, use the `low_median` function.
+If you are only interested in unusually low median values, use the `low_median` function.
These functions support the following properties:
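Review bot: In "If you are only interested in unusually low median values", the word "only" sits before "interested" rather than before the phrase it limits. "If you are interested only in unusually low median values" is unambiguous; the same wording recurs in the `low_mean` and `low_varp` hunks below.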
@@ -125,7 +125,7 @@ The `mean` function detects anomalies in the arithmetic mean of a value. The mea
If you want to monitor unusually high average values, use the `high_mean` function.
-If you are just interested in unusually low average values, use the `low_mean` function.
+If you are only interested in unusually low average values, use the `low_mean` function.
These functions support the following properties:
@@ -199,7 +199,7 @@ The `varp` function detects anomalies in the variance of a value which is a meas
If you want to monitor unusually high variance, use the `high_varp` function.
-If you are just interested in unusually low variance, use the `low_varp` function.
+If you are only interested in unusually low variance, use the `low_varp` function.
These functions support the following properties:
diff --git a/reference/machine-learning/ootb-ml-jobs-apache.md b/reference/machine-learning/ootb-ml-jobs-apache.md
index ae1d0b74ca..0cbb4140d4 100644
--- a/reference/machine-learning/ootb-ml-jobs-apache.md
+++ b/reference/machine-learning/ootb-ml-jobs-apache.md
@@ -14,7 +14,7 @@ These {{anomaly-job}} wizards appear in {{kib}} if you use the Apache integratio
These {{anomaly-jobs}} find unusual activity in HTTP access logs.
-For more details, see the {{dfeed}} and job definitions in [GitHub](https://github.com/elastic/integrations/blob/main/packages/apache/kibana/ml_module/apache-Logs-ml.json). Note that these jobs are available in {{kib}} only if data exists that matches the query specified in the [manifest file](https://github.com/elastic/integrations/blob/main/packages/apache/kibana/ml_module/apache-Logs-ml.json#L11).
+For more details, see the {{dfeed}} and job definitions in [GitHub](https://github.com/elastic/integrations/blob/main/packages/apache/kibana/ml_module/apache-Logs-ml.json). These jobs are available in {{kib}} only if data exists that matches the query specified in the [manifest file](https://github.com/elastic/integrations/blob/main/packages/apache/kibana/ml_module/apache-Logs-ml.json#L11).
| Name | Description | Job (JSON) | Datafeed |
| --- | --- | --- | --- |
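Review bot: The manifest file link in the changed line ends in `#L11` on a `blob/main` URL and points to the same `apache-Logs-ml.json` file as the GitHub link earlier in the sentence. A line anchor on a moving branch drifts as soon as that file is edited, so readers can land on the wrong line; suggest a commit permalink, or drop the anchor and say in the text where the query sits in the file.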
diff --git a/reference/machine-learning/ootb-ml-jobs-logs-ui.md b/reference/machine-learning/ootb-ml-jobs-logs-ui.md
index c8106ab71f..e4c13d72ea 100644
--- a/reference/machine-learning/ootb-ml-jobs-logs-ui.md
+++ b/reference/machine-learning/ootb-ml-jobs-logs-ui.md
@@ -12,7 +12,7 @@ These {{anomaly-jobs}} appear by default in the [{{logs-app}}](/solutions/observ
## Log analysis [logs-ui-analysis]
-Detect anomalies in log entries via the Logs UI.
+Detect anomalies in log entries through the Logs UI.
| Name | Description | Job (JSON) | Datafeed |
| --- | --- | --- | --- |
diff --git a/reference/machine-learning/ootb-ml-jobs-siem.md b/reference/machine-learning/ootb-ml-jobs-siem.md
index 0d96ad1fbf..912c4e6d52 100644
--- a/reference/machine-learning/ootb-ml-jobs-siem.md
+++ b/reference/machine-learning/ootb-ml-jobs-siem.md
@@ -31,8 +31,8 @@ By default, when you create these job in the {{security-app}}, it uses a {{data-
| auth_high_count_logon_events | Looks for an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration, or brute force activity. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events.json) | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat/), [Windows](https://www.elastic.co/docs/reference/integrations/windows) | windows |
| auth_high_count_logon_events_for_a_source_ip | Looks for an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_events_for_a_source_ip.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_events_for_a_source_ip.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat), [Windows](https://www.elastic.co/docs/reference/integrations/windows) | windows |
| auth_high_count_logon_fails | Looks for an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration, or brute force activity and may be a precursor to account takeover or credentialed access. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_high_count_logon_fails.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_high_count_logon_fails.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager) | windows, linux |
-| auth_rare_hour_for_a_user | Looks for a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager) | windows, linux |
-| auth_rare_source_ip_for_a_user | Looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager) | windows, linux |
+| auth_rare_hour_for_a_user | Looks for a user logging in at a time of day that is unusual for the user. This can be due to credentialed access through a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_hour_for_a_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_hour_for_a_user.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager) | windows, linux |
+| auth_rare_source_ip_for_a_user | Looks for a user logging in from an IP address that is unusual for the user. This can be due to credentialed access through a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_source_ip_for_a_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_source_ip_for_a_user.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager) | windows, linux |
| auth_rare_user | Looks for an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. A user account that is normally inactive, because the user has left the organization, which becomes active, may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/auth_rare_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_auth_rare_user.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager) | windows, linux |
| suspicious_login_activity | Detect unusually high number of authentication attempts. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager) | windows, linux |
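Review bot: The `auth_high_count_logon_events_for_a_source_ip` row in this hunk still reads "password spraying, user enumeration or brute force activity" without the serial comma, while the rows directly above and below it use "user enumeration, or brute force activity" and this patch adds the serial comma elsewhere ("mean, min, and max"). Worth fixing in the same pass. The Winlogbeat link also has a trailing slash in the first row only.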
@@ -83,7 +83,7 @@ In the {{ml-app}} app, these configurations are available only when data exists
| v3_linux_rare_metadata_process | Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_process.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_process.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
| v3_linux_rare_metadata_user | Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_metadata_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_metadata_user.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
| v3_linux_rare_sudo_user | Looks for sudo activity from an unusual user context. Unusual user context changes can be due to privilege escalation. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_sudo_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/securiity_linux/ml/datafeed_v3_linux_rare_sudo_user.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
-| v3_linux_rare_user_compiler | Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
+| v3_linux_rare_user_compiler | Looks for compiler activity by a user context which does not normally run compilers. This can be ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation through locally run exploits or malware activity. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_rare_user_compiler.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_rare_user_compiler.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
| v3_linux_system_information_discovery | Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery to gather detailed information about system configuration and software versions. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_information_discovery.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_information_discovery.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
| v3_linux_system_process_discovery | Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system process discovery to increase their understanding of software applications running on a target host or network. This may be a precursor to the selection of a persistence mechanism or a method of privilege elevation. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_process_discovery.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_process_discovery.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
| v3_linux_system_user_discovery | Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping, or privilege elevation activity. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/v3_linux_system_user_discovery.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_linux/ml/datafeed_v3_linux_system_user_discovery.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | linux |
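Review bot: The datafeed link in the `v3_linux_rare_sudo_user` row of this hunk has a misspelled path segment, `modules/securiity_linux/ml/datafeed_v3_linux_rare_sudo_user.json`, while every other row uses `security_linux`. That link is very likely broken; since the patch already touches this table, correct the segment to `security_linux` here.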
@@ -143,7 +143,7 @@ If there are additional requirements such as installing the Windows System Monit
| v3_windows_rare_metadata_user | Looks for anomalous access to the metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_metadata_user.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_metadata_user.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Windows](https://www.elastic.co/docs/reference/integrations/windows), [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat) |windows |
| v3_windows_rare_user_runas_event | Unusual user context switches can be due to privilege escalation. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_runas_event.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_runas_event.json)| [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Windows](https://www.elastic.co/docs/reference/integrations/windows), [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat) |windows |
| v3_windows_rare_user_type10_remote_login | Unusual RDP (remote desktop protocol) user logins can indicate account takeover or credentialed access. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_user_type10_remote_login.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_user_type10_remote_login.json)| [Windows](https://www.elastic.co/docs/reference/integrations/windows), [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat) |windows |
-| v3_windows_rare_script | Looks for rare powershell scripts that may indicate execution of malware, or persistence mechanisms via hash. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script.json)| [Windows](https://www.elastic.co/docs/reference/integrations/windows), [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat) |windows |
+| v3_windows_rare_script | Looks for rare powershell scripts that may indicate execution of malware, or persistence mechanisms using hash. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/v3_windows_rare_script.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_windows/ml/datafeed_v3_windows_rare_script.json)| [Windows](https://www.elastic.co/docs/reference/integrations/windows), [Winlogbeat](https://www.elastic.co/docs/reference/beats/winlogbeat) |windows |
## Security: Elastic Integrations [security-integrations-jobs]
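Review bot: In the `v3_windows_rare_script` row, replacing "via hash" with "using hash" leaves the modifier dangling: "persistence mechanisms using hash" reads as if the persistence mechanisms use a hash. If the intent is that scripts are judged rare by their hash, please confirm and say so directly next to "scripts"; otherwise reword to state what the hash refers to. "powershell" should also be capitalized as "PowerShell".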
@@ -200,7 +200,7 @@ To download, refer to the [documentation](integration-docs://reference/ded/index
| ded_high_sent_bytes_destination_region_name | Detects data exfiltration to an unusual geo-location (by region name). | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Network Packet Capture](https://www.elastic.co/docs/reference/integrations/network_traffic), [Packetbeat](https://www.elastic.co/docs/reference/beats/packetbeat) | windows, linux |
| ded_high_bytes_written_to_external_device | Detects data exfiltration activity by identifying high bytes written to an external device. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint)| windows |
| ded_rare_process_writing_to_external_device | Detects data exfiltration activity by identifying a file write started by a rare process to an external device. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | windows |
-| ded_high_bytes_written_to_external_device_airdrop | Detects data exfiltration activity by identifying high bytes written to an external device via Airdrop. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | macOS |
+| ded_high_bytes_written_to_external_device_airdrop | Detects data exfiltration activity by identifying high bytes written to an external device using Airdrop. | [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint) | macOS |
The job configurations and datafeeds can be found [here](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json).
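Review bot: The changed `ded_high_bytes_written_to_external_device_airdrop` description still spells the feature "Airdrop"; Apple's name for it is "AirDrop", so fix the capitalization in the same edit. The "via" to "using" swap itself is fine here.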
diff --git a/reference/observability/fields-and-object-schemas.md b/reference/observability/fields-and-object-schemas.md
index 1eeeba21ce..8b8457e563 100644
--- a/reference/observability/fields-and-object-schemas.md
+++ b/reference/observability/fields-and-object-schemas.md
@@ -24,7 +24,7 @@ This reference covers {{infrastructure-app}} fields.
## Infrastructure app fields [metrics-app-fields]
-This section lists the required fields the {{infrastructure-app}} uses to display data. Note that some of the fields listed are not [ECS fields](ecs://reference/index.md#_what_is_ecs).
+This section lists the required fields the {{infrastructure-app}} uses to display data. Some of the fields listed are not [ECS fields](ecs://reference/index.md#_what_is_ecs).
### Additional field details [_additional_field_details]
diff --git a/reference/observability/observability-host-metrics.md b/reference/observability/observability-host-metrics.md
index 374ee22621..d6e7abc436 100644
--- a/reference/observability/observability-host-metrics.md
+++ b/reference/observability/observability-host-metrics.md
@@ -93,9 +93,9 @@ Refer to the following sections for host metrics and field calculation formulas
### Legacy metrics [legacy-metrics]
-Over time, we may change the formula used to calculate a specific metric. To avoid affecting your existing rules, instead of changing the actual metric definition, we create a new metric and refer to the old one as "legacy."
+Over time, we may change the formula used to calculate a specific metric. To avoid affecting your existing rules, instead of changing the actual metric definition, we create a new metric and refer to the old one as "legacy".
-The UI and any new rules you create will use the new metric definition. However, any alerts that use the old definition will refer to the metric as "legacy."
+The UI and any new rules you create will use the new metric definition. However, any alerts that use the old definition will refer to the metric as "legacy".
| Metric | Description |
| --- | --- |
diff --git a/reference/security/fields-and-object-schemas/index.md b/reference/security/fields-and-object-schemas/index.md
index fc658c7315..dbdf846d92 100644
--- a/reference/security/fields-and-object-schemas/index.md
+++ b/reference/security/fields-and-object-schemas/index.md
@@ -14,7 +14,7 @@ products:
This reference section provides details on the fields {{elastic-sec}} uses to display data in the UI and {{elastic-sec}} JSON object schemas:
-* [ECS fields required and/or used to analyze and display data](/reference/security/fields-and-object-schemas/siem-field-reference.md)
+* [ECS fields required or used to analyze and display data](/reference/security/fields-and-object-schemas/siem-field-reference.md)
* [Timeline object schema](/reference/security/fields-and-object-schemas/timeline-object-schema.md)
* [Alert schema](/reference/security/fields-and-object-schemas/alert-schema.md)
diff --git a/release-notes/elastic-cloud-serverless/index.md b/release-notes/elastic-cloud-serverless/index.md
index 37c98fe200..9cb6ee9772 100644
--- a/release-notes/elastic-cloud-serverless/index.md
+++ b/release-notes/elastic-cloud-serverless/index.md
@@ -143,7 +143,7 @@ Review the changes, fixes, and more to {{serverless-full}}.
* Uses `runWithCache` for bulk {{fleet}} operations [#238326]({{kib-pull}}238326)
* Fixes error when Observability AI Assistant was disabled [#238811]({{kib-pull}}238811)
* Removes unecessary `_source` field from queries [#239205]({{kib-pull}}239205)
-* Makes the rule condition chart parser replace metric names inside filter values (e.g., A in "Accounts") [#238849]({{kib-pull}}238849)
+* Makes the rule condition chart parser replace metric names inside filter values (for example, A in "Accounts") [#238849]({{kib-pull}}238849)
* Fixes recover alert while monitor is down [#237479]({{kib-pull}}237479)
* Fixes layout of SLO management page combo box filter [#239418]({{kib-pull}}239418)
* Adds missing aria-label to BetaBadge component [#239400]({{kib-pull}}239400)
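Review bot: The bullet directly above the changed line still reads "Removes unecessary `_source` field from queries"; since this pass is a wording cleanup of the same list, correct "unecessary" to "unnecessary" here too. The "e.g.," to "for example," change is fine.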
@@ -277,9 +277,9 @@ Review the changes, fixes, and more to {{serverless-full}}.
* Fixes integrations RAG [#234211]({{kib-pull}}234211)
* Ensures the data view picker icon is always vertically centered [#236379]({{kib-pull}}236379)
* Fixes browser fields cache [#234381]({{kib-pull}}234381)
-* Fixes the URL passed to detection rule actions via the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067)
+* Fixes the URL passed to detection rule actions using the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067)
* Refactors `nav_control_popover` [#235780]({{kib-pull}}235780)
-* Allows `xpack.spaces.defaultSolution` to be configured via docker [#236570]({{kib-pull}}236570)
+* Allows `xpack.spaces.defaultSolution` to be configured using docker [#236570]({{kib-pull}}236570)
* Fixes the Job details fly-out on the Analytics Map page [#236131]({{kib-pull}}236131)
* Limits `msearch` usage for log rate analysis [#235611]({{kib-pull}}235611)
* Fixes display of alerts from anomaly detection rules in [#236289]({{kib-pull}}236289)
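Review bot: On the `xpack.spaces.defaultSolution` bullet, "configured using docker" should capitalize the product name as "Docker". Also, the last context bullet in this hunk, "Fixes display of alerts from anomaly detection rules in [#236289]", ends on a dangling "in" with no object; worth completing or trimming while this section is open.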
@@ -590,7 +590,7 @@ Review the changes, fixes, and more to {{serverless-full}}.
* Displays function license availability in Discover inline docs [#229961]({{kib-pull}}229961)
* Fixes incorrect filtering logic when removing a comment field in Discover [#230116]({{kib-pull}}230116)
* Modifies title generation to be scope-aware in Elastic Observability Serverless [#227434]({{kib-pull}}227434)
-* Prevents destructive actions via the Elasticsearch tool in Elastic Observability Serverless [#229497]({{kib-pull}}229497)
+* Prevents destructive actions using the Elasticsearch tool in Elastic Observability Serverless [#229497]({{kib-pull}}229497)
* Replaces `EuiErrorBoundary` with `KibanaErrorBoundary` in Elastic Observability Serverless [#229710]({{kib-pull}}229710)
* Fixes keyboard accessibility for the Waterfall flyout in Elastic Observability Serverless [#229926]({{kib-pull}}229926)
* Allows knowledge base UI to work offline in Elastic Observability Serverless [#229874]({{kib-pull}}229874)
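Review bot: "Prevents destructive actions using the Elasticsearch tool" is ambiguous after this change: it can be read as the Elasticsearch tool being the means of prevention, where the original said that destructive actions issued via the tool are blocked. Since this bullet describes a safety control, keep the direction explicit, for example "Prevents destructive actions through the Elasticsearch tool" or "Prevents the Elasticsearch tool from performing destructive actions".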
@@ -925,7 +925,7 @@ Review the changes, fixes, and more to {{serverless-full}}.
* Updates time based charts to use the multi-layer time axis by default, providing a better time window context and improved label positioning. [#210579]({{kib-pull}}210579).
* Adds an integration flyout to Agent policy details in {{fleet}} [#220229]({{kib-pull}}220229).
* Enables the `enableSyncIntegrationsOnRemote` feature flag in {{fleet}} [#220215]({{kib-pull}}220215).
-* Enables migration of a single agent to another cluster via the actions menu in {{fleet}}. [#222111]({{kib-pull}}222111).
+* Enables migration of a single agent to another cluster using the actions menu in {{fleet}}. [#222111]({{kib-pull}}222111).
* Adds a button allowing users to skip to the next section in the fields list in **Discover** [#221792]({{kib-pull}}221792).
* Adds the **SLO Management** page to {{obs-serverless}}, allowing users to view definitions, delete SLOs, and purge SLI data without having to consider instances [#222238]({{kib-pull}}222238).
* Adds a new APM dashboard for the Golang OpenTelemetry runtime metrics in {{obs-serverless}} [#220242]({{kib-pull}}220242).
@@ -1040,7 +1040,7 @@ Review the changes, fixes, and more to {{serverless-full}}.
* Allows specifying an embedding model during onboarding for the Elastic Observability Serverless Knowledge Base [#218448]({{kib-pull}}218448)
* Enables click actions for **Stacktrace** and **Degraded Fields** in **Discover** for Elastic Observability Serverless [#214413]({{kib-pull}}214413)
* Shows **ELSER** in **EIS** only when available in Elastic Observability Serverless [#220096]({{kib-pull}}220096)
-* Adds the ability to create alert rules from **ES|QL** dashboard visualizations via context menu or right-clicking a data point [#217719]({{kib-pull}}217719)
+* Adds the ability to create alert rules from **ES|QL** dashboard visualizations through context menu or right-clicking a data point [#217719]({{kib-pull}}217719)
* Enables the `enableAutomaticAgentUpgrades` feature flag for Fleet [#219932]({{kib-pull}}219932)
* Adds Cloud Connectors support to Fleet for **CSPM** [#212200]({{kib-pull}}212200)
* Ensures alerts created within **Maintenance Windows** trigger actions after the window expires [#219797]({{kib-pull}}219797)
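Review bot: The replacement "through context menu or right-clicking a data point" drops the article and leaves "through ... right-clicking" non-parallel. Suggest "from the context menu or by right-clicking a data point".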
@@ -1369,7 +1369,7 @@ Review the changes, fixes, and more to {{serverless-full}}.
* Adds context-aware logic to Logs view in Discover [#211176]({{kib-pull}}211176)
* Replaces the Alerts status filter with filter controls [#198495]({{kib-pull}}198495)
* Adds SSL fields to agent binary source settings [#213211]({{kib-pull}}213211)
-* Allows users to create a snooze schedule for rules via API [#210584]({{kib-pull}}210584)
+* Allows users to create a snooze schedule for rules using API [#210584]({{kib-pull}}210584)
* Splits up the top dependencies API for improved speed and response size [#211441]({{kib-pull}}211441)
* Adds working default metrics dashboard for Python OTel [#213599]({{kib-pull}}213599)
* Includes spaceID in SLI documents [#214278]({{kib-pull}}214278)
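Review bot: "create a snooze schedule for rules using API" is missing an article after the substitution. Suggest "using the API".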
diff --git a/release-notes/elastic-observability/index.md b/release-notes/elastic-observability/index.md
index 3934cb2fa0..ee4763adbc 100644
--- a/release-notes/elastic-observability/index.md
+++ b/release-notes/elastic-observability/index.md
@@ -74,7 +74,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
* Disables add-to-case functionality when all selected alerts are already added to a case [#231877]({{kib-pull}}231877).
* Allows users to paste screenshots into markdown comment fields for cases [#226077]({{kib-pull}}226077).
* Extracts case observables automatically when attaching alerts to a case [#233027]({{kib-pull}}233027).
-* Allows attaching any event to a case, not just alert events [#230970]({{kib-pull}}230970).
+* Allows attaching any event to a case, not only alert events [#230970]({{kib-pull}}230970).
* Adds `opamp_polling_interval` and `sampling_rate` to central config for EDOT application agents [#231835]({{kib-pull}}231835).
* Adds `kibana.alert.grouping` field to Synthetics monitor status rule [#230513]({{kib-pull}}230513).
* Adds a public endpoint for manually testing synthetic monitors [#227760]({{kib-pull}}227760).
diff --git a/release-notes/elastic-observability/known-issues.md b/release-notes/elastic-observability/known-issues.md
index b412488683..6789a7e26e 100644
--- a/release-notes/elastic-observability/known-issues.md
+++ b/release-notes/elastic-observability/known-issues.md
@@ -91,7 +91,7 @@ The migration script does not handle this scenario and will indefinitely update
Because the document update involves semantic_text an ML node is kept warm further increasing the costs.
-The issue involves semantic_text field type (and thus the semantic_text migration which is causing this issue), introduced in the knowledge base feature in 8.17.
+The issue involves semantic_text field type (and the semantic_text migration which is causing this issue), introduced in the knowledge base feature in 8.17.
**Workaround**
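Review bot: Dropping "thus" from the parenthetical changes what the sentence says: the original stated that the migration is involved because the `semantic_text` field type is, and the new "(and the semantic_text migration ...)" lists them as two independent items. If the causal link is intended, keep it with a plain alternative such as "and therefore". The field name `semantic_text` would also read better in backticks, on this line and on the context line above it.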
diff --git a/release-notes/elastic-security/index.md b/release-notes/elastic-security/index.md
index 5c144365ee..3306a13902 100644
--- a/release-notes/elastic-security/index.md
+++ b/release-notes/elastic-security/index.md
@@ -94,7 +94,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
* Adds architecture of PE file in Windows malware alerts to {{elastic-defend}}.
* Adds the `Endpoint.state.orphaned` indicator to {{elastic-defend}} policy response.
* Adds {{elastic-defend}} support for cluster migration.
-* Adds firewall anti-tamper plug-in to protect {{elastic-endpoint}} processes against network blocking via Windows Firewall.
+* Adds firewall anti-tamper plug-in to protect {{elastic-endpoint}} processes against network blocking through Windows Firewall.
* Includes `origin_url`, `origin_referrer_url`, and `Ext.windows.zone_identifier` fields to {{elastic-defend}} by default to Windows image load and process events, if the information can be retrieved.
* Improves {{elastic-defend}} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-Ldap-Client) to create new event types that prebuilt endpoint rules can use to detect malicious LDAP activity.
* Improves reporting reliability and accuracy of {{elastic-defend}}'s {{es}} connection.
@@ -124,7 +124,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
* Simplifies the Cloud Security Posture Misconfigurations data view by removing redundancy in the index pattern definition [#227995]({{kib-pull}}227995).
* Fixes an issue causing "missing authentication credentials" warnings in `TelemetryConfigWatcher` and `PolicyWatcher`, reducing unnecessary warning log entries in the `securitySolution` plugin.
* Fixes an {{elastic-defend}} issue on Linux by preventing unnecessary locking within Malware Protections to avoid invalid watchdog firings.
-* Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on very busy Windows systems.
+* Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on busy Windows systems.
* Adds support in {{elastic-defend}} for installing eBPF event probes on Linux endpoints when cgroup2 is mounted in a non-standard location or not mounted at all.
* Adds support in {{elastic-defend}} for installing eBPF probes on Linux endpoints when taskstats is compiled out of the kernel.
* Fixes an issue in {{elastic-defend}} where Linux network events could have source and destination bytes swapped.
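Review bot: Changing "very busy Windows systems" to "busy Windows systems" widens the stated condition under which the {{elastic-defend}} user-mode process crashes were seen. In a fix description the qualifier is part of the scope, not filler, so please confirm with the owning team before removing it, or replace it with something measurable such as "under high load". The same edit is repeated in the 9.1.x fixes list further down this file.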
@@ -156,7 +156,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
* Fixes multiple issues searching installed rules by allowing partial matches on rule name and improving special character support [#237496]({{kib-pull}}237496).
* Fixes an issue where rule exception operators could not be cleared when editing a rule exception [#236051]({{kib-pull}}236051).
* Fixes an {{elastic-defend}} issue on Linux by preventing unnecessary locking within malware protection to avoid invalid watchdog firings.
-* Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on very busy Windows systems.
+* Fixes issues that could sometimes cause crashes of the {{elastic-defend}} user-mode process on busy Windows systems.
* Fixes multiple {{elastic-defend}} issues in malware protection for Linux where a deadlock could sometimes occur when containers and autofs were both active.
* Fixes CVE-2025-37735 ([ESA-2025-23](https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa-2025-23/383272)) in {{elastic-defend}} on Windows which could allow a low-privilege attacker to delete arbitrary files on the system and potentially escalate privileges to SYSTEM. Windows 11 24H2 includes changes which make this issue harder to exploit.
* Fixes an {{elastic-defend}} bug in Linux event collection where some long-running processes were not enriched.
@@ -184,7 +184,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
### Fixes [elastic-security-9.1.5-fixes]
* Fixes browser fields caching to use the `dataView` ID instead of the index pattern [#234381]({{kib-pull}}234381).
* Removes `null` in confirmation dialog when bulk editing index patterns for rules [#236572]({{kib-pull}}236572).
-* Fixes the URL passed to detection rule actions via the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067).
+* Fixes the URL passed to detection rule actions using the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067).
* Fixes system prompt updates from the Conversations tab in AI Assistant [#234812]({{kib-pull}}234812).
* Fixes an issue in the Highlighted fields table in the alert details flyout [#234222]({{kib-pull}}234222).
* Fixes an issue in rule exceptions to include the `matches` operator only for supported fields [#233127]({{kib-pull}}233127).
@@ -276,7 +276,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
* Updates the asset criticality status color map to match the new design [#222024]({{kib-pull}}222024).
* Updates the highlighted fields button styling in the alert details flyout [#221862]({{kib-pull}}221862).
* Adds support for content connectors in {{elastic-sec}} and {{observability}} [#221856]({{kib-pull}}221856).
-* Expands CVE ID search to all search parameters, not just names [#221099]({{kib-pull}}221099).
+* Expands CVE ID search to all search parameters, not only names [#221099]({{kib-pull}}221099).
* Improves alert searching and filtering by including additional ECS data stream fields [#220447]({{kib-pull}}220447).
* Updates default model IDs for Amazon Bedrock and OpenAI connectors [#220146]({{kib-pull}}220146).
* Adds support for PKI (certificate-based) authentication for the OpenAI **Other** connector providers [#219984]({{kib-pull}}219984).
@@ -345,7 +345,7 @@ To check for security updates, go to [Security announcements for the Elastic sta
### Fixes [elastic-security-9.0.8-fixes]
* Removes `null` in confirmation dialog when bulk editing index patterns for rules [#236572]({{kib-pull}}236572).
-* Fixes the URL passed to detection rule actions via the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067).
+* Fixes the URL passed to detection rule actions using the `{{context.results_link}}` placeholder [#236067]({{kib-pull}}236067).
* Adds support in {{elastic-defend}} for installing eBPF probes on Linux endpoints when taskstats is compiled out of the kernel.
* Fixes an issue in {{elastic-defend}} where Linux network events could have source and destination bytes swapped.
* Removes `.process.thread.capabilities.permitted` and `.process.thread.capabilities.effective` from Linux network events in {{elastic-defend}}.
diff --git a/release-notes/elastic-security/known-issues.md b/release-notes/elastic-security/known-issues.md
index b18636b847..36bdb09cad 100644
--- a/release-notes/elastic-security/known-issues.md
+++ b/release-notes/elastic-security/known-issues.md
@@ -274,7 +274,7 @@ Resolved in {{elastic-defend}} 9.0.1
Applies to: {{elastic-defend}} 9.0.0
-An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0
+An unbounded kernel non-paged memory growth issue in {{elastic-defend}}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on busy Windows Server systems running {{elastic-defend}} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0
**Workaround**
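Review bot: On the changed line, "busy Windows Server systems" now sits in the same paragraph as "extremely high event load situations", so the affected population reads as broader than the trigger condition described one sentence earlier. For a known-issue entry that admins use to decide whether they are exposed, keep the qualifier or restate it in terms of event load. The sentence also ends at "and 9.0.0" without a closing period.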
@@ -283,7 +283,7 @@ If you can't upgrade, turn off the relevant event source at the kernel level usi
* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`.
* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`.
-Note that clearing the corresponding checkbox under [event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection) is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features.
+Clearing the corresponding checkbox under [event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection) is insufficient, as {{elastic-defend}} may still process these event sources internally to support other features.
**Resolved**
diff --git a/release-notes/intro/index.md b/release-notes/intro/index.md
index a43870d301..8eda057d67 100644
--- a/release-notes/intro/index.md
+++ b/release-notes/intro/index.md
@@ -16,7 +16,7 @@ Release notes cover all the latest Elastic product changes, including the follow
* {{stack}} {{version.stack.base}} and later, including the most recent {{version.stack}} release
* {{serverless-full}}, including updates to {{es}}, and {{observability}} and {{elastic-sec}} solutions
-## What's new in the latest Elastic release?
+## What's new in the latest Elastic release
Elastic Stack {{version.stack}} includes new features, enhancements, and critical fixes across {{es}}, {{observability}}, {{elastic-sec}}, {{kib}}, and more. To view detailed release notes, select a product.