Merged
Expand Up @@ -37,12 +37,12 @@ The non-ECS fields listed below are beta and subject to change.
| [`client.*`](ecs://reference/ecs-client.md) | ECS `client.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`cloud.*`](ecs://reference/ecs-cloud.md) | ECS `cloud.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`container.*`](ecs://reference/ecs-container.md) | ECS `container.* fields` copied from the source document, if present, for custom query and indicator match rules. |
| [`data_stream.*`](ecs://reference/ecs-data_stream.md) | ECS `data_stream.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>NOTE: These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords. |
| [`data_stream.*`](ecs://reference/ecs-data_stream.md) | ECS `data_stream.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>**Note:** These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords. |
| [`destination.*`](ecs://reference/ecs-destination.md) | ECS `destination.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`dll.*`](ecs://reference/ecs-dll.md) | ECS `dll.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`dns.*`](ecs://reference/ecs-dns.md) | ECS `dns.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`error.*`](ecs://reference/ecs-error.md) | ECS `error.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`event.*`](ecs://reference/ecs-event.md) | ECS `event.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>NOTE: categorization fields above (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above. |
| [`event.*`](ecs://reference/ecs-event.md) | ECS `event.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>**Note:** categorization fields above (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above. |
| [`file.*`](ecs://reference/ecs-file.md) | ECS `file.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`group.*`](ecs://reference/ecs-group.md) | ECS `group.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`host.*`](ecs://reference/ecs-host.md) | ECS `host.*` fields copied from the source document, if present, for custom query and indicator match rules. |
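Review bot: Two wording defects in this hunk's context rows are worth fixing while the table is being edited. The `event.*` row (old and new line alike) reads "categorization fields above (...) are listed separately above", repeating "above"; suggest `categorization fields (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above`. The `container.*` row puts the backticks around `container.* fields`, unlike every other row, which formats the pattern as ``container.*` fields`.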
Expand All @@ -56,7 +56,7 @@ The non-ECS fields listed below are beta and subject to change.
| [`process.*`](ecs://reference/ecs-process.md) | ECS `process.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`registry.*`](ecs://reference/ecs-registry.md) | ECS `registry.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`related.*`](ecs://reference/ecs-related.md) | ECS `related.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`rule.*`](ecs://reference/ecs-rule.md) | ECS `rule.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>NOTE: These fields are not related to the detection rule that generated the alert. |
| [`rule.*`](ecs://reference/ecs-rule.md) | ECS `rule.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>**Note:** These fields are not related to the detection rule that generated the alert. |
| [`server.*`](ecs://reference/ecs-server.md) | ECS `server.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`service.*`](ecs://reference/ecs-service.md) | ECS `service.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`source.*`](ecs://reference/ecs-source.md) | ECS `source.*` fields copied from the source document, if present, for custom query and indicator match rules. |
Expand Down Expand Up @@ -136,7 +136,7 @@ The non-ECS fields listed below are beta and subject to change.
| `kibana.alert.suppression.start` | The timestamp of the first document in the suppression group.<br>Type: date |
| `kibana.alert.suppression.end` | The timestamp of the last document in the suppression group.<br>Type: date |
| `kibana.alert.suppression.docs_count` | The number of suppressed alerts.<br>Type: long |
| `kibana.alert.url` | The shareable URL for the alert.<br>NOTE: This field appears only if you’ve set the [`server.publicBaseUrl`](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) configuration setting in the `kibana.yml` file.<br>Type: long |
| `kibana.alert.url` | The shareable URL for the alert.<br>**Note:** This field appears only if you’ve set the [`server.publicBaseUrl`](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) configuration setting in the `kibana.yml` file.<br>Type: long |
| `kibana.alert.workflow_tags` | List of tags added to an alert.<br><br>This field can contain an array of values, for example: `["False Positive", "production"]`<br><br>Type: keyword<br> |
| `kibana.alert.workflow_assignee_ids` | List of users assigned to an alert.<br><br>An array of unique identifiers (UIDs) for user profiles, for example: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]`<br><br>UIDs are linked to user profiles that are automatically created when users first log into a deployment. These profiles contain names, emails, profile avatars, and other user settings.<br><br>Type: string[]<br> |
| `kibana.alert.intended_timestamp` | Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run:<br><br>- **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created.<br>- **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range.<br><br>Type: date<br> |
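Review bot: The `kibana.alert.url` row (old and new line alike) declares `Type: long` for a field described as a shareable URL, while the other text-valued fields in this table are `Type: keyword` (see `kibana.alert.workflow_tags`); please verify the declared type against the alert index mapping before merging the reworded row. In the `kibana.alert.workflow_assignee_ids` context row, the example `["u_1-..., u_2-..."]` is a one-element array holding a single comma-separated string rather than two UIDs; each UID should be quoted separately.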
Expand Up @@ -42,22 +42,22 @@ This screenshot maps the Timeline UI components to their JSON objects:
| `createdBy` | String | The user who created the Timeline. |
| $$$timeline-object-dropzone$$$`dataProviders` | [dataProviders[]](#dataProvider-obj) | Object containing dropzone queryclauses. |
| $$$timeline-object-dataViewId$$$`dataViewId` | String | ID of the Timeline’s Data View, for example: `"dataViewId":"security-solution-default"`. |
| $$$timeline-object-daterange$$$`dateRange` | dateRange | The Timeline’s search period:<br><br>* `end`: The time up to which events are searched, using a 13-digit Epoch timestamp.<br>* `start`: The time from which events are searched, using a 13-digit Epoch timestamp.<br> |
| $$$timeline-object-daterange$$$`dateRange` | dateRange | The Timeline’s search period:<br><br>- `end`: The time up to which events are searched, using a 13-digit Epoch timestamp.<br>- `start`: The time from which events are searched, using a 13-digit Epoch timestamp.<br> |
| `description` | String | The Timeline’s description. |
| $$$timeline-object-event-notes$$$`eventNotes` | [eventNotes[]](#eventNotes-obj) | Notes added to specific events in the Timeline. |
| `eventType` | String | Event types displayed in the Timeline, which can be:<br><br>* `All data sources`<br>* `Events`: Event sources only<br>* `Detection Alerts`: Detection alerts only<br> |
| `eventType` | String | Event types displayed in the Timeline, which can be:<br><br>- `All data sources`<br>- `Events`: Event sources only<br>- `Detection Alerts`: Detection alerts only<br> |
| `favorite` | [favorite[]](#favorite-obj) | Indicates when and who marked aTimeline as a favorite. |
| $$$timeline-object-filters$$$`filters` | [filters[]](#filters-obj) | Filters usedin addition to the dropzone query. |
| $$$timeline-object-global-notes$$$`globalNotes` | [globalNotes[]](#globalNotes-obj) | Global notes added to the Timeline. |
| $$$timeline-object-kqlmode$$$`kqlMode` | String | Indicates whether the KQL bar filters the dropzone query results or searches for additional results, where:<br><br>* `filter`: filters dropzone query results<br>* `search`: displays additional search results<br> |
| $$$timeline-object-kqlmode$$$`kqlMode` | String | Indicates whether the KQL bar filters the dropzone query results or searches for additional results, where:<br><br>- `filter`: filters dropzone query results<br>- `search`: displays additional search results<br> |
| $$$timeline-object-kqlquery$$$`kqlQuery` | [kqlQuery](#kqlQuery-obj) | KQL barquery. |
| `pinnedEventIds` | pinnedEventIds[] | IDs of events pinned to the Timeline’ssearch results. |
| `savedObjectId` | String | The Timeline’s saved object ID. |
| `savedQueryId` | String | If used, the saved query ID used to filter or searchdropzone query results. |
| `sort` | sort | Object indicating how rows are sorted in the Timeline’s grid:<br><br>* `columnId` (string): The ID of the column used to sort results.<br>* `sortDirection` (string): The sort direction, which can be either `desc` or `asc`.<br> |
| `sort` | sort | Object indicating how rows are sorted in the Timeline’s grid:<br><br>- `columnId` (string): The ID of the column used to sort results.<br>- `sortDirection` (string): The sort direction, which can be either `desc` or `asc`.<br> |
| `templateTimelineId` | String | A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.<br> |
| `templateTimelineVersion` | Integer | Timeline template version number. ForTimelines, the value is `null`. |
| $$$timeline-object-typeField$$$`timelineType` | String | Indicates whether the Timeline is a template or not, where:<br><br>* `default`: Indicates a Timeline used to actively investigate events.<br>* `template`: Indicates a Timeline template used when detection rule alerts are investigated in Timeline.<br> |
| $$$timeline-object-typeField$$$`timelineType` | String | Indicates whether the Timeline is a template or not, where:<br><br>- `default`: Indicates a Timeline used to actively investigate events.<br>- `template`: Indicates a Timeline template used when detection rule alerts are investigated in Timeline.<br> |
| $$$timeline-object-title$$$`title` | String | The Timeline’s title. |
| `updated` | Float | The last time the Timeline was updated, using a13-digit Epoch timestamp. |
| `updatedBy` | String | The user who last updated the Timeline. |
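Review bot: Since this hunk only swaps `*` bullets for `-`, the missing spaces in the surrounding context rows as rendered here (`queryclauses`, `aTimeline`, `usedin`, `barquery`, `Timeline’ssearch`, `searchdropzone`, `ForTimelines`, `a13-digit`) would be cheap to fix in the same change; they sit in the same table.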
Expand Down Expand Up @@ -86,7 +86,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
| `excluded` | Boolean | Indicates if the dropzone query clause uses `NOT` logic. |
| `id` | String | The dropzone query clause’s unique ID. |
| `name` | String | The dropzone query clause’s name (the clause’s valuewhen Timelines are exported from the UI). |
| `queryMatch` | queryMatch | The dropzone query clause:<br><br>* `field` (string): The field used to search Security indices.<br>* `operator` (string): The clause’s operator, which can be:<br><br> * `:` - The `field` has the specified `value`.<br> * `:*` - The field exists.<br><br>* `value` (string): The field’s value used to match results.<br> |
| `queryMatch` | queryMatch | The dropzone query clause:<br><br>- `field` (string): The field used to search Security indices.<br>- `operator` (string): The clause’s operator, which can be:<br><br> - `:` - The `field` has the specified `value`.<br> - `:*` - The field exists.<br><br>- `value` (string): The field’s value used to match results.<br> |


## eventNotes object [eventNotes-obj]
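Review bot: In the changed `queryMatch` row the nested operator items (`:` and `:*`) are indented by a single space after `<br>`, which Markdown does not treat as a sub-list; suggest checking the rendered cell. The `name` row above it also has `valuewhen` missing a space.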
Expand Down Expand Up @@ -119,7 +119,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
| Name | Type | Description |
| --- | --- | --- |
| `exists` | String | [Exists term query](elasticsearch://reference/query-languages/query-dsl/query-dsl-exists-query.md) for thespecified field (`null` when undefined). For example, `{"field":"user.name"}`. |
| `meta` | meta | Filter details:<br><br>* `alias` (string): UI filter name.<br>* `disabled` (boolean): Indicates if the filter is disabled.<br>* `key`(string): Field name or unique string ID.<br>* `negate` (boolean): Indicates if the filter query clause uses `NOT` logic.<br>* `params` (string): Value of `phrase` filter types.<br>* `type` (string): Type of filter. For example, `exists` and `range`. For more information about filtering, see [Query DSL](elasticsearch://reference/query-languages/querydsl.md).<br> |
| `meta` | meta | Filter details:<br><br>- `alias` (string): UI filter name.<br>- `disabled` (boolean): Indicates if the filter is disabled.<br>- `key`(string): Field name or unique string ID.<br>- `negate` (boolean): Indicates if the filter query clause uses `NOT` logic.<br>- `params` (string): Value of `phrase` filter types.<br>- `type` (string): Type of filter. For example, `exists` and `range`. For more information about filtering, see [Query DSL](elasticsearch://reference/query-languages/querydsl.md).<br> |
| `match_all` | String | [Match all term query](elasticsearch://reference/query-languages/query-dsl/query-dsl-match-all-query.md)for the specified field (`null` when undefined). |
| `query` | String | [DSL query](elasticsearch://reference/query-languages/querydsl.md) (`null` when undefined). Forexample, `{"match_phrase":{"ecs.version":"1.4.0"}}`. |
| `range` | String | [Range query](elasticsearch://reference/query-languages/query-dsl/query-dsl-range-query.md) (`null` whenundefined). For example, `{"@timestamp":{"gte":"now-1d","lt":"now"}}"`. |
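Review bot: The `range` row's example ends with a stray double quote, `{"@timestamp":{"gte":"now-1d","lt":"now"}}"`, which makes the JSON invalid as shown; drop the trailing `"`. The changed `meta` line also has `key`(string) without the space its sibling items have, and the context rows have missing spaces (`thespecified`, `.md)for`, `Forexample`, `whenundefined`).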
Expand All @@ -143,5 +143,5 @@ This screenshot maps the Timeline UI components to their JSON objects:

| Name | Type | Description |
| --- | --- | --- |
| `filterQuery` | filterQuery | Object containing query details:<br><br>* `kuery`: Object containing the query’s clauses and type:<br><br> * `expression`(string): The query’s clauses.<br> * `kind` (string): The type of query, which can be `kuery` or `lucene`.<br><br>* `serializedQuery` (string): The query represented in JSON format.<br> |
| `filterQuery` | filterQuery | Object containing query details:<br><br>- `kuery`: Object containing the query’s clauses and type:<br><br> - `expression`(string): The query’s clauses.<br> - `kind` (string): The type of query, which can be `kuery` or `lucene`.<br><br>- `serializedQuery` (string): The query represented in JSON format.<br> |

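Review bot: `expression`(string) in the changed `filterQuery` line lacks the space that the sibling item `kind` (string) has. As in the `queryMatch` row, the nested `kuery` items are indented by a single space after `<br>`, so confirm they render as a sub-list.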
4 changes: 2 additions & 2 deletions solutions/security/ai/ai-assistant.md
Expand Up @@ -121,7 +121,7 @@ The **Security AI settings** page allows you to configure AI Assistant. To acces

It has the following tabs:

* **Conversations:** When you open AI Assistant from certain pages, such as ***Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
* **Conversations:** When you open AI Assistant from certain pages, such as **Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
* **Connectors:** Manage all LLM connectors.
* **System Prompts:** Edit existing System Prompts or create new ones. To create a new System Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the System Prompt’s text. Under **Contexts**, select where the System Prompt should appear.
* **Quick Prompts:** Modify existing Quick Prompts or create new ones. To create a new Quick Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the Quick Prompt’s text.
Expand All @@ -137,7 +137,7 @@ To modify Anonymization settings, you need the **Elastic AI Assistant: All** pri
::::


The **Anonymization** tab of the Security AI settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed*** toggled on are included in events provided to AI Assistant. ***Allowed*** fields with ***Anonymized** set to **Yes** are included, but with their values obfuscated.
The **Anonymization** tab of the Security AI settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed** toggled on are included in events provided to AI Assistant. **Allowed** fields with **Anonymized** set to **Yes** are included, but with their values obfuscated.

::::{note}
You can access anonymization settings directly from the **Attack Discovery** page by clicking the settings (![Settings icon](/solutions/images/security-icon-settings.png "title =20x20")) button next to the model selection dropdown menu.
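Review bot: Missing documentation in the rewritten **Anonymization** sentence: it states what happens to fields with **Allowed** toggled on but not what happens to the rest. Since this toggle is the control that keeps event data out of what is sent to AI Assistant, suggest one sentence stating explicitly whether fields with **Allowed** off are omitted entirely.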
4 changes: 2 additions & 2 deletions solutions/security/ai/attack-discovery.md
Expand Up @@ -57,7 +57,7 @@ When you access Attack Discovery for the first time, you’ll need to select an
It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.

::::{important}
By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (![Settings icon](/solutions/images/security-icon-settings.png "title=20px")) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon (![Settings icon](/solutions/images/security-icon-settings.png "title =20x20")) next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
::::


Expand Down Expand Up @@ -92,7 +92,7 @@ Each discovery includes the following information describing the potential threa
There are several ways you can incorporate discoveries into your {{elastic-sec}} workflows:

* Click an entity’s name to open the entity details flyout and view more details that may be relevant to your investigation.
* Hover over an entity’s name to either add the entity to Timeline (![Add to timeline icon](/solutions/images/security-icon-add-to-timeline.png "title=70%")) or copy its field name and value to the clipboard (![Copy to clipboard icon](/solutions/images/security-icon-copy.png "title=70%")).
* Hover over an entity’s name to either add the entity to Timeline (![Add to timeline icon](/solutions/images/security-icon-add-to-timeline.png "title =20x20")) or copy its field name and value to the clipboard (![Copy to clipboard icon](/solutions/images/security-icon-copy.png "title =20x20")).
* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a [case](/solutions/security/investigate/cases.md). This makes it easy to share the information with your team and other stakeholders.
* Click **Investigate in timeline** to explore the discovery in [Timeline](/solutions/security/investigate/timeline.md).
* Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts.