elastic
diff --git a/‎docs/events/timeline-templates.asciidoc‎
Lines changed: 1 addition & 1 deletion b/‎docs/events/timeline-templates.asciidoc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/events/timeline-ui-overview.asciidoc‎
Lines changed: 1 addition & 1 deletion b/‎docs/events/timeline-ui-overview.asciidoc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/getting-started/data-views-in-sec.asciidoc‎
Lines changed: 1 addition & 1 deletion b/‎docs/getting-started/data-views-in-sec.asciidoc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/getting-started/security-spaces.asciidoc‎
Lines changed: 4 additions & 4 deletions b/‎docs/getting-started/security-spaces.asciidoc‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/serverless/explore/data-views-in-sec.mdx‎
Lines changed: 51 additions & 0 deletions b/‎docs/serverless/explore/data-views-in-sec.mdx‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎docs/serverless/investigate/timeline-templates-ui.mdx‎
Lines changed: 157 additions & 0 deletions b/‎docs/serverless/investigate/timeline-templates-ui.mdx‎
Lines changed: 157 additions & 0 deletions
@@ -136,7 +136,7 @@ NOTE: You cannot delete prebuilt templates.
 == Export and import Timeline templates
 
 You can import and export Timeline templates, which enables importing templates
-from one {kib} space or instance to another. Exported templates are saved in an `ndjson` file.
+from one space or {elastic-sec} instance to another. Exported templates are saved in an `ndjson` file.
 
 . Go to *Timelines* -> *Templates*.
 . To export templates, do one of the following:
 
@@ -171,7 +171,7 @@ then select an action from the *Bulk actions* menu.
 == Export and import Timelines
 
 You can export and import Timelines, which enables you to share Timelines from one
-{kib} space or instance to another. Exported Timelines are saved as `.ndjson` files.
+space or {elastic-sec} instance to another. Exported Timelines are saved as `.ndjson` files.
 
 To export Timelines:
 
 
@@ -33,7 +33,7 @@ NOTE: You cannot update the data view for the Alerts page. This includes referen
 [[default-data-view-security]]
 == The default {data-source}
 
-The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {kib}'s advanced settings (**Stack Management** > **Advanced Settings** > **Security Solution**). To learn more about this setting, including its default value, refer to {security-guide}/advanced-settings.html#update-sec-indices[Advanced settings].
+The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {security-guide}/advanced-settings.html#update-sec-indices[advanced settings].
 
 The first time a user visits {elastic-sec} within a given {kib} {kibana-ref}/xpack-spaces.html[space], the default {data-source} generates in that space and becomes active. 
 
 
@@ -2,13 +2,13 @@
 = Spaces and {elastic-sec}
 
 {elastic-sec} supports the organization of your security operations into
-logical instances with the {kibana-ref}/xpack-spaces.html[{kib} spaces]
+logical instances with the {kibana-ref}/xpack-spaces.html[spaces]
 feature. Each space in {kib} represents a separate logical instance of
 {elastic-sec} in which detection rules, rule exceptions, value lists,
 alerts, Timelines, cases, and {kib} advanced settings are private to the
 space and accessible only by users that have role privileges to
-access the space. For details about configuring privileges for
-{es} and {kib}, refer to <<detections-permissions-section>>.
+access the space. For details about privileges for
+{elastic-sec} and specific features, refer to <<sec-requirements>>.
 
 For example, if you create a `SOC_prod` space in which you load and
 activate all the {elastic-sec} prebuilt detection rules, these rules and
@@ -22,7 +22,7 @@ the `SOC_dev` space, and they will run independently of those in the
 [NOTE]
 ===== 
 By default, alerts created by detection rules are stored in {es} indices
-under the `.alerts-security.alerts-<Kibana-space>` index pattern, and they may be
+under the `.alerts-security.alerts-<space-name>` index pattern, and they may be
 accessed by any user with role privileges to access those
 {es} indices. In our example above, any user with {es} privileges to access
 `.alerts-security.alerts-SOC_prod` will be able to view `SOC_prod` alerts from
 
@@ -0,0 +1,51 @@
+---
+slug: /serverless/security/data-views-in-sec
+title: ((data-sources-cap)) in Elastic Security
+description: Use data views to control what data displays on ((elastic-sec)) pages with event or alert data.
+tags: [ 'serverless', 'security', 'reference', 'manage' ]
+status: in review
+---
+
+<DocBadge template="technical preview" />
+<div id="data-views-in-sec"></div>
+
+((data-sources-cap)) determine what data displays on ((elastic-sec)) pages with event or alert data.
+((data-sources-cap)) are defined by the index patterns they include.
+Only data from ((es)) [indices](((ref))/documents-indices.html), [data streams](((ref))/data-streams.html), or [index aliases](((ref))/alias.html) specified in the active ((data-source)) will appear.
+
+<DocCallOut title="Important" color="warning">
+Custom indices are not included in the <DocLink slug="/serverless/security/data-views-in-sec" section="the-default-((data-source))">default ((data-source))</DocLink>. Modify it or create a custom ((data-source)) to include custom indices.
+</DocCallOut>
+
+## Switch to another ((data-source))
+
+You can tell which ((data-source)) is active by clicking the **((data-source-cap))** menu at the upper right of ((elastic-sec)) pages that display event or alert data, such as Overview, Alerts, Timelines, or Hosts.
+To switch to another ((data-source)), click **Choose ((data-source))**, select one of the options, and click **Save**.
+
+![image highlighting how to open the data view selection menu](../images/data-views-in-sec/-getting-started-dataview-button-highlighted.png)
+
+## Create or modify a ((data-source))
+
+To learn how to modify the default **Security Default Data View**, refer to <DocLink slug="/serverless/security/advanced-settings" section="update-sec-indices" />.
+
+To learn how to modify, create, or delete another ((data-source)) refer to [((data-sources-cap))](((kibana-ref))/data-views.html).
+
+You can also temporarily modify the active ((data-source)) from the **((data-source-cap))** menu by clicking **Advanced options**, then adding or removing index patterns.
+
+![video showing how to filter the active data view](../images/data-views-in-sec/-getting-started-dataview-filter-example.gif)
+
+This only allows you to add index patterns that match indices that currently contain data (other index patterns are unavailable). Note that any changes made are saved in the current browser window and won't persist if you open a new tab.
+
+<DocCallOut title="Note">
+    You cannot update the data view for the Alerts page. This includes referencing a cross-cluster search (CCS) data view or any other data view. The Alerts page always shows data from `.alerts-security.alerts-default`.
+</DocCallOut>
+
+<div id="default-data-view-security"></div>
+
+## The default ((data-source))
+
+The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in <DocLink slug="/serverless/security/advanced-settings">advanced settings</DocLink>.
+
+The first time a user visits ((elastic-sec)) within a given ((kib)) <DocLink slug="/serverless/spaces">space</DocLink>, the default ((data-source)) generates in that space and becomes active.
+
+If you delete the active ((data-source)) when there are no other defined ((data-sources)), the default ((data-source)) will regenerate and become active upon refreshing any ((elastic-sec)) page in the space.
@@ -0,0 +1,157 @@
+---
+slug: /serverless/security/timeline-templates-ui
+title: Timeline templates
+description: Attach Timeline templates to detection rules to streamline investigations.
+tags: [ 'serverless', 'security', 'how-to', 'analyze', 'manage' ]
+status:  in review
+---
+
+<DocBadge template="technical preview" />
+<div id="timeline-templates-ui"></div>
+
+You can attach Timeline templates to detection rules. When attached, the rule's alerts use the template when they are investigated in Timeline. This enables immediately viewing the alert's most interesting fields when you start an investigation.
+
+Templates can include two types of filters:
+
+* **Regular filter**: Like other KQL filters, defines both the source event field and its value. For example: `host.name : "win-server"`.
+
+* **Template filter**: Only defines the event field and uses a placeholder
+    for the field's value. When you investigate an alert in Timeline, the field's value is taken from the alert.
+
+For example, if you define the `host.name: "{host.name}"` template filter, when alerts generated by the rule are investigated in Timeline, the alert's
+`host.name` value is used in the filter. If the alert's `host.name` value is
+`Linux_stafordshire-061`, the Timeline filter is:
+`host.name: "Linux_stafordshire-061"`.
+
+<DocCallOut title="Note">
+For information on how to add Timeline templates to rules, refer to <DocLink slug="/serverless/security/rules-create">Create a detection rule</DocLink>.
+</DocCallOut>
+
+When you load ((elastic-sec)) prebuilt rules, ((elastic-sec)) also loads a selection of prebuilt Timeline templates, which you can attach to detection rules. **Generic** templates use broad KQL queries to retrieve event data, and **Comprehensive** templates use detailed KQL queries to retrieve additional information. The following prebuilt templates appear by default:
+
+* **Alerts Involving a Single Host Timeline**: Investigate detection alerts involving a single host.
+* **Alerts Involving a Single User Timeline**: Investigate detection alerts involving a single user.
+* **Generic Endpoint Timeline**: Investigate ((elastic-endpoint)) detection alerts.
+* **Generic Network Timeline**: Investigate network-related detection alerts.
+* **Generic Process Timeline**: Investigate process-related detection alerts.
+* **Generic Threat Match Timeline**: Investigate threat indicator match detection alerts.
+* **Comprehensive File Timeline**: Investigate file-related detection alerts.
+* **Comprehensive Network Timeline**: Investigate network-related detection alerts.
+* **Comprehensive Process Timeline**: Investigate process-related detection alerts.
+* **Comprehensive Registry Timeline**: Investigate registry-related detection alerts.
+
+<DocCallOut title="Tip">
+You can <DocLink slug="/serverless/security/timeline-templates-ui" section="manage-existing-timeline-templates">duplicate prebuilt templates</DocLink> and use them as
+a starting point for your own custom templates.
+</DocCallOut>
+
+<div id="template-legend-ui"></div>
+
+## Timeline template legend
+
+When you add filters to a Timeline template, the items are color coded to
+indicate which type of filter is added. Additionally, you change Timeline
+filters to template filters as you build your template.
+
+Regular Timeline filter 
+    : Clicking **Convert to template field** changes the filter to a template filter:
+
+    <DocImage size="m" url="../images/timeline-templates-ui/-events-template-filter-value.png" alt="" />
+
+Template filter 
+
+    : <DocImage size="m" url="../images/timeline-templates-ui/-events-timeline-template-filter.png" alt="" />  
+    When you <DocLink slug="/serverless/security/timeline-templates-ui" section="manage-existing-timeline-templates">convert a template to a Timeline</DocLink>, template filters with placeholders are disabled:
+
+    <DocImage size="m" url="../images/timeline-templates-ui/-events-invalid-filter.png" alt="" />
+
+    To enable the filter, either specify a value or change it to a field's existing filter (refer to <DocLink slug="/serverless/security/timelines-ui" section="edit-existing-filters">Edit existing filters</DocLink>).
+
+<div id="create-timeline-template"></div>
+
+## Create a Timeline template
+
+1. Choose one of the following:
+   * Go to **Investigations** → **Timelines**. Click the **Templates** tab, then click **Create new Timeline template**.
+   * Go to the Timeline bar (which is at the bottom of most pages), click the <DocIcon type="plusInCircle" title="New Timeline" /> button, then click **Create new Timeline template**.
+   * From an open Timeline or Timeline template, click **New** → **New Timeline template**.
+
+1. Add filters to the new Timeline template. Click **Add field**, and select the required option:
+
+    * **Add field**: Add a regular Timeline filter.
+    * **Add template field**: Add a template filter with a value placeholder.
+
+    <DocCallOut title="Tip">
+    You can also drag and send items to the template from the **Overview**, **Hosts**, **Network**, and **Alerts** pages.
+    </DocCallOut>
+
+    ![An example of a Timeline filter](../images/timeline-templates-ui/-events-create-a-timeline-template-field.png)
+
+1. Click **Save** to give the template a title and description.
+
+**Example**
+
+To create a template for process-related alerts on a specific host:
+
+* Add a regular filter for the host name:
+    `host.name: "Linux_stafordshire-061"`
+
+* Add template filter for process names: `process.name: "{process.name}"`
+
+![](../images/timeline-templates-ui/-events-template-query-example.png)
+
+When alerts generated by rules associated with this template are investigated
+in Timeline, the host name is `Linux_stafordshire-061`, whereas the process name
+value is retrieved from the alert's `process.name` field.
+
+<div id="man-templates-ui"></div>
+
+## Manage existing Timeline templates
+
+You can view, duplicate, export, delete, and create templates from existing Timelines:
+
+1. Go to **Investigations** → **Timelines** → **Templates**.
+
+    ![](../images/timeline-templates-ui/-events-all-actions-timeline-ui.png)
+
+1. Click the **All actions** icon in the relevant row, and then select the action:
+
+    * **Create timeline from template** (refer to <DocLink slug="/serverless/security/timeline-templates-ui" section="create-a-timeline-template">Create a Timeline template</DocLink>)
+    * **Duplicate template**
+    * **Export selected** (refer to <DocLink slug="/serverless/security/timeline-templates-ui" section="export-and-import-timeline-templates">Export and import Timeline templates</DocLink>)
+    * **Delete selected**
+    * **Create query rule from timeline** (only available if the Timeline contains a KQL query)
+    * **Create EQL rule from timeline** (only available if the Timeline contains an EQL query)
+
+<DocCallOut title="Tip">
+To perform the same action on multiple templates, select templates, then the required action from the **Bulk actions** menu.
+</DocCallOut>
+
+<DocCallOut title="Note">
+You cannot delete prebuilt templates.
+</DocCallOut>
+
+<div id="import-export-timeline-templates"></div>
+
+## Export and import Timeline templates
+
+You can import and export Timeline templates, which enables importing templates from one space or ((elastic-sec)) instance to another. Exported templates are saved in an `ndjson` file.
+
+1. Go to **Investigations** → **Timelines** → **Templates**.
+1. To export templates, do one of the following:
+
+    * To export one template, click the **All actions** icon in the relevant row and then select **Export selected**.
+
+    * To export multiple templates, select all the required templates and then click **Bulk actions** → **Export selected**.
+
+1. To import templates, click **Import**, then select or drag and drop the template `ndjson` file.
+
+    <DocCallOut title="Note">
+    Each template object in the file must be represented in a single line.
+    Multiple template objects are delimited with newlines.
+    </DocCallOut>
+
+<DocCallOut title="Note">
+You cannot export prebuilt templates.
+</DocCallOut>
+