[8.16] [Request][8.16] Update nav references for all "Investigation tools" topics (backport #6000) (#6097)

* First draft

* Fixed outdated instruction

* More updates

* Updates to cases

* Last update

* Updates instructions for cases

* Update docs/osquery/invest-guide-run-osquery.asciidoc

Co-authored-by: natasha-moore-elastic <[email protected]>

* Update docs/osquery/invest-guide-run-osquery.asciidoc

Co-authored-by: natasha-moore-elastic <[email protected]>

* Nat's edit

---------

Co-authored-by: natasha-moore-elastic <[email protected]>
(cherry picked from commit e210b0d)

Co-authored-by: Nastasha Solomon <[email protected]>

Author: mergify[bot]

docs/cases/cases-manage-settings.asciidoc

@@ -5,7 +5,7 @@
 :frontmatter-tags-content-type: [how-to] 
 :frontmatter-tags-user-goals: [analyze]
 
-To change case closure options and add custom fields, templates, and connectors for external incident management systems, go to *Cases* -> *Settings*.
+To change case closure options and add custom fields, templates, and connectors for external incident management systems, find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Settings**. 
 
 [role="screenshot"]
 image::images/cases-settings.png[Shows the case settings page]

docs/cases/cases-manage.asciidoc

@@ -14,7 +14,7 @@ You can create and manage cases using the UI or the <<cases-api-overview>>.
 Open a new case to keep track of security issues and share their details with
 colleagues.
 
-. Go to *Cases*, then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table.
+. Find **Cases** in the navigation menu or search for `Security/Cases` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click *Create case*. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the *Create case* button inside the table.
 
 . If you defined <<cases-templates,templates>>, you can optionally select one to use its default field values. preview:[]
 
@@ -232,7 +232,7 @@ The following attachments are _not_ exported:
 
 To export a case:
 
-. Open the main menu, go to *Stack Management -> {kib}*, then select the *Saved Objects* tab.
+. Find *Saved Objects* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Search for the case by choosing a saved object type or entering the case title in the search bar.
 . Select one or more cases, then click the *Export* button.
 . Click *Export*. A confirmation message that your file is downloading displays.
@@ -249,7 +249,7 @@ image::images/cases-export-button.png[Shows the export saved objects workflow]
 
 To import a case:
 
-. Open the main menu, go to *Stack Management -> {kib}*, then select the *Saved Objects* tab.
+. Find *Saved Objects* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Click *Import*.
 . Select the NDJSON file containing the exported case and configure the import options.
 . Click *Import*.

docs/cases/indicators-of-compromise.asciidoc

@@ -29,9 +29,7 @@ An indicator, also referred to as an IoC, is a piece of information associated w
 Install a threat intelligence integration to add indicators to the Indicators page.
 
 
-. Choose one of the following:
-* From the {security-app} main menu, go to *Intelligence* -> *Indicators* -> *Add Integrations*.
-* From the {kib} main menu, click *Add integrations*.
+. From the {security-app}, click *Add Integrations*.
 . In the search bar, search for `Threat Intelligence` to get a list of threat intelligence integrations.
 . Select a threat intelligence integration, then complete the integration's guided installation.
 +

docs/cloud-native-security/session-view.asciidoc

@@ -30,7 +30,8 @@ NOTE: To view Linux session data from your Kubernetes infrastructure, you'll nee
 Session View uses process data collected by the {elastic-defend} integration,
 but this data is not always collected by default. To confirm that Session View data is enabled:
 
-. Go to *Manage* -> *Policies*, and edit one or more of your {elastic-defend} integration policies.
+. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Select one or more of your {elastic-defend} integration policies to edit.
 . Select the *Policy settings* tab, then scroll down to the Linux event collection section near the bottom.
 . Check the box for *Process* events, and turn on the *Collect session data* toggle.
 . If you want to include file and network alerts in Session View, check the boxes for *Network* and *File* events.
@@ -124,7 +125,8 @@ From a security perspective, terminal output is important because it offers a me
 
 To enable terminal output data capture:
 
-. Go to *Manage* -> *Policies*, then select one or more of your {elastic-defend} integration policies to edit.
+. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+. Select one or more of your {elastic-defend} integration policies to edit.
 . On the *Policy settings* tab, scroll down to the Linux event collection section near the bottom of the page
 and select the *Collect session data* and *Capture terminal output* options.
 

docs/detections/visual-event-analyzer.asciidoc

@@ -20,8 +20,8 @@ In KQL, this translates to any event with the `agent.type` set to either:
 To find events that can be visually analyzed:
 
 . First, display a list of events by doing one of the following:
-* Go to *Explore* -> *Hosts*, then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page.
-* Go to *Alerts*, then scroll down to the Alerts table.
+* Find **Hosts** in the main menu, or search for `Security/Explore/Hosts` by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page.
+* Find **Alerts** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then scroll down to the Alerts table.
 . Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*:
 ** `agent.type:"endpoint" and process.entity_id :*`
 +

docs/events/timeline-templates.asciidoc

@@ -74,7 +74,7 @@ filter (refer to <<pivot>>).
 . Choose one of the following:
 +
 
-** Go to **Timelines** → **Templates**, then click **Create new Timeline template**.
+** Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Next, select the **Templates** tab, then click **Create new Timeline template**.
 ** Go to the Timeline bar (which is at the bottom of most pages), click the image:images/add-new-timeline-button.png[Click the add new button,20,20] button, then click **Create new Timeline template**.
 ** From an open Timeline  or Timeline template, click **New** -> **New Timeline template**.
 
@@ -112,13 +112,13 @@ value is retrieved from the alert's `process.name` field.
 
 You can view, duplicate, export, delete, and create templates from existing Timelines:
 
-. Go to *Timelines* -> *Templates*.
+. Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select the **Templates** tab.
 
 +
 [role="screenshot"]
 image::images/all-actions-timeline-ui.png[]
 
-. Click the *All actions* icon in the relevant row, and then select the action:
+. Click the *All actions* icon in the relevant row, and then select the action:   
 
 * *Create timeline from template* (refer to <<create-timeline-template>>)
 * *Duplicate template*
@@ -138,7 +138,7 @@ NOTE: You cannot delete prebuilt templates.
 You can import and export Timeline templates, which enables importing templates
 from one space or {elastic-sec} instance to another. Exported templates are saved in an `ndjson` file.
 
-. Go to *Timelines* -> *Templates*.
+. Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select the **Templates** tab.
 . To export templates, do one of the following:
 
 * To export one template, click the *All actions* icon in the relevant row and

docs/events/timeline-ui-overview.asciidoc

@@ -25,7 +25,7 @@ retrieved from the alert. For more information, refer to <<timeline-templates-ui
 
 To make a new Timeline, choose one of the following:
 
-* Go to **Timelines**, then click **Create new Timeline**. 
+* Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then click **Create new Timeline**. 
 * Go to the Timeline bar (which is at the bottom of most pages), click the image:images/add-new-timeline-button.png[Click the add new button,20,20] button, then click **Create new Timeline template**.
 * From an open Timeline or Timeline template, click **New** -> **New Timeline**.
 
@@ -174,7 +174,7 @@ space or {elastic-sec} instance to another. Exported Timelines are saved as `.nd
 
 To export Timelines:
 
-* Go to *Timelines*.
+* Find **Timelines** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 * Either click the *All actions* menu in the relevant row and select *Export selected*, or select multiple Timelines and then click *Bulk actions* -> *Export selected*.
 
 To import Timelines:

docs/osquery/invest-guide-run-osquery.asciidoc

@@ -19,7 +19,8 @@ image::images/osquery-investigation-guide.png[Shows a live query in an investiga
 
 NOTE: You can only add Osquery to investigation guides for custom rules because prebuilt rules cannot be edited.
 
-. Go to *Rules* -> *Detection rules (SIEM)*, select a rule, then click *Edit rule settings* on the rule details page.
+. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Select a rule to open the its details, then click *Edit rule settings*.
 . Select the *About* tab, then expand the rule's advanced settings.
 . Scroll down to the Investigation guide section. In the toolbar, click the *Osquery* button (image:images/osquery-button.png[Click the Osquery button,20,20]).
 .. Add a descriptive label for the query; for example, `Search for executables`.
@@ -39,6 +40,8 @@ image::images/setup-osquery-investigation-guide.png[width=70%][height=70%][Shows
 [[run-live-queries-ig]]
 === Run live queries from an investigation guide
 
+. Go to the *Rules* page. To access it, find **Detection rules (SIEM)** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. 
+. Select a rule to open the its details.
 . Go to *Rules* -> *Detection rules (SIEM)*, then select a rule to open its details.
 . Go to the About section of the rule details page and click *Investigation guide*.
 . Click the query. The Run Osquery pane displays with the *Query* field autofilled. Do the following: