Merge branch 'main' into issue-6060-bugbash

Author: natasha-moore-elastic

docs/detections/detection-engine-intro.asciidoc

@@ -86,7 +86,7 @@ Indicator match rules provide a powerful capability to search your security data
 
 In addition, the following support restrictions are in place:
 
-* {elastic-sec} does not support the use of either cold or frozen {ref}/data-tiers.html[tier data] with indicator match rules.
+* Indicator match rules don't support cold or frozen data. Cold or frozen data in indices queried by indicator match rules must be older than the time range queried by the rule. If your data's timestamps are unreliable, you can exclude cold and frozen tier data using a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>>. 
 * Indicator match rules with an additional look-back time value greater than 24 hours are not supported.
 
 [float]

docs/detections/detections-exclude-cold-frozen-data-tiers.asciidoc

@@ -1,18 +1,25 @@
 [[exclude-cold-frozen-data-individual-rules]]
-== Exclude cold and frozen data from a rule
+== Exclude cold and frozen data from individual rules
 
 :frontmatter-description: Configure a rule to ignore cold and frozen data during execution. 
 :frontmatter-tags-products: [security]
 :frontmatter-tags-content-type: [how-to]
 :frontmatter-tags-user-goals: [manage]
 
-Rules that query cold and frozen data might perform more slowly. To exclude cold and frozen data, add a Query DSL filter that ignores cold and frozen {ref}/data-tiers.html[data tiers] when executing. You can add the filter when creating a new rule or updating an existing one. 
+Your rule might perform slower or fail if it queries data from cold or frozen {ref}/data-tiers.html[data tiers]. To help Elasticsearch exclude cold and frozen data more efficiently, apply a Query DSL filter that ignores cold and frozen documents when your rule executes. You can add the filter when creating a new rule or updating an existing one.
 
-NOTE: This method is not supported for {esql} and {ml} rules.
+TIP: To ensure that rules in your {kib} space exclude cold and frozen documents when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>. This setting does not apply to {ml} rules. 
 
-TIP: To ensure that _all_ rules in a {kib} space exclude cold and frozen data when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.
+[IMPORTANT]
+====
 
-Here is a sample Query DSL filter that excludes frozen tier data from a rule's execution:
+* This method is not supported for {esql} and {ml} rules.
+* Even when applying this filter, indicator match and event correlation rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data.
+
+
+====
+
+Here is a sample Query DSL filter that excludes frozen tier documents during rule execution:
 
 [source,console]
 ----
@@ -29,7 +36,7 @@ Here is a sample Query DSL filter that excludes frozen tier data from a rule's e
 }
 ----
 
-Here is another sample Query DSL filter that excludes cold and frozen tier data from a rule's execution:
+Here is another sample Query DSL filter that excludes cold and frozen tier documents during rule execution:
 
 [source,console]
 ----

docs/getting-started/advanced-setting.asciidoc

@@ -187,15 +187,17 @@ The `securitySolution:maxUnassociatedNotes` field determines the maximum number
 
 [discrete]
 [[exclude-cold-frozen-data-rule-executions]]
-== Exclude cold and frozen data from rule executions 
+== Exclude cold and frozen data from rules 
 
-To ensure rules don't search cold and frozen data when executing, specify cold and frozen {ref}/data-tiers.html[data tiers] in the `excludedDataTiersForRuleExecution` field. Multiple data tiers must be separated by commas, for example: `data_frozen`, `data_cold`. This setting is turned off by default; turning it on can improve rule performance and reduce execution time. 
+To ensure the rules in your {kib} space exclude query results from cold and frozen tiers when executing, specify cold and frozen {ref}/data-tiers.html[data tiers] in the `excludedDataTiersForRuleExecution` field. Multiple data tiers must be separated by commas, for example: `data_frozen`, `data_cold`. This setting is turned off by default; turning it on can improve rule performance and reduce execution time. 
 
-This setting does not apply to {ml} rules. 
+This setting does not apply to {ml} rules because {ml} anomalies are not stored in cold or frozen data tiers.
 
 [TIP]
 ====
 
-This setting applies to all rules in a {kib} space. To only exclude cold and frozen data from specific rules, add a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>> to the rules you want affected. 
+To only exclude cold and frozen data from specific rules, add a <<exclude-cold-frozen-data-individual-rules,Query DSL filter>> to the rules you want affected. 
 
-====
+====
+
+IMPORTANT: Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {esql} rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data.

docs/management/admin/deploy-with-mdm.asciidoc

@@ -71,13 +71,13 @@ image::images/content-filtering-jamf.png[]
 . Under **App Name**, enter `Elastic Security.app`.
 . Under **Bundle ID**, enter `co.elastic.alert`.
 . In the **Settings** section, include these options with the following settings:
-.. **Critical Alerts**: **Enable**.
-.. **Notifications**: **Enable**.
-.. **Banner alert type**: **Persistent**.
-.. **Notifications on Lock Screen**: **Display**.
-.. **Notifications in Notification Center**: **Display**.
-.. **Badge app icon**: **Display**.
-.. **Play sound for notifications**: **Enable**.
+.. **Critical Alerts**: Enable
+.. **Notifications**: Enable
+.. **Banner alert type**: Persistent
+.. **Notifications on Lock Screen**: Display
+.. **Notifications in Notification Center**: Display
+.. **Badge app icon**: Display
+.. **Play sound for notifications**: Enable
 . Save the configuration.
 
 [role="screenshot"]

docs/management/admin/event-filters.asciidoc

@@ -16,20 +16,20 @@ IMPORTANT: Since an event filter blocks an event from streaming to {es}, be cons
 
 By default, event filters are recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign an event filter to a specific {elastic-defend} integration policy, which would filter endpoint events from the hosts assigned to that policy.
 
-Create event filters from the Hosts page or the Event filters page.
+Create event filters from the **Hosts** page or the **Event filters** page.
 
 . Do one of the following:
 +
 --
-* To create an event filter from the Hosts page:
+* To create an event filter from the **Hosts** page:
 .. Select the *Events* tab to view the Events table.
 +
 .. Find the event to filter, click the *More actions* menu (*...*), then select *Add Endpoint event filter*.
 +
 TIP: Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the {elastic-endpoint}. +
 For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`.
 
-* To create an event filter from the Event filters page:
+* To create an event filter from the **Event filters** page:
 .. Cick *Add event filter*, which opens a flyout.
 --
 +

docs/release-notes/8.16.asciidoc

@@ -56,6 +56,28 @@ On November 12, 2024, it was discovered that manually running a custom query rul
 ====
 // end::known-issue[]
 
+// tag::known-issue-53[]
+[discrete]
+.Alerts page crashes if you upgrade to 8.16 and access it in a non-default {kib} space  
+[%collapsible]
+====
+*Details* +
+On November 14, 2024, it was discovered that the **Alerts** page would crash and display an `Unable to load` error if you upgraded to 8.16 and accessed the page in a non-default {kib} space.
+
+*Workaround* +
+Manually edit your browser's local storage and refresh the **Alerts** page:
+
+NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on the browser you're using.
+
+. Right-click anywhere on the **Alerts** page, then select *Inspect* to open Chrome's Developer Tools.
+. Go to *Application -> Storage*, then expand *Local Storage*. 
+. Click on the name of your Kibana instance, for example, http://localhost:1234. 
+. Search for the `siem.<space_name>.pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space.
+. Refresh the **Alerts** page to reload it.
+
+====
+// end::known-issue-53[]
+
 [discrete]
 [[breaking-changes-8.16.0]]
 ==== Breaking changes
@@ -82,7 +104,9 @@ On November 12, 2024, it was discovered that manually running a custom query rul
 * Allows you to view {es} queries that run during rule execution. This option is provided for {esql} and EQL rules only ({kibana-pull}191107[#191107]).
 * Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]).
 * Introduces a new advanced setting, `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531], {kibana-pull}192643[#192643]).
-* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule execution. This setting does not apply to {ml} rules ({kibana-pull}186908[#186908]). 
+* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule executions ({kibana-pull}186908[#186908]). 
++
+IMPORTANT: Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {esql} rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data.
 * Enhances the Insights section of the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]).
 * Turns off the host field size reduction setting on {elastic-defend}'s integration policy by default. To turn it on, configure the `[os].advanced.set_extended_host_information` <<adv-policy-settings,advanced policy setting>>.
 * Allows you to reduce CPU usage, I/O, and event sizes by turning on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <<adv-policy-settings,advanced policy setting>>.

docs/serverless/edr-install-config/deploy-with-mdm.asciidoc

@@ -81,13 +81,13 @@ image::images/deploy-with-mdm/content-filtering-jamf.png[]
 . Under **Bundle ID**, enter `co.elastic.alert`.
 . In the **Settings** section, include these options with the following settings:
 +
-.. **Critical Alerts**: **Enable**.
-.. **Notifications**: **Enable**.
-.. **Banner alert type**: **Persistent**.
-.. **Notifications on Lock Screen**: **Display**.
-.. **Notifications in Notification Center**: **Display**.
-.. **Badge app icon**: **Display**.
-.. **Play sound for notifications**: **Enable**.
+.. **Critical Alerts**: Enable
+.. **Notifications**: Enable
+.. **Banner alert type**: Persistent
+.. **Notifications on Lock Screen**: Display
+.. **Notifications in Notification Center**: Display
+.. **Badge app icon**: Display
+.. **Play sound for notifications**: Enable
 . Save the configuration.
 
 [role="screenshot"]

docs/serverless/edr-manage/event-filters.asciidoc

@@ -26,11 +26,11 @@ Since an event filter blocks an event from streaming to {es}, be conscious of ev
 
 By default, event filters are recognized globally across all hosts running {elastic-defend}. You can also assign an event filter to a specific {elastic-defend} integration policy, which would filter endpoint events from the hosts assigned to that policy.
 
-Create event filters from the Hosts page or the Event filters page.
+Create event filters from the **Hosts** page or the **Event filters** page.
 
 . Do one of the following:
 +
-** To create an event filter from the Hosts page:
+** To create an event filter from the **Hosts** page:
 +
 ... Select the **Events** tab to view the Events table.
 ... Find the event to filter, click the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions menu icon]), then select **Add Endpoint event filter**.
@@ -40,7 +40,7 @@ Create event filters from the Hosts page or the Event filters page.
 Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the {elastic-endpoint}.
 For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`.
 ====
-** To create an event filter from the Event filters page:
+** To create an event filter from the **Event filters** page:
 +
 ... Click **Add event filter**, which opens a flyout.
 +

docs/whats-new.asciidoc

@@ -85,9 +85,9 @@ image::whats-new/images/8.16/install-enable-rules.png[Install and enable rules,
 image::whats-new/images/8.16/manual-rule-run-table.png[Manual rule run table]
 
 [float]
-=== Exclude cold and frozen data from rule execution
+=== Exclude cold and frozen data from rules
 
-Rules that query cold and frozen data tiers might perform more slowly. To {security-guide}/exclude-cold-frozen-data-individual-rules.html[exclude query results from cold and frozen tiers], add a Query DSL filter that ignores cold and frozen documents when executing. This can help {es} exclude cold and frozen data more efficiently.
+Rules that query cold and frozen data tiers might perform more slowly or fail. To ensure that the rules in your {kib} space exclude query results from cold and frozen tiers when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.
 
 [float]
 === View {es} queries that run during rule execution