Merge branch 'main' into 5606-cspm-agentless-onboard-beta

Author: benironside

.mergify.yml

@@ -13,6 +13,19 @@ pull_request_rules:
             git merge upstream/{{base}}
             git push upstream {{head}}
             ```
+  - name: backport patches to main branch
+    conditions:
+      - merged
+      - label=backport-main
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        labels:
+          - "backport"
+        branches:
+          - "main"
+        title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
   - name: backport patches to 8.17 branch
     conditions:
       - merged

docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc

@@ -8,4 +8,4 @@
 For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-entity-analytics-api[Entity Analytics APIs].
 --
 
-You can manage <<asset-criticality, asset criticality>> records through the API. To use this API, you must first turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
+You can manage <<asset-criticality, asset criticality>> records through the API.

docs/advanced-entity-analytics/asset-criticality.asciidoc

@@ -4,12 +4,7 @@
 .Requirements
 [sidebar]
 --
-To view and assign asset criticality, you must:
-
-* Have the appropriate user role.
-* Turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
-
-For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
+To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
 --
 
 The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities.

docs/advanced-entity-analytics/entity-risk-scoring.asciidoc

@@ -30,11 +30,7 @@ Entity risk scores are determined by the following risk inputs:
 
 The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
 
-[NOTE]
-======
-* Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
-* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
-======
+NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
 
 [discrete]
 [[how-is-risk-score-calculated]]

docs/advanced-entity-analytics/ers-req.asciidoc

@@ -45,8 +45,6 @@ The risk scoring engine uses an internal user role to score all hosts and users,
 [discrete]
 == Asset criticality
 
-To use the asset criticality feature, turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
-
 [discrete]
 === Privileges
 

docs/detections/alerts-view-details.asciidoc

@@ -124,10 +124,32 @@ image::images/visualizations-section-rp.png[Visualizations section of the Overvi
 
 Click **Visualizations** to display the following previews:
 
-* **Session view preview**: Shows a preview of <<session-view,session view>> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. 
+* **Session viewer preview**: Shows a preview of <<session-view,Session View>> data. Click **Session viewer preview** to open the **Session View** tab in Timeline. 
 
 * **Analyzer preview**: Shows a preview of the <<visual-event-analyzer,visual analyzer graph>>. The preview displays up to three levels of the analyzed event's ancestors and up to three levels of the event's descendants and children. The ellipses symbol (**`...`**) indicates the event has more ancestors and descendants to examine. Click **Analyzer preview** to open the **Event Analyzer** tab in Timeline.
 
+[discrete]
+[[expanded-visualizations-view]]
+=== Expanded visualizations view
+
+preview::[]
+
+.Requirements
+[sidebar]
+--
+To use the **Visualize** tab, you must turn on the `securitySolution:enableVisualizationsInFlyout` <<visualizations-in-flyout,advanced setting>>. 
+--
+
+The **Visualize** tab allows you to maintain the context of the Alerts table, while providing a more detailed view of alerts that you're investigating in the event analyzer or Session View. To open the tab, click **Session viewer preview** or **Analyzer preview** from the right panel. 
+
+[role="screenshot"]
+image::images/visualize-tab-lp.png[Expanded view of visualization details, 80%]
+
+As you examine the alert's related processes, you can also preview the alerts and events which are associated with those processes. Then, if you want to learn more about a particular alert or event, you can click **Show full alert details** to open the full details flyout.
+
+[role="screenshot"]
+image::images/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%] 
+
 [discrete]
 [[insights-section]]
 == Insights 

docs/detections/images/visualize-tab-lp-alert-details.gif

@@ -29,7 +29,9 @@ Or
 +
 ** `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *`
 
-. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. Alternatively, open the alert details flyout, go to the Visualizations section, then click **Analyzer preview**. This opens the **Analyzer** tab in Timeline.
+. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout. 
++
+TIP: Turn on the `securitySolution:enableVisualizationsInFlyout` <<visualizations-in-flyout,advanced setting>> to access the event analyzer from the **Visualize** tab in the alert or event details flyout.
 
 +
 [role="screenshot"]

docs/detections/images/visualize-tab-lp.png

@@ -102,17 +102,20 @@ Security *Overview* page.
 * `securitySolution:newsFeedUrl`: The URL from which the security news feed content is
 retrieved.
 
-[discrete]
-[[enable-asset-criticality]]
-== Enable asset criticality workflows
-The `securitySolution:enableAssetCriticality` setting determines whether asset criticality is included as a risk input to entity risk scoring. This setting is turned off by default. Turn it on to enable asset criticality workflows and to use asset criticality as part of entity risk scoring.
-
 [discrete]
 [[exclude-cold-frozen-tiers]]
 == Exclude cold and frozen tier data from analyzer queries
 
 Including data from cold and frozen {ref}/data-tiers.html[data tiers] in <<visual-event-analyzer, visual event analyzer>> queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default.
 
+[discrete]
+[[visualizations-in-flyout]]
+== Access the event analyzer and Session View from the event or alert details flyout
+
+preview::[]
+
+The `securitySolution:enableVisualizationsInFlyout` setting allows you to access the event analyzer and Session View in the **Visualize** <<expanded-visualizations-view,tab>> on the alert or event details flyout. This setting is turned off by default. 
+
 [discrete]
 == Change the default search interval and data refresh time