Address feedback

Author: natasha-moore-elastic

docs/advanced-entity-analytics/entity-store.asciidoc

@@ -9,17 +9,18 @@ preview::[]
 To use the entity store, you must have the appropriate privileges. For more information, refer to <<ers-requirements, Entity risk scoring requirements>>.
 --
 
-The entity store allows you to query, reconcile, maintain, and persist entity metadata from various sources such as:
+The entity store allows you to query, reconcile, maintain, and persist entity metadata such as:
 
-* Ingested log sources
-* Integrated identity providers (such as Active Directory, EntraID, and Okta)
-* Internal and external alerts
-* External asset repositories
-* Asset criticality submissions
+* Ingested log data
+* Data from integrated identity providers (such as Active Directory, EntraID, and Okta)
+* Data from internal and external alerts
+* External asset repository data
+* Asset criticality data
+* Entity risk score data
 
-The entity store can store any entity type observed by {elastic-sec}. This allows you to store, view, and query select entities directly from an index without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <<default-data-view-security, default data view>>.
+The entity store can hold any entity type observed by {elastic-sec}. It allows you to view and query select entities represented in your indices  without needing to perform real-time searches of observable data. The entity store extracts entities from all indices in the {elastic-sec} <<default-data-view-security, default data view>>.
 
-When the entity store is enabled, the following resources are generated:
+When the entity store is enabled, the following resources are generated for each entity type (hosts and users):
 
 * {es} resources, such as transforms, ingest pipelines, and enrich policies.
 * Data and fields for each entity.
@@ -40,7 +41,7 @@ Once you enable the entity store, the Entity Analytics dashboard displays the <<
 [[clear-entity-store]]
 == Clear entity store data
 
-Once the entity store is enabled, you may want to start fresh and clear the extracted entity data. For example, if you have refined your data by normalizing the `user.name` or `host.name` fields, clearing the entity store data allows you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis.
+Once the entity store is enabled, you may want to clear the stored data and start fresh. For example, if you normalized the `user.name` or `host.name` fields, clearing the entity store data would allow you to repopulate the entity store with the updated, normalized values. This action removes all previously extracted entity information, enabling new data extraction and analysis.
 
 Clearing entity store data does not delete your source data, assigned entity risk scores, or asset criticality assignments.
 

docs/dashboards/entity-dashboard.asciidoc

@@ -27,7 +27,7 @@ image::images/entity-dashboard.png[Entity dashboard]
 [float]
 == Entity KPIs (key performance indicators)
 
-Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or the **Anomalies** table. 
+Displays the total number of critical hosts, critical users, and anomalies. Select a link to jump to the **Hosts** page, **Users** page, or **Anomalies** table. 
 
 [[entity-user-risk-scores]]
 [float]
@@ -92,19 +92,20 @@ preview::[]
 To display the **Entities** section, you must <<enable-entity-store,enable the entity store>>.
 -- 
 
-The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities stored in the <<entity-store, entity store>>, which:
+The **Entities** section provides a centralized view of all hosts and users in your environment. It displays entities from the <<entity-store, entity store>>, which meet any of the following criteria:
 
 * Have been observed by {elastic-sec}
 * Have an asset criticality assignment
 * Have been added to {elastic-sec} through an integration, such Active Directory or Okta
 
-NOTE: The **Entities** table only shows a subset of the attributes stored in the entity store. You can query the `.entities.v1.latest.security_user_<space-id>` and `.entities.v1.latest.security_host_<space-id>` indices to see all the attributes stored in the entity store.
+NOTE: The **Entities** table only shows a subset of the data available for each entity. You can query the `.entities.v1.latest.security_user_<space-id>` and `.entities.v1.latest.security_host_<space-id>` indices to see all the fields for each entity in the entity store.
 
 [role="screenshot"]
 image::images/entities-section.png[Entities section] 
 
-The stored entity data appears in the **Entities** section based on the following timelines:
+Entity data from different sources appears in the **Entities** section based on the following timelines:
 
+* When you first enable the entity store, only data stored in the last 24 hours is processed. After that, data is processed continuously.
 * Observed events from the {elastic-sec} default data view are processed in near real-time.
 * Entity Analytics data, such as entity risk scores and asset criticality (including bulk asset criticality upload), is also processed in near real-time.
 * The availability of entities extracted from Entity Analytics integrations depends on the specific integration. Refer to {integrations-docs}/entityanalytics_ad[Active Directory Entity Analytics], {integrations-docs}/entityanalytics_entra_id[Microsoft Entra ID Entity Analytics], and {integrations-docs}/entityanalytics_okta[Okta Entity Analytics] for more details.