=== Option 2: Enable Knowledge Base from the Security AI settings
46
46
47
-
. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security."
47
+
. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security."
48
48
. On the **Knowledge Base** tab, click **Setup Knowledge Base**. If the button doesn't appear, Knowledge Base is already enabled.
49
49
50
50
image::images/knowledge-base-assistant-settings-kb-tab.png[AI Assistant's settings menu open to the Knowledge Base tab]
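Review bot: In the rewritten step the period sits inside the quoted search string ("AI Assistant for Security."), which reads as part of what to type into the global search field; move it outside the quotes, i.e. find "AI Assistant for Security". The same step, with the same punctuation, is repeated in the two later hunks of this file.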
@@ -57,15 +57,15 @@ When Knowledge Base is enabled, AI Assistant receives `open` or `acknowledged` a
57
57
To enable Knowledge Base for alerts:
58
58
59
59
. Ensure that knowledge base is <<enable-knowledge-base, enabled>>.
60
-
. Use the slider on the Security AI settings' Knowledge Base tab to select the number of alerts to send to AI Assistant. Click **Save**.
60
+
. On the **Security AI settings** page, go to the **Knowledge Base** tab and use the slider to select the number of alerts to send to AI Assistant. Click **Save**.
61
61
62
62
NOTE: Including a large number of alerts may cause your request to exceed the maximum token length of your third-party generative AI provider. If this happens, try selecting a lower number of alerts to send.
63
63
64
64
[discrete]
65
65
[[knowledge-base-add-knowledge]]
66
66
== Add knowledge
67
67
68
-
To view all knowledge base entries, go to the Security AI settings and select the **Knowledge Base** tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a **Sharing** setting of `private` or `global`. Private entries apply to the current user only and do not affect other users in the {kib} space, whereas global entries affect all users. Each entry can also have a `Required knowledge` setting, which means it will be included as context for every message sent to AI Assistant.
68
+
To view all knowledge base entries, go to **Security AI settings** and select the **Knowledge Base** tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a **Sharing** setting of `private` or `global`. Private entries apply to the current user only and do not affect other users in the {kib} space, whereas global entries affect all users. Each entry can also have a `Required knowledge` setting, which means it will be included as context for every message sent to AI Assistant.
69
69
70
70
NOTE: When you enable Knowledge Base, it comes pre-populated with articles from https://www.elastic.co/security-labs[Elastic Security Labs], current through September 30, 2024, which allows AI Assistant to leverage Elastic's security research during your conversations. This enables it to answer questions such as, “Are there any new tactics used against Windows hosts that I should be aware of when investigating my alerts?”
71
71
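Review bot: Case inconsistency in the unchanged context line `. Ensure that knowledge base is <<enable-knowledge-base, enabled>>.`: the feature is written "Knowledge Base" everywhere else in this list, including the new line, so capitalize it here while this list is being touched. The reworded slider step itself reads well.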
@@ -75,7 +75,7 @@ NOTE: When you enable Knowledge Base, it comes pre-populated with articles from
75
75
76
76
Add an individual document to Knowledge Base when you want AI Assistant to remember a specific piece of information.
77
77
78
-
. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
78
+
. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
79
79
. Click **New → Document** and give it a name.
80
80
. Under **Sharing**, select whether this knowledge should be **Global** or **Private**.
81
81
. Write the knowledge AI Assistant should remember in the **Markdown text** field.
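Review bot: The opening step of this procedure is now byte-identical to the one in the "Option 2" hunk above and to the index procedure below; consider an AsciiDoc include or an xref to a single copy so the three do not drift the next time the navigation label or the search phrase changes.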
@@ -108,7 +108,7 @@ Add an index as a knowledge source when you want new information added to that i
108
108
109
109
IMPORTANT: Indices added to Knowledge Base must have at least one field mapped as {ref}/semantic-text.html[semantic text].
110
110
111
-
. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
111
+
. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab.
112
112
. Click **New → Index**.
113
113
. Name the knowledge source.
114
114
. Under **Sharing**, select whether this knowledge should be **Global** or **Private**.
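Review bot: Minor wording in the unchanged IMPORTANT line: the Elasticsearch field type is literally `semantic_text`, and the new crawler section later selects `Semantic text` under **Field type**; writing it as `semantic_text` in the IMPORTANT makes it easier to match against an index mapping. No issue with the changed step.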
@@ -136,3 +136,51 @@ Refer to the following video for an example of adding an index to Knowledge Base
136
136
</br>
137
137
++++
138
138
=======
139
+
140
+
[discrete]
141
+
[[knowledge-base-crawler-or-connector]]
142
+
=== Add knowledge with a connector or web crawler
143
+
144
+
You can use an {es} connector or web crawler to create an index that contains data you want to add to Knowledge Base.
145
+
146
+
This section provides an example of adding a threat intelligence feed to Knowledge Base using a web crawler. For more information on adding data to {es} using a connector, refer to {ref}/es-connectors.html[Ingest data with Elastic connectors]. For more information on web crawlers, refer to {enterprise-search-ref}/crawler.html[Elastic web crawler].
147
+
148
+
[discrete]
149
+
==== Use a web crawler to add threat intelligence to Knowledge Base
150
+
151
+
First, you'll need to set up a web crawler to add the desired data to an index, then you'll need to add that index to Knowledge Base.
152
+
153
+
. From the **Search** section of {kib}, find **Web crawlers** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
154
+
. Click **New web crawler**.
155
+
.. Under **Index name**, name the index where the data from your new web crawler will be stored, for example `threat_intelligence_feed_1`. Click **Create index**.
156
+
.. Under **Domain URL**, enter the URL where the web crawler should collect data. Click **Validate Domain** to test it, then **Add domain**.
157
+
. The previous step opens a page with the details of your new index. Go to its **Mappings** tab, then click **Add field**.
158
+
+
159
+
NOTE: Remember, each index added to Knowledge Base must have at least one semantic text field.
160
+
+
161
+
.. Under **Field type**, select `Semantic text`. Under **Select an inference endpoint**, select `elastic-security-ai-assistant-elser2`. Click **Add field**, then **Save mapping**.
162
+
. Go to the **Scheduling** tab. Enable the **Enable recurring crawls with the following schedule** setting, and define your desired schedule.
163
+
. Go to the **Manage Domains** tab. Select the domain associated with your new web crawler, then go the its **Crawl rules** tab and click **Add crawl rule**. For more information, refer to {enterprise-search-ref}/crawler-extraction-rules.html[Web crawler content extraction rules].
164
+
.. Click **Add crawl rule** again. Under **Policy**, select `Disallow`. Under **Rule**, select `Regex`. Under **Path pattern**, enter `.*`. Click **Save**.
165
+
.. Under **Policy**, select `Allow`. Under **Rule**, select `Contains`. Under **Path pattern**, enter your path pattern, for example `threat-intelligence`. Click **Save**. Make sure this rule appears below the rule created in the previous step on the list.
166
+
.. Click **Crawl**, then **Crawl all domains on this index**. A success message appears. The crawl process will take longer for larger data sources. Once it finishes, your new web crawler's index will contain documents provided by the crawler.
167
+
. Finally, follow the instructions to <<knowledge-base-add-knowledge-index, add an index to Knowledge Base>>. Add the index that contains the data from your new web crawler (`threat_intelligence_feed_1` in this example).
168
+
169
+
Your new threat intelligence data is now included in Knowledge Base and can inform AI Assistant's responses.
170
+
171
+
Refer to the following video for an example of creating a web crawler to ingest threat intelligence data and adding it to Knowledge Base.
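Review bot: The crawl-rule steps (new lines 163 to 165) need a logic check. Step 163 says to click **Add crawl rule**, step 164 says to click it *again* and create the `Disallow` / `Regex` / `.*` rule, and step 165 creates the `Allow` / `Contains` / `threat-intelligence` rule and then requires it to appear *below* the disallow rule. If, as the crawler documentation describes, rules are evaluated top-down and the first matching rule wins, an allow rule sitting under a catch-all `Disallow .*` never matches and the crawl yields nothing; confirm the intended order and state it explicitly (allow rule above the catch-all disallow), or explain why the UI ordering differs. Also "go the its **Crawl rules** tab" should read "go to its **Crawl rules** tab". Separately, this section feeds crawled third-party content into Knowledge Base as assistant context, and earlier text says an entry can be shared as **Global** and marked as required knowledge; one sentence noting that crawled text is unvetted input that every user of the space may then receive as model context would be worth adding here.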
docs/cases/cases-overview.asciidoc (1 addition & 1 deletion)
@@ -5,7 +5,7 @@
5
5
:frontmatter-tags-content-type: [overview]
6
6
:frontmatter-tags-user-goals: [analyze]
7
7
8
-
Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the <<cases-api-overview,cases API>> to perform the same tasks.
8
+
Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the {api-kibana}/group/endpoint-cases[cases API] to perform the same tasks.
9
9
10
10
You can also send cases to these external systems by <<cases-ui-integrations, configuring external connectors>>:
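Review bot: Replacing the `<<cases-api-overview,...>>` xref with `{api-kibana}/group/endpoint-cases` is fine, but check that the `api-kibana` attribute is defined for every branch this docs build targets, and grep for remaining `<<cases-api-overview` references: this PR updates two of them, and any others become broken xrefs if the target page is retired.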
docs/cloud-native-security/cspm-get-started-aws.asciidoc (4 additions & 1 deletion)
@@ -43,6 +43,9 @@ beta::[]
43
43
. Click **Advanced options**, then select **Agentless (BETA)**.
44
44
. Next, you'll need to authenticate to AWS. Two methods are available:
45
45
.. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation.
46
+
+
47
+
NOTE: If you don't want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**.
48
+
+
46
49
.. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for <<cspm-use-temp-credentials, temporary keys>>.
47
50
. Once you've selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
48
51
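Review bot: Field-name inconsistency: the new NOTE calls the CloudFormation field `OrganizationalUnitIDs`, while the step changed in the next hunk of this same file calls it `OrganizationalUnitIds`. Only one spelling matches the template; pick it and use it in both places. The NOTE also says the field "appears after you click **Launch CloudFormation**", but in this Option 1 flow the reader is told to expand **Steps to Generate AWS Account Credentials** and follow them; say where the Launch button is in that flow, or point at the detailed CloudFormation steps below.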
@@ -76,7 +79,7 @@ For most use cases, the simplest option is to use AWS CloudFormation to automati
76
79
. Return to your {kib} tab. Click *Save and continue* at the bottom of the page.
77
80
. Review the information, then click *Launch CloudFormation*.
78
81
. A CloudFormation template appears in a new browser tab.
79
-
. For organization-level deployments only, you must enter the ID of the organizational unit where you want to deploy into the `OrganizationalUnitIds` field in the CloudFormation template. You can find it in the AWS console under *AWS Organizations -> AWS Accounts* (it appears under the organization name).
82
+
. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template's `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under *AWS Organizations -> AWS Accounts* (under each organization's name). You can also use this field to specify which accounts in your organization to monitor, and which to skip.
80
83
. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner.
81
84
. Tick the checkbox under *Capabilities* to authorize the creation of necessary resources.
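Review bot: "under each organization's name" in the rewritten step is odd: an AWS account belongs to at most one organization, so the original "under the organization name" was more accurate; keep the plural only for the unit IDs. The new last sentence also says the field can specify which accounts to monitor and which to skip, while the NOTE added in the previous hunk says it takes organizational unit IDs; if the template accepts only OU IDs, say "which organizational units (and therefore which accounts)".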
docs/detections/alerts-add-to-cases.asciidoc (1 addition & 1 deletion)
@@ -9,7 +9,7 @@ From the Alerts table, you can attach one or more alerts to a <<signals-to-new-c
9
9
10
10
[NOTE]
11
11
===============================
12
-
* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the <<cases-api-overview,Elastic Security Cases API>>.
12
+
* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the {api-kibana}/group/endpoint-cases[cases API].
docs/getting-started/configure-integration-policy.asciidoc (1 addition & 2 deletions)
@@ -207,8 +207,7 @@ image::images/install-endpoint/event-collection.png[Detail of event collection s
207
207
[[register-as-antivirus]]
208
208
== Register {elastic-sec} as antivirus (optional)
209
209
210
-
With {elastic-defend} version 7.10 or later on Windows 7 or later, you can
211
-
register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**.
210
+
You can register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**.
212
211
213
212
NOTE: Windows Server versions are not supported. Antivirus registration requires Windows Security Center, which is not included in Windows Server operating systems.
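Review bot: The rewrite drops the requirement scope entirely: the old sentence said registration works "With {elastic-defend} version 7.10 or later on Windows 7 or later", and the new sentence says nothing about platform, even though the NOTE immediately below only excludes Windows Server. If the version floor is obsolete, remove only that part and keep "on Windows hosts" so readers do not expect **Register as antivirus** to do anything on macOS or Linux.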
docs/getting-started/install-endpoint.asciidoc (1 addition & 1 deletion)
@@ -20,7 +20,7 @@ Like other Elastic integrations, {elastic-defend} is integrated into the {agent}
20
20
[[security-before-you-begin]]
21
21
== Before you begin
22
22
23
-
If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <<elastic-endpoint-deploy-reqs, requirements for {elastic-endpoint}>> for more information.
23
+
If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <<elastic-endpoint-deploy-reqs>> for more information.
24
24
25
25
NOTE: {elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes.
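Review bot: Dropping the link text from `<<elastic-endpoint-deploy-reqs, requirements for {elastic-endpoint}>>` makes the rendered label depend on the target's section title or its `reftext`; confirm the anchor resolves to a titled section in this build, otherwise the link renders as the bare id.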