Merge branch 'main' into 11-custom-roles-remove-conditions

Author: joepeeples

.backportrc.json

@@ -1,5 +1,5 @@
 {
   "upstream": "elastic/security-docs",
-  "branches": ["8.x", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
+  "branches": ["8.x", "8.16", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
   "labels": ["backport"]
 }

.mergify.yml

@@ -13,6 +13,20 @@ pull_request_rules:
             git merge upstream/{{base}}
             git push upstream {{head}}
             ```
+  - name: backport patches to 8.17 branch
+    conditions:
+      - merged
+      - base=main
+      - label=v8.17.0
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        branches:
+          - "8.x"
+        title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
+        labels:
+          - backport
   - name: backport patches to 8.16 branch
     conditions:
       - merged
@@ -23,7 +37,7 @@ pull_request_rules:
         assignees:
           - "{{ author }}"
         branches:
-          - "8.x"
+          - "8.16"
         title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
         labels:
           - backport

docs/AI-for-security/attack-discovery.asciidoc

@@ -45,10 +45,10 @@ When you access Attack discovery for the first time, you'll need to select an LL
 .Recommended models
 [sidebar]
 --
-While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3 Sonnet and Claude 3 Opus. In general, models with larger context windows are more effective for Attack discovery.
+While Attack discovery is compatible with many different models, our testing found increased performance with Claude 3.5 Sonnet. In general, models with larger context windows are more effective for Attack discovery.
 --
 +
-image::images/select-model-empty-state.png[]
+image::images/attck-disc-select-model-empty-state.png[]
 +
 . Once you've selected a connector, click **Generate** to start the analysis.
 

docs/AI-for-security/images/attck-disc-select-model-empty-state.png

@@ -30,7 +30,7 @@ Entities do not have a default asset criticality level. You can either assign as
 
 When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated.
 
-NOTE: If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. The newly assigned or updated asset criticality levels will impact entity risk scores during the next hourly risk scoring calculation.
+NOTE: If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation.
 
 You can view, assign, change, or unassign asset criticality from the following places in the {elastic-sec} app:
 
@@ -84,7 +84,9 @@ To import a file:
 NOTE: The file validation step highlights any lines that don't follow the required file structure. The asset criticality levels for those entities won't be assigned. We recommend that you fix any invalid lines and re-upload the file.
 . Click **Assign**. 
 
-This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows and will impact entity risk scores during the next risk scoring calculation.
+This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows.
+
+You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation.
 
 [discrete]
 == Improve your security operations

docs/AI-for-security/images/select-model-empty-state.png

@@ -40,9 +40,7 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v
 [discrete]
 === Known limitations
 
-* You can only enable the risk scoring engine in a single {kib} space within a cluster.
-
-* The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores.
+The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores.
 
 [discrete]
 == Asset criticality

docs/advanced-entity-analytics/asset-criticality.asciidoc

@@ -7,6 +7,10 @@ To run and create {ml} jobs and rules, you need all of these:
 * There must be at least one {ml} node in your cluster
 * The `machine_learning_admin` user role
 
+Additionally, to configure <<alert-suppression,alert suppression>> for {ml} rules, your role needs the following {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privilege]:
+
+* `read` permission for the `.ml-anomalies-*` index
+
 For more information, go to {ml-docs}/setup.html[Set up {ml-features}].
 
 [IMPORTANT]

docs/advanced-entity-analytics/ers-req.asciidoc

@@ -4,9 +4,11 @@
 .Requirements and notices
 [sidebar]
 --
-Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription].
+* Alert suppression requires a https://www.elastic.co/pricing[Platinum or higher subscription].
 
-preview::["Alert suppression is in technical preview for threshold, indicator match, event correlation, and new terms rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."]
+* {ml-cap} rules have <<ml-requirements,additional requirements>> for alert suppression.
+
+preview::["Alert suppression is in technical preview for event correlation rules. The functionality may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."]
 --
 
 Alert suppression allows you to reduce the number of repeated or duplicate detection alerts created by these detection rule types:
@@ -17,7 +19,7 @@ Alert suppression allows you to reduce the number of repeated or duplicate detec
 * <<create-eql-rule,Event correlation>> (non-sequence queries only)
 * <<create-new-terms-rule,New terms>>  
 * <<create-esql-rule,{esql}>>
-* <<create-ml-rule,{ml-app}>>
+* <<create-ml-rule,{ml-cap}>>
 
 Normally, when a rule meets its criteria repeatedly, it creates multiple alerts, one for each time the rule's criteria are met. When alert suppression is configured, duplicate qualifying events are grouped, and only one alert is created for each group. Depending on the rule type, you can configure alert suppression to create alerts each time the rule runs, or once within a specified time window. You can also specify multiple fields to group events by unique combinations of values.
 

docs/advanced-entity-analytics/ml-req.asciidoc

@@ -289,14 +289,24 @@ to apply.
 * `duplicate`
 * `export`
 * `edit`
+* `run`
 
 | Yes
+
+| `run` | <<bulk-manual-rule-run, BulkManualRuleRun[]>>
+| Object that describes applying a manual rule run action.
+|No.
+
+Yes, if action is `run`.
+
 | `edit` | <<bulk-edit-object-schema, BulkEditAction[]>>
 | Edit object that describes applying an update action.
 
 |No.
 
 Yes, if action is `edit`.
+
+
 | `duplicate` | <<bulk-duplicate-object-schema, BulkDuplicateAction[]>>
 | Duplicate object that describes applying an update action.
 
@@ -314,6 +324,13 @@ To enable dry run mode on a request, add the query parameter `dry_run=true` to t
 
 IMPORTANT: Dry run mode is not supported for the `export` bulk action. A `400` error will be returned in the request response.
 
+[[bulk-manual-rule-run]]
+[discrete]
+==== BulkManualRuleRun object
+
+* `start_date` field: (String, Required) Defines the start date of the manual run.
+* `end_date` field: (String, Optional) Defines the end date of the manual run.
+
 [[bulk-duplicate-object-schema]]
 [discrete]
 ==== BulkDuplicateAction object
@@ -525,14 +542,14 @@ POST api/detection_engine/rules/_bulk_action
 [discrete]
 ===== Response payload
 
-For `enable`, `disable`, `delete`, `edit`, and `duplicate` actions, a JSON object containing the action's outcome:
+For `enable`, `disable`, `delete`, `edit`, `duplicate`, and `run` actions, a JSON object containing the action's outcome:
 
 - `attributes.summary.total`: Total number of rules matching the bulk action
 - `attributes.summary.succeeded`: Number of successful outcomes (number of rules that were enabled, deleted, or updated)
 - `attributes.summary.failed`: Number of failed outcomes
 - `attributes.summary.skipped`: Number of rules that were skipped due to various reasons (explained below)
 - `attributes.results.created`: Rule objects that were created during the action's execution
-- `attributes.results.updated`: Rule objects that were updated during the action's execution
+- `attributes.results.updated`: Rule objects that were updated during the action's execution. If the action execution is `run`, it returns rule objects that were scheduled for manual runs.
 - `attributes.results.deleted`: Rule objects that were deleted during the action's execution
 - `attributes.results.skipped`: Rules that were skipped during the action's execution