Merge branch '8.x' into mergify/bp/8.x/pr-5859

Author: lcawl

.mergify.yml

@@ -13,6 +13,34 @@ pull_request_rules:
             git merge upstream/{{base}}
             git push upstream {{head}}
             ```
+  - name: backport patches to 8.17 branch
+    conditions:
+      - merged
+      - base=main
+      - label=v8.17.0
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        branches:
+          - "8.x"
+        title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
+        labels:
+          - backport
+  - name: backport patches to 8.16 branch
+    conditions:
+      - merged
+      - base=main
+      - label=v8.16.0
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        branches:
+          - "8.16"
+        title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
+        labels:
+          - backport
   - name: backport patches to 8.15 branch
     conditions:
       - merged

docs/AI-for-security/connect-to-byo.asciidoc

@@ -180,10 +180,11 @@ Finally, configure the connector:
 1. Log in to your Elastic deployment.
 2. Navigate to **Stack Management → Connectors → Create Connector → OpenAI**. The OpenAI connector enables this use case because LM Studio uses the OpenAI SDK.
 3. Name your connector to help keep track of the model version you are using.
-4. Under **URL**, enter the domain name specified in your Nginx configuration file, followed by `/v1/chat/completions`.
-5. Under **Default model**, enter `local-model`.
-6. Under **API key**, enter the secret token specified in your Nginx configuration file.
-7. Click **Save**.
+4. Under **Select an OpenAI provider**, select **Other (OpenAI Compatible Service)**.
+5. Under **URL**, enter the domain name specified in your Nginx configuration file, followed by `/v1/chat/completions`.
+6. Under **Default model**, enter `local-model`.
+7. Under **API key**, enter the secret token specified in your Nginx configuration file.
+8. Click **Save**.
 
 image::images/lms-edit-connector.png[The Edit connector page in the {security-app}, with appropriate values populated]
 

docs/AI-for-security/images/lms-edit-connector.png

@@ -2,4 +2,10 @@
 [role="xpack"]
 == Asset criticality API
 
-You can manage <<asset-criticality, asset criticality>> records through the API. To use this API, you must first turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
+.New API Reference
+[sidebar]
+--
+For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-entity-analytics-api[Entity Analytics APIs].
+--
+
+You can manage <<asset-criticality, asset criticality>> records through the API.

docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc

@@ -4,12 +4,7 @@
 .Requirements
 [sidebar]
 --
-To view and assign asset criticality, you must:
-
-* Have the appropriate user role.
-* Turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
-
-For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
+To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <<ers-requirements, Entity risk scoring prerequisites>>.
 --
 
 The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities.
@@ -30,7 +25,7 @@ Entities do not have a default asset criticality level. You can either assign as
 
 When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated.
 
-NOTE: If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. The newly assigned or updated asset criticality levels will impact entity risk scores during the next hourly risk scoring calculation.
+NOTE: If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation.
 
 You can view, assign, change, or unassign asset criticality from the following places in the {elastic-sec} app:
 
@@ -78,13 +73,15 @@ host,host-001,extreme_impact
 
 To import a file:
 
-. Go to **Manage** → **Asset criticality**.
+. Find **Entity Store** in the main menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Select or drag and drop the file you want to import.
 +
 NOTE: The file validation step highlights any lines that don't follow the required file structure. The asset criticality levels for those entities won't be assigned. We recommend that you fix any invalid lines and re-upload the file.
 . Click **Assign**. 
 
-This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows and will impact entity risk scores during the next risk scoring calculation.
+This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows.
+
+You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation.
 
 [discrete]
 == Improve your security operations

docs/advanced-entity-analytics/asset-criticality.asciidoc

@@ -30,11 +30,7 @@ Entity risk scores are determined by the following risk inputs:
 
 The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
 
-[NOTE]
-======
-* Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
-* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
-======
+NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score.
 
 [discrete]
 [[how-is-risk-score-calculated]]

docs/advanced-entity-analytics/entity-risk-scoring.asciidoc

@@ -40,15 +40,11 @@ Follow these guidelines to ensure clusters have adequate memory to handle data v
 [discrete]
 === Known limitations
 
-* You can only enable the risk scoring engine in a single {kib} space within a cluster.
-
-* The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores.
+The risk scoring engine uses an internal user role to score all hosts and users, and doesn't respect privileges applied to custom users or roles. After you turn on the risk scoring engine for a {kib} space, all alerts in the space will contribute to host and user risk scores.
 
 [discrete]
 == Asset criticality
 
-To use the asset criticality feature, turn on the `securitySolution:enableAssetCriticality` <<enable-asset-criticality, advanced setting>>.
-
 [discrete]
 === Privileges
 

docs/advanced-entity-analytics/ers-req.asciidoc

@@ -7,6 +7,10 @@ To run and create {ml} jobs and rules, you need all of these:
 * There must be at least one {ml} node in your cluster
 * The `machine_learning_admin` user role
 
+Additionally, to configure <<alert-suppression,alert suppression>> for {ml} rules, your role needs the following {kibana-ref}/kibana-role-management.html#adding_index_privileges[index privilege]:
+
+* `read` permission for the `.ml-anomalies-*` index
+
 For more information, go to {ml-docs}/setup.html[Set up {ml-features}].
 
 [IMPORTANT]

docs/advanced-entity-analytics/ml-req.asciidoc

@@ -128,14 +128,14 @@ If you are using the AWS visual editor to create and modify your IAM Policies, y
 
 Follow AWS's https://aws.github.io/aws-eks-best-practices/security/docs/iam/#iam-roles-for-service-accounts-irsa[EKS Best Practices] documentation to use the https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html[IAM Role to Kubernetes Service-Account] (IRSA) feature to get temporary credentials and scoped permissions.
 
-During setup, do not fill in any option in the "Setup Access" section. Instead click *Save and continue*.
+IMPORTANT: During setup, do not fill in any option in the "Setup Access" section. Click *Save and continue*.
 
 [discrete]
 [[kspm-use-instance-role]]
 ==== Option 2 - Use default instance role
 Follow AWS's https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html[IAM roles for Amazon EC2] documentation to create an IAM role using the IAM console, which automatically generates an instance profile.
 
-During setup, do not fill in any option in the "Setup Access" section. Click *Save and continue*.
+IMPORTANT: During setup, do not fill in any option in the "Setup Access" section. Click *Save and continue*.
 
 [discrete]
 [[kspm-use-keys-directly]]

docs/cloud-native-security/kspm-get-started.asciidoc

@@ -35,7 +35,7 @@ Data does not appear in the dashboard until a user selects indices to check.
 
 IMPORTANT: To customize which indices are checked when you click *Check all*, {security-guide}/data-views-in-sec.html[change the current data view].
 
-* *Check a single index*: To check a single index, expand it using the arrow on the left. Checking a single index is faster than checking all indices.
+* *Check a single index*: To check a single index, click the **Check now** button under **Actions**. Checking a single index is faster than checking all indices.
 
 Once checked, an index's data quality results persist indefinitely. You can see when the index was last checked, and generate updated results at any time.
 
@@ -53,15 +53,24 @@ Click a node in the treemap to expand the corresponding index.
 
 [discrete]
 == Learn more about checked index fields
-After an index is checked, an X (❌) or a checkmark (✅) appears in its *Result* column. The X (❌) indicates mapping problems in an index. To view index details, including which fields weren't successfully mapped, click the arrow next to the result to expand it.
+After an index is checked, a **Pass** or **Fail** status appears. **Fail** indicates mapping problems in an index. To view index check details, including which fields weren't successfully mapped, click the **Check now** button under **Actions**.
 
 [role="screenshot"]
 image::images/data-qual-dash-detail.png[An expanded index with some failed results in the Data Quality dashboard]
 
-When you expand a result, the *Summary* tab immediately helps you visualize the status of fields in that index. The other tabs display more details about particular fields, grouped by their mapping status.  
+The index check flyout provides more information about the status of fields in that index. Each of its tabs describe fields grouped by mapping status.
 
 NOTE: Fields in the *Same family* category have the correct search behavior, but might have different storage or performance characteristics (for example, you can index strings to both `text` and `keyword` fields). To learn more, refer to {ref}/mapping-types.html[Field data types].
 
+[discrete]
+== View historical data quality results
+
+You can review an index's data quality history by clicking **View history** under **Actions**, or by clicking the **History** tab in the details flyout. You can filter the results by time and **Pass** / **Fail** status. Click a historical check to expand it and view more details.
+
+image::images/data-qual-dash-history.png[The Data Quality dashboard]
+
+NOTE: Recent historical data includes the **Incompatible fields** and **Same family** views. Legacy historical data only includes the **Incompatible fields** view.
+
 [discrete]
 == Export data quality results
 
@@ -73,8 +82,7 @@ You can share data quality results to help track your team's remediation efforts
 . Click *Copy to clipboard* to copy a Markdown report to your clipboard.
 
 * Export results for one index:
-. Expand an index that has at least one incompatible field by clicking the arrow to the left of its *Result*.
-. From the *Summary* or *Incompatible fields* tab, select *Add to new case* to open a new <<cases-overview,case>>.
-. From the *Summary*, *Incompatible fields*, or *Same family* tab, click *Copy to clipboard* to copy a Markdown report to your clipboard.
+. View details for a checked index by clicking the **Check now** button under **Actions**.
+. From the **Incompatible fields** tab, select **Add to new case** to open a new <<cases-overview,case>>.
 
 NOTE: For more information about how to fix mapping problems, refer to {ref}/mapping.html[Mapping].