[Security] Data view picker updates (elastic#3568)

Resolves elastic/docs-content-internal#410

Previews:
* [Data views and Elastic
Security](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3568/solutions/security/get-started/data-views-elastic-security)
*
[Timeline](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3568/solutions/security/investigate/timeline)

---------

Co-authored-by: Benjamin Ironside Goldstein <[email protected]>

Author: 2 people

solutions/images/security-dataview-button-highlighted.png

@@ -23,7 +23,7 @@ Custom indices are not included in the [default {{data-source}}](/solutions/secu
 
 ## Switch to another {{data-source}} [security-data-views-in-sec-switch-to-another-data-source]
 
-You can tell which {{data-source}} is active by clicking the **{{data-source-cap}}** menu at the upper right of {{elastic-sec}} pages that display event or alert data, such as Overview, Alerts, Timelines, or Hosts. To switch to another {{data-source}}, click **Choose {{data-source}}**, select one of the options, and click **Save**.
+The active {{data-source}} appears under **{{data-source-cap}}** in the upper-right corner of {{elastic-sec}} pages that display event or alert data, such as Overview, Alerts, Timelines, or Hosts. Click the menu to switch to another {{data-source}}.
 
 :::{image} /solutions/images/security-dataview-button-highlighted.png
 :alt: image highlighting how to open the data view selection menu
@@ -32,17 +32,16 @@ You can tell which {{data-source}} is active by clicking the **{{data-source-cap
 
 ## Create or modify a {{data-source}} [security-data-views-in-sec-create-or-modify-a-data-source]
 
+:::{note}
+:applies_to: {"stack": "ga 9.2", "serverless": "ga"}
+Some data views are managed by Elastic and cannot be edited. However, you can [duplicate them](/explore-analyze/find-and-organize/data-views.md#duplicate-managed-data-view) and make changes to duplicated versions without affecting managed data views. 
+:::
+
 To learn how to modify the default **Security Default Data View**, refer to [Update default {{elastic-sec}} indices](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices).
 
 To learn how to modify, create, or delete another {{data-source}} refer to [{{kib}} {{data-sources-cap}}](/explore-analyze/find-and-organize/data-views.md).
 
-You can also temporarily modify the active {{data-source}} from the **{{data-source-cap}}** menu by clicking **Advanced options**, then adding or removing index patterns.
-
-:::{image} /solutions/images/security-dataview-filter-example.gif
-:alt: video showing how to filter the active data view
-:::
-
-This only allows you to add index patterns that match indices that currently contain data (other index patterns are unavailable). Note that any changes made are saved in the current browser window and won’t persist if you open a new tab.
+{applies_to}`stack: removed 9.2` {applies_to}`serverless: removed` You can also temporarily modify the active {{data-source}} from the **{{data-source-cap}}** menu by clicking **Advanced options**, then adding or removing index patterns. This only allows you to add index patterns that match indices that currently contain data (other index patterns are unavailable). Note that any changes you make are saved in the browser and won’t persist if you open a new tab.
 
 ::::{note}
 You cannot update the data view for the Alerts page. This includes referencing a cross-cluster search (CCS) data view or any other data view. The Alerts page always shows data from `.alerts-security.alerts-default`.
@@ -53,10 +52,15 @@ You cannot update the data view for the Alerts page. This includes referencing a
 ## The default {{data-source}} [default-data-view-security]
 
 The default {{data-source}} is defined by the `securitySolution:defaultIndex` setting, which you can modify in [advanced settings](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices).
+::::{note}
+If you modify this view directly in the Edit data view UI, the changes will not persist.
+::::
+
 
 The first time a user visits {{elastic-sec}} within a given {{kib}} [space](/deploy-manage/manage-spaces.md), the default {{data-source}} generates in that space and becomes active.
 
 ::::{note}
+:applies_to: stack: ga
 In {{stack}}, your {{kib}} space must have the **Data View Management** [feature visibility](/deploy-manage/manage-spaces.md) setting enabled for the default {{data-source}} to generate and become active in your space.
 ::::
 

solutions/images/security-dataview-filter-example.gif

@@ -53,7 +53,9 @@ Click the star icon (![Favorite icon](/solutions/images/security-favorite-icon.p
 
 ## View and refine Timeline results [refine-timeline-results]
 
-You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only, click **Data view** to the left of the KQL query bar, then select **Show only detection alerts**.
+You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only:
+* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Select the `Security solution alerts` data view.
+* {applies_to}`stack: ga 9.0` Click **Data view** to the left of the KQL query bar, then select **Show only detection alerts**.
 
 
 ## Inspect an event or alert [timeline-inspect-events-alerts]