Merge branch 'main' into 31-serverless-spaces
joepeeples committed Sep 20, 2024
2 parents 73fd784 + 9b556a7 commit d244a26
Showing 47 changed files with 702 additions and 690 deletions.
2 changes: 1 addition & 1 deletion .backportrc.json
@@ -1,5 +1,5 @@
{
"upstream": "elastic/security-docs",
"branches": ["8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"branches": ["8.x", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"labels": ["backport"]
}
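Review bot: the list gains `8.x` but has no `8.16` entry, which is consistent with the Mergify rule added in this same commit that routes the `v8.16.0` label to the `8.x` branch; both files will need a matching `8.16` entry once that release branch is cut, so consider a comment or tracking issue so they are updated together.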
63 changes: 0 additions & 63 deletions .github/ISSUE_TEMPLATE/known-issue.yaml

This file was deleted.

14 changes: 14 additions & 0 deletions .mergify.yml
Expand Up @@ -13,6 +13,20 @@ pull_request_rules:
git merge upstream/{{base}}
git push upstream {{head}}
```
- name: backport patches to 8.16 branch
conditions:
- merged
- base=main
- label=v8.16.0
actions:
backport:
assignees:
- "{{ author }}"
branches:
- "8.x"
title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
labels:
- backport
- name: backport patches to 8.15 branch
conditions:
- merged
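Review bot: the rule is named `backport patches to 8.16 branch`, but its `branches` target is `"8.x"`; that is understandable while no `8.16` branch exists, but the name will become misleading as soon as one is created. Suggest naming the rule after the label it matches (`v8.16.0`) or adding a comment noting that `branches` must be retargeted to `8.16` when the branch is cut.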
2 changes: 1 addition & 1 deletion docs/AI-for-security/ai-security-assistant.asciidoc
Expand Up @@ -47,7 +47,7 @@ You must create a generative AI connector before you can use AI Assistant. AI As
.Recommended models
[sidebar]
--
While AI Assistant is compatible with many different models, our testing found increased quality with Azure 32k, and faster, more cost-effective responses with Claude 3 Haiku and OpenAI GPT4 Turbo. For more information, refer to the <<llm-performance-matrix>>.
While AI Assistant is compatible with many different models, refer to the <<llm-performance-matrix>> to select models that perform well with your desired use cases.
--

[discrete]
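Review bot: the replacement sentence reads awkwardly, pairing a concessive "While AI Assistant is compatible with many different models," with the imperative "refer to". Suggest splitting it: "AI Assistant is compatible with many different models. Refer to the <<llm-performance-matrix>> to select models that perform well for your use cases."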
5 changes: 2 additions & 3 deletions docs/AI-for-security/connect-to-azure-openai.asciidoc
Expand Up @@ -68,9 +68,8 @@ Now, set up the Azure OpenAI model:

. From within your Azure OpenAI deployment, select **Model deployments**, then click **Manage deployments**.
. On the **Deployments** page, select **Create new deployment**.
. Under **Select a model**, choose `gpt-4` or `gpt-4-32k`.
** If you select `gpt-4`, set the **Model version** to `0125-Preview`.
** If you select `gpt-4-32k`, set the **Model version** to `default`.
. Under **Select a model**, choose `gpt-4o` or `gpt-4 turbo`.
. Set the model version to "Auto-update to default".
+
IMPORTANT: The models available to you depend on https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models#model-summary-table-and-region-availability[region availability]. For best results, use `GPT-4o 2024-05-13` with the maximum Tokens-Per-Minute (TPM) capacity. For more information on how different models perform for different tasks, refer to the <<llm-performance-matrix>>.
+
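Review bot: the new step presents `gpt-4 turbo` in monospace as if it were a literal model identifier, but it contains a space and does not match the style of `gpt-4o`; check the exact name in the Azure model table linked from the IMPORTANT note. The same note still recommends `GPT-4o 2024-05-13` while the preceding step now says to set the version to "Auto-update to default"; state which of the two (a pinned version or auto-update) is the recommendation so the two lines do not contradict each other.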
2 changes: 1 addition & 1 deletion docs/advanced-entity-analytics/ers-req.asciidoc
@@ -1,5 +1,5 @@
[[ers-requirements]]
= Entity risk scoring prerequisites
= Entity risk scoring requirements

To use entity risk scoring and asset criticality, your role must have certain cluster, index, and {kib} privileges. These features require a https://www.elastic.co/pricing[Platinum subscription] or higher.

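Review bot: the title changes from "prerequisites" to "requirements" while the anchor `[[ers-requirements]]` is unchanged, so existing xrefs keep working; check for xrefs elsewhere in the docs that spell out the old title as custom link text, since those will now disagree with the page heading.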
10 changes: 3 additions & 7 deletions docs/cases/cases-req.asciidoc
@@ -1,5 +1,5 @@
[[case-permissions]]
= Cases prerequisites
= Cases requirements

:frontmatter-description: Learn about the {kib} feature privileges required to access {elastic-sec} cases.
:frontmatter-tags-products: [security]
Expand All @@ -12,8 +12,7 @@
//For more information, see
//{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges].

You can create roles and define feature privileges at different levels to manage feature access in {kib}. {kib} privileges grant access to features within a specified {kib} space, and you can grant full or partial access. For more information, see
{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges].
You can create roles and define feature privileges at different levels to manage feature access in {kib}. {kib} privileges grant access to features within a specified {kib} space, and you can grant full or partial access. For more information, refer to {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privileges].

[NOTE]
====
Expand All @@ -27,7 +26,7 @@ to {kib}, you must configure the

IMPORTANT: Certain subscriptions and privileges might be required to manage case attachments. For example, to add alerts to cases, you must have privileges for <<enable-detections-ui,managing alerts>>.

To grant access to cases, set the {kib} space privileges for the *Cases* and *{connectors-feature}* features as follows:
To grant access to cases, set the privileges for the *Cases* and *{connectors-feature}* features as follows:

[discrete]
[width="100%",options="header"]
Expand Down Expand Up @@ -60,6 +59,3 @@ NOTE: You can customize the sub-feature privileges to allow access to deleting c
| Revoke all access to cases | **None** for the *Cases* feature under *Security*

|==============================================

[role="screenshot"]
image::images/case-feature-privs-example.png[Shows privileges needed for cases, actions, and connectors]
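Review bot: the removed `image::` macro references `images/case-feature-privs-example.png`, but the binary deleted in this commit is `docs/cases/images/case-feature-privs.png`. Confirm that the `-example` file is also deleted (or still referenced elsewhere) and that nothing else referenced `case-feature-privs.png`; otherwise this leaves either an orphaned image or a broken image reference.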
Binary file removed docs/cases/images/case-feature-privs.png
54 changes: 25 additions & 29 deletions docs/detections/detections-req.asciidoc
@@ -1,5 +1,5 @@
[[detections-permissions-section]]
= Detections prerequisites and requirements
= Detections requirements

To use the <<detection-engine-overview, Detections feature>>, you first need to
configure a few settings. You also need the https://www.elastic.co/subscriptions[appropriate license] to send
Expand Down Expand Up @@ -37,22 +37,24 @@ and restarting {kib}, you must restart all detection rules.
[[enable-detections-ui]]
== Enable and access detections

To use the Detections feature, it must be enabled, your role must have access to rules and alerts, and your {kib} space must have **Data View Management** {kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility]. If your role does not have the cluster and index privileges needed to enable this feature, you can request someone who has these privileges to visit your Kibana space, which will turn it on for you. The following table describes the required privileges to access the Detections feature, including rules and alerts.
To use the Detections feature, it must be enabled, your role must have access to rules and alerts, and your {kib} space must have **Data View Management** {kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility]. If your role doesn't have the cluster and index privileges needed to enable this feature, you can request someone who has these privileges to visit your {kib} space, which will turn it on for you.

NOTE: For instructions about using Machine Learning jobs and rules, refer to <<ml-requirements, Machine learning job and rule requirements>>.
NOTE: For instructions about using {ml} jobs and rules, refer to <<ml-requirements, Machine learning job and rule requirements>>.

IMPORTANT: In {stack} version 8.0.0, the `.siem-signals-<space-id>` index was renamed to `.alerts-security.alerts-<space-id>`. Detection alert indices are created for each {kib} space. For the default space, the alerts index is
named `.alerts-security.alerts-default`. If you're upgrading to 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you're newly installing the {stack}, then users do not need privileges for the `.siem-signals-<space-id>` index.

The following table describes the required privileges to access the Detections feature, including rules and alerts. For more information on {kib} privileges, refer to {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges].

[discrete]
[width="100%",options="header"]
|==============================================
|Action |Cluster Privileges |Index Privileges |Kibana Privileges

|Enable the Detections feature in your Kibana space
|The `manage` privilege
|Enable detections in your space
|`manage`

a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for the following system indices and data streams, where `<space-id>` is the {kib} space name:
a|`manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:

* `.alerts-security.alerts-<space-id>`
* `.siem-signals-<space-id>` ^1^
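Review bot: the IMPORTANT note about `.alerts-security.alerts-<space-id>` and `.siem-signals-<space-id>` repeats, nearly verbatim, the ^1^ footnote that follows every row of the table, and the table introduction has now been moved below that note. Consider keeping the 8.0.0 upgrade guidance in one place (the note) and reducing each footnote to a pointer to it, so future edits do not have to be made in five places.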
Expand All @@ -61,15 +63,14 @@ a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for t

^1^ *NOTE*: If you're upgrading to {stack} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you're newly installing the {stack}, then users do not need privileges for the `.siem-signals-<space-id>` index.

|{kib} space `All` privileges for the `Security` feature (refer to
{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges])
|`All` for the `Security` feature

|Enable the Detections feature in all Kibana spaces
|Enable detections in all spaces

*NOTE*: To turn on the Detections feature, visit the Rules and Alerts pages for each appropriate Kibana space.
*NOTE*: To turn on detections, visit the Rules and Alerts pages for each space.

|The `manage` privilege
a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for the following system indices and data streams:
|`manage`
a|`manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:

* `.alerts-security.alerts-<space-id>`
* `.siem-signals-<space-id>` ^1^
Expand All @@ -78,22 +79,20 @@ a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for t

^1^ *NOTE*: If you're upgrading to {stack} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you're newly installing the {stack}, then users do not need privileges for the `.siem-signals-<space-id>` index.

|{kib} space `All` privileges for the `Security` feature (refer to
{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges])
|`All` for the `Security` feature

| Preview rules
|N/A
a| The `read` privilege for the following indices:
a| `read` for these indices:

* `.preview.alerts-security.alerts-<space-id>`
* `.internal.preview.alerts-security.alerts-<space-id>-*`

|{kib} space `All` privileges for the `Security` feature (refer to
{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges])
|`All` for the `Security` feature

|Manage rules
| N/A
a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for the following system indices and data streams, where `<space-id>` is the {kib} space name:
a|`manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:

* `.alerts-security.alerts-<space-id`
* `.siem-signals-<space-id>`^1^
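Review bot: the context line `* \`.alerts-security.alerts-<space-id\`` under "Manage rules" is missing the closing `>`, so it renders differently from the same entry in the other rows. Since this hunk already edits the adjacent row header, fix the typo here rather than in a follow-up.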
Expand All @@ -102,8 +101,7 @@ a|The `manage`, `write`,`read`, and `view_index_metadata` index privileges for t

^1^ *NOTE*: If you're upgrading to {stack} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you're newly installing the {stack}, then users do not need privileges for the `.siem-signals-<space-id>` index.

a| {kib} space `All` privileges for the `Security` feature (refer to
{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges])
a|`All` for the `Security` feature

*NOTE:* You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

Expand All @@ -115,7 +113,7 @@ a| {kib} space `All` privileges for the `Security` feature (refer to

**NOTE**: Allows you to manage alerts, but not modify rules.
|N/A
a|The `maintenance`, `write`,`read`, and `view_index_metadata` index privileges for the following system indices and data streams, where `<space-id>` is the {kib} space name:
a|`maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:

* `.alerts-security.alerts-<space-id>`
* `.internal.alerts-security.alerts-<space-id>-*`
Expand All @@ -124,21 +122,19 @@ a|The `maintenance`, `write`,`read`, and `view_index_metadata` index privileges
* `.items-<space-id>`

^1^ *NOTE*: If you're upgrading to {stack} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you're newly installing the {stack}, then users do not need privileges for the `.siem-signals-<space-id>` index.
|{kib} space `Read` privileges for the `Security` feature (refer to
{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges])
|`Read` for the `Security` feature

|Create the `.lists` and `.items` data streams in your {kib} space
|Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the `.lists` and `.items` data streams, you must visit the Rules page for each appropriate {kib} space.
**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space.

|The `manage` privilege
a| The `manage`, `write`,`read`, and `view_index_metadata` index privileges for the following data streams, where `<space-id>` is the {kib} space name:
|`manage`
a|`manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:

* `.lists-<space-id>`
* `.items-<space-id>`

|{kib} space `All` privileges for the `Security` and `Saved Objects Management`
features (refer to {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges])
|`All` for the `Security` and `Saved Objects Management` features

|==============================================

29 changes: 13 additions & 16 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -13,7 +13,7 @@ To create a new detection rule, follow these steps:
. Configure basic rule settings.
. Configure advanced rule settings (optional).
. Set the rule's schedule.
. Set up alert notifications (optional).
. Set up rule actions (optional).
. Set up response actions (optional).

.Requirements
Expand Down Expand Up @@ -616,9 +616,6 @@ run exactly at its scheduled time.
`Additional look-back time` are _not_ created.
==============
. Click *Continue*. The *Rule actions* pane is displayed.
+
[role="screenshot"]
image::images/available-action-types.png[Available connector types]

. Do either of the following:

Expand All @@ -627,23 +624,26 @@ image::images/available-action-types.png[Available connector types]

[float]
[[rule-notifications]]
=== Set up alert notifications (optional)
=== Set up rule actions (optional)

Use {kib} Actions to set up notifications sent via other systems when alerts
Use {kib} actions to set up notifications sent via other systems when alerts
are generated.

NOTE: To use {kib} Actions for alert notifications, you need the
NOTE: To use {kib} actions for alert notifications, you need the
https://www.elastic.co/subscriptions[appropriate license] and your role needs *All* privileges for the *Action and Connectors* feature. For more information, see <<case-permissions>>.

. Select a connector type to determine how notifications are sent. For example, if you select the {jira} connector, notifications are sent to your {jira} system.
+
NOTE: Each action type requires a connector. Connectors store the
[NOTE]
=====
Each action type requires a connector. Connectors store the
information required to send the notification from the external system. You can
configure connectors while creating the rule or in *{stack-manage-app}* -> *{connectors-ui}*. For more
information, see {kibana-ref}/action-types.html[Action and connector types].
+
[role="screenshot"]
image::images/available-action-types.png[Available connector types]
Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the {kibana-ref}/cases-action-type.html[Cases connector]
=====

. After you select a connector, set its action frequency to define when notifications are sent:

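Review bot: the new sentence "Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the ... Cases connector" is missing its terminating period. Also, the lone `+` line placed before `[role="screenshot"]` inside the `[NOTE]` delimited block is a list-continuation marker that is not needed within a delimited block; check the rendered page to make sure it does not appear as a literal `+`.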
Expand Down Expand Up @@ -775,18 +775,15 @@ Example using the mustache "current element" notation `{{.}}` to output all the

[float]
[[rule-response-action]]
=== Set up response actions (optional)
Use Response Actions to set up additional functionality that will run whenever a rule executes:
==== Set up response actions (optional)
Use response actions to set up additional functionality that will run whenever a rule executes:

* **Osquery**: Include live Osquery queries with a custom query rule. When an alert is generated, Osquery automatically collects data on the system related to the alert. Refer to <<osquery-response-action>> to learn more.

* **{elastic-defend}**: Automatically run response actions on an endpoint when rule conditions are met. For example, you can automatically isolate a host or terminate a process when specific activities or events are detected on the host. Refer to <<automated-response-actions>> to learn more.

IMPORTANT: Host isolation involves quarantining a host from the network to prevent further spread of threats and limit potential damage. Be aware that automatic host isolation can cause unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.

[role="screenshot"]
image::images/available-response-actions.png[Shows available response actions]

[discrete]
[[preview-rules]]
=== Preview your rule (optional)
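Review bot: the heading "Set up response actions (optional)" is demoted from `===` to `====`, which nests it under "Set up rule actions", while the following "Preview your rule (optional)" heading stays at `===`. The numbered step list at the top of the file still treats response actions as its own step alongside rule actions, so either keep `===` here or update the step list and `[[rule-response-action]]` section placement to reflect the intended nesting.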
3 changes: 1 addition & 2 deletions docs/getting-started/advanced-setting.asciidoc
Expand Up @@ -20,8 +20,7 @@ pages
* Whether related integrations are displayed on the Rules page tables
* The options provided in the alert tag menu

You need `All` privileges for the *Advanced Settings* feature to change these
settings (refer to {kibana-ref}/kibana-privileges.html[Kibana privileges]).
To change these settings, you need `All` privileges for the *Advanced Settings* {kibana-ref}/kibana-privileges.html[{kib} feature].

WARNING: Modifying advanced settings can affect Kibana performance and cause
problems that are difficult to diagnose. Setting a property value to a blank