diff --git a/reference/security/fields-and-object-schemas/alert-schema.md b/reference/security/fields-and-object-schemas/alert-schema.md
index 3ef820fdbe..2ac960799f 100644
--- a/reference/security/fields-and-object-schemas/alert-schema.md
+++ b/reference/security/fields-and-object-schemas/alert-schema.md
@@ -37,12 +37,12 @@ The non-ECS fields listed below are beta and subject to change.
| [`client.*`](ecs://reference/ecs-client.md) | ECS `client.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`cloud.*`](ecs://reference/ecs-cloud.md) | ECS `cloud.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`container.*`](ecs://reference/ecs-container.md) | ECS `container.* fields` copied from the source document, if present, for custom query and indicator match rules. |
-| [`data_stream.*`](ecs://reference/ecs-data_stream.md) | ECS `data_stream.*` fields copied from the source document, if present, for custom query and indicator match rules.
NOTE: These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords. |
+| [`data_stream.*`](ecs://reference/ecs-data_stream.md) | ECS `data_stream.*` fields copied from the source document, if present, for custom query and indicator match rules.
**Note:** These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords. |
| [`destination.*`](ecs://reference/ecs-destination.md) | ECS `destination.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`dll.*`](ecs://reference/ecs-dll.md) | ECS `dll.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`dns.*`](ecs://reference/ecs-dns.md) | ECS `dns.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`error.*`](ecs://reference/ecs-error.md) | ECS `error.*` fields copied from the source document, if present, for custom query and indicator match rules. |
-| [`event.*`](ecs://reference/ecs-event.md) | ECS `event.*` fields copied from the source document, if present, for custom query and indicator match rules.
NOTE: categorization fields above (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above. |
+| [`event.*`](ecs://reference/ecs-event.md) | ECS `event.*` fields copied from the source document, if present, for custom query and indicator match rules.
**Note:** categorization fields above (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above. |
| [`file.*`](ecs://reference/ecs-file.md) | ECS `file.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`group.*`](ecs://reference/ecs-group.md) | ECS `group.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`host.*`](ecs://reference/ecs-host.md) | ECS `host.*` fields copied from the source document, if present, for custom query and indicator match rules. |
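Review bot: the rewritten `event.*` row still says "categorization fields above (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above", with "above" twice; since the row is being touched anyway, drop the first one so it reads "categorization fields (`event.kind`, …) are listed separately above". In the unchanged `container.*` row just before it, the closing backtick sits after "fields" (`container.* fields`) instead of after `*`, so the word "fields" renders as code; worth fixing in the same pass.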
@@ -56,7 +56,7 @@ The non-ECS fields listed below are beta and subject to change.
| [`process.*`](ecs://reference/ecs-process.md) | ECS `process.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`registry.*`](ecs://reference/ecs-registry.md) | ECS `registry.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`related.*`](ecs://reference/ecs-related.md) | ECS `related.*` fields copied from the source document, if present, for custom query and indicator match rules. |
-| [`rule.*`](ecs://reference/ecs-rule.md) | ECS `rule.*` fields copied from the source document, if present, for custom query and indicator match rules.
NOTE: These fields are not related to the detection rule that generated the alert. |
+| [`rule.*`](ecs://reference/ecs-rule.md) | ECS `rule.*` fields copied from the source document, if present, for custom query and indicator match rules.
**Note:** These fields are not related to the detection rule that generated the alert. |
| [`server.*`](ecs://reference/ecs-server.md) | ECS `server.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`service.*`](ecs://reference/ecs-service.md) | ECS `service.*` fields copied from the source document, if present, for custom query and indicator match rules. |
| [`source.*`](ecs://reference/ecs-source.md) | ECS `source.*` fields copied from the source document, if present, for custom query and indicator match rules. |
@@ -136,7 +136,7 @@ The non-ECS fields listed below are beta and subject to change.
| `kibana.alert.suppression.start` | The timestamp of the first document in the suppression group.
Type: date |
| `kibana.alert.suppression.end` | The timestamp of the last document in the suppression group.
Type: date |
| `kibana.alert.suppression.docs_count` | The number of suppressed alerts.
Type: long |
-| `kibana.alert.url` | The shareable URL for the alert.
NOTE: This field appears only if you’ve set the [`server.publicBaseUrl`](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) configuration setting in the `kibana.yml` file.
Type: long |
+| `kibana.alert.url` | The shareable URL for the alert.
**Note:** This field appears only if you’ve set the [`server.publicBaseUrl`](kibana://reference/configuration-reference/general-settings.md#server-publicbaseurl) configuration setting in the `kibana.yml` file.
Type: long |
| `kibana.alert.workflow_tags` | List of tags added to an alert.
This field can contain an array of values, for example: `["False Positive", "production"]`
Type: keyword
|
| `kibana.alert.workflow_assignee_ids` | List of users assigned to an alert.
An array of unique identifiers (UIDs) for user profiles, for example: `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]`
UIDs are linked to user profiles that are automatically created when users first log into a deployment. These profiles contain names, emails, profile avatars, and other user settings.
Type: string[]
|
| `kibana.alert.intended_timestamp` | Shows the alert’s estimated timestamp, had the alert been created when the source event initially occurred. The value in this field is determined by the way the rule was run:
- **Scheduled run**: Alerts created by scheduled runs have the same timestamp as the `@timestamp` field, which shows when the alert was created.
- **Manual run**: Alerts created by manual runs have a timestamp that falls within the time range specified for the manual run. For example, if you set a rule to manually run on event data from `10/01/2024 05:00 PM` to `10/07/2024 05:00 PM`, the `kibana.alert.intended_timestamp` value will be a date and time within that range.
Type: date
|
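Review bot: the `kibana.alert.url` row keeps `Type: long` while describing "The shareable URL for the alert"; a URL is not a numeric type, so please confirm the actual mapping and correct the type (presumably `keyword`) rather than only restyling the note. In the trailing context, the `kibana.alert.workflow_assignee_ids` example `["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]` wraps both UIDs in one string; each UID should be its own quoted element. That row's `Type: string[]` also differs from the `Type: keyword` used for `workflow_tags` two rows up, so the two type conventions should be reconciled.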
diff --git a/reference/security/fields-and-object-schemas/timeline-object-schema.md b/reference/security/fields-and-object-schemas/timeline-object-schema.md
index 21bc9a51bc..8e6578b01d 100644
--- a/reference/security/fields-and-object-schemas/timeline-object-schema.md
+++ b/reference/security/fields-and-object-schemas/timeline-object-schema.md
@@ -42,22 +42,22 @@ This screenshot maps the Timeline UI components to their JSON objects:
| `createdBy` | String | The user who created the Timeline. |
| $$$timeline-object-dropzone$$$`dataProviders` | [dataProviders[]](#dataProvider-obj) | Object containing dropzone queryclauses. |
| $$$timeline-object-dataViewId$$$`dataViewId` | String | ID of the Timeline’s Data View, for example: `"dataViewId":"security-solution-default"`. |
-| $$$timeline-object-daterange$$$`dateRange` | dateRange | The Timeline’s search period:
* `end`: The time up to which events are searched, using a 13-digit Epoch timestamp.
* `start`: The time from which events are searched, using a 13-digit Epoch timestamp.
|
+| $$$timeline-object-daterange$$$`dateRange` | dateRange | The Timeline’s search period:
- `end`: The time up to which events are searched, using a 13-digit Epoch timestamp.
- `start`: The time from which events are searched, using a 13-digit Epoch timestamp.
|
| `description` | String | The Timeline’s description. |
| $$$timeline-object-event-notes$$$`eventNotes` | [eventNotes[]](#eventNotes-obj) | Notes added to specific events in the Timeline. |
-| `eventType` | String | Event types displayed in the Timeline, which can be:
* `All data sources`
* `Events`: Event sources only
* `Detection Alerts`: Detection alerts only
|
+| `eventType` | String | Event types displayed in the Timeline, which can be:
- `All data sources`
- `Events`: Event sources only
- `Detection Alerts`: Detection alerts only
|
| `favorite` | [favorite[]](#favorite-obj) | Indicates when and who marked aTimeline as a favorite. |
| $$$timeline-object-filters$$$`filters` | [filters[]](#filters-obj) | Filters usedin addition to the dropzone query. |
| $$$timeline-object-global-notes$$$`globalNotes` | [globalNotes[]](#globalNotes-obj) | Global notes added to the Timeline. |
-| $$$timeline-object-kqlmode$$$`kqlMode` | String | Indicates whether the KQL bar filters the dropzone query results or searches for additional results, where:
* `filter`: filters dropzone query results
* `search`: displays additional search results
|
+| $$$timeline-object-kqlmode$$$`kqlMode` | String | Indicates whether the KQL bar filters the dropzone query results or searches for additional results, where:
- `filter`: filters dropzone query results
- `search`: displays additional search results
|
| $$$timeline-object-kqlquery$$$`kqlQuery` | [kqlQuery](#kqlQuery-obj) | KQL barquery. |
| `pinnedEventIds` | pinnedEventIds[] | IDs of events pinned to the Timeline’ssearch results. |
| `savedObjectId` | String | The Timeline’s saved object ID. |
| `savedQueryId` | String | If used, the saved query ID used to filter or searchdropzone query results. |
-| `sort` | sort | Object indicating how rows are sorted in the Timeline’s grid:
* `columnId` (string): The ID of the column used to sort results.
* `sortDirection` (string): The sort direction, which can be either `desc` or `asc`.
|
+| `sort` | sort | Object indicating how rows are sorted in the Timeline’s grid:
- `columnId` (string): The ID of the column used to sort results.
- `sortDirection` (string): The sort direction, which can be either `desc` or `asc`.
|
| `templateTimelineId` | String | A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
|
| `templateTimelineVersion` | Integer | Timeline template version number. ForTimelines, the value is `null`. |
-| $$$timeline-object-typeField$$$`timelineType` | String | Indicates whether the Timeline is a template or not, where:
* `default`: Indicates a Timeline used to actively investigate events.
* `template`: Indicates a Timeline template used when detection rule alerts are investigated in Timeline.
|
+| $$$timeline-object-typeField$$$`timelineType` | String | Indicates whether the Timeline is a template or not, where:
- `default`: Indicates a Timeline used to actively investigate events.
- `template`: Indicates a Timeline template used when detection rule alerts are investigated in Timeline.
|
| $$$timeline-object-title$$$`title` | String | The Timeline’s title. |
| `updated` | Float | The last time the Timeline was updated, using a13-digit Epoch timestamp. |
| `updatedBy` | String | The user who last updated the Timeline. |
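Review bot: the context rows in this table have words run together that a reformatting pass over the same table should pick up: "marked aTimeline", "Filters usedin addition", "KQL barquery", "Timeline’ssearch results", "searchdropzone query results", "ForTimelines, the value is `null`" and "a13-digit Epoch timestamp" each need a space inserted. The `templateTimelineId` row also closes its `|` on a separate line while the rows above and below close inline; since this hunk is normalizing list markers in the same table, closing that row on one line keeps the layout consistent.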
@@ -86,7 +86,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
| `excluded` | Boolean | Indicates if the dropzone query clause uses `NOT` logic. |
| `id` | String | The dropzone query clause’s unique ID. |
| `name` | String | The dropzone query clause’s name (the clause’s valuewhen Timelines are exported from the UI). |
-| `queryMatch` | queryMatch | The dropzone query clause:
* `field` (string): The field used to search Security indices.
* `operator` (string): The clause’s operator, which can be:
* `:` - The `field` has the specified `value`.
* `:*` - The field exists.
* `value` (string): The field’s value used to match results.
|
+| `queryMatch` | queryMatch | The dropzone query clause:
- `field` (string): The field used to search Security indices.
- `operator` (string): The clause’s operator, which can be:
- `:` - The `field` has the specified `value`.
- `:*` - The field exists.
- `value` (string): The field’s value used to match results.
|
## eventNotes object [eventNotes-obj]
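Review bot: in the rewritten `queryMatch` row the two operator values `:` and `:*` are meant to be nested under the `operator` bullet, but they are written at the same indentation as `field`, `operator` and `value`, so they will render as five sibling items and the lead-in "The clause’s operator, which can be:" is left dangling; indent the two operator lines one level. The unchanged `name` row in the same hunk reads "the clause’s valuewhen Timelines are exported" and needs a space.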
@@ -119,7 +119,7 @@ This screenshot maps the Timeline UI components to their JSON objects:
| Name | Type | Description |
| --- | --- | --- |
| `exists` | String | [Exists term query](elasticsearch://reference/query-languages/query-dsl/query-dsl-exists-query.md) for thespecified field (`null` when undefined). For example, `{"field":"user.name"}`. |
-| `meta` | meta | Filter details:
* `alias` (string): UI filter name.
* `disabled` (boolean): Indicates if the filter is disabled.
* `key`(string): Field name or unique string ID.
* `negate` (boolean): Indicates if the filter query clause uses `NOT` logic.
* `params` (string): Value of `phrase` filter types.
* `type` (string): Type of filter. For example, `exists` and `range`. For more information about filtering, see [Query DSL](elasticsearch://reference/query-languages/querydsl.md).
|
+| `meta` | meta | Filter details:
- `alias` (string): UI filter name.
- `disabled` (boolean): Indicates if the filter is disabled.
- `key`(string): Field name or unique string ID.
- `negate` (boolean): Indicates if the filter query clause uses `NOT` logic.
- `params` (string): Value of `phrase` filter types.
- `type` (string): Type of filter. For example, `exists` and `range`. For more information about filtering, see [Query DSL](elasticsearch://reference/query-languages/querydsl.md).
|
| `match_all` | String | [Match all term query](elasticsearch://reference/query-languages/query-dsl/query-dsl-match-all-query.md)for the specified field (`null` when undefined). |
| `query` | String | [DSL query](elasticsearch://reference/query-languages/querydsl.md) (`null` when undefined). Forexample, `{"match_phrase":{"ecs.version":"1.4.0"}}`. |
| `range` | String | [Range query](elasticsearch://reference/query-languages/query-dsl/query-dsl-range-query.md) (`null` whenundefined). For example, `{"@timestamp":{"gte":"now-1d","lt":"now"}}"`. |
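Review bot: the item `- `key`(string): Field name or unique string ID.` is missing the space before "(string)" that every other entry in the `meta` list has. The context rows around the hunk also carry run-together words ("for thespecified field", ")for the specified field", "`null` whenundefined", "Forexample"), and the `range` example `{"@timestamp":{"gte":"now-1d","lt":"now"}}"` has a stray trailing quote after `}}`, so the example is not valid JSON as shown.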
@@ -143,5 +143,5 @@ This screenshot maps the Timeline UI components to their JSON objects:
| Name | Type | Description |
| --- | --- | --- |
-| `filterQuery` | filterQuery | Object containing query details:
* `kuery`: Object containing the query’s clauses and type:
* `expression`(string): The query’s clauses.
* `kind` (string): The type of query, which can be `kuery` or `lucene`.
* `serializedQuery` (string): The query represented in JSON format.
|
+| `filterQuery` | filterQuery | Object containing query details:
- `kuery`: Object containing the query’s clauses and type:
- `expression`(string): The query’s clauses.
- `kind` (string): The type of query, which can be `kuery` or `lucene`.
- `serializedQuery` (string): The query represented in JSON format.
|
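Review bot: same two points as the `queryMatch` row earlier in this file: `- `expression`(string)` lacks the space before "(string)", and `expression` and `kind` are described as children of `kuery` ("Object containing the query’s clauses and type:") but sit at the same indentation as `kuery` and `serializedQuery`, so they render as four siblings instead of a nested list.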
diff --git a/solutions/security/ai/ai-assistant.md b/solutions/security/ai/ai-assistant.md
index 5e49f96b27..2cc5e16b09 100644
--- a/solutions/security/ai/ai-assistant.md
+++ b/solutions/security/ai/ai-assistant.md
@@ -121,7 +121,7 @@ The **Security AI settings** page allows you to configure AI Assistant. To acces
It has the following tabs:
-* **Conversations:** When you open AI Assistant from certain pages, such as ***Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
+* **Conversations:** When you open AI Assistant from certain pages, such as **Alerts**, it defaults to the relevant conversation type. For each conversation type, choose the default System Prompt, the default connector, and the default model (if applicable). The **Streaming** setting controls whether AI Assistant’s responses appear word-by-word (streamed), or as a complete block of text. Streaming is currently only available for OpenAI models.
* **Connectors:** Manage all LLM connectors.
* **System Prompts:** Edit existing System Prompts or create new ones. To create a new System Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the System Prompt’s text. Under **Contexts**, select where the System Prompt should appear.
* **Quick Prompts:** Modify existing Quick Prompts or create new ones. To create a new Quick Prompt, type a unique name in the **Name** field, then press **enter**. Under **Prompt**, enter or update the Quick Prompt’s text.
@@ -137,7 +137,7 @@ To modify Anonymization settings, you need the **Elastic AI Assistant: All** pri
::::
-The **Anonymization** tab of the Security AI settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed*** toggled on are included in events provided to AI Assistant. ***Allowed*** fields with ***Anonymized** set to **Yes** are included, but with their values obfuscated.
+The **Anonymization** tab of the Security AI settings menu allows you to define default data anonymization behavior for events you send to AI Assistant. Fields with **Allowed** toggled on are included in events provided to AI Assistant. **Allowed** fields with **Anonymized** set to **Yes** are included, but with their values obfuscated.
::::{note}
You can access anonymization settings directly from the **Attack Discovery** page by clicking the settings () button next to the model selection dropdown menu.
diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md
index a33ab521df..7857dc341a 100644
--- a/solutions/security/ai/attack-discovery.md
+++ b/solutions/security/ai/attack-discovery.md
@@ -57,7 +57,7 @@ When you access Attack Discovery for the first time, you’ll need to select an
It may take from a few seconds up to several minutes to generate discoveries, depending on the number of alerts and the model you selected.
::::{important}
-By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon () next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
+By default, Attack Discovery analyzes up to 100 alerts within this timeframe, but you can expand this up to 500 by clicking the settings icon () next to the model selection menu and adjusting the **Alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error.
::::
@@ -92,7 +92,7 @@ Each discovery includes the following information describing the potential threa
There are several ways you can incorporate discoveries into your {{elastic-sec}} workflows:
* Click an entity’s name to open the entity details flyout and view more details that may be relevant to your investigation.
-* Hover over an entity’s name to either add the entity to Timeline () or copy its field name and value to the clipboard ().
+* Hover over an entity’s name to either add the entity to Timeline () or copy its field name and value to the clipboard ().
* Click **Take action**, then select **Add to new case** or **Add to existing case** to add a discovery to a [case](/solutions/security/investigate/cases.md). This makes it easy to share the information with your team and other stakeholders.
* Click **Investigate in timeline** to explore the discovery in [Timeline](/solutions/security/investigate/timeline.md).
* Click **View in AI Assistant** to attach the discovery to a conversation with AI Assistant. You can then ask follow-up questions about the discovery or associated alerts.
diff --git a/solutions/security/ai/connect-to-amazon-bedrock.md b/solutions/security/ai/connect-to-amazon-bedrock.md
index 330f086de5..74fc05a309 100644
--- a/solutions/security/ai/connect-to-amazon-bedrock.md
+++ b/solutions/security/ai/connect-to-amazon-bedrock.md
@@ -82,7 +82,7 @@ Create the access keys that will authenticate your Elastic connector:
2. Search for the user you just created, and click its name.
3. Go to the **Security credentials** tab.
4. Under **Access keys**, click **Create access key**.
-5. Select **Third-party service**, check the box under **Confirmation***, click ***Next**, then click **Create access key**.
+5. Select **Third-party service**, check the box under **Confirmation**, click **Next**, then click **Create access key**.
6. Click **Download .csv file** to download the key. Store it securely.
The following video demonstrates these steps.
diff --git a/solutions/security/ai/connect-to-google-vertex.md b/solutions/security/ai/connect-to-google-vertex.md
index df4cec3ebf..9d3760a529 100644
--- a/solutions/security/ai/connect-to-google-vertex.md
+++ b/solutions/security/ai/connect-to-google-vertex.md
@@ -32,18 +32,7 @@ Before continuing, you should have an active project in one of Google Vertex AI
The following video demonstrates these steps.
-::::{admonition}
-
-
-
-::::
+[](https://videos.elastic.co/watch/vFhtbiCZiKhvdZGy2FjyeT?)
::::{note}
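Review bot: the replacement `[](https://videos.elastic.co/watch/vFhtbiCZiKhvdZGy2FjyeT?)` has empty link text, so it renders as an anchor with nothing to click on and nothing for screen readers or plain-text views to announce; give it visible text (for example the video's title) and drop the trailing `?`, which only adds an empty query string. The same applies to the three identical replacements later in this file.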
@@ -63,19 +52,7 @@ For more information about enabling the Vertex AI API, refer to [Google’s docu
The following video demonstrates these steps.
-::::{admonition}
-
-
-
-::::
-
+[](https://videos.elastic.co/watch/tmresYYiags2w2nTv3Gac8?)
## Generate a key [_generate_an_api_key]
@@ -87,18 +64,7 @@ The following video demonstrates these steps.
The following video demonstrates these steps.
-::::{admonition}
-
-
-
-::::
+[](https://videos.elastic.co/watch/hrcy3F9AodwhJcV1i2yqbG?)
@@ -117,15 +83,5 @@ Finally, configure the connector in your Elastic deployment:
The following video demonstrates these steps.
-::::{admonition}
-
-
-
-::::
+
+[](https://videos.elastic.co/watch/8L2WPm2HKN1cH872Gs5uvL?)
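Review bot: the blank `+` line inserted before the link here is not present in the three earlier replacements in this file, so the four video embeds end up with inconsistent spacing after "The following video demonstrates these steps."; drop it here or add it to the others.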
diff --git a/solutions/security/ai/large-language-model-performance-matrix.md b/solutions/security/ai/large-language-model-performance-matrix.md
index 2e04f26fee..4add6d2287 100644
--- a/solutions/security/ai/large-language-model-performance-matrix.md
+++ b/solutions/security/ai/large-language-model-performance-matrix.md
@@ -41,7 +41,7 @@ Models from third-party LLM providers.
Models you can [deploy yourself](/solutions/security/ai/connect-to-own-local-llm.md).
-| **Feature** | | **Assistant - General** | **Assistant - {{esql}} generation** | **Assistant - Alert questions** | **Assistant - Knowledge retrieval** | **Attack Discovery** |
+| **Feature** | - | **Assistant - General** | **Assistant - {{esql}} generation** | **Assistant - Alert questions** | **Assistant - Knowledge retrieval** | **Attack Discovery** |
| --- | --- | --- | --- | --- | --- | --- |
| **Model** | **Mistral Nemo** | Good | Good | Great | Good | Poor |
| | **LLama 3.2** | Good | Poor | Good | Poor | Poor |
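Review bot: a literal `-` in the second header cell renders as a visible dash above the model-name column; if the goal is to satisfy a parser that rejects an empty header cell, `&nbsp;` or a descriptive header such as **Model** reads better than a dash, and then the leading **Model** label in the first body row can go. Separately, the context row spells the model "LLama 3.2"; the product name is "Llama" with a single capital L.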
diff --git a/solutions/security/cloud/get-started-with-cspm-for-azure.md b/solutions/security/cloud/get-started-with-cspm-for-azure.md
index 8c72689194..b814aa804a 100644
--- a/solutions/security/cloud/get-started-with-cspm-for-azure.md
+++ b/solutions/security/cloud/get-started-with-cspm-for-azure.md
@@ -109,7 +109,7 @@ This method involves creating an Azure VM (or using an existing one), giving it
After assigning the role:
1. Return to the **Add CSPM** page in {{kib}}.
-2. Under **Configure integration**, select **Azure***. Under ***Setup access**, select **Manual**.
+2. Under **Configure integration**, select **Azure**. Under **Setup access**, select **Manual**.
3. Under **Where to add this integration**, select **New hosts**.
4. Click **Save and continue**, then follow the instructions to install {{agent}} on your Azure VM.
diff --git a/solutions/security/detect-and-alert/detections-requirements.md b/solutions/security/detect-and-alert/detections-requirements.md
index fcafefb237..eff3c20213 100644
--- a/solutions/security/detect-and-alert/detections-requirements.md
+++ b/solutions/security/detect-and-alert/detections-requirements.md
@@ -51,12 +51,12 @@ The following table describes the required privileges to access the Detections f
| Action | Cluster Privileges | Index Privileges | Kibana Privileges |
| --- | --- | --- | --- |
-| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
* `.alerts-security.alerts-`
* `.siem-signals-` 1
* `.lists-`
* `.items-`
1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature |
-| Enable detections in all spaces
**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:
* `.alerts-security.alerts-`
* `.siem-signals-` 1
* `.lists-`
* `.items-`
1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature |
-| Preview rules | N/A | `read` for these indices:
* `.preview.alerts-security.alerts-`
* `.internal.preview.alerts-security.alerts--*`
| `All` for the `Security` feature |
-| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
* `.alerts-security.alerts-* `.siem-signals-`1
* `.lists-`
* `.items-`
1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature
**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:
* To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
* To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
|
-| Manage alerts
**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
* `.alerts-security.alerts-`
* `.internal.alerts-security.alerts--*`
* `.siem-signals-`1
* `.lists-`
* `.items-`
1 **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `Read` for the `Security` feature |
-| Create the `.lists` and `.items` data streams in your space
**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:
* `.lists-`
* `.items-`
| `All` for the `Security` and `Saved Objects Management` features |
+| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`
^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature |
+| Enable detections in all spaces
**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:
- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`
^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature |
+| Preview rules | N/A | `read` for these indices:
- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| `All` for the `Security` feature |
+| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`
^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature
**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:
- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
|
+| Manage alerts
**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:
- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`
^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `Read` for the `Security` feature |
+| Create the `.lists` and `.items` data streams in your space
**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:
- `.lists-`
- `.items-`
| `All` for the `Security` and `Saved Objects Management` features |
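Review bot: the footnote marker is placed inconsistently across the rewritten rows: `.siem-signals-` ^1^ (with a space) in the two "Enable detections" rows versus `.siem-signals-`^1^ (no space) in the Manage rules and Manage alerts rows; pick one form. Splitting the old `.alerts-security.alerts-* `.siem-signals-`1` line into two list items in the Manage rules row fixes a real rendering bug and is welcome. Two problems are carried over unchanged: every index pattern ends in a bare trailing hyphen (`.alerts-security.alerts-`, `.lists-`, `.items-`) and the lead-in reads "where `` is the space name" with empty backticks, so the space-id placeholder that belongs after each hyphen appears to have been lost and should be restored before merge; and the same cell refers to the feature as both `Action and Connectors` and `Actions and Connectors`.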
### Authorization [alerting-auth-model]
diff --git a/solutions/security/detect-and-alert/launch-timeline-from-investigation-guides.md b/solutions/security/detect-and-alert/launch-timeline-from-investigation-guides.md
index 40ee36dbe0..54c7115c14 100644
--- a/solutions/security/detect-and-alert/launch-timeline-from-investigation-guides.md
+++ b/solutions/security/detect-and-alert/launch-timeline-from-investigation-guides.md
@@ -88,7 +88,7 @@ The following syntax defines a query button in an interactive investigation guid
| `!{investigate{ }}` | The container object holding all the query button’s configuration attributes. |
| `label` | Identifying text on the button. |
| `description` | Additional text included with the button. |
-| `providers` | A two-level nested array that defines the query to run in Timeline. Similar to the structure of queries in Timeline, items in the outer level are joined by an `OR` relationship, and items in the inner level are joined by an `AND` relationship.
Each item in `providers` corresponds to a filter created in the query builder UI and is defined by these attributes:
* `field`: The name of the field to query.
* `excluded`: Whether the query result is excluded (such as **is not one of**) or included (**is one of**).
* `queryType`: The query type used to filter events, based on the filter’s operator. For example, `phrase` or `range`.
* `value`: The value to search for. Either a hard-coded literal value, or the name of an alert field (in double curly brackets) whose value you want to use as a query parameter.
* `valueType`: The data type of `value`, such as `string` or `boolean`.
|
+| `providers` | A two-level nested array that defines the query to run in Timeline. Similar to the structure of queries in Timeline, items in the outer level are joined by an `OR` relationship, and items in the inner level are joined by an `AND` relationship.
Each item in `providers` corresponds to a filter created in the query builder UI and is defined by these attributes:
- `field`: The name of the field to query.
- `excluded`: Whether the query result is excluded (such as **is not one of**) or included (**is one of**).
- `queryType`: The query type used to filter events, based on the filter’s operator. For example, `phrase` or `range`.
- `value`: The value to search for. Either a hard-coded literal value, or the name of an alert field (in double curly brackets) whose value you want to use as a query parameter.
- `valueType`: The data type of `value`, such as `string` or `boolean`.
|
| `relativeFrom`, `relativeTo` | (Optional) The start and end, respectively, of the relative time range for the query. Times are relative to the alert’s creation time, represented as `now` in [date math](elasticsearch://reference/elasticsearch/rest-apis/common-options.md#date-math) format. For example, selecting **Last 15 minutes** in the query builder form creates the syntax `"relativeFrom": "now-15m", "relativeTo": "now"`. |
::::{note}
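Review bot: the `excluded` attribute in the rewritten `providers` cell is described only as "Whether the query result is excluded ... or included", while `valueType` gets its accepted values spelled out (`string`, `boolean`). Suggest stating the accepted values for `excluded` the same way (e.g. `true`/`false`), so someone hand-writing an `!{investigate{ }}` block does not have to guess the literal. The bullet-marker change from `*` to `-` is otherwise consistent within the hunk, and the cell still closes with the lone `|` line as before, so no behavioural change there.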
diff --git a/solutions/security/elastic-security-serverless.md b/solutions/security/elastic-security-serverless.md
index 5a3e9d0db8..e84e50c8dc 100644
--- a/solutions/security/elastic-security-serverless.md
+++ b/solutions/security/elastic-security-serverless.md
@@ -25,15 +25,15 @@ Serverless projects provide you with the existing {{elastic-sec}} on-premise and
## Get started [_get_started_2]
-* [**Create a Security project**](get-started/create-security-project.md): Create your first serverless Security project.
-* [**Ingest data**](get-started/ingest-data-to-elastic-security.md): Learn how to add your own data to {{elastic-sec}}.
+* [Create a Security project](get-started/create-security-project.md): Create your first serverless Security project.
+* [Ingest data](get-started/ingest-data-to-elastic-security.md): Learn how to add your own data to {{elastic-sec}}.
## How to [_how_to_2]
-* [**Enable detection rules**](detect-and-alert.md): Activate prebuilt rules from Elastic, and create your own custom rules.
-* [**Protect endpoints**](configure-elastic-defend/install-elastic-defend.md): Install and configure real-time endpoint protection with {{elastic-defend}}.
-* [**Secure your cloud**](cloud.md): Improve cloud security posture, scan for vulnerabilities, and monitor workloads.
-* [**Triage and respond to alerts**](detect-and-alert/manage-detection-alerts.md): Analyze potential threats and launch investigations.
-* [**Investigate security events**](investigate.md): Query security event data and hunt for threats.
-* [**Visualize security data**](dashboards.md): Use prebuilt dashboards and create your own visualizations.
+* [Enable detection rules](detect-and-alert.md): Activate prebuilt rules from Elastic, and create your own custom rules.
+* [Protect endpoints](configure-elastic-defend/install-elastic-defend.md): Install and configure real-time endpoint protection with {{elastic-defend}}.
+* [Secure your cloud](cloud.md): Improve cloud security posture, scan for vulnerabilities, and monitor workloads.
+* [Triage and respond to alerts](detect-and-alert/manage-detection-alerts.md): Analyze potential threats and launch investigations.
+* [Investigate security events](investigate.md): Query security event data and hunt for threats.
+* [Visualize security data](dashboards.md): Use prebuilt dashboards and create your own visualizations.
diff --git a/solutions/security/get-started/elastic-security-ui.md b/solutions/security/get-started/elastic-security-ui.md
index d83f63f270..6cc1cd0268 100644
--- a/solutions/security/get-started/elastic-security-ui.md
+++ b/solutions/security/get-started/elastic-security-ui.md
@@ -227,33 +227,33 @@ Use your keyboard to interact with draggable elements in the Elastic Security UI
* Press the `Tab` key to apply keyboard focus to an element within a table. Or, use your mouse to click on an element and apply keyboard focus to it.
-:::{image} /solutions/images/security-timeline-accessiblity-keyboard-focus.gif
-:alt: timeline accessiblity keyboard focus
-:width: 650px
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-accessiblity-keyboard-focus.gif
+ :alt: timeline accessiblity keyboard focus
+ :width: 650px
+ :screenshot:
+ :::
* Press `Enter` on an element with keyboard focus to display its menu and press `Tab` to apply focus sequentially to menu options. The `f`, `o`, `a`, `t`, `c` hotkeys are automatically enabled during this process and offer an alternative way to interact with menu options.
-:::{image} /solutions/images/security-timeline-accessiblity-keyboard-focus-hotkeys.gif
-:alt: timeline accessiblity keyboard focus hotkeys
-:width: 500px
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-accessiblity-keyboard-focus-hotkeys.gif
+ :alt: timeline accessiblity keyboard focus hotkeys
+ :width: 500px
+ :screenshot:
+ :::
* Press the spacebar once to begin dragging an element to a different location and press it a second time to drop it. Use the directional arrows to move the element around the UI.
-:::{image} /solutions/images/security-timeline-ui-accessiblity-drag-n-drop.gif
-:alt: timeline ui accessiblity drag n drop
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-ui-accessiblity-drag-n-drop.gif
+ :alt: timeline ui accessiblity drag n drop
+ :screenshot:
+ :::
* If an event has an event renderer, press the `Shift` key and the down directional arrow to apply keyboard focus to the event renderer and `Tab` or `Shift` + `Tab` to navigate between fields. To return to the cells in the current row, press the up directional arrow. To move to the next row, press the down directional arrow.
-:::{image} /solutions/images/security-timeline-accessiblity-event-renderers.gif
-:alt: timeline accessiblity event renderers
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-accessiblity-event-renderers.gif
+ :alt: timeline accessiblity event renderers
+ :screenshot:
+ :::
### Navigate the Elastic Security UI [timeline-tab]
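Review bot: the re-indented image directives keep the misspelling "accessiblity" in every `:alt:` value (`timeline accessiblity keyboard focus`, `timeline accessiblity keyboard focus hotkeys`, `timeline ui accessiblity drag n drop`, `timeline accessiblity event renderers`). The typo is baked into the `.gif` filenames, which is fine to leave, but alt text is what screen readers announce on an accessibility page, so fix it there: `:alt: timeline accessibility keyboard focus` and so on. The indentation change itself correctly nests each image under its bullet.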
@@ -262,30 +262,30 @@ Use your keyboard to navigate through rows, columns, and menu options in the Ela
* Use the directional arrows to move keyboard focus right, left, up, and down in a table.
-:::{image} /solutions/images/security-timeline-accessiblity-directional-arrows.gif
-:alt: timeline accessiblity directional arrows
-:width: 500px
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-accessiblity-directional-arrows.gif
+ :alt: timeline accessiblity directional arrows
+ :width: 500px
+ :screenshot:
+ :::
* Press the `Tab` key to navigate through a table cell with multiple elements, such as buttons, field names, and menus. Pressing the `Tab` key will sequentially apply keyboard focus to each element in the table cell.
-:::{image} /solutions/images/security-timeline-accessiblity-tab-keys.gif
-:alt: timeline accessiblity tab keys
-:width: 400px
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-accessiblity-tab-keys.gif
+ :alt: timeline accessiblity tab keys
+ :width: 400px
+ :screenshot:
+ :::
* Use `CTRL + Home` to shift keyboard focus to the first cell in a row. Likewise, use `CTRL + End` to move keyboard focus to the last cell in the row.
-:::{image} /solutions/images/security-timeline-accessiblity-shifting-keyboard-focus.gif
-:alt: timeline accessiblity shifting keyboard focus
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-accessiblity-shifting-keyboard-focus.gif
+ :alt: timeline accessiblity shifting keyboard focus
+ :screenshot:
+ :::
* Use the `Page Up` and `Page Down` keys to scroll through the page.
-:::{image} /solutions/images/security-timeline-accessiblity-page-up-n-down.gif
-:alt: timeline accessiblity page up n down
-:screenshot:
-:::
+ :::{image} /solutions/images/security-timeline-accessiblity-page-up-n-down.gif
+ :alt: timeline accessiblity page up n down
+ :screenshot:
+ :::
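Review bot: same `:alt:` misspelling ("accessiblity") carried through this hunk's four image directives; correct the alt text even if the asset filenames stay. Separately, the surrounding context formats key combinations inconsistently: this hunk has `CTRL + Home` and `CTRL + End` as a single code span, while the previous hunk writes `Shift` + `Tab` with each key in its own span and capitalises modifiers differently. Since the hunk already touches these list items, normalising to one convention here is cheap.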
diff --git a/solutions/security/get-started/ingest-data-to-elastic-security.md b/solutions/security/get-started/ingest-data-to-elastic-security.md
index 73669967bb..118517234a 100644
--- a/solutions/security/get-started/ingest-data-to-elastic-security.md
+++ b/solutions/security/get-started/ingest-data-to-elastic-security.md
@@ -16,7 +16,7 @@ To ingest data, you can use:
* The {{agent}} with integrations, which are available in the [Elastic Package Registry (EPR)](/reference/fleet/index.md#package-registry-intro). To install an integration that works with {{elastic-sec}}, go to the {{kib}} Home page or navigation menu and click **Add integrations**. On the Integrations page, click the **Security** category filter, then select an integration to view the installation instructions. For more information on integrations, refer to [{{integrations}}](https://docs.elastic.co/en/integrations).
* **{{beats}}** shippers installed for each system you want to monitor.
* The {{agent}} to send data from Splunk to {{elastic-sec}}. See [Get started with data from Splunk](/solutions/observability/get-started/add-data-from-splunk.md).
-* Third-party collectors configured to ship ECS-compliant data. [*Elastic Security ECS field reference*](/reference/security/fields-and-object-schemas/siem-field-reference.md) provides a list of ECS fields used in {{elastic-sec}}.
+* Third-party collectors configured to ship ECS-compliant data. [](/reference/security/fields-and-object-schemas/siem-field-reference.md) provides a list of ECS fields used in {{elastic-sec}}.
::::{important}
If you use a third-party collector to ship data to {{elastic-sec}}, you must map its fields to the [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current). Additionally, you must add its index to the {{elastic-sec}} indices (update the **`securitySolution:defaultIndex`** [advanced setting](/solutions/security/get-started/configure-advanced-settings.md#update-sec-indices)).
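Review bot: the changed bullet replaces the link text with an empty pair of brackets, `[](/reference/security/fields-and-object-schemas/siem-field-reference.md)`. In standard Markdown that renders as nothing, leaving the sentence as "... ECS-compliant data.  provides a list of ECS fields ...". If the docs builder is expected to substitute the target page's title for empty link text, that should be confirmed in the build output; otherwise keep explicit link text (the removed `*Elastic Security ECS field reference*` was serviceable).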
diff --git a/solutions/security/investigate/osquery.md b/solutions/security/investigate/osquery.md
index 9aa1f79a86..6f92b56609 100644
--- a/solutions/security/investigate/osquery.md
+++ b/solutions/security/investigate/osquery.md
@@ -243,7 +243,7 @@ When you save queries or add queries to a pack, you can optionally map Osquery r
* For saved queries: Open the **Saved queries** tab, and then click the edit icon for the query that you want to map.
* For packs: Open the **Packs** tab, edit a pack, and then click the edit icon for the query that you want to map.
-2. In the **ECS mapping** section, select an ***ECS field** to map.
+2. In the **ECS mapping** section, select an **ECS field** to map.
3. In the **Value** column, use the dropdown on the left to choose what type of value to map to the ECS field:
* **Osquery value**: Select an Osquery field. The fields available are based on the SQL query entered, and only include fields that the query returns. When the query runs, the ECS field is set dynamically to the value of the Osquery field selected.
diff --git a/troubleshoot/security/detection-rules.md b/troubleshoot/security/detection-rules.md
index 174dbed557..6433466db2 100644
--- a/troubleshoot/security/detection-rules.md
+++ b/troubleshoot/security/detection-rules.md
@@ -54,7 +54,7 @@ If you receive the following rule failure: `"An error occurred during rule execu
::::
-::::{dropdown} Indicator match rules are failing because the `maxClauseCount` limit is too low
+::::{dropdown} Indicator match rules are failing because the maxClauseCount limit is too low
:name: IM-rule-heap-memory
If you receive the following rule failure: `Bulk Indexing of signals failed: index: ".index-name" reason: "maxClauseCount is set to 1024" type: "too_many_clauses"`, this indicates that the limit for the total number of clauses that a query tree can have is too low. To update your maximum clause count, [increase the size of your {{es}} JVM heap memory](elasticsearch://reference/elasticsearch/jvm-settings.md#set-jvm-heap-size). 1 GB of {{es}} JVM heap size or more is sufficient.
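Review bot: the dropdown title drops the backticks around `maxClauseCount` while the body text on the next lines keeps the error string and setting name in code formatting. If inline code is not supported in `::::{dropdown}` titles, a one-line comment in the commit or a consistent convention across the other dropdowns in this file would help; if it is supported, the original formatting was the more accurate one since `maxClauseCount` is a literal from the error message.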