Merged
4 changes: 2 additions & 2 deletions docs/detections/detections-ui-exceptions.asciidoc
Expand Up @@ -113,7 +113,7 @@ image::images/exception-histogram.png[Detail of Exceptions tab, 75%]

* To add an exception from the Alerts table:
.. Go to *Detect* -> *Alerts*.
.. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* button (*...*), then select *Add rule exception*.
.. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*.

The *Add Rule Exception* flyout opens (the example below was opened from the Alerts table):
--
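Review bot: The changed step still writes the control as *More Actions* (capital A), while the matching Endpoint exception step later in this same file calls it *More actions*. Since the line is being touched anyway, pick the capitalization that matches the UI label and use it in both steps, so a reader looking for the menu sees one name.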
Expand Down Expand Up @@ -181,7 +181,7 @@ Additionally, to add an Endpoint exception to the Elastic {endpoint-sec} rule, t
* To add an Endpoint exception from the Alerts table:
.. Go to *Detect* -> *Alerts*.
.. Scroll down to the Alerts table, and from an Elastic Security Endpoint
alert, click the *More actions* button (*...*), then select *Add Endpoint exception*.
alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*.
--
+
The *Add Endpoint Exception* flyout opens, from either the rule details page or the Alerts table.
2 changes: 1 addition & 1 deletion docs/detections/rules-ui-monitor.asciidoc
Expand Up @@ -73,7 +73,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc

If you see values in the Gaps column in the Rule Monitoring table or on the Rule details page
for a small number of rules, you can increase those rules'
Additional look-back time (*Detect* -> *Rules* -> the rule's *All actions* button (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*).
Additional look-back time (*Detect* -> *Rules* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*).

It's recommended to set the `Additional look-back time` to at
least 1 minute. This ensures there are no missing alerts when a rule doesn't
2 changes: 1 addition & 1 deletion docs/management/admin/blocklist.asciidoc
Expand Up @@ -65,7 +65,7 @@ You can individually modify each blocklist entry. With a Platinum or Enterprise

To edit a blocklist entry:

. Click the actions menu (*...*) for the blocklist entry you want to edit, then select *Edit blocklist*.
. Click the actions menu (*...*) for the blocklist entry you want to edit, then select *Edit blocklist*.
. Modify details as needed.
. Click *Save*.
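Review bot: The removed and added versions of the first step ("Click the actions menu (*...*) for the blocklist entry you want to edit, then select *Edit blocklist*.") read identically as rendered, so the difference can only be whitespace or an invisible character. Say so in the PR description so the change is not taken for a no-op, and confirm the new line carries no stray character of its own.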

14 changes: 6 additions & 8 deletions docs/management/admin/event-filters.asciidoc
Expand Up @@ -63,23 +63,21 @@ NOTE: You can also select the `Per Policy` option without immediately assigning
[discrete]
== View and manage event filters

The **Event filters** list allows you to view and manage your endpoint event filters. To view the Event filters list, go to *Manage* -> *Event filters*. Event filters appear in reverse chronological order, with the most recently created at the top. Each filter has its own entry, which displays details such as the filter's name, operating system, date created, and conditions.

To refine the **Event filters** list, use the search bar to search by filter names, comments, and field values.
The **Event filters** page displays all the event filters that have been added to the {security-app}. To refine the list, use the search bar to search by filter name, description, comments, or field value.

[role="screenshot"]
image::images/event-filters-list.png[]

[discrete]
[[edit-event-filter]]
=== Edit an event filter
You can individually configure each event filter. With a Platinum or Enterprise subscription, you can also change the policies applied to each filter.
You can individually modify each event filter. With a Platinum or Enterprise subscription, you can also change the policies that an event filter is assigned to.

To edit an event filter:

. Click the actions button (*...*) for the event filter you want to edit, then select *Edit event filter*.
. Click the actions menu (*...*) for the event filter you want to edit, then select *Edit event filter*.
. Modify details or conditions as needed.
. Click *Update event filter*.
. Click *Save*.

[discrete]
[[delete-event-filter]]
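Review bot: The rewritten intro paragraph drops the navigation path ("go to *Manage* -> *Event filters*") and the statement that filters are listed in reverse chronological order with the most recently created at the top. Unless the path is already given earlier in this file, keep one sentence telling the reader how to reach the page, since someone landing on this section directly has no other pointer to it. If the ordering still holds in the UI, keep that sentence as well.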
Expand All @@ -88,5 +86,5 @@ You can delete an event filter, which removes it entirely from all {endpoint-sec

To delete an event filter:

. Click the actions button (*...*) for the event filter you want to delete, then select *Delete event filter*.
. On the dialog that opens, verify that you are removing the correct event filter, then click *Remove event filter*. A confirmation message is displayed.
. Click the actions menu (*...*) on the event filter you want to delete, then select *Delete event filter*.
. On the dialog that opens, verify that you are removing the correct event filter, then click *Delete*. A confirmation message is displayed.
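Review bot: In the second delete step the text still says "verify that you are removing the correct event filter", while the menu item is *Delete event filter* and the button is now *Delete*. Change "removing" to "deleting" so the step uses the same verb as the controls it names.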
12 changes: 6 additions & 6 deletions docs/management/admin/host-isolation-exceptions.asciidoc
Expand Up @@ -30,21 +30,21 @@ NOTE: You can also select the `Per Policy` option without immediately assigning
[[manage-host-isolation-exceptions]]
== View and manage host isolation exceptions

The **Host isolation exceptions** list displays all the host isolation exceptions that have been configured for {elastic-sec}. To refine the **Host isolation exceptions** list, use the search bar to search by name, description, or IP address.
The **Host isolation exceptions** page displays all the host isolation exceptions that have been configured for {elastic-sec}. To refine the list, use the search bar to search by name, description, or IP address.

[role="screenshot"]
image::images/host-isolation-exceptions-ui.png[List of host isolation exceptions]

[discrete]
[[edit-host-isolation-exception]]
=== Edit a host isolation exception
You can individually configure each host isolation exception and change the policies applied to each host isolation exception.
You can individually modify each host isolation exception and change the policies that a host isolation exception is assigned to.

To edit a host isolation exception:

. Click the actions button (**...**) for the exception you want to edit, then select **Edit Exception**.
. Click the actions menu (**...**) for the exception you want to edit, then select **Edit Exception**.
. Modify details as needed.
. Click **Edit Host isolation exception**. The newly modified exception appears at the top of the list.
. Click **Save**. The newly modified exception appears at the top of the list.

[discrete]
[[delete-host-isolation-exception]]
Expand All @@ -53,7 +53,7 @@ You can delete a host isolation exception, which removes it entirely from all {e

To delete a host isolation exception:

. Click the actions button (**...**) for the exception you want to delete, then select **Delete Exception**.
. On the dialog that opens, verify that you are removing the correct host isolation exception, then click **Remove exception**. A confirmation message is displayed.
. Click the actions menu (**...**) on the exception you want to delete, then select **Delete Exception**.
. On the dialog that opens, verify that you are removing the correct host isolation exception, then click **Delete**. A confirmation message is displayed.
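Review bot: The first delete step now reads "Click the actions menu (**...**) on the exception you want to delete", but the edit step changed earlier in this file reads "for the exception you want to edit". Use one preposition for both steps in this file, and ideally the same one across the other files this PR touches.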


8 changes: 4 additions & 4 deletions docs/management/admin/trusted-apps.asciidoc
Expand Up @@ -51,19 +51,19 @@ NOTE: You can also select the `Per Policy` option without immediately assigning
[[trusted-apps-list]]
== View and manage trusted applications

The *Trusted applications* list displays all the trusted applications that have been added to the {security-app}. To refine the *Trusted applications* list, use the search bar to search by name, description, or a field value.
The *Trusted applications* page displays all the trusted applications that have been added to the {security-app}. To refine the list, use the search bar to search by name, description, or field value.

[role="screenshot"]
image::images/trusted-apps-list.png[]

[discrete]
[[edit-trusted-app]]
=== Edit a trusted application
You can individually configure each trusted application. With a Platinum or Enterprise subscription, you can also change the policies applied to a trusted application.
You can individually modify each trusted application. With a Platinum or Enterprise subscription, you can also change the policies that a trusted application is assigned to.

To edit a trusted application:

. Click the actions button (*...*​) for the trusted application you want to edit, then select *Edit trusted application*.
. Click the actions menu (*...*) on the trusted application you want to edit, then select *Edit trusted application*.
. Modify details as needed.
. Click *Save*.

Expand All @@ -74,5 +74,5 @@ You can delete a trusted application, which removes it entirely from all {endpoi

To delete a trusted application:

. Click the actions button (*...*) for the trusted application you want to delete, then select *Delete trusted application*.
. Click the actions menu (*...*) on the trusted application you want to delete, then select *Delete trusted application*.
. On the dialog that opens, verify that you are removing the correct application, then click *Delete*. A confirmation message is displayed.
2 changes: 1 addition & 1 deletion docs/troubleshooting/management/ts-management.asciidoc
Expand Up @@ -21,7 +21,7 @@ To restart a transform that’s not running:

. Go to *Kibana* -> *Stack Management* -> *Data* -> *Transforms*.
. Enter `endpoint.metadata` in the search box to find the transforms for {endpoint-sec}.
. Click the *Actions* button (*...*) and do one of the following for each transform, depending on the value in the *Status* column:
. Click the *Actions* menu (*...*) and do one of the following for each transform, depending on the value in the *Status* column:
* `stopped`: Select *Start* to restart the transform.
* `failed`: Select *Stop* to first stop the transform, and then select *Start* to restart it.
+