From 1fac429bbb7cc1b8e50e7a814141f88fa3018175 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 25 Jul 2022 16:10:42 -0400 Subject: [PATCH 01/17] First draft --- docs/cases/cases-ui-integrations.asciidoc | 93 +++++++++++++++-------- 1 file changed, 61 insertions(+), 32 deletions(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 05c65c4e8b..5531ffa59e 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
@@ -26,71 +26,100 @@ image::images/cases-ui-connector.png[Shows the page for creating connectors] . From the *Incident management system* list, select *Add new connector*. . Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, or *{swimlane}*. +. Enter a name for the connector and provide required settings. + -IMPORTANT: If you've upgraded from {stack} version 7.15.0 or earlier to 7.16.0 or later, you must complete several prerequisites before creating a new {sn-itsm} or {sn-sir} connector. For more information, refer to prerequisites for {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites[{sn-itsm}] and {kibana-ref}/servicenow-sir-action-type.html#servicenow-sir-connector-prerequisites[{sn-sir}]. -. Enter your required settings. +** For {jira} connectors: + |=== -| *Connector name* | Name for the connector. +| *URL* | The URL of the external system to which you want to send cases. -| *URL* | ({ibm-r} and {jira} only) The URL of the external system to which you want to send cases. +| *Project key* | The key of the {jira} project to which you are sending cases. -| *{sn} instance URL* | ({sn} only) The URL of the {sn} instance to which you want to send cases. +| *Email address* | The {jira} account username or email. -| *Use OAuth authentication* | ({sn} only) Enable this to use open authorization (OAuth) to authenticate a connection between Elastic and {sn}. +| *API token* | The API token or password is used to authenticate {jira} updates. -To use open authorization (OAuth), you must {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-rsa-key[create an RSA keypair and add an X.509 Certificate] and also {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-endpoint[create an OAuth JWT API endpoint for external clients with a JWT Verifiers Map.] +|=== -| *API URL* | ({swimlane} only) The URL of the {swimlane} instance to which you want to send cases. 
+** For {ibm-r} connectors: ++ +|=== -| *Organization ID* | ({ibm-r} only) Your organization’s {ibm-r} ID number. +| *URL* | The URL of the external system to which you want to send cases. -| *Application ID* | ({swimlane} only) The application ID of your {swimlane} application. From {swimlane}, you can find the application -ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it. +| *Organization ID* | Your organization’s {ibm-r} ID number. + +| *API key ID* | The API key is used to authenticate {ibm-r} updates. -| *Username* | ({sn} only and displays if *Use OAuth authentication* is turned off) The username of the {sn} account used to access the {sn} instance. +| *API key secret* | The API key secret is used to authenticate {ibm-r} updates. -| *Password* | ({sn} only and displays if *Use OAuth authentication* is turned off) The password of the {sn} account used to access the {sn} instance. +|=== -| *Client ID* | ({sn} only and displays if *Use OAuth authentication* is turned on) The client ID assigned to your OAuth application. +** For {sn} connectors: ++ +IMPORTANT: If you've upgraded from {stack} version 7.15.0 or earlier to 7.16.0 or later, you must complete several prerequisites before creating a new {sn-itsm} or {sn-sir} connector. For more information, refer to prerequisites for {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites[{sn-itsm}] and {kibana-ref}/servicenow-sir-action-type.html#servicenow-sir-connector-prerequisites[{sn-sir}]. ++ +|=== -| *User Identifier* | ({sn} only and displays if *Use OAuth authentication* is turned on) Identifier to use for OAuth type authentication. Use the value you entered into the *User field* when you created an OAuth JWT API endpoint for external clients. +| *{sn} instance URL* | The URL of the {sn} instance to which you want to send cases. 
-| *JWT Verifier Key ID* | ({sn} only and displays if *Use OAuth authentication* is turned on) The key ID assigned to the JWT Verifier Map of your OAuth application. +| *Use OAuth authentication* | Enable this to use open authorization (OAuth) to authenticate a connection between Elastic and {sn}. -| *Client Secret* | ({sn} only and displays if *Use OAuth authentication* is turned on) The client secret assigned to your OAuth application. +To use open authorization (OAuth), you must {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-rsa-key[create an RSA keypair and add an X.509 Certificate] and also {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-endpoint[create an OAuth JWT API endpoint for external clients with a JWT Verifiers Map.] -| *Private Key* | ({sn} only and displays if *Use OAuth authentication* is turned on) The RSA private key generated when you created an RSA keypair. +| *Username* | Displays if *Use OAuth authentication* is turned _off_. -| *Private Key Password* | ({sn} only and displays only if *Use OAuth authentication* is turned on) The The password for the RSA private key generated during setup, if set. +The username of the {sn} account used to access the {sn} instance. -| *Project key* | ({jira} only) The key of the {jira} project to which you are sending cases. +| *Password* | Displays if *Use OAuth authentication* is turned _off_. -| *Email address* | ({jira} only) The {jira} account username or email. +The password of the {sn} account used to access the {sn} instance. -| *API token* | ({jira} only) The API token or password is used to authenticate {jira} updates. +| *Client ID* | Displays if *Use OAuth authentication* is turned _on_. -| *API key ID* | ({ibm-r} only) The API key is used to authenticate {ibm-r} updates. +The client ID assigned to your OAuth application. -| *API key secret* | ({ibm-r} only) The API key secret is used to authenticate {ibm-r} updates. 
+| *User Identifier* | Displays if *Use OAuth authentication* is turned _on_. -| *API token* | ({swimlane} only) The {swimlane} API authentication token is used for HTTP Basic authentication. -This is the personal access token for your user role. +Identifier to use for OAuth type authentication. Use the value you entered into the *User field* when you created an OAuth JWT API endpoint for external clients. + +| *JWT Verifier Key ID* | Displays if *Use OAuth authentication* is turned _on_. + +The key ID assigned to the JWT Verifier Map of your OAuth application. + +| *Client Secret* | Displays if *Use OAuth authentication* is turned _on_. + +The client secret assigned to your OAuth application. + +| *Private Key* | Displays if *Use OAuth authentication* is turned _on_. + +The RSA private key generated when you created an RSA keypair. + +| *Private Key Password* | Displays only if *Use OAuth authentication* is turned _on_. + +The password for the RSA private key generated during setup, if set. |=== -+ -. Choose the connector type ({swimlane} only): + +** For {swimlane} connectors: + |=== -| *All* | You can choose to set all or no field mappings when creating your new {swimlane} connector. However, note that if -you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule. +| *API URL* | The URL of the {swimlane} instance to which you want to send cases. + +| *Application ID* | The application ID of your {swimlane} application. From {swimlane}, you can find the application +ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it. + +| *API token* | The {swimlane} API authentication token is used for HTTP Basic authentication. +This is the personal access token for your user role. -| *Alerts* | Provide an alert ID and rule name. +| *Connector Type* a| Select a connector type: -| *Cases* | Provide a case ID, a case name, comments, and a description. 
+* *All*: You can choose to set all or no field mappings when creating your new {swimlane} connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule. +* *Alerts*: Provide an alert ID and rule name. +* *Cases*: Provide a case ID, a case name, comments, and a description. |=== + From de898f51975ae37a09db52ec27c0f9316d90c12d Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 25 Jul 2022 16:29:59 -0400 Subject: [PATCH 02/17] Removed last step --- docs/cases/cases-ui-integrations.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 5531ffa59e..862d8360ad 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -26,11 +26,13 @@ image::images/cases-ui-connector.png[Shows the page for creating connectors] . From the *Incident management system* list, select *Add new connector*. . Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, or *{swimlane}*. -. Enter a name for the connector and provide required settings. +. Enter a name for the connector, provide the required settings, and then save it. + ** For {jira} connectors: + +TIP: To learn how to connect {elastic-sec} to {jira}, check out the <> at the end of this topic. ++ |=== | *URL* | The URL of the external system to which you want to send cases. @@ -123,9 +125,7 @@ This is the personal access token for your user role. |=== + -. Save the connector. -TIP: To learn how to connect {elastic-sec} to {jira}, check out the <> at the end of this topic. [float] [[mapped-case-fields]] From a60de98753f29298219a87e0c84e8d7a2fc25b9c Mon Sep 17 00:00:00 2001 
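Review bot: The Jira *API token* row keeps the old wording "The API token or password is used to authenticate {jira} updates." under a field that is labelled *API token*; say which credential the connector actually expects so readers do not paste an account password into the token field. The nested `** For ... connectors:` items do not need the `+` continuation line that precedes each of them (the `+` before each `|===` table is the one that attaches the table and must stay). The *Private Key Password* row loses the duplicated "The The" from the old text, which is correct.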
From: "nastasha.solomon" Date: Mon, 25 Jul 2022 16:50:08 -0400 Subject: [PATCH 03/17] Updated mapping table --- docs/cases/cases-ui-integrations.asciidoc | 87 +++++++++++------------ 1 file changed, 40 insertions(+), 47 deletions(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 862d8360ad..a3371e3c00 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
@@ -136,55 +136,48 @@ mapped as follows: NOTE: Data from mapped case fields can be pushed to external systems but cannot be pulled in. -* For {sn} incidents: -+ -|=== - -| *Title* | Mapped to the {sn} `Short description` field. When an update to a case title is sent to {sn}, the existing {sn} `Short description` field is overwritten. - -| *Description* | Mapped to the {sn} `Description` field. When an update to a case description is sent to {sn}, the existing {sn} `Description` field is overwritten. - -| *Comments* | Mapped to the {sn} `Work Notes` field. When a comment is updated in a case, a new comment is added to the {sn} incident. - -|=== -+ - -* For {jira} issues: -+ -|=== - -| *Title* | Mapped to the {jira} `Summary` field. When an update to a case title is sent to {jira}, the existing {jira} `Summary` field is overwritten. - -| *Description* | Mapped to the {jira} `Description` field. When an update to a case description is sent to {jira}, the existing {jira} `Description` field is overwritten. - -| *Comments* | Mapped to the {jira} `Comments` field. When a comment is updated in a case, a new comment is added to the {jira} incident. - |=== -+ - -* For {ibm-r} issues: -+ -|=== - -| *Title* | Mapped to the {ibm-r} `Name` field. When an update to a case title is sent to {ibm-r}, the existing {ibm-r} `Name` field is overwritten. - -| *Description* | Mapped to the {ibm-r} `Description` field. When an update to a case description is sent to {ibm-r}, the existing {ibm-r} `Description` field is overwritten. - -| *Comments* | Mapped to the {ibm-r} `Comments` field. When a comment is updated in a case, a new comment is added to the {ibm-r} incident. - -|=== -+ - -* For {swimlane} records: -+ -|=== - -| *Title* | Mapped to the {swimlane} `caseName` field. When an update to a case title is sent to {swimlane}, the field that is mapped to the {swimlane} `caseName` field is -overwritten. - -| *Description* | Mapped to the {swimlane} `Description` field. 
When an update to a case description is sent to {swimlane}, the field that is mapped to the {swimlane} `Description` field is overwritten. -| *Comments* | Mapped to the {swimlane} `Comments` field. When a new comment is added to a case, or an existing one is updated, the field that is mapped to the {swimlane} `Comment` field is appended. Comments are posted to the {swimlane} incident record individually. +| *Case field* | *Mapping* | *Description* + +| Title +a| +* *{sn}*: Mapped to the `Short description` field. +* *{jira}*: Mapped to the `Summary` field. +* *{ibm-r}*: Mapped to the `Name` field. +* *{swimlane}*: Mapped to the `Description` field. + +a| +* *{sn}*: When an update to a case title is sent to {sn}, the existing {sn} `Short description` field is overwritten. +* *{jira}*: When an update to a case title is sent to {jira}, the existing {jira} `Summary` field is overwritten. +* *{ibm-r}*: When an update to a case title is sent to {ibm-r}, the existing {ibm-r} `Name` field is overwritten. +* *{swimlane}*: When an update to a case title is sent to {swimlane}, the field that is mapped to the {swimlane} `caseName` field is overwritten. + +| Description +a| +* *{sn}*: Mapped to the {sn} `Description` field. +* *{jira}*: Mapped to the {jira} `Description` field. +* *{ibm-r}*: Mapped to the {ibm-r} `Description` field. +* *{swimlane}*: Mapped to the {swimlane} `Description` field. + +a| +* *{sn}*: When an update to a case description is sent to {sn}, the existing {sn} `Description` field is overwritten. +* *{jira}*: When an update to a case description is sent to {jira}, the existing {jira} `Description` field is overwritten. +* *{ibm-r}*: When an update to a case description is sent to {ibm-r}, the existing {ibm-r} `Description` field is overwritten. +* *{swimlane}*: When an update to a case description is sent to {swimlane}, the field that is mapped to the {swimlane} `Description` field is overwritten. 
+ +| Comments +a| +* *{sn}*: Mapped to the {sn} `Work Notes` field. +* *{jira}*: Mapped to the {jira} `Comments` field. +* *{ibm-r}*: Mapped to the {ibm-r} `Comments` field. +* *{swimlane}*: Mapped to the {swimlane} `Comments` field. + +a| +* *{sn}*: When a comment is updated in a case, a new comment is added to the {sn} incident. +* *{jira}*: When a comment is updated in a case, a new comment is added to the {jira} incident. +* *{ibm-r}*: Mapped to the {ibm-r} `Comments` field. +* *{swimlane}*: When a new comment is added to a case, or an existing one is updated, the field that is mapped to the {swimlane} `Comment` field is appended. Comments are posted to the {swimlane} incident record individually. |=== From e1320743b1f3a49722c6b285122d38a0560305ff Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 25 Jul 2022 17:35:18 -0400 Subject: [PATCH 04/17] Further revisions --- docs/cases/cases-ui-integrations.asciidoc | 51 ++++++++--------------- 1 file changed, 17 insertions(+), 34 deletions(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index a3371e3c00..58174de069 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
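Review bot: The merged table changes a mapping. The Title row's mapping column now reads "* *{swimlane}*: Mapped to the `Description` field.", but the removed Swimlane table and the same row's description column both say the case title goes to the {swimlane} `caseName` field ("When an update to a case title is sent to {swimlane}, the field that is mapped to the {swimlane} `caseName` field is overwritten."); restore `caseName` so the two columns agree. In the Comments row, the {ibm-r} entry of the description column repeats the mapping ("* *{ibm-r}*: Mapped to the {ibm-r} `Comments` field.") instead of the behaviour from the removed table ("When a comment is updated in a case, a new comment is added to the {ibm-r} incident."); carry that sentence over.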
@@ -131,53 +131,36 @@ This is the personal access token for your user role. [[mapped-case-fields]] === Mapped case fields -To represent an {es-sec} case in an external system, {es-sec} case fields are -mapped as follows: - -NOTE: Data from mapped case fields can be pushed to external systems but cannot be pulled in. +To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to to external systems, but you cannot pull data in. |=== -| *Case field* | *Mapping* | *Description* +| *Case field* | *Mapped field* | Title -a| + +a| The case `Title` field is mapped as follows: + * *{sn}*: Mapped to the `Short description` field. * *{jira}*: Mapped to the `Summary` field. * *{ibm-r}*: Mapped to the `Name` field. * *{swimlane}*: Mapped to the `Description` field. -a| -* *{sn}*: When an update to a case title is sent to {sn}, the existing {sn} `Short description` field is overwritten. -* *{jira}*: When an update to a case title is sent to {jira}, the existing {jira} `Summary` field is overwritten. -* *{ibm-r}*: When an update to a case title is sent to {ibm-r}, the existing {ibm-r} `Name` field is overwritten. -* *{swimlane}*: When an update to a case title is sent to {swimlane}, the field that is mapped to the {swimlane} `caseName` field is overwritten. - | Description -a| -* *{sn}*: Mapped to the {sn} `Description` field. -* *{jira}*: Mapped to the {jira} `Description` field. -* *{ibm-r}*: Mapped to the {ibm-r} `Description` field. -* *{swimlane}*: Mapped to the {swimlane} `Description` field. - -a| -* *{sn}*: When an update to a case description is sent to {sn}, the existing {sn} `Description` field is overwritten. -* *{jira}*: When an update to a case description is sent to {jira}, the existing {jira} `Description` field is overwritten. 
-* *{ibm-r}*: When an update to a case description is sent to {ibm-r}, the existing {ibm-r} `Description` field is overwritten. -* *{swimlane}*: When an update to a case description is sent to {swimlane}, the field that is mapped to the {swimlane} `Description` field is overwritten. +| The case `Description` field is mapped to the `Description` field in {sn}, {jira}, {ibm-r}, and {swimlane}. | Comments -a| -* *{sn}*: Mapped to the {sn} `Work Notes` field. -* *{jira}*: Mapped to the {jira} `Comments` field. -* *{ibm-r}*: Mapped to the {ibm-r} `Comments` field. -* *{swimlane}*: Mapped to the {swimlane} `Comments` field. - -a| -* *{sn}*: When a comment is updated in a case, a new comment is added to the {sn} incident. -* *{jira}*: When a comment is updated in a case, a new comment is added to the {jira} incident. -* *{ibm-r}*: Mapped to the {ibm-r} `Comments` field. -* *{swimlane}*: When a new comment is added to a case, or an existing one is updated, the field that is mapped to the {swimlane} `Comment` field is appended. Comments are posted to the {swimlane} incident record individually. + +a| The case `Comments` field is mapped to the `Work Notes` field for {sn}. + +For {jira}, {ibm-r}, and {swimlane}, the case `Comments` field is mapped to the `Comments` field in {jira}, {ibm-r}, and {swimlane}. + +==== + +*NOTE:* When you push new or updated case comments to {sn}, {jira}, and {ibm-r}, they are added to existing incidents. + +In {swimlane} incident records, the field that's mapped to the `Comment` field gets appended. Comments are also posted to the {swimlane} incident record individually. +==== |=== From 2982ebada735121f4b260c6ec941ed93570b9916 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 25 Jul 2022 18:02:04 -0400 Subject: [PATCH 05/17] Minor edits --- docs/cases/cases-ui-integrations.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
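Review bot: Dropping the *Description* column removes the overwrite semantics for Title and Description (the removed lines said "the existing {sn} `Short description` field is overwritten" and the like), so readers no longer learn that a pushed update replaces the external value rather than adding to it; keep one sentence on that in each cell. The Title row's context line "* *{swimlane}*: Mapped to the `Description` field." still contradicts the removed behaviour text, which names the {swimlane} `caseName` field. The note is written as a bare `====` block with a bold `*NOTE:*` label; this file already uses `NOTE:` and `IMPORTANT:` admonitions, so use a `[NOTE]` line followed by `====` for a multi-paragraph admonition instead. Typo in the added intro paragraph: "push updates to to external systems".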
diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 58174de069..d1ca8170a0 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -151,15 +151,15 @@ a| The case `Title` field is mapped as follows: | Comments -a| The case `Comments` field is mapped to the `Work Notes` field for {sn}. +a| For {sn} connctors, the case `Comments` field is mapped to the `Work Notes` field in {sn}. -For {jira}, {ibm-r}, and {swimlane}, the case `Comments` field is mapped to the `Comments` field in {jira}, {ibm-r}, and {swimlane}. +For {jira}, {ibm-r}, and {swimlane} connectors, the case `Comments` field is mapped to the `Comments` field in {jira}, {ibm-r}, and {swimlane}. ==== *NOTE:* When you push new or updated case comments to {sn}, {jira}, and {ibm-r}, they are added to existing incidents. -In {swimlane} incident records, the field that's mapped to the `Comment` field gets appended. Comments are also posted to the {swimlane} incident record individually. +When you push new or updated case comments to {swimlane}, the field mapped to the `Comment` field in the {swimlane} incident gets appended. Comments are posted individually. ==== |=== From 61c83b3e5b539554fa8a7f00b6829072dd0e3df8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 25 Jul 2022 18:04:36 -0400 Subject: [PATCH 06/17] Additional edits --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index d1ca8170a0..a3dd1d259c 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
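Review bot: Typo introduced on the added line "a| For {sn} connctors, the case `Comments` field is mapped to the `Work Notes` field in {sn}." should read "connectors"; it still appears in the hunk header context of patch 08 in this series, so fix it here before squashing.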
@@ -131,7 +131,7 @@ This is the personal access token for your user role. [[mapped-case-fields]] === Mapped case fields -To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to to external systems, but you cannot pull data in. +To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to external systems. Pulling data in is not supported. |=== From 182f8a79d139eaf4102b3fa0e27ca863a15a0ccb Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 25 Jul 2022 18:31:52 -0400 Subject: [PATCH 07/17] Changed note structure --- docs/cases/cases-ui-integrations.asciidoc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index a3dd1d259c..c32391700e 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -157,9 +157,10 @@ For {jira}, {ibm-r}, and {swimlane} connectors, the case `Comments` field is map ==== -*NOTE:* When you push new or updated case comments to {sn}, {jira}, and {ibm-r}, they are added to existing incidents. +*NOTE:* New or updated comments that you push to external systems are handled as follows: -When you push new or updated case comments to {swimlane}, the field mapped to the `Comment` field in the {swimlane} incident gets appended. Comments are posted individually. +* Comments pushed to {sn}, {jira}, or {ibm-r} are added to existing incidents. +* Comments pushed to {swimlane} are appended to the `Comment` field in {swimlane} and posted individually. ==== |=== From 15e620bcbdc94f60e7cc225978d233acd2843283 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Mon, 25 Jul 2022 19:25:00 -0400 Subject: [PATCH 08/17] Removed note --- docs/cases/cases-ui-integrations.asciidoc | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index c32391700e..170c1cea87 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -131,7 +131,7 @@ This is the personal access token for your user role. [[mapped-case-fields]] === Mapped case fields -To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to external systems. Pulling data in is not supported. +To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to external systems and mapped fields are overwritten or appended. Pulling data in is not supported. |=== @@ -139,7 +139,7 @@ To represent an {es-sec} case in an external system, {es-sec} case fields are ma | Title -a| The case `Title` field is mapped as follows: +a| The case `Title` field is mapped to corresponding fields in external systems. Mapped field values are overwritten when you push updates. * *{sn}*: Mapped to the `Short description` field. * *{jira}*: Mapped to the `Summary` field. @@ -147,7 +147,7 @@ a| The case `Title` field is mapped as follows: * *{swimlane}*: Mapped to the `Description` field. | Description -| The case `Description` field is mapped to the `Description` field in {sn}, {jira}, {ibm-r}, and {swimlane}. +| The case `Description` field is mapped to the `Description` field in {sn}, {jira}, {ibm-r}, and {swimlane}. Mapped field values are overwritten when you push updates. | Comments 
@@ -155,13 +155,7 @@ a| For {sn} connctors, the case `Comments` field is mapped to the `Work Notes` f For {jira}, {ibm-r}, and {swimlane} connectors, the case `Comments` field is mapped to the `Comments` field in {jira}, {ibm-r}, and {swimlane}. -==== - -*NOTE:* New or updated comments that you push to external systems are handled as follows: - -* Comments pushed to {sn}, {jira}, or {ibm-r} are added to existing incidents. -* Comments pushed to {swimlane} are appended to the `Comment` field in {swimlane} and posted individually. -==== +New and edited comments are added to incident records when pushed to {sn}, {jira}, or {ibm-r}. Comments pushed to {swimlane} are appended to the `Comment` field in {swimlane} and posted individually. |=== From a92bc7704c18796c736a80e92a0051507cb9dcaa Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 29 Jul 2022 09:18:33 -0400 Subject: [PATCH 09/17] Widget code --- docs/cases/cases-ui-integrations.asciidoc | 6 + docs/cases/cloud-login.asciidoc | 14 ++ .../tab-widgets/cloud-login-widget.asciidoc | 39 +++++ docs/cases/tab-widgets/code.asciidoc | 163 ++++++++++++++++++ 4 files changed, 222 insertions(+) create mode 100644 docs/cases/cloud-login.asciidoc create mode 100644 docs/cases/tab-widgets/cloud-login-widget.asciidoc create mode 100644 docs/cases/tab-widgets/code.asciidoc diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 170c1cea87..0493187b6c 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
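Review bot: The Comments cell now says comments pushed to {swimlane} "are appended to the `Comment` field in {swimlane}" while the same cell maps the case `Comments` field to the {swimlane} `Comments` field; the original text had the same `Comments`/`Comment` split, so confirm the real {swimlane} field name and use it in both places. The Title cell's context line "* *{swimlane}*: Mapped to the `Description` field." still disagrees with the removed behaviour text, which names `caseName`. The hunk header context "a| For {sn} connctors" shows the typo from patch 05 is still present.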
@@ -27,8 +27,14 @@ image::images/cases-ui-connector.png[Shows the page for creating connectors] . Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, or *{swimlane}*. . Enter a name for the connector, provide the required settings, and then save it. + + +include::tab-widgets/code.asciidoc[] +include::tab-widgets/cloud-login-widget.asciidoc[] + + + ** For {jira} connectors: + TIP: To learn how to connect {elastic-sec} to {jira}, check out the <> at the end of this topic. diff --git a/docs/cases/cloud-login.asciidoc b/docs/cases/cloud-login.asciidoc new file mode 100644 index 0000000000..e2c28c5fcb --- /dev/null +++ b/docs/cases/cloud-login.asciidoc @@ -0,0 +1,14 @@ +// tag::ess[] +. Log in to the link:https://cloud.elastic.co/?baymax=docs-body&elektra=docs[Elasticsearch Service Console]. +. Select your deployment on the home page in the {ess} card or go to the deployments page. ++ +Narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. +// end::ess[] + + +// tag::ece[] +. {ece-ref}/ece-login.html[Log into the Cloud UI] +. On the deployments page, select your deployment. ++ +Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. +// end::ece[] diff --git a/docs/cases/tab-widgets/cloud-login-widget.asciidoc b/docs/cases/tab-widgets/cloud-login-widget.asciidoc new file mode 100644 index 0000000000..c8f9c4c1f2 --- /dev/null +++ b/docs/cases/tab-widgets/cloud-login-widget.asciidoc @@ -0,0 +1,39 @@ +++++ +
+
+ + +
+
+++++ + +include::../cloud-login.asciidoc[tag=ess] + +++++ +
+ +
+++++ \ No newline at end of file diff --git a/docs/cases/tab-widgets/code.asciidoc b/docs/cases/tab-widgets/code.asciidoc new file mode 100644 index 0000000000..a6949b681e --- /dev/null +++ b/docs/cases/tab-widgets/code.asciidoc @@ -0,0 +1,163 @@ +// Defining styles and script here for simplicity. +++++ + + +++++ \ No newline at end of file From 6868f617de235fba8559c48cfb1cd249ed98f610 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 3 Aug 2022 14:08:05 -0400 Subject: [PATCH 10/17] Removed widget --- docs/cases/cases-ui-integrations.asciidoc | 116 ++++--------- docs/cases/cloud-login.asciidoc | 14 -- .../tab-widgets/cloud-login-widget.asciidoc | 39 ----- docs/cases/tab-widgets/code.asciidoc | 163 ------------------ 4 files changed, 30 insertions(+), 302 deletions(-) delete mode 100644 docs/cases/cloud-login.asciidoc delete mode 100644 docs/cases/tab-widgets/cloud-login-widget.asciidoc delete mode 100644 docs/cases/tab-widgets/code.asciidoc diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 0493187b6c..268b12681c 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -4,10 +4,10 @@ You can push {es-sec} cases to these third-party systems: -* {sn-itsm} -* {sn-sir} * {jira} (including Jira Service Desk) * {ibm-r} +* {sn-itsm} +* {sn-sir} * {swimlane} To push cases, you need to create a connector, which stores the information required to interact with an external system. After you have created a connector, you can set {es-sec} cases to automatically close when they are sent to external systems. 
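Review bot: The new `cloud-login.asciidoc` and `cloud-login-widget.asciidoc` describe logging in to the Elasticsearch Service Console and the Cloud UI, which is unrelated to entering connector settings, and the two `include::` lines sit inside the numbered steps (between the `+` continuation and `** For {jira} connectors:`), so the widget would render in the middle of that step. `code.asciidoc` opens with "// Defining styles and script here for simplicity." inside a `++++` passthrough block: inline script and CSS in a passthrough cannot be reviewed as AsciiDoc, get copied per topic, and reach readers as raw HTML that a site Content-Security-Policy may block, so reuse the docs build's shared tab-widget files if they exist rather than a per-page copy. Both new files end with "\ No newline at end of file". Patch 10 in this series removes all of this again, so squash 09 and 10 before merging to keep the widget files out of history.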
@@ -27,110 +27,54 @@ image::images/cases-ui-connector.png[Shows the page for creating connectors] . Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, or *{swimlane}*. . Enter a name for the connector, provide the required settings, and then save it. - + - -include::tab-widgets/code.asciidoc[] -include::tab-widgets/cloud-login-widget.asciidoc[] - - - ** For {jira} connectors: -+ -TIP: To learn how to connect {elastic-sec} to {jira}, check out the <> at the end of this topic. -+ -|=== - -| *URL* | The URL of the external system to which you want to send cases. - -| *Project key* | The key of the {jira} project to which you are sending cases. -| *Email address* | The {jira} account username or email. - -| *API token* | The API token or password is used to authenticate {jira} updates. - -|=== +* *URL*: The URL of the external system to which you want to send cases. +* *Project key*: The key of the {jira} project to which you are sending cases. +* *Email address*: The {jira} account username or email. +* *API token*: The API token or password is used to authenticate {jira} updates. ** For {ibm-r} connectors: -+ -|=== - -| *URL* | The URL of the external system to which you want to send cases. - -| *Organization ID* | Your organization’s {ibm-r} ID number. -| *API key ID* | The API key is used to authenticate {ibm-r} updates. - -| *API key secret* | The API key secret is used to authenticate {ibm-r} updates. - -|=== +* *URL*: The URL of the external system to which you want to send cases. +* *Organization ID*: Your organization’s {ibm-r} ID number. +* *API key ID*: The API key is used to authenticate {ibm-r} updates. +* *API key secret*: The API key secret is used to authenticate {ibm-r} updates. ** For {sn} connectors: + IMPORTANT: If you've upgraded from {stack} version 7.15.0 or earlier to 7.16.0 or later, you must complete several prerequisites before creating a new {sn-itsm} or {sn-sir} connector. 
For more information, refer to prerequisites for {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites[{sn-itsm}] and {kibana-ref}/servicenow-sir-action-type.html#servicenow-sir-connector-prerequisites[{sn-sir}]. + -|=== - -| *{sn} instance URL* | The URL of the {sn} instance to which you want to send cases. - -| *Use OAuth authentication* | Enable this to use open authorization (OAuth) to authenticate a connection between Elastic and {sn}. - -To use open authorization (OAuth), you must {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-rsa-key[create an RSA keypair and add an X.509 Certificate] and also {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-endpoint[create an OAuth JWT API endpoint for external clients with a JWT Verifiers Map.] -| *Username* | Displays if *Use OAuth authentication* is turned _off_. - -The username of the {sn} account used to access the {sn} instance. - -| *Password* | Displays if *Use OAuth authentication* is turned _off_. - -The password of the {sn} account used to access the {sn} instance. - -| *Client ID* | Displays if *Use OAuth authentication* is turned _on_. - -The client ID assigned to your OAuth application. - -| *User Identifier* | Displays if *Use OAuth authentication* is turned _on_. - -Identifier to use for OAuth type authentication. Use the value you entered into the *User field* when you created an OAuth JWT API endpoint for external clients. - -| *JWT Verifier Key ID* | Displays if *Use OAuth authentication* is turned _on_. +* *{sn} instance URL*: The URL of the {sn} instance to which you want to send cases. +* *Use OAuth authentication*: Enable this to use open authorization (OAuth) to authenticate a connection between Elastic and {sn}. 
++ +NOTE: To use open authorization (OAuth), you must {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-rsa-key[create an RSA keypair and add an X.509 Certificate] and also {kibana-ref}/servicenow-action-type.html#servicenow-itsm-connector-prerequisites-endpoint[create an OAuth JWT API endpoint for external clients with a JWT Verifiers Map.] ++ +* *Username*: (Displays if *Use OAuth authentication* is turned _off_.) The username of the {sn} account used to access the {sn} instance. +* *Password*: (Displays if *Use OAuth authentication* is turned _off_.) The password of the {sn} account used to access the {sn} instance. +* *Client ID*: (Displays if *Use OAuth authentication* is turned _on_.) The client ID assigned to your OAuth application. +* *User Identifier*: (Displays if *Use OAuth authentication* is turned _on_.) Identifier to use for OAuth type authentication. Use the value you entered into the *User field* when you created an OAuth JWT API endpoint for external clients. +* *JWT Verifier Key ID*: (Displays if *Use OAuth authentication* is turned _on_.) The key ID assigned to the JWT Verifier Map of your OAuth application. - -| *Client Secret* | Displays if *Use OAuth authentication* is turned _on_. - -The client secret assigned to your OAuth application. - -| *Private Key* | Displays if *Use OAuth authentication* is turned _on_. - +* *Client Secret*: (Displays if *Use OAuth authentication* is turned _on_.) The client secret assigned to your OAuth application. +* *Private Key*: (Displays if *Use OAuth authentication* is turned _on_.) The RSA private key generated when you created an RSA keypair. - -| *Private Key Password* | Displays only if *Use OAuth authentication* is turned _on_. - -The password for the RSA private key generated during setup, if set. - -|=== +* *Private Key Password*: (Displays only if *Use OAuth authentication* is turned _on_.) The password for the RSA private key generated during setup, if set. 
** For {swimlane} connectors: -+ -|=== - -| *API URL* | The URL of the {swimlane} instance to which you want to send cases. -| *Application ID* | The application ID of your {swimlane} application. From {swimlane}, you can find the application +* *API URL*: The URL of the {swimlane} instance to which you want to send cases. +* *Application ID*: The application ID of your {swimlane} application. From {swimlane}, you can find the application ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it. - -| *API token* | The {swimlane} API authentication token is used for HTTP Basic authentication. +* *API token*: The {swimlane} API authentication token is used for HTTP Basic authentication. This is the personal access token for your user role. - -| *Connector Type* a| Select a connector type: - -* *All*: You can choose to set all or no field mappings when creating your new {swimlane} connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule. -* *Alerts*: Provide an alert ID and rule name. -* *Cases*: Provide a case ID, a case name, comments, and a description. - -|=== -+ +* *Connector Type*: Select a connector type: +*** *All*: You can choose to set all or no field mappings when creating your new {swimlane} connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule. +*** *Alerts*: Provide an alert ID and rule name. +*** *Cases*: Provide a case ID, a case name, comments, and a description. [float] diff --git a/docs/cases/cloud-login.asciidoc b/docs/cases/cloud-login.asciidoc deleted file mode 100644 index e2c28c5fcb..0000000000 --- a/docs/cases/cloud-login.asciidoc +++ /dev/null 
@@ -1,14 +0,0 @@ -// tag::ess[] -. Log in to the link:https://cloud.elastic.co/?baymax=docs-body&elektra=docs[Elasticsearch Service Console]. -. Select your deployment on the home page in the {ess} card or go to the deployments page. -+ -Narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. -// end::ess[] - - -// tag::ece[] -. {ece-ref}/ece-login.html[Log into the Cloud UI] -. On the deployments page, select your deployment. -+ -Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. -// end::ece[] diff --git a/docs/cases/tab-widgets/cloud-login-widget.asciidoc b/docs/cases/tab-widgets/cloud-login-widget.asciidoc deleted file mode 100644 index c8f9c4c1f2..0000000000 --- a/docs/cases/tab-widgets/cloud-login-widget.asciidoc +++ /dev/null @@ -1,39 +0,0 @@ -++++ -
-
- - -
-
-++++ - -include::../cloud-login.asciidoc[tag=ess] - -++++ -
- -
-++++ \ No newline at end of file diff --git a/docs/cases/tab-widgets/code.asciidoc b/docs/cases/tab-widgets/code.asciidoc deleted file mode 100644 index a6949b681e..0000000000 --- a/docs/cases/tab-widgets/code.asciidoc +++ /dev/null @@ -1,163 +0,0 @@ -// Defining styles and script here for simplicity. -++++ - - -++++ \ No newline at end of file From fdd199dfdd720358895c34e832f3f4292e579e92 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 3 Aug 2022 23:37:26 -0400 Subject: [PATCH 11/17] minor edits --- docs/cases/cases-ui-integrations.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 268b12681c..5699b4e490 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -24,7 +24,7 @@ https://www.elastic.co/subscriptions[appropriate license], and your role needs * [role="screenshot"] image::images/cases-ui-connector.png[Shows the page for creating connectors] . From the *Incident management system* list, select *Add new connector*. -. Select the system to send cases to: *{sn}*, *{jira}*, *{ibm-r}*, or *{swimlane}*. +. Select the system to send cases to *{sn}*, *{jira}*, *{ibm-r}*, or *{swimlane}*. . Enter a name for the connector, provide the required settings, and then save it. + 
@@ -81,7 +81,7 @@ This is the personal access token for your user role. [[mapped-case-fields]] === Mapped case fields -To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to external systems and mapped fields are overwritten or appended. Pulling data in is not supported. +To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to external systems and mapped fields are overwritten or appended. Retrieving data from external systems in is not supported. |=== From 26093f103fa2b7b5ad75031b6904d6f57aff731d Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 4 Aug 2022 15:45:52 -0400 Subject: [PATCH 12/17] Update docs/cases/cases-ui-integrations.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 5699b4e490..76970ebf92 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -40,7 +40,7 @@ image::images/cases-ui-connector.png[Shows the page for creating connectors] * *URL*: The URL of the external system to which you want to send cases. * *Organization ID*: Your organization’s {ibm-r} ID number. * *API key ID*: The API key is used to authenticate {ibm-r} updates. -* *API key secret*: The API key secret is used to authenticate {ibm-r} updates. +* *API key secret*: The API key secret used to authenticate {ibm-r} updates. ** For {sn} connectors: + From f4ec729bceab4520825551fbc1ecbd088f9f562d Mon Sep 17 00:00:00 2001 
From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 4 Aug 2022 15:45:59 -0400 Subject: [PATCH 13/17] Update docs/cases/cases-ui-integrations.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 76970ebf92..2bd0600ead 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc @@ -39,7 +39,7 @@ image::images/cases-ui-connector.png[Shows the page for creating connectors] * *URL*: The URL of the external system to which you want to send cases. * *Organization ID*: Your organization’s {ibm-r} ID number. -* *API key ID*: The API key is used to authenticate {ibm-r} updates. +* *API key ID*: The API key used to authenticate {ibm-r} updates. * *API key secret*: The API key secret used to authenticate {ibm-r} updates. ** For {sn} connectors: From ee9762c2046419653fa1c1e3d99720a5fbe90489 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 4 Aug 2022 15:46:04 -0400 Subject: [PATCH 14/17] Update docs/cases/cases-ui-integrations.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 2bd0600ead..7642ee2fe9 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
@@ -69,7 +69,7 @@ The RSA private key generated when you created an RSA keypair. * *API URL*: The URL of the {swimlane} instance to which you want to send cases. * *Application ID*: The application ID of your {swimlane} application. From {swimlane}, you can find the application ID by checking your application’s settings or at the end of your application’s URL after you’ve opened it. -* *API token*: The {swimlane} API authentication token is used for HTTP Basic authentication. +* *API token*: The {swimlane} API authentication token used for HTTP Basic authentication. This is the personal access token for your user role. * *Connector Type*: Select a connector type: *** *All*: You can choose to set all or no field mappings when creating your new {swimlane} connector. However, note that if you don’t set field mappings now, you’ll be prompted to do so if you want to use the connector for a case or a rule. From b46d7f6a44f3a7aae7d56724fdb76b5374839dcd Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 4 Aug 2022 15:46:13 -0400 Subject: [PATCH 15/17] Update docs/cases/cases-ui-integrations.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 7642ee2fe9..56b20249ca 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
@@ -81,7 +81,7 @@ This is the personal access token for your user role. [[mapped-case-fields]] === Mapped case fields -To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to external systems and mapped fields are overwritten or appended. Retrieving data from external systems in is not supported. +To represent an {es-sec} case in an external system, {es-sec} case fields are mapped to existing fields in {sn}, {jira}, {ibm-r}, and {swimlane}. Once fields are mapped, you can push updates to external systems and mapped fields are overwritten or appended. Retrieving data from external systems is not supported. |=== From 6789eeb22b80363259573f07dda9c52652978b12 Mon Sep 17 00:00:00 2001 From: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 4 Aug 2022 16:13:38 -0400 Subject: [PATCH 16/17] Update docs/cases/cases-ui-integrations.asciidoc Co-authored-by: Joe Peeples --- docs/cases/cases-ui-integrations.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cases/cases-ui-integrations.asciidoc b/docs/cases/cases-ui-integrations.asciidoc index 56b20249ca..6616cedbef 100644 --- a/docs/cases/cases-ui-integrations.asciidoc +++ b/docs/cases/cases-ui-integrations.asciidoc 
@@ -62,7 +62,7 @@ The key ID assigned to the JWT Verifier Map of your OAuth application. * *Client Secret*: (Displays if *Use OAuth authentication* is turned _on_.) The client secret assigned to your OAuth application. * *Private Key*: (Displays if *Use OAuth authentication* is turned _on_.) The RSA private key generated when you created an RSA keypair. -* *Private Key Password*: (Displays only if *Use OAuth authentication* is turned _on_.) The password for the RSA private key generated during setup, if set. +* *Private Key Password*: (Displays if *Use OAuth authentication* is turned _on_.) The password for the RSA private key generated during setup, if set. ** For {swimlane} connectors: From aa49fb5cb54b164715d6b5371014045876403810 Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Thu, 18 Aug 2022 17:11:48 -0400 Subject: [PATCH 17/17] Revert "Merge branch 'main' into issue-2097-widget" This reverts commit d15a5403ad78234a0dd06f3a80bcb81cd2c7bc8e, reversing changes made to 80089bf3455b3d1d5ce9bfd2005b8572655a9580. --- README.md | 15 +------ docs/detections/alerts-ui-manage.asciidoc | 2 +- .../api/rules/rules-api-create.asciidoc | 5 ++- .../api/rules/rules-api-export.asciidoc | 2 +- .../api/rules/rules-api-import.asciidoc | 2 +- .../api/rules/rules-api-update.asciidoc | 5 ++- docs/detections/building-block-rule.asciidoc | 2 +- .../detection-engine-intro.asciidoc | 40 +++++++++---------- .../detections-ui-exceptions.asciidoc | 14 +++---- .../machine-learning.asciidoc | 4 +- .../prebuilt-rules/tune-rule-signals.asciidoc | 2 +- docs/detections/rules-ui-create.asciidoc | 4 +- docs/detections/rules-ui-manage.asciidoc | 10 ++--- docs/detections/rules-ui-monitor.asciidoc | 6 +-- docs/detections/session-view.asciidoc | 2 +- .../detections/visual-event-analyzer.asciidoc | 2 +- .../getting-started/install-endpoint.asciidoc | 2 +- docs/getting-started/ml-req.asciidoc | 21 ++-------- .../admin/host-isolation-ov.asciidoc | 4 +- 19 files changed, 60 insertions(+), 84 deletions(-) diff --git a/README.md b/README.md index a44f2a06b3..c9c52b0d6f 100644 --- a/README.md +++ b/README.md 
@@ -9,23 +9,10 @@ Please view this template for guidance on creating issues: https://github.com/el ## Contributing to Elastic Security docs If you are an Elastic employee and would like to contribute to Elastic Security documentation: - 1. Please clone and fork the `security-docs` repo. 2. Open an issue using the appropriate [template](https://github.com/elastic/security-docs/tree/master/.github/ISSUE_TEMPLATE). 3. Check out the `main` branch and fetch the latest changes. 4. Check out a new branch and make your changes. 5. Save your changes and open a pull request. -6. Add the `[@elastic/security-docs](https://github.com/orgs/elastic/teams/security-docs)` team and any other appropriate members as reviewers. -7. Add the appropriate release version label, backport version label if appropriate, and team label to the PR. -8. Once the docs team approves all changes, you can merge it. If a backport version label was added to a PR for stack versions 7.14.0 and newer, mergify will automatically open a backport PR. -9. Merge the backport PR once it passes all CI checks. - -### Preview documentation changes - -Once the PR is opened, and the build complete, the changes can be previewed via this URL (replace `` with the PR number): - -``` -https://security-docs_.docs-preview.app.elstc.co/guide/en/security/master -``` - +6. Tag the the `@security-docs` team and any other appropriate reviewers. We'll take care of merging and backporting. diff --git a/docs/detections/alerts-ui-manage.asciidoc b/docs/detections/alerts-ui-manage.asciidoc index da30814d0c..9c82b63157 100644 --- a/docs/detections/alerts-ui-manage.asciidoc +++ b/docs/detections/alerts-ui-manage.asciidoc 
@@ -39,7 +39,7 @@ NOTE: When updating alert results to include building block alerts, the Security [role="screenshot"] image::images/additional-filters.png[Alerts table with Additional filters menu highlighted] -* View detection alerts generated by a specific rule. Go to *Manage* -> *Rules*, then select a rule name in the table. The rule details page displays a comprehensive view of the rule's settings, and the Alerts table under the Trend histogram displays the alerts associated with the rule, including alerts from any previous or deleted revision of that rule. +* View detection alerts generated by a specific rule. Go to *Detect* -> *Rules*, then select a rule name in the table. The rule details page displays a comprehensive view of the rule's settings, and the Alerts table under the Trend histogram displays the alerts associated with the rule, including alerts from any previous or deleted revision of that rule. [float] [[customize-the-alerts-table]] diff --git a/docs/detections/api/rules/rules-api-create.asciidoc b/docs/detections/api/rules/rules-api-create.asciidoc index 2213a79abb..55ba07b896 100644 --- a/docs/detections/api/rules/rules-api-create.asciidoc +++ b/docs/detections/api/rules/rules-api-create.asciidoc @@ -394,7 +394,7 @@ a value from the source event: |rule_name_override |String |Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is -displayed on the *Rules* page in the *Rule* column). When unspecified, the +displayed in the *Rule* column on the Detections page). When unspecified, the rule's `name` value is used. The source field must be a string data type. |severity_mapping |Object[] a|Overrides generated alerts' `severity` with 
@@ -550,7 +550,8 @@ All fields are required: |============================================== NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed -in the UI (*Manage* -> *Rules* -> *_Rule name_*). +in the UI (*Detections* -> *Manage detection rules* -> ). ===== Example requests diff --git a/docs/detections/api/rules/rules-api-export.asciidoc b/docs/detections/api/rules/rules-api-export.asciidoc index 3c1370f219..c6c53cc21b 100644 --- a/docs/detections/api/rules/rules-api-export.asciidoc +++ b/docs/detections/api/rules/rules-api-export.asciidoc @@ -12,7 +12,7 @@ You cannot export prebuilt rules, but they are available at https://github.com/e ================= Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI in Kibana (*Stack Management* -> *Kibana* -> *Saved Objects*) or the Saved Objects APIs (experimental) to {kibana-ref}/saved-objects-api-export.html[export] and {kibana-ref}/saved-objects-api-import.html[import] any necessary connectors _before_ you export and import the detection rules. -Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Upload value lists*) to export and import value lists separately. +Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Detect* -> *Rules* -> *Upload value lists*) to export and import value lists separately. ================= ==== Request URL diff --git a/docs/detections/api/rules/rules-api-import.asciidoc b/docs/detections/api/rules/rules-api-import.asciidoc index de11902f14..ef1428e223 100644 --- a/docs/detections/api/rules/rules-api-import.asciidoc +++ b/docs/detections/api/rules/rules-api-import.asciidoc 
@@ -14,7 +14,7 @@ NOTE: You need at least `Read` privileges for the `Action and Connectors` featur ================= Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-export-objects[Saved Objects] UI in Kibana (*Stack Management* -> *Kibana* -> *Saved Objects*) or the Saved Objects APIs (experimental) to {kibana-ref}/saved-objects-api-export.html[export] and {kibana-ref}/saved-objects-api-import.html[import] any necessary connectors _before_ you export and import the detection rules. -Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Manage* -> *Rules* -> *Upload value lists*) to export and import value lists separately. +Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the <> UI (*Detect* -> *Rules* -> *Upload value lists*) to export and import value lists separately. ================= ==== Request URL diff --git a/docs/detections/api/rules/rules-api-update.asciidoc b/docs/detections/api/rules/rules-api-update.asciidoc index fe4dced8fd..ee05e91a18 100644 --- a/docs/detections/api/rules/rules-api-update.asciidoc +++ b/docs/detections/api/rules/rules-api-update.asciidoc @@ -310,7 +310,7 @@ a value from the source event: |rule_name_override |String |Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is -displayed on the *Rules* page in the *Rule* column). When unspecified, the +displayed in the *Rule* column on the Detections page). When unspecified, the rule's `name` value is used. The source field must be a string data type. |severity_mapping |Object[] a|Overrides generated alerts' `severity` with 
@@ -427,7 +427,8 @@ technique: |============================================== NOTE: Only threats described using the MITRE ATT&CK^TM^ framework are displayed -in the UI (*Manage* -> *Rules* -> *_Rule name_*). +in the UI (*Security* -> *Detections* -> *Manage detection rules* -> ). ===== Example request diff --git a/docs/detections/building-block-rule.asciidoc b/docs/detections/building-block-rule.asciidoc index c4afa52d90..4a3af7527d 100644 --- a/docs/detections/building-block-rule.asciidoc +++ b/docs/detections/building-block-rule.asciidoc @@ -26,7 +26,7 @@ image::images/alert-indices-ui.png[] By default, building block alerts are excluded from the Overview and Alerts pages. You can choose to include building block alerts on the Alerts page, which expands the number of alerts. -. Go to *Alerts*. +. Go to *Detect* -> *Alerts*. . In the Alerts table, select *Additional filters* -> *Include building block alerts*, located on the far-right. diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index 8c3972c85c..046cc87884 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc 
@@ -3,15 +3,15 @@ = Detections and alerts -Use the detection engine to create and manage rules and view the alerts -these rules create. Rules periodically search indices (such as `logs-*` and -`filebeat-*`) for suspicious source events and create alerts when a rule's +Use the Detections feature to create and manage rules, and view the alerts +these rules create. Rules periodically search indices (such as `endgame-*` and +`filebeat-*`) for suspicious source events, and create alerts when a rule's conditions are met. When an alert is created, its status is `Open`. To help -track investigations, an alert's <> can be set as -`Open`, `Acknowledged`, or `Closed`. +track investigations, an alert's status can be set as `Open`, `Acknowledged`, or +`Closed` (see <>). [role="screenshot"] -image::images/alert-page.png[Alerts page] +image::images/alert-page.png[Shows the Alerts page] In addition to creating <>, enable <> to immediately start detecting 
@@ -195,26 +195,26 @@ NOTE: Ransomware prevention is a paid feature and is enabled by default if you h === Resolve UI error messages Depending on your privileges and whether detection system indices have already -been created for the {kib} space, you might get one of these error messages when you -open the *Alerts* or *Rules* page: +been created for the {kib} space, you might see an error message when you try +to open the *Detections* page. + +*`Let’s set up your detection engine`* + +If you see this message, a user with specific privileges must visit the +*Detections* page before you can view detection rules and alerts. +See <> for a list of all the requirements. -* *`Let’s set up your detection engine`* -+ -If you get this message, a user with specific privileges must visit the -*Alerts* or *Rules* page before you can view detection alerts and rules. -Refer to <> for a list of all the requirements. -+ NOTE: For *self-managed* {stack} deployments only, this message may be displayed when the <> -setting has not been added to the `kibana.yml` file. For more information, refer to <>. +setting has not been added to the `kibana.yml` file. For more information, see <>. -* *`Detection engine permissions required`* -+ -If you get this message, you do not have the +*`Detection engine permissions required`* + +If you see this message, you do not have the <> to view the *Detections* feature, and you should contact your {kib} administrator. -+ + NOTE: For *self-managed* {stack} deployments only, this message may be displayed when the <> -setting is not enabled in the `elasticsearch.yml` file. For more information, refer to <>. +setting is not enabled in the `elasticsearch.yml` file. For more information, see <>. diff --git a/docs/detections/detections-ui-exceptions.asciidoc b/docs/detections/detections-ui-exceptions.asciidoc index 155662c785..15fd1bb28e 100644 --- a/docs/detections/detections-ui-exceptions.asciidoc +++ b/docs/detections/detections-ui-exceptions.asciidoc 
@@ -41,7 +41,7 @@ act as value delimiters. * Wildcards are not supported in rule exceptions or value lists. Values must be literal values. ========================= -. Go to *Manage* -> *Rules*. +. Go to *Detect* -> *Rules*. . Click *Upload value lists*. The *Upload value lists* window opens. + [role="screenshot"] @@ -60,7 +60,7 @@ the new file are appended to the previously uploaded values. To view, delete, or export existing value lists: -. Go to *Manage* -> *Rules*. +. Go to *Detect* -> *Rules*. . Click *Upload value lists*. The *Upload value lists* window opens. . In the *Value lists* table, click the required action button. @@ -101,7 +101,7 @@ specific event in the sequence, update the rule's EQL statement. For example: -- * To add an exception from the rule details page: .. Go to the rule details page of the rule to which you want to add an -exception (*Manage* -> *Rules* -> *__*). +exception (*Detect* -> *Rules* -> *__*). .. Scroll down below the rule details and select the *Exceptions* tab. + [role="screenshot"] @@ -109,7 +109,7 @@ image::images/exception-histogram.png[Detail of Exceptions tab, 75%] .. Click *Add new exception* -> *Add rule exception*. * To add an exception from the Alerts table: -.. Go to *Alerts*. +.. Go to *Detect* -> *Alerts*. .. Scroll down to the Alerts table, go to the alert you want to create an exception for, click the *More Actions* menu (*...*), then select *Add rule exception*. The *Add Rule Exception* flyout opens (the example below was opened from the Alerts table): 
@@ -182,11 +182,11 @@ Additionally, to add an Endpoint exception to the Elastic Endpoint Security rule + -- * To add an Endpoint exception from the rule details page: -.. Go to the rule details page (*Manage* -> *Rules*), and then search for and select the Elastic *Endpoint Security* rule. +.. Go to the rule details page (*Detect* -> *Rules*), and then search for and select the Elastic *Endpoint Security* rule. .. Scroll down to the *Trend* histogram and select the *Exceptions* tab. .. Click *Add new exception* -> *Add Endpoint exception*. * To add an Endpoint exception from the Alerts table: -.. Go to *Alerts*. +.. Go to *Detect* -> *Alerts*. .. Scroll down to the Alerts table, and from an {elastic-endpoint} alert, click the *More actions* menu (*...*), then select *Add Endpoint exception*. -- @@ -275,7 +275,7 @@ image::images/nested-exp.png[] [[manage-exceptions]] === View and manage exception lists -The Exception lists table enables you to view and manage all exceptions that have been assigned to rules. To view the Exception lists table, go to *Manage* -> *Exception lists*. +The Exception lists table enables you to view and manage all exceptions that have been assigned to rules. To view the Exception lists table, go to *Detect* -> *Exception lists*. [role="screenshot"] image::images/exceptions-page.png[] diff --git a/docs/detections/machine-learning/machine-learning.asciidoc b/docs/detections/machine-learning/machine-learning.asciidoc index 93eb30cab0..79a9447be9 100644 --- a/docs/detections/machine-learning/machine-learning.asciidoc +++ b/docs/detections/machine-learning/machine-learning.asciidoc 
@@ -3,8 +3,8 @@ = Anomaly Detection with Machine Learning {ml-docs}/ml-ad-overview.html[{ml-cap}] functionality is available when -you have the appropriate subscription, are using a *{ess-trial}[cloud deployment]*, -or are testing out a *Free Trial*. Refer to <>. +you have the *{subscriptions}[appropriate license]*, are +using a *{ess-trial}[cloud deployment]*, or are testing out a *Free Trial*. You can view the details of detected anomalies within the `Anomalies` table widget shown on the Hosts, Network, and associated details pages, or even narrow diff --git a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc index 7bfb8f6312..d41f62cc3c 100644 --- a/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc +++ b/docs/detections/prebuilt-rules/tune-rule-signals.asciidoc @@ -33,7 +33,7 @@ add an exception for the required application. For example, to prevent the <> rule from producing alerts for an in-house application named `myautomatedbuild`: -. Go to *Manage* -> *Rules*. +. Go to *Detect* -> *Rules*. . Search for and then click on the *Unusual Process Execution - Temp* rule. + The *Unusual Process Execution - Temp* rule details page is displayed. diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 5fe3f0ef4e..73f37bb615 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -81,7 +81,7 @@ If a rule requires certain privileges to run, such as index privileges, keep in [[create-rule-ui]] === Select rule type and scope -. Go to *Manage* -> *Rules* -> *Create new rule*. The *Create new rule* page displays. +. Go to *Detect* -> *Rules* -> *Create new rule*. The *Create new rule* page displays. + [role="screenshot"] image::images/create-new-rule.png[] 
@@ -554,7 +554,7 @@ You uploaded a value list of known ransomware domains, and you want to be notifi * *Field*: Enter the field from the Elastic Security event indices to be used for comparing values. * *Indicator index field*: Enter the type of value list you created (i.e., `keyword`, `text`, or `IP`). + -TIP: If you don't remember this information, go to *Manage* -> *Rules* -> *Upload value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) +TIP: If you don't remember this information, go to *Detect* -> *Rules > Upload value lists*. Locate the appropriate value list and note the field in the corresponding `Type` column. (Examples include keyword, text, and IP.) [role="screenshot"] image::images/indicator_value_list.png[] diff --git a/docs/detections/rules-ui-manage.asciidoc b/docs/detections/rules-ui-manage.asciidoc index 346c2ca5ff..13251a89d1 100644 --- a/docs/detections/rules-ui-manage.asciidoc +++ b/docs/detections/rules-ui-manage.asciidoc @@ -38,7 +38,7 @@ NOTE: Searches for index patterns and MITRE ATT&CK tactics and techniques must m [[load-prebuilt-rules]] === Load and activate prebuilt Elastic rules -To load the {es-sec-app}'s <>, go to *Manage* -> *Rules* -> *Load Elastic prebuilt rules and Timeline templates*. +To load the {es-sec-app}'s <>, go to *Detect -> Rules -> Load Elastic prebuilt rules and Timeline templates*). You can then activate whichever rules you want. If you delete any prebuilt rules, a button appears that enables you to reload all of the deleted ones. @@ -54,7 +54,7 @@ To learn how to enable detection rules in Elastic Security, watch the < *Rules*. +. Go to *Detect -> Rules*. . Click *Select all _x_ rules* above the rules table. . Click *Bulk actions* -> *Duplicate*. . Select the *Custom rules* tab. 
@@ -90,7 +90,7 @@ You can edit an existing rule's settings, and can bulk edit index patterns, tags NOTE: For prebuilt Elastic rules, you can't modify most settings. You can only edit <> and <>. -. Go to *Manage* -> *Rules*. +. Go to *Detect* -> *Rules*. . Do one of the following: * Edit a single rule: Select the *All actions* menu (*...*) on a rule, then select *Edit rule settings*. The *Edit rule settings* view opens, where you can modify the <>. * Bulk edit multiple rules: Select the rules you want to edit, then select an action from the *Bulk actions* menu: @@ -107,7 +107,7 @@ NOTE: For prebuilt Elastic rules, you can't modify most settings. You can only e You can duplicate, enable, disable, and delete rules: -. Go to *Manage* -> *Rules*. +. Go to *Detect* -> *Rules*. . Do one of the following: * Select the *All actions* menu (*...*) on a rule, then select an action. * Select all the rules you want to modify, then select an action from the *Bulk actions* menu. @@ -131,7 +131,7 @@ Similarly, any value lists used for rule exceptions are not included in rule exp To export and import detection rules: -. Go to *Manage* -> *Rules*. +. Go to *Detect* -> *Rules*. . To export rules: .. In the rules table, select the rules you want to export. .. Select *Bulk actions* -> *Export*, then save the exported file. diff --git a/docs/detections/rules-ui-monitor.asciidoc b/docs/detections/rules-ui-monitor.asciidoc index d44cf319eb..587982e0e4 100644 --- a/docs/detections/rules-ui-monitor.asciidoc +++ b/docs/detections/rules-ui-monitor.asciidoc @@ -15,7 +15,7 @@ Refer to the <> section below for strategies on using thes === Rule Monitoring tab To view a summary of all rule executions, including the most recent failures and execution -times, select the *Rule Monitoring* tab on the *Rules* page (*Manage* -> +times, select the *Rule Monitoring* tab on the *Rules* page (*Detect* -> *Rules* -> *Rule Monitoring*). [role="screenshot"] 
@@ -33,7 +33,7 @@ For detailed information on a rule, the alerts it generated, and associated erro Each detection rule execution is logged, including its success or failure, any warning or error messages, and how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn't behaving as expected (for example, if it isn't creating alerts or takes a long time to run). -To access a rule's execution log, go to *Manage* -> *Rules*, click the rule's name to open its details, then scroll down and select the *Rule execution logs* tab. +To access a rule's execution log, go to *Detect* -> *Rules*, click the rule's name to open its details, then scroll down and select the *Rule execution logs* tab. [role="screenshot"] image::images/rule-execution-logs.png[Rule execution logs table] @@ -75,7 +75,7 @@ You can also use Task Manager in {kib} to troubleshoot background tasks and proc If you see values in the Gaps column in the Rule Monitoring table or on the Rule details page for a small number of rules, you can increase those rules' -Additional look-back time (*Manage* -> *Rules* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*). +Additional look-back time (*Detect* -> *Rules* -> the rule's *All actions* menu (*...*) -> *Edit rule settings* -> *Schedule* -> *Additional look-back time*). It's recommended to set the `Additional look-back time` to at least 1 minute. This ensures there are no missing alerts when a rule doesn't diff --git a/docs/detections/session-view.asciidoc b/docs/detections/session-view.asciidoc index 00f5c2c9e7..e4f6465b5f 100644 --- a/docs/detections/session-view.asciidoc +++ b/docs/detections/session-view.asciidoc 
@@ -35,7 +35,7 @@ Session View is accessible from the **Hosts**, **Alerts**, and **Timelines** pag Events and sessions that you can investigate in Session View have a rectangular *Open Session View* button in the *Actions* column. For example: -* On the Alerts page, scroll down to view the Alerts table. +* On the Alerts page (*Detect* -> *Alerts*), scroll down to view the Alerts table. Look for alerts that have the **Open Session View** button in the **Actions** column: [role="screenshot"] image::images/session-view-action-icon-detail.png[Detail of the Open Session View icon,width=75%] diff --git a/docs/detections/visual-event-analyzer.asciidoc b/docs/detections/visual-event-analyzer.asciidoc index c9ed998d59..0f9bf856f1 100644 --- a/docs/detections/visual-event-analyzer.asciidoc +++ b/docs/detections/visual-event-analyzer.asciidoc @@ -19,7 +19,7 @@ To find events that can be visually analyzed: . First, view a list of events by doing one of the following: * Go to *Explore* -> *Hosts*, then select the *Events* tab. A list of all your hosts' events appears at the bottom of the page. -* Go to *Alerts*, then scroll down to view the Alerts table. +* Go to *Detect* -> *Alerts*, then scroll down to view the Alerts table. . Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting *Enter*: ** `agent.type:"endpoint" and process.entity_id :*` + diff --git a/docs/getting-started/install-endpoint.asciidoc b/docs/getting-started/install-endpoint.asciidoc index 3272709ffc..9f8bff3098 100644 --- a/docs/getting-started/install-endpoint.asciidoc +++ b/docs/getting-started/install-endpoint.asciidoc 
@@ -16,7 +16,7 @@ If you're using macOS, some versions may require you to grant Full Disk Access t [[add-security-integration]] == Add the {endpoint-cloud-sec} integration -. In {kib}, select **Security** -> **Manage** -> **Endpoints**. If this is not your first time using {es-sec}, select **Management** -> **Integrations**, then search for and select **{endpoint-cloud-sec}**. +. In {kib}, select **Security** -> **Endpoints**. If this is not your first time using {es-sec}, select **Management** -> **Integrations**, then search for and select **{endpoint-cloud-sec}**. + [role="screenshot"] image::images/install-endpoint/endpoint-cloud-sec-integrations-page.png[Search result for "Endpoint and Cloud Security" on the Integrations page.] diff --git a/docs/getting-started/ml-req.asciidoc b/docs/getting-started/ml-req.asciidoc index f42f61e513..337c00b747 100644 --- a/docs/getting-started/ml-req.asciidoc +++ b/docs/getting-started/ml-req.asciidoc 
@@ -3,20 +3,7 @@ To run and create {ml} jobs and rules, you need all of these: -* The {subscriptions}[appropriate license] -* There must be at least one {ml} node in your cluster -* The `machine_learning_admin` user role - -For more information, go to {ml-docs}/setup.html[Set up {ml-features}]. - -[IMPORTANT] -==== -The `machine_learning_admin` and `machine_learning_user` built-in roles give -access to the results of _all_ {anomaly-jobs}, irrespective of whether the user -has access to the source indices. Likewise, a user who has full or read-only -access to {ml-features} within a given {kib} space can view the results of _all_ -{anomaly-jobs} that are visible in that space. You must carefully consider who -is given these roles and feature privileges; {anomaly-job} results may propagate -field values that contain sensitive information from the source indices to the -results. -==== \ No newline at end of file +* The *https://www.elastic.co/subscriptions[appropriate license]* +* There must be at least one {ml} node in your cluster (see {ml-docs}/setup.html[Set up {ml} features]) +* The `machine_learning_admin` user role (see +{ref}/built-in-roles.html[Built-in roles]) diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index 4fa72555f7..74cda0e1e6 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc 
@@ -35,7 +35,7 @@ All actions executed on a host are tracked in the host’s activity log, which y To isolate a host from a case alert: -. Go to *Cases*, then select the appropriate case to view the case activity. Ensure you are viewing a case with at least one alert attached to it. +. Go to *Investigate -> Cases*, then select the appropriate case to view the case activity. Ensure you are viewing a case with at least one alert attached to it. . Find the appropriate alert, then click the *Show alert details* button (*>*). The alert details flyout opens. . Click *Take action -> Isolate host*. . Enter a comment describing why you’re isolating the host (optional). @@ -60,7 +60,7 @@ image::images/host-isolated-notif.png[Host isolated notification message,350] To release a host from a case alert: -. Go to *Cases*, then click on the appropriate case to view the case activity its details. +. Go to *Investigate -> Cases*, then click on the appropriate case to view the case activity its details. . Find the appropriate alert, then click the *Show alert details* button (*>*). The alert details flyout opens. . From the alert details flyout, click *Take action -> Release host*. . Enter a comment describing why you're releasing the host (optional).
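Review bot: In the machine-learning.asciidoc hunk at `@@ -3,8 +3,8 @@`, the trailing `Refer to <>.` cross-reference is deleted with nothing replacing it, so the page no longer points readers to the {ml} requirements (the ml-req.asciidoc page, also edited in this patch, still documents the {ml} node and `machine_learning_admin` role requirements). The reference target is not visible in the hunk, but if the intent was only to replace the "appropriate subscription" wording with `*{subscriptions}[appropriate license]*`, keep the cross-reference on the new line rather than dropping it.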
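Review bot: Mixed separator and bold style in the rules-ui-create.asciidoc hunk at `@@ -554,7 +554,7 @@`: the new TIP reads `*Detect* -> *Rules > Upload value lists*`, using `>` instead of `->` and merging two menu items into one bold span, whereas the removed line and every other hunk in this patch use the `*Detect* -> *Rules* -> *...*` form. Suggest `go to *Detect* -> *Rules* -> *Upload value lists*.`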
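Review bot: Stray closing parenthesis in the rules-ui-manage.asciidoc hunk at `@@ -38,7 +38,7 @@`: the added line ends `...Load Elastic prebuilt rules and Timeline templates*).` with no matching `(` anywhere on the line, so drop the `)`. The same line also wraps the whole path in a single bold span (`*Detect -> Rules -> ...*`) while the rest of the patch bolds each item separately; suggest `go to *Detect* -> *Rules* -> *Load Elastic prebuilt rules and Timeline templates*.`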
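Review bot: Inconsistent bold span in the rules-ui-manage.asciidoc hunk at `@@ -54,7 +54,7 @@`: `+. Go to *Detect -> Rules*.` puts the arrow inside the bold span, whereas the three following hunks in the same file (`@@ -90`, `@@ -107`, `@@ -131`) use `*Detect* -> *Rules*`. Use the latter form here too so the file renders uniformly.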
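Review bot: The ml-req.asciidoc hunk at `@@ -3,20 +3,7 @@` should not delete the `[IMPORTANT]` admonition, which is the only text telling readers that the `machine_learning_admin` and `machine_learning_user` built-in roles grant access to the results of _all_ {anomaly-jobs} irrespective of the user's access to the source indices, and that job results may propagate sensitive field values from those indices. The replacement list keeps the role requirement (with a `{ref}/built-in-roles.html[Built-in roles]` link) but none of that warning, so the data-exposure caveat is silently lost; keep the admonition here or move it alongside wherever the role requirement is now documented. Separately, the new first bullet hard-codes `https://www.elastic.co/subscriptions[appropriate license]` while the machine-learning.asciidoc hunk in this same patch uses the `{subscriptions}[appropriate license]` attribute (which the removed line here also used); use the attribute in both places.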
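Review bot: Bold-span style in the host-isolation-ov.asciidoc hunk at `@@ -35,7 +35,7 @@`: `*Investigate -> Cases*` puts the arrow inside the bold span, while the detection-page hunks in this patch use the `*Detect* -> *Rules*` form. Suggest `. Go to *Investigate* -> *Cases*, then select the appropriate case ...` for consistency.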
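Review bot: Pre-existing grammar carried into the host-isolation-ov.asciidoc hunk at `@@ -60,7 +60,7 @@`: "click on the appropriate case to view the case activity its details" is missing a conjunction. Since the line is being rewritten anyway, change it to "to view the case activity and its details", or simply "to view the case activity" to match the wording of the `@@ -35,7` hunk above it.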