From 92cc9458848a80e42b1df9dcd4b249192e8c8d9d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Wed, 30 Oct 2024 10:00:04 +0000 Subject: [PATCH 1/3] Asset criticality advanced setting removed (#5991) (cherry picked from commit 2390859c9f149126f049baa61606f7842f1eec09) # Conflicts: # docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc # docs/serverless/advanced-entity-analytics/asset-criticality.mdx # docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx # docs/serverless/advanced-entity-analytics/ers-req.mdx # docs/serverless/explore/hosts-overview.mdx # docs/serverless/explore/users-page.mdx # docs/serverless/settings/advanced-settings.mdx --- .../asset-criticality-api-overview.asciidoc | 12 +- .../asset-criticality.asciidoc | 7 +- .../entity-risk-scoring.asciidoc | 6 +- .../ers-req.asciidoc | 2 - .../getting-started/advanced-setting.asciidoc | 5 - docs/getting-started/users-page.asciidoc | 8 +- docs/management/hosts/hosts-overview.asciidoc | 8 +- .../asset-criticality.mdx | 111 ++++++++++ .../entity-risk-scoring.mdx | 114 ++++++++++ .../advanced-entity-analytics/ers-req.mdx | 92 ++++++++ docs/serverless/explore/hosts-overview.mdx | 112 ++++++++++ docs/serverless/explore/users-page.mdx | 106 +++++++++ .../serverless/settings/advanced-settings.mdx | 202 ++++++++++++++++++ 13 files changed, 752 insertions(+), 33 deletions(-) create mode 100644 docs/serverless/advanced-entity-analytics/asset-criticality.mdx create mode 100644 docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx create mode 100644 docs/serverless/advanced-entity-analytics/ers-req.mdx create mode 100644 docs/serverless/explore/hosts-overview.mdx create mode 100644 docs/serverless/explore/users-page.mdx create mode 100644 docs/serverless/settings/advanced-settings.mdx 
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc index 22c657b031..1ed6c40948 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc @@ -2,4 +2,14 @@ [role="xpack"] == Asset criticality API -You can manage <> records through the API. To use this API, you must first turn on the `securitySolution:enableAssetCriticality` <>. \ No newline at end of file +<<<<<<< HEAD +You can manage <> records through the API. To use this API, you must first turn on the `securitySolution:enableAssetCriticality` <>. +======= +.New API Reference +[sidebar] +-- +For the most up-to-date API details, refer to {api-kibana}/group/endpoint-security-entity-analytics-api[Entity Analytics APIs]. +-- + +You can manage <> records through the API. +>>>>>>> 2390859c (Asset criticality advanced setting removed (#5991)) diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc index 1ee6cb2670..55437a3c56 100644 --- a/docs/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/advanced-entity-analytics/asset-criticality.asciidoc 
@@ -4,12 +4,7 @@ .Requirements [sidebar] -- -To view and assign asset criticality, you must: - -* Have the appropriate user role. -* Turn on the `securitySolution:enableAssetCriticality` <>. - -For more information, refer to <>. +To view and assign asset criticality, you must have the appropriate user role. For more information, refer to <>. -- The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. diff --git a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc index 932e6b07fb..8b9be7a266 100644 --- a/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/advanced-entity-analytics/entity-risk-scoring.asciidoc @@ -30,11 +30,7 @@ Entity risk scores are determined by the following risk inputs: The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. -[NOTE] -====== -* Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. -* To use asset criticality, you must enable the `securitySolution:enableAssetCriticality` <>. -====== +NOTE: Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. [discrete] [[how-is-risk-score-calculated]] diff --git a/docs/advanced-entity-analytics/ers-req.asciidoc b/docs/advanced-entity-analytics/ers-req.asciidoc index 90b6ffa961..35f0a0a588 100644 --- a/docs/advanced-entity-analytics/ers-req.asciidoc +++ b/docs/advanced-entity-analytics/ers-req.asciidoc 
@@ -45,8 +45,6 @@ The risk scoring engine uses an internal user role to score all hosts and users, [discrete] == Asset criticality -To use the asset criticality feature, turn on the `securitySolution:enableAssetCriticality` <>. - [discrete] === Privileges diff --git a/docs/getting-started/advanced-setting.asciidoc b/docs/getting-started/advanced-setting.asciidoc index 2298fbc483..afde06a108 100644 --- a/docs/getting-started/advanced-setting.asciidoc +++ b/docs/getting-started/advanced-setting.asciidoc @@ -102,11 +102,6 @@ Security *Overview* page. * `securitySolution:newsFeedUrl`: The URL from which the security news feed content is retrieved. -[discrete] -[[enable-asset-criticality]] -== Enable asset criticality workflows -The `securitySolution:enableAssetCriticality` setting determines whether asset criticality is included as a risk input to entity risk scoring. This setting is turned off by default. Turn it on to enable asset criticality workflows and to use asset criticality as part of entity risk scoring. - [discrete] [[exclude-cold-frozen-tiers]] == Exclude cold and frozen tier data from analyzer queries diff --git a/docs/getting-started/users-page.asciidoc b/docs/getting-started/users-page.asciidoc index f7df997574..56218a3019 100644 --- a/docs/getting-started/users-page.asciidoc +++ b/docs/getting-started/users-page.asciidoc @@ -36,7 +36,7 @@ A user's details page displays all relevant information for the selected user. T The user details page includes the following sections: -* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` <> is on, this section displays the user's current <>. +* **Asset Criticality**: This section displays the user's current <>. * *Summary*: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the user risk score feature is enabled, this section also displays user risk score data. 
@@ -99,12 +99,6 @@ image::images/users/user-risk-inputs.png[User risk inputs] [[user-asset-criticality-section]] === Asset Criticality -.Requirements -[sidebar] --- -The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` <> is on. --- - The **Asset Criticality** section displays the selected user's <>. Asset criticality contributes to the overall <>. The criticality level defines how impactful the user is when calculating the risk score. [role="screenshot"] diff --git a/docs/management/hosts/hosts-overview.asciidoc b/docs/management/hosts/hosts-overview.asciidoc index b8d12049cb..4e78ad68d7 100644 --- a/docs/management/hosts/hosts-overview.asciidoc +++ b/docs/management/hosts/hosts-overview.asciidoc @@ -42,7 +42,7 @@ A host's details page displays all relevant information for the selected host. T The host details page includes the following sections: -* **Asset Criticality**: If the `securitySolution:enableAssetCriticality` <> is on, this section displays the host's current <>. +* **Asset Criticality**: This section displays the host's current <>. * *Summary*: Details such as the host ID, when the host was first and last seen, the associated IP addresses, and associated operating system. If the host risk score feature is enabled, this section also displays host risk score data. * *Alert metrics*: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). * *Data tables*: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts. 
@@ -102,12 +102,6 @@ image::images/host-risk-inputs.png[Host risk inputs] [[host-asset-criticality-section]] === Asset Criticality -.Requirements -[sidebar] --- -The **Asset Criticality** section is only available if the `securitySolution:enableAssetCriticality` <> is on. --- - The **Asset Criticality** section displays the selected host's <>. Asset criticality contributes to the overall <>. The criticality level defines how impactful the host is when calculating the risk score. [role="screenshot"] diff --git a/docs/serverless/advanced-entity-analytics/asset-criticality.mdx b/docs/serverless/advanced-entity-analytics/asset-criticality.mdx new file mode 100644 index 0000000000..c2213d0c59 --- /dev/null +++ b/docs/serverless/advanced-entity-analytics/asset-criticality.mdx 
@@ -0,0 +1,111 @@ +--- +slug: /serverless/security/asset-criticality +title: Asset criticality +description: Learn how to use asset criticality to improve your security operations. +tags: [ 'serverless', 'security', 'overview', 'analyze' ] +status: in review +--- + + + + +To view and assign asset criticality, you must have the appropriate user role. For more information, refer to Entity risk scoring prerequisites. + + +The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. + +You can assign one of the following asset criticality levels to your entities, based on their impact: + +* Low impact +* Medium impact +* High impact +* Extreme impact + +For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. + +## View and assign asset criticality + +Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or bulk assign it to multiple entities by importing a text file. + +When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated. + + +If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
+ + +You can view, assign, change, or unassign asset criticality from the following places in the ((elastic-sec)) app: + +* The host details page and user details page: + + ![Assign asset criticality from the host details page](../images/asset-criticality/-assign-asset-criticality-host-details.png) + +* The host details flyout and user details flyout: + + ![Assign asset criticality from the host details flyout](../images/asset-criticality/-assign-asset-criticality-host-flyout.png) + +* The host details flyout and user details flyout in Timeline: + + ![Assign asset criticality from the host details flyout in Timeline](../images/asset-criticality/-assign-asset-criticality-timeline.png) + +### Bulk assign asset criticality + +You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. + +The file must contain three columns, with each entity record listed on a separate row: + +1. The first column should indicate whether the entity is a `host` or a `user`. +1. The second column should specify the entity's `host.name` or `user.name`. +1. The third column should specify one of the following asset criticality levels: + * `extreme_impact` + * `high_impact` + * `medium_impact` + * `low_impact` + +The maximum file size is 1 MB. + +File structure example: + +``` +user,user-001,low_impact +user,user-002,medium_impact +host,host-001,extreme_impact +```` + +To import a file: +1. Go to **Project Settings** → **Stack Management** → **Entity Store**. +1. Select or drag and drop the file you want to import. + + + The file validation step highlights any lines that don't follow the required file structure. The asset criticality levels for those entities won't be assigned. We recommend that you fix any invalid lines and re-upload the file. + + +1. Click **Assign**. + +This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. 
The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. + +You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. + +## Improve your security operations + +With asset criticality, you can improve your security operations by: + +* Prioritizing open alerts +* Monitoring an entity's risk + +### Prioritize open alerts + +You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. + +Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to prioritize alerts associated with business-critical entities. + +### Monitor an entity's risk + +The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to calculate the entity's overall risk score. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. + +To view the impact of asset criticality on an entity's risk score, follow these steps: + +1. Open the host details flyout or user details flyout. The risk summary section shows asset criticality's contribution to the overall risk score. +1. Click **View risk contributions** to open the flyout's left panel. +1. In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated. + +![View asset criticality impact on host risk score](../images/asset-criticality/-asset-criticality-impact.png) 
diff --git a/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx b/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx new file mode 100644 index 0000000000..3b0bc0fd36 --- /dev/null +++ b/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx 
@@ -0,0 +1,114 @@ +--- +slug: /serverless/security/entity-risk-scoring +title: Entity risk scoring +description: Learn about the risk scoring engine and its features. +tags: [ 'serverless', 'security', 'overview', 'analyze' ] +status: in review +--- + + + +Entity risk scoring is an advanced ((elastic-sec)) analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response. + +Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. + +It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all ((elastic-sec)) use cases, and allows you to customize and control how and when risk is calculated. + +## Risk scoring inputs + +Entity risk scores are determined by the following risk inputs: + + + + Alerts + `.alerts-security.alerts-` index alias + + + Asset criticality level + `.asset-criticality.asset-criticality-` index alias + + + +The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. + + + +Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. + + + +## How is risk score calculated? + +1. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. + +1. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. 
The resulting aggregated risk score is assigned to the **Alerts** category in the entity's risk summary. + +1. The engine then verifies the entity's asset criticality level. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary. + + | Asset criticality level | Default risk weight | + |-------------------------|---------------------| + | Low impact | 0.5 | + | Medium impact | 1 | + | High impact | 1.5 | + | Extreme impact | 2 | + + + Asset criticality levels and default risk weights are subject to change. + + +1. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels: + + | Risk level | Risk score | + | ------------- |---------------| + | Unknown | < 20 | + | Low | 20-40 | + | Moderate | 40-70 | + | High | 70-90 | + | Critical | > 90 | + + + +This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. + +There are 5 open alerts associated with `User_A`: + +* Alert 1 with alert risk score 21 +* Alert 2 with alert risk score 45 +* Alert 3 with alert risk score 21 +* Alert 4 with alert risk score 70 +* Alert 5 with alert risk score 21 + +--- + +To calculate the user risk score, the risk scoring engine: + +1. Sorts the associated alerts in descending order of alert risk score: + + * Alert 4 with alert risk score 70 + * Alert 2 with alert risk score 45 + * Alert 1 with alert risk score 21 + * Alert 3 with alert risk score 21 + * Alert 5 with alert risk score 21 + +1. 
Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category. + +1. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**. + +1. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95. + +1. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level. + +If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16. + + + +Learn how to turn on the risk scoring engine. diff --git a/docs/serverless/advanced-entity-analytics/ers-req.mdx b/docs/serverless/advanced-entity-analytics/ers-req.mdx new file mode 100644 index 0000000000..b902a51861 --- /dev/null +++ b/docs/serverless/advanced-entity-analytics/ers-req.mdx 
@@ -0,0 +1,92 @@ +--- +slug: /serverless/security/ers-requirements +title: Entity risk scoring requirements +description: Requirements for using entity risk scoring and asset criticality. +tags: [ 'serverless', 'security', 'reference', 'manage' ] +--- + +To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete project feature. + +This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations. + +## Entity risk scoring + +### User roles + +To turn on the risk scoring engine, you need either the appropriate predefined Security user role or a custom role with the right privileges: + +**Predefined roles** + +* Platform engineer +* Detections admin +* Admin + +**Custom role privileges** + + + + + * `manage_index_templates` + * `manage_transform` + + `all` privilege for `risk-score.risk-score-*` + **Read** for the **Security** feature + + + +### Known limitations + +* The risk scoring engine uses an internal user role to score all hosts and users. After you turn on the risk scoring engine, all alerts in the project will contribute to host and user risk scores. +* You cannot customize alert data views or risk weights associated with alerts and asset criticality levels. 
+ +## Asset criticality + +### User roles + +To use asset criticality, you need either the appropriate predefined Security user role or a custom role with the right privileges: + +**Predefined roles** + + + + View asset criticality + + * Viewer + * Tier 1 analyst + + + + View, assign, change, or unassign asset criticality + + * Editor + * Tier 2 analyst + * Tier 3 analyst + * Threat intelligence analyst + * Rule author + * SOC manager + * Endpoint operations analyst + * Platform engineer + * Detections admin + * Endpoint policy manager + + + + +**Custom role privileges** + +Custom roles need the following privileges for the `.asset-criticality.asset-criticality-` index: + + + + View asset criticality + `read` + + + View, assign, or change asset criticality + `read` and `write` + + + Unassign asset criticality + `delete` + + diff --git a/docs/serverless/explore/hosts-overview.mdx b/docs/serverless/explore/hosts-overview.mdx new file mode 100644 index 0000000000..21eb840909 --- /dev/null +++ b/docs/serverless/explore/hosts-overview.mdx @@ -0,0 +1,112 @@ +--- +slug: /serverless/security/hosts-overview +title: Hosts page +description: Explore the Hosts page to analyze hosts and related security events. +tags: [ 'serverless', 'security', 'how-to', 'analyze' ] +status: in review +--- + + +
+ +The Hosts page provides a comprehensive overview of all hosts and host-related security events. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data, drill down for deeper insights, and interact with Timeline for further investigation. + +![Hosts page](../images/hosts-overview/-management-hosts-hosts-ov-pg.png) + +The Hosts page has the following sections: + +
+ +## Host KPI (key performance indicator) charts + +KPI charts show metrics for hosts and unique IPs within the time range specified in the date picker. This data is visualized using linear or bar graphs. + + +Hover inside a KPI chart to display the actions menu (), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. + + +
+ +## Data tables + +Beneath the KPI charts are data tables, categorized by individual tabs, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following data: + +* **Events**: All host events. To display alerts received from external monitoring tools, scroll down to the Events table and select **Show only external alerts** on the right. +* **All hosts**: High-level host details. +* **Uncommon processes**: Uncommon processes running on hosts. +* **Anomalies**: Anomalies discovered by machine learning jobs. +* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation. +* **Sessions**: Linux process events that you can open in Session View, an investigation tool that allows you to examine Linux process data at a hierarchal level. + +The tables within the **Events** and **Sessions** tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. + +![Events table](../images/hosts-overview/-getting-started-users-events-table.png) + +
+ +## Host details page + +A host's details page displays all relevant information for the selected host. To view a host's details page, click its **Host name** link in the **All hosts** table. + +The host details page includes the following sections: + +* **Asset Criticality**: This section displays the host's current asset criticality level. +* **Summary**: Details such as the host ID, when the host was first and last seen, the associated IP addresses, and associated operating system. If the entity risk score feature is enabled, this section also displays host risk score data. +* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). +* **Data tables**: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts. + +![Host's details page](../images/hosts-overview/-management-hosts-hosts-detail-pg.png) + +## Host details flyout + +In addition to the host details page, relevant host information is also available in the host details flyout throughout the ((elastic-sec)) app. You can access this flyout from the following places: + +* The Alerts page, by clicking on a host name in the Alerts table +* The Entity Analytics dashboard, by clicking on a host name in the Host Risk Scores table +* The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table +* The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table +* The **Events** tab on the Hosts and host details pages, by clicking on a host name in the Events table +* The **Host risk** tab on the host details page, by clicking on a host name in the Top risk score contributors table + +The host details flyout includes the following sections: + +* Host risk summary, which displays host risk data and inputs. +* Asset Criticality, which allows you to view and assign asset criticality. 
+* Observed data, which displays host details. + +![Host details flyout](../images/hosts-overview/-host-details-flyout.png) + +### Host risk summary + + +The **Host risk summary** section is only available if the risk scoring engine is turned on. + + +The **Host risk summary** section contains a risk summary visualization and table. + +The risk summary visualization shows the host risk score and host risk level. Hover over the visualization to display the **Options** menu (). Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. + +The risk summary table shows the category, score, and number of risk inputs that determine the host risk score. Hover over the table to display the **Inspect** button (), which allows you to inspect the table's queries. + +To expand the **Host risk summary** section, click **View risk contributions**. The left panel displays additional details about the host's risk inputs: + +* The asset criticality level and contribution score from the latest risk scoring calculation. +* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. + +If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. + +![Host risk inputs](../images/hosts-overview/-host-risk-inputs.png) + +### Asset Criticality + +The **Asset Criticality** section displays the selected host's asset criticality level. Asset criticality contributes to the overall host risk score. The criticality level defines how impactful the host is when calculating the risk score. + +![Asset criticality](../images/hosts-overview/-host-asset-criticality.png) + +Click **Assign** to assign a criticality level to the selected host, or **Change** to change the currently assigned criticality level. 
+ +### Observed data + +This section displays details such as the host ID, when the host was first and last seen, the associated IP addresses and operating system, and the relevant Endpoint integration policy information. + +![Host observed data](../images/hosts-overview/-host-observed-data.png) \ No newline at end of file diff --git a/docs/serverless/explore/users-page.mdx b/docs/serverless/explore/users-page.mdx new file mode 100644 index 0000000000..b1b4ae1df4 --- /dev/null +++ b/docs/serverless/explore/users-page.mdx @@ -0,0 +1,106 @@ +--- +slug: /serverless/security/users-page +title: Users page +description: Analyze authentication and user behavior within your environment. +tags: [ 'serverless', 'security', 'how-to', 'analyze' ] +status: in review +--- + + +
+ +The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights. + +![User's page](../images/users-page/-getting-started-users-users-page.png) + +The Users page has the following sections: + +## User KPI (key performance indicator) charts + +KPI charts show the total number of users and successful and failed user authentications within the time range specified in the date picker. Data in the KPI charts is visualized through linear and bar graphs. + + +Hover inside a KPI chart to display the actions menu (), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. + + +## Data tables + +Beneath the KPI charts are data tables, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following details: + +* **Events**: Ingested events that contain the `user.name` field. You can stack by the `event.action`, `event.dataset`, or `event.module` field. To display alerts received from external monitoring tools, scroll down to the Events table and select **Show only external alerts** on the right. +* **All users**: A chronological list of unique user names, when they were last active, and the associated domains. +* **Authentications**: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination. +* **Anomalies**: Unusual activity discovered by machine learning jobs that contain user data. +* **User risk**: The latest recorded user risk score for each user, and its user risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation. 
+ +The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. + +## User details page + +A user's details page displays all relevant information for the selected user. To view a user's details page, click its **User name** link from the **All users** table. + +The user details page includes the following sections: + +* **Asset Criticality**: This section displays the user's current asset criticality level. + +* **Summary**: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the entity risk score feature is enabled, this section also displays user risk score data. + +* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). + +* **Data tables**: The same data tables as on the main Users page, except with values for the selected user instead of for all users. + + + +## User details flyout + +In addition to the user details page, relevant user information is also available in the user details flyout throughout the ((elastic-sec)) app. You can access this flyout from the following places: + +* The Alerts page, by clicking on a user name in the Alerts table +* The Entity Analytics dashboard, by clicking on a user name in the User Risk Scores table +* The **Events** tab on the Users and user details pages, by clicking on a user name in the Events table +* The **User risk** tab on the user details page, by clicking on a user name in the Top risk score contributors table +* The **Events** tab on the Hosts and host details pages, by clicking on a user name in the Events table +* The **Host risk** tab on the host details page, by clicking on a user name in the Top risk score contributors table + +The user details flyout includes the following sections: + +* User risk summary, which displays user risk data and inputs. 
+* Asset Criticality, which allows you to view and assign asset criticality. +* Observed data, which displays user details. + +![User details flyout](../images/users-page/-user-details-flyout.png) + +### User risk summary + + +The **User risk summary** section is only available if the risk scoring engine is turned on. + + +The **User risk summary** section contains a risk summary visualization and table. + +The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the **Options** menu (). Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. + +The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the **Inspect** button (), which allows you to inspect the table's queries. + +To expand the **User risk summary** section, click **View risk contributions**. The left panel displays additional details about the user's risk inputs: + +* The asset criticality level and contribution score from the latest risk scoring calculation. +* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. + +If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. + +![User risk inputs](../images/users-page/-user-risk-inputs.png) + +### Asset Criticality + +The **Asset Criticality** section displays the selected user's asset criticality level. Asset criticality contributes to the overall user risk score. The criticality level defines how impactful the user is when calculating the risk score. 
+ +![Asset criticality](../images/users-page/-user-asset-criticality.png) + +Click **Assign** to assign a criticality level to the selected user, or **Change** to change the currently assigned criticality level. + +### Observed data + +This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system. + +![User observed data](../images/users-page/-user-observed-data.png) \ No newline at end of file diff --git a/docs/serverless/settings/advanced-settings.mdx b/docs/serverless/settings/advanced-settings.mdx new file mode 100644 index 0000000000..f3d091076e --- /dev/null +++ b/docs/serverless/settings/advanced-settings.mdx @@ -0,0 +1,202 @@ +--- +slug: /serverless/security/advanced-settings +title: Advanced settings +description: Update advanced ((elastic-sec)) settings. +tags: [ 'serverless','security','reference','manage' ] +status: in review +--- + + + +
+ +The advanced settings determine: + +* Which indices ((elastic-sec)) uses to retrieve data +* ((ml-cap)) anomaly score display threshold +* The navigation menu style used throughout the ((security-app)) +* Whether the news feed is displayed on the Overview dashboard +* The default time interval used to filter ((elastic-sec)) pages +* The default ((elastic-sec)) pages refresh time +* Which IP reputation links appear on IP detail pages +* Whether cross-cluster search (CCS) privilege warnings are displayed +* Whether related integrations are displayed on the Rules page tables +* The options provided in the alert tag menu + +To change these settings, you need either the appropriate predefined Security user role or a custom role with `All` privileges for the **Advanced Settings** feature. + + +Modifying advanced settings can affect performance and cause +problems that are difficult to diagnose. Setting a property value to a blank +field reverts to the default behavior, which might not be compatible with other +configuration settings. Deleting a custom setting removes it +permanently. + + +## Access advanced settings + +To access advanced settings, go to **Project Settings** → **Management** → **Advanced Settings**, then scroll down to **Security Solution** settings. + + +For more information on non-Security settings, refer to [Advanced Settings](((kibana-ref))/advanced-options.html). Some settings might not be available in ((serverless-short)) projects. + + +![](../images/advanced-settings/-getting-started-solution-advanced-settings.png) + +
+ +## Update default Elastic Security indices + +The `securitySolution:defaultIndex` field defines which ((es)) indices the +((security-app)) uses to collect data. By default, index patterns are used to +match sets of ((es)) indices: + +* `apm-*-transaction*` +* `auditbeat-*` +* `endgame-*` +* `filebeat-*` +* `logs-*` +* `packetbeat-*` +* `winlogbeat-*` + + +Index patterns use wildcards to specify a set of indices. For example, the +`filebeat-*` index pattern means all indices starting with `filebeat-` are +available in the ((security-app)). + + +All of the default index patterns match [((beats))](((beats-ref))/beats-reference.html) and +[((agent))](((fleet-guide))/fleet-overview.html) indices. This means all +data shipped via ((beats)) and the ((agent)) is automatically added to the +((security-app)). + +You can add or remove any indices and index patterns as required, with a maximum of 50 items in the comma-delimited list. For background information on ((es)) indices, refer to [Data in: documents and indices](((ref))/documents-indices.html). + + +If you leave the `-*elastic-cloud-logs-*` index pattern selected, all Elastic cloud logs are excluded from all queries in the ((security-app)) by default. This is to avoid adding data from cloud monitoring to the app. + + + +((elastic-sec)) requires [ECS-compliant data](((ecs-ref))). If you use third-party data +collectors to ship data to ((es)), the data must be mapped to ECS. + lists ECS fields used in ((elastic-sec)). + + +
+ +## Update default Elastic Security threat intelligence indices + +The `securitySolution:defaultThreatIndex` advanced setting specifies threat intelligence indices that ((elastic-sec)) features query for ingested threat indicators. This setting affects features that query threat intelligence indices, such as the Threat Intelligence view on the Overview page, indicator match rules, and the alert enrichment query. + +You can specify a maximum of 10 threat intelligence indices; multiple indices must be separated by commas. By default, only the `logs-ti*` index pattern is specified. Do not remove or overwrite this index pattern, as it is used by ((agent)) integrations. + + +Threat intelligence indices aren't required to be ECS-compatible for use in indicator match rules. However, we strongly recommend compatibility if you want your alerts to be enriched with relevant threat indicator information. When searching for threat indicator data, indicator match rules use the threat indicator path specified in the **Indicator prefix override** advanced setting. Visit Configure advanced rule settings for more information. + + +
+ +## Telemetry settings + +Elastic transmits certain information about Elastic Security when users interact with the ((security-app)), detailed below. Elastic redacts or obfuscates personal data (IP addresses, host names, usernames, etc.) before transmitting messages. Security-specific telemetry events include: + +* **Detection rule security alerts:** Information about Elastic-authored prebuilt detection rules using the detection engine. Examples of alert data include machine learning job influencers, process names, and cloud audit events. +* **((elastic-endpoint)) Security alerts:** Information about malicious activity detected using ((elastic-endpoint)) detection engines. Examples of alert data include malicious process names, digital signatures, and file names written by the malicious software. Examples of alert metadata include the time of the alert, the ((elastic-endpoint)) version and related detection engine versions. +* **Configuration data for ((elastic-endpoint)):** Information about the configuration of ((elastic-endpoint)) deployments. Examples of configuration data include the Endpoint versions, operating system versions, and performance counters for Endpoint. +* **Exception list entries for Elastic rules:** Information about exceptions added for Elastic rules. Examples include trusted applications, detection exceptions, and rule exceptions. +* **Security alert activity records:** Information about actions taken on alerts generated in the ((security-app)), such as acknowledged or closed. + +To learn more, refer to our [Privacy Statement](https://www.elastic.co/legal/privacy-statement). 
+ +## Set machine learning score threshold + +When security ((ml)) jobs are enabled, this setting +determines the threshold above which anomaly scores appear in ((elastic-sec)): + +* `securitySolution:defaultAnomalyScore` + +## Modify news feed settings + +You can change these settings, which affect the news feed displayed on the +((elastic-sec)) **Overview** page: + +* `securitySolution:enableNewsFeed`: Enables the security news feed on the + Security **Overview** page. + +* `securitySolution:newsFeedUrl`: The URL from which the security news feed content is + retrieved. + +## Exclude cold and frozen tier data from analyzer queries + +Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in visual event analyzer queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default. + +
+ +## Access the event analyzer and session view from the event or alert details flyout + + + +The `securitySolution:enableVisualizationsInFlyout` setting allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout. This setting is turned off by default. + +## Change the default search interval and data refresh time + +These settings determine the default time interval and refresh rate ((elastic-sec)) +pages use to display data when you open the app: + +* `securitySolution:timeDefaults`: Default time interval +* `securitySolution:refreshIntervalDefaults`: Default refresh rate + + +Refer to [Date Math](((ref))/common-options.html) for information about the +syntax. The UI [time filter](((kibana-ref))/set-time-filter.html) overrides the +default values. + + + + +## Display reputation links on IP detail pages + +On IP details pages (**Network** → **_IP address_**), links to +external sites for verifying the IP address's reputation are displayed. By +default, links to these sites are listed: [TALOS](https://talosintelligence.com/) +and [VIRUSTOTAL](https://www.virustotal.com/). + +The `securitySolution:ipReputationLinks` field determines which IP reputation +sites are listed. To modify the listed sites, edit the field's JSON array. These +fields must be defined in each array element: + +* `name`: The link's UI display name. +* `url_template`: The link's URL. It can include `{{ip}}`, which is placeholder + for the IP address you are viewing on the **IP detail** page. + +**Example** + +Adds a link to https://www.dnschecker.org on **IP detail** pages: + +```json +[ + { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{ip}}" }, + { "name": "dnschecker.org", "url_template": "https://www.dnschecker.org/ip-location.php?ip={{ip}}" }, + { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{ip}}" } +] +``` + +
+ +## Configure cross-cluster search privilege warnings + +Each time a detection rule runs using a remote cross-cluster search (CCS) index pattern, it will return a warning saying that the rule may not have the required `read` privileges to the remote index. Because privileges cannot be checked across remote indices, this warning displays even when the rule actually does have `read` privileges to the remote index. + +If you've ensured that your detection rules have the required privileges across your remote indices, you can use the `securitySolution:enableCcsWarning` setting to disable this warning and reduce noise. + + + +## Show/hide related integrations in Rules page tables + +By default, Elastic prebuilt rules in the **Rules** and **Rule Monitoring** tables include a badge showing how many related integrations have been installed. Turn off `securitySolution:showRelatedIntegrations` to hide this in the rules tables (related integrations will still appear on rule details pages). + +
+ +## Manage alert tag options + +The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to Apply and filter alert tags. From 0ae43b3112074374dce4ef66c165b71fe3330a1e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 30 Oct 2024 10:01:45 +0000 Subject: [PATCH 2/3] Delete docs/serverless directory and its contents --- .../asset-criticality.mdx | 111 ---------- .../entity-risk-scoring.mdx | 114 ---------- .../advanced-entity-analytics/ers-req.mdx | 92 -------- docs/serverless/explore/hosts-overview.mdx | 112 ---------- docs/serverless/explore/users-page.mdx | 106 --------- .../serverless/settings/advanced-settings.mdx | 202 ------------------ 6 files changed, 737 deletions(-) delete mode 100644 docs/serverless/advanced-entity-analytics/asset-criticality.mdx delete mode 100644 docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx delete mode 100644 docs/serverless/advanced-entity-analytics/ers-req.mdx delete mode 100644 docs/serverless/explore/hosts-overview.mdx delete mode 100644 docs/serverless/explore/users-page.mdx delete mode 100644 docs/serverless/settings/advanced-settings.mdx diff --git a/docs/serverless/advanced-entity-analytics/asset-criticality.mdx b/docs/serverless/advanced-entity-analytics/asset-criticality.mdx deleted file mode 100644 index c2213d0c59..0000000000 --- a/docs/serverless/advanced-entity-analytics/asset-criticality.mdx +++ /dev/null 
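Review bot: in the users-page.mdx hunk, the **User risk** bullet under "Data tables" drops a noun ("This feature requires the Security Analytics Complete and must be enabled"); suggest "requires the Security Analytics Complete project feature", which is the wording the ers-req.mdx file in this same series uses. In the same hunk, "refer to our entity risk scoring documentation" and "refer to Manage detection alerts" appear as bare text here, so confirm each carries a link target before merging, and note that the "Manage detection alerts" cross-reference is attached to the **Events** table rather than the Alerts table it names.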
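Review bot: in the advanced-settings.mdx hunk, the note under "Update default Elastic Security indices" says "If you leave the `-*elastic-cloud-logs-*` index pattern selected, all Elastic cloud logs are excluded", but that exclusion pattern is not in the default `securitySolution:defaultIndex` list given a few lines earlier (`apm-*-transaction*` through `winlogbeat-*`); either add `-*elastic-cloud-logs-*` to the documented default or remove the note, otherwise a reader who restores the list as documented will start querying cloud monitoring logs without noticing. Smaller points in the same hunk: the bulleted summary at the top omits the threat intelligence index, cold/frozen tier, and flyout visualization settings that are documented below; the "Telemetry settings" section is the only one that names no `securitySolution:` key or opt-out control, so a reader cannot tell what to change; and since each `securitySolution:ipReputationLinks` entry becomes a link that sends the IP under investigation to the external site in `url_template`, one sentence reminding administrators to add only sites they trust with that data would be worth adding next to the JSON example.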
@@ -1,111 +0,0 @@ ---- -slug: /serverless/security/asset-criticality -title: Asset criticality -description: Learn how to use asset criticality to improve your security operations. -tags: [ 'serverless', 'security', 'overview', 'analyze' ] -status: in review ---- - - - - -To view and assign asset criticality, you must have the appropriate user role. For more information, refer to Entity risk scoring prerequisites. - - -The asset criticality feature allows you to classify your organization's entities based on various operational factors that are important to your organization. Through this classification, you can improve your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. - -You can assign one of the following asset criticality levels to your entities, based on their impact: - -* Low impact -* Medium impact -* High impact -* Extreme impact - -For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. - -## View and assign asset criticality - -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or bulk assign it to multiple entities by importing a text file. - -When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated. - - -If you assign asset criticality using the file import feature, risk scores are **not** immediately recalculated. However, you can trigger an immediate recalculation by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. 
- - -You can view, assign, change, or unassign asset criticality from the following places in the ((elastic-sec)) app: - -* The host details page and user details page: - - ![Assign asset criticality from the host details page](../images/asset-criticality/-assign-asset-criticality-host-details.png) - -* The host details flyout and user details flyout: - - ![Assign asset criticality from the host details flyout](../images/asset-criticality/-assign-asset-criticality-host-flyout.png) - -* The host details flyout and user details flyout in Timeline: - - ![Assign asset criticality from the host details flyout in Timeline](../images/asset-criticality/-assign-asset-criticality-timeline.png) - -### Bulk assign asset criticality - -You can bulk assign asset criticality to multiple entities by importing a CSV, TXT or TSV file from your asset management tools. - -The file must contain three columns, with each entity record listed on a separate row: - -1. The first column should indicate whether the entity is a `host` or a `user`. -1. The second column should specify the entity's `host.name` or `user.name`. -1. The third column should specify one of the following asset criticality levels: - * `extreme_impact` - * `high_impact` - * `medium_impact` - * `low_impact` - -The maximum file size is 1 MB. - -File structure example: - -``` -user,user-001,low_impact -user,user-002,medium_impact -host,host-001,extreme_impact -```` - -To import a file: -1. Go to **Project Settings** → **Stack Management** → **Entity Store**. -1. Select or drag and drop the file you want to import. - - - The file validation step highlights any lines that don't follow the required file structure. The asset criticality levels for those entities won't be assigned. We recommend that you fix any invalid lines and re-upload the file. - - -1. Click **Assign**. - -This process overwrites any previously assigned asset criticality levels for the entities included in the imported file. 
The newly assigned or updated asset criticality levels are immediately visible within all asset criticality workflows. - -You can trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now**. Otherwise, the newly assigned or updated asset criticality levels will be factored in during the next hourly risk scoring calculation. - -## Improve your security operations - -With asset criticality, you can improve your security operations by: - -* Prioritizing open alerts -* Monitoring an entity's risk - -### Prioritize open alerts - -You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities. - -Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to prioritize alerts associated with business-critical entities. - -### Monitor an entity's risk - -The risk scoring engine dynamically factors in an entity's asset criticality, along with `Open` and `Acknowledged` detection alerts to calculate the entity's overall risk score. This dynamic risk scoring allows you to monitor changes in the risk profiles of your most sensitive entities, and quickly escalate high-risk threats. - -To view the impact of asset criticality on an entity's risk score, follow these steps: - -1. Open the host details flyout or user details flyout. The risk summary section shows asset criticality's contribution to the overall risk score. -1. Click **View risk contributions** to open the flyout's left panel. -1. In the **Risk contributions** section, verify the entity's criticality level from the time the alert was generated. - -![View asset criticality impact on host risk score](../images/asset-criticality/-asset-criticality-impact.png) 
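Review bot: this hunk deletes docs/serverless/advanced-entity-analytics/asset-criticality.mdx, one commit after PATCH 1/3 created the same docs/serverless files (see the `new file mode` header on advanced-settings.mdx in the previous patch), so the two patches net to no change under docs/serverless; consider squashing them or dropping the serverless files from the cherry-pick so the history does not carry a large insert followed by its own delete. If any of this content is retained elsewhere, the "File structure example" opens its fence with three backticks and closes it with four (````), which breaks rendering of everything after it, and the "Custom role privileges" note is worth keeping because assigning criticality requires `write` on the `.asset-criticality.asset-criticality-` index, which is a privilege worth calling out explicitly.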
diff --git a/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx b/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx deleted file mode 100644 index 3b0bc0fd36..0000000000 --- a/docs/serverless/advanced-entity-analytics/entity-risk-scoring.mdx +++ /dev/null 
@@ -1,114 +0,0 @@ ---- -slug: /serverless/security/entity-risk-scoring -title: Entity risk scoring -description: Learn about the risk scoring engine and its features. -tags: [ 'serverless', 'security', 'overview', 'analyze' ] -status: in review ---- - - - -Entity risk scoring is an advanced ((elastic-sec)) analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response. - -Entity risk scoring allows you to monitor risk score changes of hosts and users in your environment. When generating advanced scoring analytics, the risk scoring engine utilizes threats from its end-to-end XDR use cases, such as SIEM, cloud, and endpoint. It leverages the Elastic SIEM detection engine to generate host and user risk scores from the last 30 days. - -It also generates risk scores on a recurring interval, and allows for easy onboarding and management. The engine is built to factor in risks from all ((elastic-sec)) use cases, and allows you to customize and control how and when risk is calculated. - -## Risk scoring inputs - -Entity risk scores are determined by the following risk inputs: - - - - Alerts - `.alerts-security.alerts-` index alias - - - Asset criticality level - `.asset-criticality.asset-criticality-` index alias - - - -The resulting entity risk scores are stored in the `risk-score.risk-score-` data stream alias. - - - -Entities without any alerts, or with only `Closed` alerts, are not assigned a risk score. - - - -## How is risk score calculated? - -1. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. - -1. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. 
The resulting aggregated risk score is assigned to the **Alerts** category in the entity's risk summary. - -1. The engine then verifies the entity's asset criticality level. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary. - - | Asset criticality level | Default risk weight | - |-------------------------|---------------------| - | Low impact | 0.5 | - | Medium impact | 1 | - | High impact | 1.5 | - | Extreme impact | 2 | - - - Asset criticality levels and default risk weights are subject to change. - - -1. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels: - - | Risk level | Risk score | - | ------------- |---------------| - | Unknown | < 20 | - | Low | 20-40 | - | Moderate | 40-70 | - | High | 70-90 | - | Critical | > 90 | - - - -This example shows how the risk scoring engine calculates the user risk score for `User_A`, whose asset criticality level is **Extreme impact**. - -There are 5 open alerts associated with `User_A`: - -* Alert 1 with alert risk score 21 -* Alert 2 with alert risk score 45 -* Alert 3 with alert risk score 21 -* Alert 4 with alert risk score 70 -* Alert 5 with alert risk score 21 - ---- - -To calculate the user risk score, the risk scoring engine: - -1. Sorts the associated alerts in descending order of alert risk score: - - * Alert 4 with alert risk score 70 - * Alert 2 with alert risk score 45 - * Alert 1 with alert risk score 21 - * Alert 3 with alert risk score 21 - * Alert 5 with alert risk score 21 - -1. 
Generates an aggregated risk score of 36.16, and assigns it to `User_A`'s **Alerts** risk category. - -1. Looks up `User_A`'s asset criticality level, and identifies it as **Extreme impact**. - -1. Generates a new risk input under the **Asset Criticality** risk category, with a risk contribution score of 16.95. - -1. Increases the user risk score to 53.11, and assigns `User_A` a **Moderate** user risk level. - -If `User_A` had no asset criticality level assigned, the user risk score would remain unchanged at 36.16. - - - -Learn how to turn on the risk scoring engine. diff --git a/docs/serverless/advanced-entity-analytics/ers-req.mdx b/docs/serverless/advanced-entity-analytics/ers-req.mdx deleted file mode 100644 index b902a51861..0000000000 --- a/docs/serverless/advanced-entity-analytics/ers-req.mdx +++ /dev/null 
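Review bot: the risk level table being removed in the entity-risk-scoring.mdx hunk has overlapping and gapped boundaries (Low is 20-40 and Moderate is 40-70, so 40 matches both; High stops at 90 while Critical starts above 90, leaving exactly 90 unmapped), and the worked example states the aggregated alert score (36.16) without the weighting rule that produces it from the five alerts listed; wherever this explanation is kept, fix the boundaries with inclusive/exclusive notation and add a one-line description of the aggregation, rather than letting the delete carry the issues along. The arithmetic in the example itself checks out (36.16 + 16.95 = 53.11, which falls in the Moderate band).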
@@ -1,92 +0,0 @@ ---- -slug: /serverless/security/ers-requirements -title: Entity risk scoring requirements -description: Requirements for using entity risk scoring and asset criticality. -tags: [ 'serverless', 'security', 'reference', 'manage' ] ---- - -To use entity risk scoring and asset criticality, you need the appropriate user roles. These features require the Security Analytics Complete project feature. - -This page covers the requirements for using the entity risk scoring and asset criticality features, as well as their known limitations. - -## Entity risk scoring - -### User roles - -To turn on the risk scoring engine, you need either the appropriate predefined Security user role or a custom role with the right privileges: - -**Predefined roles** - -* Platform engineer -* Detections admin -* Admin - -**Custom role privileges** - - - - - * `manage_index_templates` - * `manage_transform` - - `all` privilege for `risk-score.risk-score-*` - **Read** for the **Security** feature - - - -### Known limitations - -* The risk scoring engine uses an internal user role to score all hosts and users. After you turn on the risk scoring engine, all alerts in the project will contribute to host and user risk scores. -* You cannot customize alert data views or risk weights associated with alerts and asset criticality levels. 
- -## Asset criticality - -### User roles - -To use asset criticality, you need either the appropriate predefined Security user role or a custom role with the right privileges: - -**Predefined roles** - - - - View asset criticality - - * Viewer - * Tier 1 analyst - - - - View, assign, change, or unassign asset criticality - - * Editor - * Tier 2 analyst - * Tier 3 analyst - * Threat intelligence analyst - * Rule author - * SOC manager - * Endpoint operations analyst - * Platform engineer - * Detections admin - * Endpoint policy manager - - - - -**Custom role privileges** - -Custom roles need the following privileges for the `.asset-criticality.asset-criticality-` index: - - - - View asset criticality - `read` - - - View, assign, or change asset criticality - `read` and `write` - - - Unassign asset criticality - `delete` - - diff --git a/docs/serverless/explore/hosts-overview.mdx b/docs/serverless/explore/hosts-overview.mdx deleted file mode 100644 index 21eb840909..0000000000 --- a/docs/serverless/explore/hosts-overview.mdx +++ /dev/null @@ -1,112 +0,0 @@ ---- -slug: /serverless/security/hosts-overview -title: Hosts page -description: Explore the Hosts page to analyze hosts and related security events. -tags: [ 'serverless', 'security', 'how-to', 'analyze' ] -status: in review ---- - - -
- -The Hosts page provides a comprehensive overview of all hosts and host-related security events. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data, drill down for deeper insights, and interact with Timeline for further investigation. - -![Hosts page](../images/hosts-overview/-management-hosts-hosts-ov-pg.png) - -The Hosts page has the following sections: - -
- -## Host KPI (key performance indicator) charts - -KPI charts show metrics for hosts and unique IPs within the time range specified in the date picker. This data is visualized using linear or bar graphs. - - -Hover inside a KPI chart to display the actions menu (), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. - - -
- -## Data tables - -Beneath the KPI charts are data tables, categorized by individual tabs, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following data: - -* **Events**: All host events. To display alerts received from external monitoring tools, scroll down to the Events table and select **Show only external alerts** on the right. -* **All hosts**: High-level host details. -* **Uncommon processes**: Uncommon processes running on hosts. -* **Anomalies**: Anomalies discovered by machine learning jobs. -* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation. -* **Sessions**: Linux process events that you can open in Session View, an investigation tool that allows you to examine Linux process data at a hierarchal level. - -The tables within the **Events** and **Sessions** tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. - -![Events table](../images/hosts-overview/-getting-started-users-events-table.png) - -
- -## Host details page - -A host's details page displays all relevant information for the selected host. To view a host's details page, click its **Host name** link in the **All hosts** table. - -The host details page includes the following sections: - -* **Asset Criticality**: This section displays the host's current asset criticality level. -* **Summary**: Details such as the host ID, when the host was first and last seen, the associated IP addresses, and associated operating system. If the entity risk score feature is enabled, this section also displays host risk score data. -* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). -* **Data tables**: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts. - -![Host's details page](../images/hosts-overview/-management-hosts-hosts-detail-pg.png) - -## Host details flyout - -In addition to the host details page, relevant host information is also available in the host details flyout throughout the ((elastic-sec)) app. You can access this flyout from the following places: - -* The Alerts page, by clicking on a host name in the Alerts table -* The Entity Analytics dashboard, by clicking on a host name in the Host Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table -* The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a host name in the Events table -* The **Host risk** tab on the host details page, by clicking on a host name in the Top risk score contributors table - -The host details flyout includes the following sections: - -* Host risk summary, which displays host risk data and inputs. -* Asset Criticality, which allows you to view and assign asset criticality. 
-* Observed data, which displays host details. - -![Host details flyout](../images/hosts-overview/-host-details-flyout.png) - -### Host risk summary - - -The **Host risk summary** section is only available if the risk scoring engine is turned on. - - -The **Host risk summary** section contains a risk summary visualization and table. - -The risk summary visualization shows the host risk score and host risk level. Hover over the visualization to display the **Options** menu (). Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. - -The risk summary table shows the category, score, and number of risk inputs that determine the host risk score. Hover over the table to display the **Inspect** button (), which allows you to inspect the table's queries. - -To expand the **Host risk summary** section, click **View risk contributions**. The left panel displays additional details about the host's risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. - -![Host risk inputs](../images/hosts-overview/-host-risk-inputs.png) - -### Asset Criticality - -The **Asset Criticality** section displays the selected host's asset criticality level. Asset criticality contributes to the overall host risk score. The criticality level defines how impactful the host is when calculating the risk score. - -![Asset criticality](../images/hosts-overview/-host-asset-criticality.png) - -Click **Assign** to assign a criticality level to the selected host, or **Change** to change the currently assigned criticality level. 
- -### Observed data - -This section displays details such as the host ID, when the host was first and last seen, the associated IP addresses and operating system, and the relevant Endpoint integration policy information. - -![Host observed data](../images/hosts-overview/-host-observed-data.png) \ No newline at end of file diff --git a/docs/serverless/explore/users-page.mdx b/docs/serverless/explore/users-page.mdx deleted file mode 100644 index b1b4ae1df4..0000000000 --- a/docs/serverless/explore/users-page.mdx +++ /dev/null @@ -1,106 +0,0 @@ ---- -slug: /serverless/security/users-page -title: Users page -description: Analyze authentication and user behavior within your environment. -tags: [ 'serverless', 'security', 'how-to', 'analyze' ] -status: in review ---- - - -
- -The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights. - -![User's page](../images/users-page/-getting-started-users-users-page.png) - -The Users page has the following sections: - -## User KPI (key performance indicator) charts - -KPI charts show the total number of users and successful and failed user authentications within the time range specified in the date picker. Data in the KPI charts is visualized through linear and bar graphs. - - -Hover inside a KPI chart to display the actions menu (), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. - - -## Data tables - -Beneath the KPI charts are data tables, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following details: - -* **Events**: Ingested events that contain the `user.name` field. You can stack by the `event.action`, `event.dataset`, or `event.module` field. To display alerts received from external monitoring tools, scroll down to the Events table and select **Show only external alerts** on the right. -* **All users**: A chronological list of unique user names, when they were last active, and the associated domains. -* **Authentications**: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination. -* **Anomalies**: Unusual activity discovered by machine learning jobs that contain user data. -* **User risk**: The latest recorded user risk score for each user, and its user risk classification. This feature requires the Security Analytics Complete and must be enabled to display the data. To learn more, refer to our entity risk scoring documentation. 
- -The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to Manage detection alerts. - -## User details page - -A user's details page displays all relevant information for the selected user. To view a user's details page, click its **User name** link from the **All users** table. - -The user details page includes the following sections: - -* **Asset Criticality**: This section displays the user's current asset criticality level. - -* **Summary**: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the entity risk score feature is enabled, this section also displays user risk score data. - -* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). - -* **Data tables**: The same data tables as on the main Users page, except with values for the selected user instead of for all users. - - - -## User details flyout - -In addition to the user details page, relevant user information is also available in the user details flyout throughout the ((elastic-sec)) app. You can access this flyout from the following places: - -* The Alerts page, by clicking on a user name in the Alerts table -* The Entity Analytics dashboard, by clicking on a user name in the User Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a user name in the Events table -* The **User risk** tab on the user details page, by clicking on a user name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a user name in the Events table -* The **Host risk** tab on the host details page, by clicking on a user name in the Top risk score contributors table - -The user details flyout includes the following sections: - -* User risk summary, which displays user risk data and inputs. 
-* Asset Criticality, which allows you to view and assign asset criticality. -* Observed data, which displays user details. - -![User details flyout](../images/users-page/-user-details-flyout.png) - -### User risk summary - - -The **User risk summary** section is only available if the risk scoring engine is turned on. - - -The **User risk summary** section contains a risk summary visualization and table. - -The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the **Options** menu (). Use this menu to inspect the visualization's queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. - -The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the **Inspect** button (), which allows you to inspect the table's queries. - -To expand the **User risk summary** section, click **View risk contributions**. The left panel displays additional details about the user's risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert's contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. - -![User risk inputs](../images/users-page/-user-risk-inputs.png) - -### Asset Criticality - -The **Asset Criticality** section displays the selected user's asset criticality level. Asset criticality contributes to the overall user risk score. The criticality level defines how impactful the user is when calculating the risk score. 
- -![Asset criticality](../images/users-page/-user-asset-criticality.png) - -Click **Assign** to assign a criticality level to the selected user, or **Change** to change the currently assigned criticality level. - -### Observed data - -This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system. - -![User observed data](../images/users-page/-user-observed-data.png) \ No newline at end of file diff --git a/docs/serverless/settings/advanced-settings.mdx b/docs/serverless/settings/advanced-settings.mdx deleted file mode 100644 index f3d091076e..0000000000 --- a/docs/serverless/settings/advanced-settings.mdx +++ /dev/null @@ -1,202 +0,0 @@ ---- -slug: /serverless/security/advanced-settings -title: Advanced settings -description: Update advanced ((elastic-sec)) settings. -tags: [ 'serverless','security','reference','manage' ] -status: in review ---- - - - -
- -The advanced settings determine: - -* Which indices ((elastic-sec)) uses to retrieve data -* ((ml-cap)) anomaly score display threshold -* The navigation menu style used throughout the ((security-app)) -* Whether the news feed is displayed on the Overview dashboard -* The default time interval used to filter ((elastic-sec)) pages -* The default ((elastic-sec)) pages refresh time -* Which IP reputation links appear on IP detail pages -* Whether cross-cluster search (CCS) privilege warnings are displayed -* Whether related integrations are displayed on the Rules page tables -* The options provided in the alert tag menu - -To change these settings, you need either the appropriate predefined Security user role or a custom role with `All` privileges for the **Advanced Settings** feature. - - -Modifying advanced settings can affect performance and cause -problems that are difficult to diagnose. Setting a property value to a blank -field reverts to the default behavior, which might not be compatible with other -configuration settings. Deleting a custom setting removes it -permanently. - - -## Access advanced settings - -To access advanced settings, go to **Project Settings** → **Management** → **Advanced Settings**, then scroll down to **Security Solution** settings. - - -For more information on non-Security settings, refer to [Advanced Settings](((kibana-ref))/advanced-options.html). Some settings might not be available in ((serverless-short)) projects. - - -![](../images/advanced-settings/-getting-started-solution-advanced-settings.png) - -
- -## Update default Elastic Security indices - -The `securitySolution:defaultIndex` field defines which ((es)) indices the -((security-app)) uses to collect data. By default, index patterns are used to -match sets of ((es)) indices: - -* `apm-*-transaction*` -* `auditbeat-*` -* `endgame-*` -* `filebeat-*` -* `logs-*` -* `packetbeat-*` -* `winlogbeat-*` - - -Index patterns use wildcards to specify a set of indices. For example, the -`filebeat-*` index pattern means all indices starting with `filebeat-` are -available in the ((security-app)). - - -All of the default index patterns match [((beats))](((beats-ref))/beats-reference.html) and -[((agent))](((fleet-guide))/fleet-overview.html) indices. This means all -data shipped via ((beats)) and the ((agent)) is automatically added to the -((security-app)). - -You can add or remove any indices and index patterns as required, with a maximum of 50 items in the comma-delimited list. For background information on ((es)) indices, refer to [Data in: documents and indices](((ref))/documents-indices.html). - - -If you leave the `-*elastic-cloud-logs-*` index pattern selected, all Elastic cloud logs are excluded from all queries in the ((security-app)) by default. This is to avoid adding data from cloud monitoring to the app. - - - -((elastic-sec)) requires [ECS-compliant data](((ecs-ref))). If you use third-party data -collectors to ship data to ((es)), the data must be mapped to ECS. - lists ECS fields used in ((elastic-sec)). - - -
- -## Update default Elastic Security threat intelligence indices - -The `securitySolution:defaultThreatIndex` advanced setting specifies threat intelligence indices that ((elastic-sec)) features query for ingested threat indicators. This setting affects features that query threat intelligence indices, such as the Threat Intelligence view on the Overview page, indicator match rules, and the alert enrichment query. - -You can specify a maximum of 10 threat intelligence indices; multiple indices must be separated by commas. By default, only the `logs-ti*` index pattern is specified. Do not remove or overwrite this index pattern, as it is used by ((agent)) integrations. - - -Threat intelligence indices aren't required to be ECS-compatible for use in indicator match rules. However, we strongly recommend compatibility if you want your alerts to be enriched with relevant threat indicator information. When searching for threat indicator data, indicator match rules use the threat indicator path specified in the **Indicator prefix override** advanced setting. Visit Configure advanced rule settings for more information. - - -
- -## Telemetry settings - -Elastic transmits certain information about Elastic Security when users interact with the ((security-app)), detailed below. Elastic redacts or obfuscates personal data (IP addresses, host names, usernames, etc.) before transmitting messages. Security-specific telemetry events include: - -* **Detection rule security alerts:** Information about Elastic-authored prebuilt detection rules using the detection engine. Examples of alert data include machine learning job influencers, process names, and cloud audit events. -* **((elastic-endpoint)) Security alerts:** Information about malicious activity detected using ((elastic-endpoint)) detection engines. Examples of alert data include malicious process names, digital signatures, and file names written by the malicious software. Examples of alert metadata include the time of the alert, the ((elastic-endpoint)) version and related detection engine versions. -* **Configuration data for ((elastic-endpoint)):** Information about the configuration of ((elastic-endpoint)) deployments. Examples of configuration data include the Endpoint versions, operating system versions, and performance counters for Endpoint. -* **Exception list entries for Elastic rules:** Information about exceptions added for Elastic rules. Examples include trusted applications, detection exceptions, and rule exceptions. -* **Security alert activity records:** Information about actions taken on alerts generated in the ((security-app)), such as acknowledged or closed. - -To learn more, refer to our [Privacy Statement](https://www.elastic.co/legal/privacy-statement). 
- -## Set machine learning score threshold - -When security ((ml)) jobs are enabled, this setting -determines the threshold above which anomaly scores appear in ((elastic-sec)): - -* `securitySolution:defaultAnomalyScore` - -## Modify news feed settings - -You can change these settings, which affect the news feed displayed on the -((elastic-sec)) **Overview** page: - -* `securitySolution:enableNewsFeed`: Enables the security news feed on the - Security **Overview** page. - -* `securitySolution:newsFeedUrl`: The URL from which the security news feed content is - retrieved. - -## Exclude cold and frozen tier data from analyzer queries - -Including data from cold and frozen [data tiers](((ref))/data-tiers.html) in visual event analyzer queries may result in performance degradation. The `securitySolution:excludeColdAndFrozenTiersInAnalyzer` setting allows you to exclude this data from analyzer queries. This setting is turned off by default. - -
- -## Access the event analyzer and session view from the event or alert details flyout - - - -The `securitySolution:enableVisualizationsInFlyout` setting allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout. This setting is turned off by default. - -## Change the default search interval and data refresh time - -These settings determine the default time interval and refresh rate ((elastic-sec)) -pages use to display data when you open the app: - -* `securitySolution:timeDefaults`: Default time interval -* `securitySolution:refreshIntervalDefaults`: Default refresh rate - - -Refer to [Date Math](((ref))/common-options.html) for information about the -syntax. The UI [time filter](((kibana-ref))/set-time-filter.html) overrides the -default values. - - - - -## Display reputation links on IP detail pages - -On IP details pages (**Network** → **_IP address_**), links to -external sites for verifying the IP address's reputation are displayed. By -default, links to these sites are listed: [TALOS](https://talosintelligence.com/) -and [VIRUSTOTAL](https://www.virustotal.com/). - -The `securitySolution:ipReputationLinks` field determines which IP reputation -sites are listed. To modify the listed sites, edit the field's JSON array. These -fields must be defined in each array element: - -* `name`: The link's UI display name. -* `url_template`: The link's URL. It can include `{{ip}}`, which is placeholder - for the IP address you are viewing on the **IP detail** page. - -**Example** - -Adds a link to https://www.dnschecker.org on **IP detail** pages: - -```json -[ - { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{ip}}" }, - { "name": "dnschecker.org", "url_template": "https://www.dnschecker.org/ip-location.php?ip={{ip}}" }, - { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{ip}}" } -] -``` - -
- -## Configure cross-cluster search privilege warnings - -Each time a detection rule runs using a remote cross-cluster search (CCS) index pattern, it will return a warning saying that the rule may not have the required `read` privileges to the remote index. Because privileges cannot be checked across remote indices, this warning displays even when the rule actually does have `read` privileges to the remote index. - -If you've ensured that your detection rules have the required privileges across your remote indices, you can use the `securitySolution:enableCcsWarning` setting to disable this warning and reduce noise. - - - -## Show/hide related integrations in Rules page tables - -By default, Elastic prebuilt rules in the **Rules** and **Rule Monitoring** tables include a badge showing how many related integrations have been installed. Turn off `securitySolution:showRelatedIntegrations` to hide this in the rules tables (related integrations will still appear on rule details pages). - -
- -## Manage alert tag options - -The `securitySolution:alertTags` field determines which options display in the alert tag menu. The default alert tag options are `Duplicate`, `False Positive`, and `Further investigation required`. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer to Apply and filter alert tags. From 204356011763dcc92ee463102358001ff8f08af4 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Wed, 30 Oct 2024 11:33:19 +0000 Subject: [PATCH 3/3] Update docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc --- .../api/asset-criticality-api-overview.asciidoc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc index 1ed6c40948..e83fb00fd2 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc @@ -2,9 +2,6 @@ [role="xpack"] == Asset criticality API -<<<<<<< HEAD -You can manage <> records through the API. To use this API, you must first turn on the `securitySolution:enableAssetCriticality` <>. -======= .New API Reference [sidebar] -- @@ -12,4 +9,3 @@ For the most up-to-date API details, refer to {api-kibana}/group/endpoint-securi -- You can manage <> records through the API. ->>>>>>> 2390859c (Asset criticality advanced setting removed (#5991))
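Review bot: the deletion of docs/serverless/explore/hosts-overview.mdx (its tail, `### Observed data` through `![Host observed data](...)`, is what is visible here) removes the whole page, and the deleted flyout text already describes viewing and assigning asset criticality with no prerequisite setting, which is exactly the state the change wants; if a serverless Hosts page is still needed, keep it with this wording rather than dropping it, and otherwise say in the commit message why the file goes entirely.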
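Review bot: the deletion of docs/serverless/explore/users-page.mdx (`@@ -1,106 +0,0 @@`) contains no reference to `securitySolution:enableAssetCriticality`; its `**User risk**` bullet only says the feature "requires the Security Analytics Complete and must be enabled", so this hunk is not what removes the advanced setting from the docs. Explain the full-file removal in the commit message (stray serverless copy, or intentionally unpublished) so the reviewer can tell a cleanup from an accidental loss of the serverless Users page.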
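Review bot: the deleted docs/serverless/settings/advanced-settings.mdx (`@@ -1,202 +0,0 @@`) documents `securitySolution:defaultIndex`, `defaultThreatIndex`, `defaultAnomalyScore`, `enableNewsFeed`, `newsFeedUrl`, `excludeColdAndFrozenTiersInAnalyzer`, `enableVisualizationsInFlyout`, `timeDefaults`, `refreshIntervalDefaults`, `ipReputationLinks`, `enableCcsWarning`, `showRelatedIntegrations` and `alertTags`, and `securitySolution:enableAssetCriticality` is not among them, so deleting the file is unrelated to the stated subject of the change. If the intent is to remove a serverless page that does not belong on this branch, state that in the commit message; if the serverless page is meant to remain, restore it instead of deleting it.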
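Review bot: in `@@ -2,9 +2,6 @@` of asset-criticality-api-overview.asciidoc the resolution drops the HEAD sentence telling readers to turn on `securitySolution:enableAssetCriticality` and keeps the `.New API Reference` sidebar, which matches the subject, but the `<<<<<<< HEAD`, `=======` and `>>>>>>> 2390859c` markers being removed here mean the preceding cherry-pick was committed with an unresolved conflict; squash this fixup into that commit so no revision of the file carries conflict markers, and confirm that the `{api-kibana}` attribute used in the sidebar link is defined in this branch's Asciidoc build.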
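Review bot: removing the trailing `>>>>>>> 2390859c (...)` line in `@@ -12,4 +9,3 @@` leaves the sidebar's closing `--` in place and `You can manage <> records through the API.` as the last line, so the block stays balanced; since no context follows that line in the hunk, check that the file ends with a newline so the Asciidoc source does not carry a "No newline at end of file" marker.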