From 8036225bce06ecde6f61596bef763e3d8be091e7 Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Date: Tue, 26 Nov 2024 17:24:17 -0500 Subject: [PATCH 1/2] Creates agentless troubleshooting page (#6184) * create agentless troubleshooting steps * incorporates Omolola's comment * incorporates Nastasha's review and adds serverless version * fixes typo * fix fleet refs * minor edit * incorporates Janeen's review and updates fleet refs in ESS version (cherry picked from commit db188fa3c82d2611f9c8a61c0345a9b53e70cf92) # Conflicts: # docs/serverless/index.asciidoc --- .../agentless-troubleshooting.asciidoc | 47 ++++ docs/getting-started/index.asciidoc | 1 + docs/serverless/index.asciidoc | 203 ++++++++++++++++++ .../ingest/agentless-troubleshooting.asciidoc | 47 ++++ 4 files changed, 298 insertions(+) create mode 100644 docs/getting-started/agentless-troubleshooting.asciidoc create mode 100644 docs/serverless/index.asciidoc create mode 100644 docs/serverless/ingest/agentless-troubleshooting.asciidoc diff --git a/docs/getting-started/agentless-troubleshooting.asciidoc b/docs/getting-started/agentless-troubleshooting.asciidoc new file mode 100644 index 0000000000..6629458449 --- /dev/null +++ b/docs/getting-started/agentless-troubleshooting.asciidoc 
@@ -0,0 +1,47 @@ +[[agentless-integration-troubleshooting]] += Agentless integrations FAQ + +Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration. + +[discrete] +== When I make a new integration, when will I see the agent appear on the Integration Policies page? + +After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete. + +[discrete] +== How do I troubleshoot an `Offline` agent? + +For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`. + +To troubleshoot this issue: + +. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab. +. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again. + +NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again. + +[discrete] +== How do I troubleshoot an `Unhealthy` agent? + +On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. 
To troubleshoot an `Unhealthy` agent: + +* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials: ++ +``` +[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX +``` + +For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting]. + +[discrete] +== How do I delete an agentless integration? + +NOTE: Deleting your integration will remove all associated resources and stop data ingestion. + +When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab. + +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`. +. Go to the CSPM Integration's **Integration policies** tab. +. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**. +. Confirm by clicking **Delete integration** again. + diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 64daa518ae..68e7ab74c1 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc 
@@ -14,6 +14,7 @@ include::ingest-data.asciidoc[leveloffset=+1] include::threat-intel-integrations.asciidoc[leveloffset=+2] include::automatic-import.asciidoc[leveloffset=+2] include::agentless-integrations.asciidoc[leveloffset=+2] +include::agentless-troubleshooting.asciidoc[leveloffset=+3] include::security-spaces.asciidoc[leveloffset=+1] diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc new file mode 100644 index 0000000000..5ccd27d722 --- /dev/null +++ b/docs/serverless/index.asciidoc 
@@ -0,0 +1,203 @@ +:doctype: book + +include::{asciidoc-dir}/../../shared/versions/stack/master.asciidoc[] +include::{asciidoc-dir}/../../shared/attributes.asciidoc[] + +[[what-is-security-serverless]] +== Elastic Security serverless + +++++ +Elastic Security +++++ + +include::./what-is-security-serverless.asciidoc[leveloffset=+2] + +include::./security-overview.asciidoc[leveloffset=+2] + +include::./billing.asciidoc[leveloffset=+2] + +include::./projects-create/create-project.asciidoc[leveloffset=+2] + +include::./sec-requirements.asciidoc[leveloffset=+2] + +include::./security-ui.asciidoc[leveloffset=+2] +include::./security-spaces.asciidoc[leveloffset=+3] + +include::./AI-for-security/ai-for-security-landing-pg.asciidoc[leveloffset=+2] +include::./AI-for-security/ai-assistant.asciidoc[leveloffset=+3] +include::./AI-for-security/knowledge-base.asciidoc[leveloffset=+4] +include::./AI-for-security/attack-discovery.asciidoc[leveloffset=+3] +include::./AI-for-security/llm-connector-guides.asciidoc[leveloffset=+3] +include::./AI-for-security/llm-performance-matrix.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-azure-openai.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-bedrock.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-openai.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-vertex.asciidoc[leveloffset=+4] +include::./AI-for-security/connect-to-byo-llm.asciidoc[leveloffset=+4] +include::./AI-for-security/ai-use-cases.asciidoc[leveloffset=+3] +include::./AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc[leveloffset=+4] +include::./AI-for-security/ai-assistant-alert-triage.asciidoc[leveloffset=+4] +include::./AI-for-security/ai-assistant-esql-queries.asciidoc[leveloffset=+4] + +include::./ingest/ingest-data.asciidoc[leveloffset=+2] +include::./ingest/threat-intelligence.asciidoc[leveloffset=+3] +include::./ingest/auto-import.asciidoc[leveloffset=+3] 
+include::./ingest/agentless-integrations.asciidoc[leveloffset=+3] +include::./ingest/agentless-troubleshooting.asciidoc[leveloffset=+4] + +include::./edr-install-config/endpoint-protection-intro.asciidoc[leveloffset=+2] +include::./edr-install-config/deploy-endpoint-reqs.asciidoc[leveloffset=+3] +include::./edr-install-config/install-elastic-defend.asciidoc[leveloffset=+3] +include::./edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc[leveloffset=+4] +include::./edr-install-config/deploy-endpoint-macos-ven.asciidoc[leveloffset=+4] +include::./edr-install-config/deploy-with-mdm.asciidoc[leveloffset=+4] +include::./edr-install-config/agent-tamper-protection.asciidoc[leveloffset=+4] +include::./edr-install-config/defend-feature-privs.asciidoc[leveloffset=+3] +include::./edr-install-config/configure-endpoint-integration-policy.asciidoc[leveloffset=+3] +include::./edr-install-config/artifact-control.asciidoc[leveloffset=+4] +include::./edr-install-config/endpoint-diagnostic-data.asciidoc[leveloffset=+4] +include::./edr-install-config/self-healing-rollback.asciidoc[leveloffset=+4] +include::./edr-install-config/linux-file-monitoring.asciidoc[leveloffset=+4] +include::./edr-install-config/endpoint-data-volume.asciidoc[leveloffset=+4] +include::./edr-install-config/uninstall-agent.asciidoc[leveloffset=+3] + +include::./edr-manage/manage-endpoint-protection.asciidoc[leveloffset=+2] +include::./edr-manage/endpoints-page.asciidoc[leveloffset=+3] +include::./edr-manage/policies-page-ov.asciidoc[leveloffset=+3] +include::./edr-manage/trusted-apps-ov.asciidoc[leveloffset=+3] +include::./edr-manage/event-filters.asciidoc[leveloffset=+3] +include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3] +include::./edr-manage/blocklist.asciidoc[leveloffset=+3] +include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3] 
+include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3] + +include::./endpoint-response-actions/response-actions.asciidoc[leveloffset=+2] +include::./endpoint-response-actions/automated-response-actions.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/host-isolation-ov.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/response-actions-history.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/third-party-actions.asciidoc[leveloffset=+3] +include::./endpoint-response-actions/response-actions-config.asciidoc[leveloffset=+3] + +include::./cloud-native-security/cloud-native-security-overview.asciidoc[leveloffset=+2] +include::./cloud-native-security/security-posture-management.asciidoc[leveloffset=+3] +include::./cloud-native-security/enable-cloudsec.asciidoc[leveloffset=+3] +include::./cloud-native-security/cspm.asciidoc[leveloffset=+3] +include::./cloud-native-security/cspm-get-started.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-get-started-gcp.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-get-started-azure.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-findings-page.asciidoc[leveloffset=+4] +include::./cloud-native-security/benchmark-rules.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/cspm-security-posture-faq.asciidoc[leveloffset=+4] +include::./cloud-native-security/kspm.asciidoc[leveloffset=+3] +include::./cloud-native-security/get-started-with-kspm.asciidoc[leveloffset=+4] +include::./cloud-native-security/kspm-cspm-findings-page.asciidoc[leveloffset=+4] +include::./cloud-native-security/kspm-benchmark-rules.asciidoc[leveloffset=+4] 
+include::./cloud-native-security/kspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/security-posture-faq.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-overview.asciidoc[leveloffset=+3] +include::./cloud-native-security/vuln-management-get-started.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-findings.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/vuln-management-faq.asciidoc[leveloffset=+4] +include::./cloud-native-security/d4c-overview.asciidoc[leveloffset=+3] +include::./cloud-native-security/d4c-get-started.asciidoc[leveloffset=+4] +include::./cloud-native-security/d4c-policy-guide.asciidoc[leveloffset=+4] +include::./cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc[leveloffset=+4] +include::./cloud-native-security/cloud-workload-protection.asciidoc[leveloffset=+3] +include::./cloud-native-security/environment-variable-capture.asciidoc[leveloffset=+4] +include::./cloud-native-security/ingest-cncf-data.asciidoc[leveloffset=+3] +include::./cloud-native-security/falco-setup.asciidoc[leveloffset=+4] +include::./cloud-native-security/aws-securityhub.asciidoc[leveloffset=+4] +include::./cloud-native-security/wiz.asciidoc[leveloffset=+4] + +include::./explore/explore-your-data.asciidoc[leveloffset=+2] +include::./explore/hosts-overview.asciidoc[leveloffset=+3] +include::./explore/network-page-overview.asciidoc[leveloffset=+3] +include::./explore/conf-map-ui.asciidoc[leveloffset=+4] +include::./explore/users-page.asciidoc[leveloffset=+3] +include::./explore/data-views-in-sec.asciidoc[leveloffset=+3] +include::./explore/runtime-fields.asciidoc[leveloffset=+3] +include::./explore/siem-field-reference.asciidoc[leveloffset=+3] + +include::./dashboards/dashboards-overview.asciidoc[leveloffset=+2] +include::./dashboards/overview-dashboard.asciidoc[leveloffset=+3] 
+include::./dashboards/detection-response-dashboard.asciidoc[leveloffset=+3] +include::./dashboards/kubernetes-dashboard-dash.asciidoc[leveloffset=+3] +include::./dashboards/cloud-posture-dashboard-dash.asciidoc[leveloffset=+3] +include::./dashboards/detection-entity-dashboard.asciidoc[leveloffset=+3] +include::./dashboards/data-quality-dash.asciidoc[leveloffset=+3] +include::./dashboards/vuln-management-dashboard-dash.asciidoc[leveloffset=+3] +include::./dashboards/rule-monitoring-dashboard.asciidoc[leveloffset=+3] + +include::./rules/detection-engine-overview.asciidoc[leveloffset=+2] +include::./rules/detections-permissions-section.asciidoc[leveloffset=+3] + +include::./rules/about-rules.asciidoc[leveloffset=+2] +include::./rules/rules-ui-create.asciidoc[leveloffset=+3] +include::./rules/interactive-investigation-guides.asciidoc[leveloffset=+4] +include::./rules/building-block-rule.asciidoc[leveloffset=+4] +include::./rules/prebuilt-rules/prebuilt-rules-management.asciidoc[leveloffset=+3] +include::./rules/rules-ui-management.asciidoc[leveloffset=+3] +include::./rules/alerts-ui-monitor.asciidoc[leveloffset=+3] +include::./rules/detections-ui-exceptions.asciidoc[leveloffset=+3] +include::./rules/value-lists-exceptions.asciidoc[leveloffset=+4] +include::./rules/add-exceptions.asciidoc[leveloffset=+4] +include::./rules/shared-exception-lists.asciidoc[leveloffset=+4] +include::./rules/rules-coverage.asciidoc[leveloffset=+3] +include::./rules/tuning-detection-signals.asciidoc[leveloffset=+3] +include::./rules/prebuilt-rules/prebuilt-rules.asciidoc[leveloffset=+3] + +include::./alerts/alerts-ui-manage.asciidoc[leveloffset=+2] +include::./alerts/visualize-alerts.asciidoc[leveloffset=+3] +include::./alerts/view-alert-details.asciidoc[leveloffset=+3] +include::./alerts/signals-to-cases.asciidoc[leveloffset=+3] +include::./alerts/alert-suppression.asciidoc[leveloffset=+3] +include::./alerts/reduce-notifications-alerts.asciidoc[leveloffset=+3] 
+include::./alerts/query-alert-indices.asciidoc[leveloffset=+3] +include::./alerts/alert-schema.asciidoc[leveloffset=+3] + +include::./advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc[leveloffset=+2] +include::./advanced-entity-analytics/entity-risk-scoring.asciidoc[leveloffset=+3] +include::./advanced-entity-analytics/ers-req.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/turn-on-risk-engine.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/analyze-risk-score-data.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/advanced-behavioral-detections.asciidoc[leveloffset=+3] +include::./advanced-entity-analytics/ml-requirements.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/machine-learning.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/tuning-anomaly-results.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/behavioral-detection-use-cases.asciidoc[leveloffset=+4] +include::./advanced-entity-analytics/prebuilt-ml-jobs.asciidoc[leveloffset=+4] + +include::./investigate/investigate-events.asciidoc[leveloffset=+2] +include::./investigate/timelines-ui.asciidoc[leveloffset=+3] +include::./investigate/timeline-templates-ui.asciidoc[leveloffset=+4] +include::./investigate/timeline-object-schema.asciidoc[leveloffset=+4] +include::./alerts/visual-event-analyzer.asciidoc[leveloffset=+3] +include::./cloud-native-security/session-view.asciidoc[leveloffset=+3] +include::./osquery/use-osquery.asciidoc[leveloffset=+3] +include::./osquery/osquery-response-action.asciidoc[leveloffset=+4] +include::./osquery/invest-guide-run-osquery.asciidoc[leveloffset=+4] +include::./osquery/alerts-run-osquery.asciidoc[leveloffset=+4] +include::./osquery/view-osquery-results.asciidoc[leveloffset=+4] +include::./osquery/osquery-placeholder-fields.asciidoc[leveloffset=+4] 
+include::./investigate/add-manage-notes.asciidoc[leveloffset=+3] +include::./investigate/indicators-of-compromise.asciidoc[leveloffset=+3] +include::./investigate/cases-overview.asciidoc[leveloffset=+3] +include::./investigate/case-permissions.asciidoc[leveloffset=+4] +include::./investigate/cases-open-manage.asciidoc[leveloffset=+4] +include::./investigate/cases-settings.asciidoc[leveloffset=+4] + +include::./assets/asset-management.asciidoc[leveloffset=+2] + +include::./settings/manage-settings.asciidoc[leveloffset=+2] +include::./settings/project-settings.asciidoc[leveloffset=+3] +include::./settings/advanced-settings.asciidoc[leveloffset=+3] + +include::./troubleshooting/troubleshooting-intro.asciidoc[leveloffset=+2] +include::./troubleshooting/ts-detection-rules.asciidoc[leveloffset=+3] +include::./troubleshooting/troubleshoot-endpoints.asciidoc[leveloffset=+3] \ No newline at end of file diff --git a/docs/serverless/ingest/agentless-troubleshooting.asciidoc b/docs/serverless/ingest/agentless-troubleshooting.asciidoc new file mode 100644 index 0000000000..6629458449 --- /dev/null +++ b/docs/serverless/ingest/agentless-troubleshooting.asciidoc 
@@ -0,0 +1,47 @@ +[[agentless-integration-troubleshooting]] += Agentless integrations FAQ + +Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration. + +[discrete] +== When I make a new integration, when will I see the agent appear on the Integration Policies page? + +After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete. + +[discrete] +== How do I troubleshoot an `Offline` agent? + +For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`. + +To troubleshoot this issue: + +. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab. +. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again. + +NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again. + +[discrete] +== How do I troubleshoot an `Unhealthy` agent? + +On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. 
To troubleshoot an `Unhealthy` agent: + +* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials: ++ +``` +[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX +``` + +For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting]. + +[discrete] +== How do I delete an agentless integration? + +NOTE: Deleting your integration will remove all associated resources and stop data ingestion. + +When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab. + +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`. +. Go to the CSPM Integration's **Integration policies** tab. +. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**. +. Confirm by clicking **Delete integration** again. + From 83f7c0b810fff26f1b3ce54ced2743ff954911d6 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" Date: Tue, 26 Nov 2024 22:26:23 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- docs/serverless/index.asciidoc | 203 ------------------ .../ingest/agentless-troubleshooting.asciidoc | 47 ---- 2 files changed, 250 deletions(-) delete mode 100644 docs/serverless/index.asciidoc delete mode 100644 docs/serverless/ingest/agentless-troubleshooting.asciidoc diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc deleted file mode 100644 index 5ccd27d722..0000000000 --- a/docs/serverless/index.asciidoc +++ /dev/null 
@@ -1,203 +0,0 @@ -:doctype: book - -include::{asciidoc-dir}/../../shared/versions/stack/master.asciidoc[] -include::{asciidoc-dir}/../../shared/attributes.asciidoc[] - -[[what-is-security-serverless]] -== Elastic Security serverless - -++++ -Elastic Security -++++ - -include::./what-is-security-serverless.asciidoc[leveloffset=+2] - -include::./security-overview.asciidoc[leveloffset=+2] - -include::./billing.asciidoc[leveloffset=+2] - -include::./projects-create/create-project.asciidoc[leveloffset=+2] - -include::./sec-requirements.asciidoc[leveloffset=+2] - -include::./security-ui.asciidoc[leveloffset=+2] -include::./security-spaces.asciidoc[leveloffset=+3] - -include::./AI-for-security/ai-for-security-landing-pg.asciidoc[leveloffset=+2] -include::./AI-for-security/ai-assistant.asciidoc[leveloffset=+3] -include::./AI-for-security/knowledge-base.asciidoc[leveloffset=+4] -include::./AI-for-security/attack-discovery.asciidoc[leveloffset=+3] -include::./AI-for-security/llm-connector-guides.asciidoc[leveloffset=+3] -include::./AI-for-security/llm-performance-matrix.asciidoc[leveloffset=+4] -include::./AI-for-security/connect-to-azure-openai.asciidoc[leveloffset=+4] -include::./AI-for-security/connect-to-bedrock.asciidoc[leveloffset=+4] -include::./AI-for-security/connect-to-openai.asciidoc[leveloffset=+4] -include::./AI-for-security/connect-to-vertex.asciidoc[leveloffset=+4] -include::./AI-for-security/connect-to-byo-llm.asciidoc[leveloffset=+4] -include::./AI-for-security/ai-use-cases.asciidoc[leveloffset=+3] -include::./AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc[leveloffset=+4] -include::./AI-for-security/ai-assistant-alert-triage.asciidoc[leveloffset=+4] -include::./AI-for-security/ai-assistant-esql-queries.asciidoc[leveloffset=+4] - -include::./ingest/ingest-data.asciidoc[leveloffset=+2] -include::./ingest/threat-intelligence.asciidoc[leveloffset=+3] -include::./ingest/auto-import.asciidoc[leveloffset=+3] 
-include::./ingest/agentless-integrations.asciidoc[leveloffset=+3] -include::./ingest/agentless-troubleshooting.asciidoc[leveloffset=+4] - -include::./edr-install-config/endpoint-protection-intro.asciidoc[leveloffset=+2] -include::./edr-install-config/deploy-endpoint-reqs.asciidoc[leveloffset=+3] -include::./edr-install-config/install-elastic-defend.asciidoc[leveloffset=+3] -include::./edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc[leveloffset=+4] -include::./edr-install-config/deploy-endpoint-macos-ven.asciidoc[leveloffset=+4] -include::./edr-install-config/deploy-with-mdm.asciidoc[leveloffset=+4] -include::./edr-install-config/agent-tamper-protection.asciidoc[leveloffset=+4] -include::./edr-install-config/defend-feature-privs.asciidoc[leveloffset=+3] -include::./edr-install-config/configure-endpoint-integration-policy.asciidoc[leveloffset=+3] -include::./edr-install-config/artifact-control.asciidoc[leveloffset=+4] -include::./edr-install-config/endpoint-diagnostic-data.asciidoc[leveloffset=+4] -include::./edr-install-config/self-healing-rollback.asciidoc[leveloffset=+4] -include::./edr-install-config/linux-file-monitoring.asciidoc[leveloffset=+4] -include::./edr-install-config/endpoint-data-volume.asciidoc[leveloffset=+4] -include::./edr-install-config/uninstall-agent.asciidoc[leveloffset=+3] - -include::./edr-manage/manage-endpoint-protection.asciidoc[leveloffset=+2] -include::./edr-manage/endpoints-page.asciidoc[leveloffset=+3] -include::./edr-manage/policies-page-ov.asciidoc[leveloffset=+3] -include::./edr-manage/trusted-apps-ov.asciidoc[leveloffset=+3] -include::./edr-manage/event-filters.asciidoc[leveloffset=+3] -include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3] -include::./edr-manage/blocklist.asciidoc[leveloffset=+3] -include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3] -include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3] 
-include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3] -include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3] -include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3] - -include::./endpoint-response-actions/response-actions.asciidoc[leveloffset=+2] -include::./endpoint-response-actions/automated-response-actions.asciidoc[leveloffset=+3] -include::./endpoint-response-actions/host-isolation-ov.asciidoc[leveloffset=+3] -include::./endpoint-response-actions/response-actions-history.asciidoc[leveloffset=+3] -include::./endpoint-response-actions/third-party-actions.asciidoc[leveloffset=+3] -include::./endpoint-response-actions/response-actions-config.asciidoc[leveloffset=+3] - -include::./cloud-native-security/cloud-native-security-overview.asciidoc[leveloffset=+2] -include::./cloud-native-security/security-posture-management.asciidoc[leveloffset=+3] -include::./cloud-native-security/enable-cloudsec.asciidoc[leveloffset=+3] -include::./cloud-native-security/cspm.asciidoc[leveloffset=+3] -include::./cloud-native-security/cspm-get-started.asciidoc[leveloffset=+4] -include::./cloud-native-security/cspm-get-started-gcp.asciidoc[leveloffset=+4] -include::./cloud-native-security/cspm-get-started-azure.asciidoc[leveloffset=+4] -include::./cloud-native-security/cspm-findings-page.asciidoc[leveloffset=+4] -include::./cloud-native-security/benchmark-rules.asciidoc[leveloffset=+4] -include::./cloud-native-security/cspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4] -include::./cloud-native-security/cspm-security-posture-faq.asciidoc[leveloffset=+4] -include::./cloud-native-security/kspm.asciidoc[leveloffset=+3] -include::./cloud-native-security/get-started-with-kspm.asciidoc[leveloffset=+4] -include::./cloud-native-security/kspm-cspm-findings-page.asciidoc[leveloffset=+4] -include::./cloud-native-security/kspm-benchmark-rules.asciidoc[leveloffset=+4] 
-include::./cloud-native-security/kspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4] -include::./cloud-native-security/security-posture-faq.asciidoc[leveloffset=+4] -include::./cloud-native-security/vuln-management-overview.asciidoc[leveloffset=+3] -include::./cloud-native-security/vuln-management-get-started.asciidoc[leveloffset=+4] -include::./cloud-native-security/vuln-management-findings.asciidoc[leveloffset=+4] -include::./cloud-native-security/vuln-management-dashboard-dash.asciidoc[leveloffset=+4] -include::./cloud-native-security/vuln-management-faq.asciidoc[leveloffset=+4] -include::./cloud-native-security/d4c-overview.asciidoc[leveloffset=+3] -include::./cloud-native-security/d4c-get-started.asciidoc[leveloffset=+4] -include::./cloud-native-security/d4c-policy-guide.asciidoc[leveloffset=+4] -include::./cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc[leveloffset=+4] -include::./cloud-native-security/cloud-workload-protection.asciidoc[leveloffset=+3] -include::./cloud-native-security/environment-variable-capture.asciidoc[leveloffset=+4] -include::./cloud-native-security/ingest-cncf-data.asciidoc[leveloffset=+3] -include::./cloud-native-security/falco-setup.asciidoc[leveloffset=+4] -include::./cloud-native-security/aws-securityhub.asciidoc[leveloffset=+4] -include::./cloud-native-security/wiz.asciidoc[leveloffset=+4] - -include::./explore/explore-your-data.asciidoc[leveloffset=+2] -include::./explore/hosts-overview.asciidoc[leveloffset=+3] -include::./explore/network-page-overview.asciidoc[leveloffset=+3] -include::./explore/conf-map-ui.asciidoc[leveloffset=+4] -include::./explore/users-page.asciidoc[leveloffset=+3] -include::./explore/data-views-in-sec.asciidoc[leveloffset=+3] -include::./explore/runtime-fields.asciidoc[leveloffset=+3] -include::./explore/siem-field-reference.asciidoc[leveloffset=+3] - -include::./dashboards/dashboards-overview.asciidoc[leveloffset=+2] -include::./dashboards/overview-dashboard.asciidoc[leveloffset=+3] 
-include::./dashboards/detection-response-dashboard.asciidoc[leveloffset=+3] -include::./dashboards/kubernetes-dashboard-dash.asciidoc[leveloffset=+3] -include::./dashboards/cloud-posture-dashboard-dash.asciidoc[leveloffset=+3] -include::./dashboards/detection-entity-dashboard.asciidoc[leveloffset=+3] -include::./dashboards/data-quality-dash.asciidoc[leveloffset=+3] -include::./dashboards/vuln-management-dashboard-dash.asciidoc[leveloffset=+3] -include::./dashboards/rule-monitoring-dashboard.asciidoc[leveloffset=+3] - -include::./rules/detection-engine-overview.asciidoc[leveloffset=+2] -include::./rules/detections-permissions-section.asciidoc[leveloffset=+3] - -include::./rules/about-rules.asciidoc[leveloffset=+2] -include::./rules/rules-ui-create.asciidoc[leveloffset=+3] -include::./rules/interactive-investigation-guides.asciidoc[leveloffset=+4] -include::./rules/building-block-rule.asciidoc[leveloffset=+4] -include::./rules/prebuilt-rules/prebuilt-rules-management.asciidoc[leveloffset=+3] -include::./rules/rules-ui-management.asciidoc[leveloffset=+3] -include::./rules/alerts-ui-monitor.asciidoc[leveloffset=+3] -include::./rules/detections-ui-exceptions.asciidoc[leveloffset=+3] -include::./rules/value-lists-exceptions.asciidoc[leveloffset=+4] -include::./rules/add-exceptions.asciidoc[leveloffset=+4] -include::./rules/shared-exception-lists.asciidoc[leveloffset=+4] -include::./rules/rules-coverage.asciidoc[leveloffset=+3] -include::./rules/tuning-detection-signals.asciidoc[leveloffset=+3] -include::./rules/prebuilt-rules/prebuilt-rules.asciidoc[leveloffset=+3] - -include::./alerts/alerts-ui-manage.asciidoc[leveloffset=+2] -include::./alerts/visualize-alerts.asciidoc[leveloffset=+3] -include::./alerts/view-alert-details.asciidoc[leveloffset=+3] -include::./alerts/signals-to-cases.asciidoc[leveloffset=+3] -include::./alerts/alert-suppression.asciidoc[leveloffset=+3] -include::./alerts/reduce-notifications-alerts.asciidoc[leveloffset=+3] 
-include::./alerts/query-alert-indices.asciidoc[leveloffset=+3] -include::./alerts/alert-schema.asciidoc[leveloffset=+3] - -include::./advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc[leveloffset=+2] -include::./advanced-entity-analytics/entity-risk-scoring.asciidoc[leveloffset=+3] -include::./advanced-entity-analytics/ers-req.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/turn-on-risk-engine.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/analyze-risk-score-data.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/advanced-behavioral-detections.asciidoc[leveloffset=+3] -include::./advanced-entity-analytics/ml-requirements.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/machine-learning.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/tuning-anomaly-results.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/behavioral-detection-use-cases.asciidoc[leveloffset=+4] -include::./advanced-entity-analytics/prebuilt-ml-jobs.asciidoc[leveloffset=+4] - -include::./investigate/investigate-events.asciidoc[leveloffset=+2] -include::./investigate/timelines-ui.asciidoc[leveloffset=+3] -include::./investigate/timeline-templates-ui.asciidoc[leveloffset=+4] -include::./investigate/timeline-object-schema.asciidoc[leveloffset=+4] -include::./alerts/visual-event-analyzer.asciidoc[leveloffset=+3] -include::./cloud-native-security/session-view.asciidoc[leveloffset=+3] -include::./osquery/use-osquery.asciidoc[leveloffset=+3] -include::./osquery/osquery-response-action.asciidoc[leveloffset=+4] -include::./osquery/invest-guide-run-osquery.asciidoc[leveloffset=+4] -include::./osquery/alerts-run-osquery.asciidoc[leveloffset=+4] -include::./osquery/view-osquery-results.asciidoc[leveloffset=+4] -include::./osquery/osquery-placeholder-fields.asciidoc[leveloffset=+4] 
-include::./investigate/add-manage-notes.asciidoc[leveloffset=+3] -include::./investigate/indicators-of-compromise.asciidoc[leveloffset=+3] -include::./investigate/cases-overview.asciidoc[leveloffset=+3] -include::./investigate/case-permissions.asciidoc[leveloffset=+4] -include::./investigate/cases-open-manage.asciidoc[leveloffset=+4] -include::./investigate/cases-settings.asciidoc[leveloffset=+4] - -include::./assets/asset-management.asciidoc[leveloffset=+2] - -include::./settings/manage-settings.asciidoc[leveloffset=+2] -include::./settings/project-settings.asciidoc[leveloffset=+3] -include::./settings/advanced-settings.asciidoc[leveloffset=+3] - -include::./troubleshooting/troubleshooting-intro.asciidoc[leveloffset=+2] -include::./troubleshooting/ts-detection-rules.asciidoc[leveloffset=+3] -include::./troubleshooting/troubleshoot-endpoints.asciidoc[leveloffset=+3] \ No newline at end of file diff --git a/docs/serverless/ingest/agentless-troubleshooting.asciidoc b/docs/serverless/ingest/agentless-troubleshooting.asciidoc deleted file mode 100644 index 6629458449..0000000000 --- a/docs/serverless/ingest/agentless-troubleshooting.asciidoc +++ /dev/null 
@@ -1,47 +0,0 @@ -[[agentless-integration-troubleshooting]] -= Agentless integrations FAQ - -Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration. - -[discrete] -== When I make a new integration, when will I see the agent appear on the Integration Policies page? - -After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete. - -[discrete] -== How do I troubleshoot an `Offline` agent? - -For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`. - -To troubleshoot this issue: - -. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab. -. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again. - -NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again. - -[discrete] -== How do I troubleshoot an `Unhealthy` agent? - -On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. 
To troubleshoot an `Unhealthy` agent: - -* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials: -+ -``` -[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX -``` - -For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting]. - -[discrete] -== How do I delete an agentless integration? - -NOTE: Deleting your integration will remove all associated resources and stop data ingestion. - -When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab. - -. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`. -. Go to the CSPM Integration's **Integration policies** tab. -. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**. -. Confirm by clicking **Delete integration** again. -
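Review bot: The hunk against `docs/serverless/index.asciidoc` removes the entire serverless table of contents (every `include::` from cloud-native-security through troubleshooting) rather than only the newly added agentless troubleshooting include. That is consistent with the following hunk, which deletes the serverless copy of the page itself, but the commit message should state explicitly that this branch carries no serverless docs and that dropping the whole index file is intended, so a later reader of the history does not mistake it for an accidental conflict resolution. The `\ No newline at end of file` marker on the removed index is moot once the file is gone, but if the file is ever restored from this commit it should be saved with a trailing newline.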
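Review bot: The deleted `docs/serverless/ingest/agentless-troubleshooting.asciidoc` contains `{{fleet}}` with doubled braces in the line "For instructions on checking {{fleet}} logs", while every other attribute reference in the same file uses the single-brace form `{fleet}`; in AsciiDoc the doubled form does not resolve the attribute and renders literally. Since this hunk only removes the serverless duplicate, please check that the retained copy of the page on this branch does not carry the same `{{fleet}}` typo. The string `Cannot checkin in with fleet-server, retrying` in the `Offline` section reads like a typo but is quoted as a literal agent log message, so it should stay verbatim wherever the page survives so that users can grep for it.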