
Commit

Merge branch 'main' into issue-5441-the-notes-expansion
colleenmcginnis committed Nov 5, 2024
2 parents 0609473 + fa71c9d commit 5b59c4d
Showing 290 changed files with 18,025 additions and 436 deletions.
26 changes: 11 additions & 15 deletions README.md
Expand Up @@ -9,36 +9,32 @@ Documentation Manager: Janeen Roberts (Github: `@jmikell821`)

## Contributing to Elastic Security docs

You can open an issue using the appropriate [template](https://github.com/elastic/security-docs/issues/new/choose).
You can open an issue using the appropriate [template](https://github.com/elastic/security-docs/issues/new/choose).

> [!NOTE]
> Please report any **known issues** that need to be documented by creating an issue in our [private repo](https://github.com/elastic/security-docs-internal/issues) using the known issue template.
> Please report any **known issues** that need to be documented by creating an issue in our [private repo](https://github.com/elastic/security-docs-internal/issues) using the known issue template.
To contribute directly to Elastic Security documentation:

1. Please fork and clone the `security-docs` repo.
1. Check out the `main` branch and fetch the latest changes.
1. Check out a new branch and make your changes.
1. Save your changes and open a pull request.
1. Add all appropriate Github users as reviewers.
1. Add the appropriate release version label, backport version label if appropriate, and team label to the PR.
1. If your PR changes any [serverless docs content](https://github.com/elastic/security-docs/tree/main/docs/serverless), add the label `ci:doc-build` to generate a preview of the serverless docs on the PR.
1. Once the docs team approves all changes, you can merge it. If a backport version label was added to a PR for stack versions 7.14.0 and newer, mergify will automatically open a backport PR.
1. Merge the backport PR once it passes all CI checks.
1. Please fork and clone the `security-docs` repo.
1. Check out the `main` branch and fetch the latest changes.
1. Check out a new branch and make your changes.
1. Save your changes and open a pull request.
1. Add all appropriate Github users as reviewers.
1. Add the appropriate release version label, backport version label if appropriate, and team label to the PR.
1. Once the docs team approves all changes, you can merge it. If a backport version label was added to a PR for stack versions 7.14.0 and newer, mergify will automatically open a backport PR.
1. Merge the backport PR once it passes all CI checks.

### Preview documentation changes

When you open a pull request, preview links are automatically added as a comment in the PR. Once the CI check builds successfully, the links will be live and you can click them to preview your changes.

For stateful docs, you also might want to add targeted links to help reviewers find specific pages related to your PR. Preview URLs include the following pattern (replace `<YOUR_PR_NUMBER_HERE>` with the PR number):
You also might want to add targeted links to help reviewers find specific pages related to your PR. Preview URLs include the following pattern (replace `<YOUR_PR_NUMBER_HERE>` with the PR number):

```
https://security-docs_bk_<YOUR_PR_NUMBER_HERE>.docs-preview.app.elstc.co/guide/en/security/master/
```

> [!NOTE]
> Serverless docs previews don't allow targeted links, because the id in the URL changes with each rebuild.
## License

Shield: [![CC BY-NC-ND 4.0][cc-by-nc-nd-shield]][cc-by-nc-nd]
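Review bot: the contribution step that told authors to add the `ci:doc-build` label when a PR touches serverless docs content is removed, yet the new note under "Preview documentation changes" still refers to serverless docs previews; if the label is no longer needed to build that preview, say so in the preview section, otherwise keep the step. Two smaller points in the same hunk: the "You can open an issue" and "Please report any **known issues**" lines show as changed with no visible difference, so check for whitespace-only edits; and neither `> [!NOTE]` block is followed by a blank line before "To contribute directly..." and "## License", and without one a following paragraph line is parsed as a lazy continuation of the quote.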
8 changes: 3 additions & 5 deletions docs/advanced-entity-analytics/machine-learning.asciidoc
Expand Up @@ -49,13 +49,12 @@ interface. They are available when either:

* You ship data using https://www.elastic.co/products/beats[Beats] or the
<<install-endpoint,{agent}>>, and {kib} is configured with the required index
patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*`
in *{kib}* -> *{stack-manage-app}* -> *Data Views*).
patterns (such as `auditbeat-*`, `filebeat-*`, `packetbeat-*`, or `winlogbeat-*`) on the **Data Views** page. To find this page, navigate to **Data Views** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].

Or

* Your shipped data is ECS-compliant, and {kib} is configured with the shipped
data's index patterns in *{kib}* -> *{stack-manage-app}* -> *Data Views*.
data's index patterns on the **Data Views** page.

Or

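Review bot: in the first bullet, "To find this page, navigate to **Data Views** in the navigation menu or by using the ... global search field" mixes two constructions (navigate to X in the menu / by using the search) and differs from the "Find **X** in the navigation menu or by using the global search field" wording used in the other files of this commit; suggest `on the **Data Views** page, which you can find in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].` The removed lines used single-asterisk bold (`*{kib}*`), the new ones `**...**`; keep one style within the file.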
Expand All @@ -78,6 +77,5 @@ To view the `Anomalies` table widget and `Max Anomaly Score By Job` details,
the user must have the `machine_learning_admin` or `machine_learning_user` role.

NOTE: To adjust the `score` threshold that determines which anomalies are shown,
you can modify
*{kib}* -> *{stack-manage-app}* -> *Advanced Settings* -> *`securitySolution:defaultAnomalyScore`*.
you can modify the `securitySolution:defaultAnomalyScore` <<advanced-settings,advanced setting>>.

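Review bot: the rewritten NOTE now relies entirely on the `<<advanced-settings,advanced setting>>` cross-reference and drops the location the removed lines gave (Stack Management -> Advanced Settings); that is fine if the `advanced-settings` anchor resolves in this book (the data-views change in this same commit links `advanced-settings.html`, so it should), but confirm the build does not report an unresolved xref.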
16 changes: 10 additions & 6 deletions docs/advanced-entity-analytics/tune-anomaly-results.asciidoc
Expand Up @@ -24,7 +24,8 @@ For example, to filter out results from a housekeeping process, named
[[create-fiter-list]]
=== Create a filter list

. Go to *Machine Learning* -> *Anomaly Detection* -> *Settings*.
. Find **Machine Learning** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Under **Anomaly Detection**, select **Settings**.
. Click *Filter Lists* and then *New*.
+
The *Create new filter list* pane is displayed.
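Review bot: the two new steps use `**Machine Learning**`, `**Anomaly Detection**` and `**Settings**` (double-asterisk bold) while the unchanged step right after them uses `*Filter Lists*` and `*New*` (single-asterisk); both render in AsciiDoc, but keep one style within a step list, for example `. Find *Machine Learning* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].` The same mix recurs in the other hunks of this file.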
Expand All @@ -44,7 +45,8 @@ The new filter appears in the Filter List and can be added to relevant jobs.
[[add-job-filter]]
=== Add the filter to the relevant job

. Go to *Machine Learning* -> *Anomaly Detection* -> *Anomaly Explorer*.
. Find **Machine Learning** in the navigation menu.
. Under **Anomaly Detection**, select **Anomaly Explorer**.
. Navigate to the job results for which the filter is required. If the job results
are not listed, click *Edit job selection* and select the relevant job.
. In the *actions* column, click the gear icon and then select _Configure rules_.
Expand Down Expand Up @@ -78,7 +80,8 @@ must clone and run the cloned job.
IMPORTANT: Running the cloned job can take some time. Only run the job after you
have completed all job rule changes.

. Go to *Machine Learning* -> *Anomaly Detection* -> *Job Management*.
. Find **Machine Learning** in the navigation menu.
. Under **Anomaly Detection**, select **Jobs**.
. Navigate to the job for which you configured the rule.
. Optionally, expand the job row and click *JSON* to verify the configured filter
appears under `custom rules` in the JSON code.
Expand Down Expand Up @@ -121,7 +124,8 @@ Depending on your anomaly detection results, you may want to set a
minimum event count threshold for the `packetbeat_dns_tunneling` job:


. Go to *Machine Learning* -> *Anomaly Detection* -> *Anomaly Explorer*.
. Find **Machine Learning** in the navigation menu.
. Under **Anomaly Detection**, select **Anomaly Explorer**.
. Navigate to the job results for the `packetbeat_dns_tunneling` job. If the
job results are not listed, click *Edit job selection* and select
`packetbeat_dns_tunneling`.
Expand All @@ -139,5 +143,5 @@ _WHEN actual IS GREATER THAN <X>_
+
Where `<X>` is the threshold above which anomalies are detected.
. Click *Save*.
. To apply the new threshold, rerun the job (*Job Management* -> *Actions* ->
*Start datafeed*).
. To apply the new threshold, rerun the job by selecting *Actions* ->
*Start datafeed* on the **Anomaly Detection Jobs** page.
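Review bot: the last step calls the page the "**Anomaly Detection Jobs** page", whereas the earlier step in this file ("Under **Anomaly Detection**, select **Jobs**") names it **Jobs**; use one name so readers can match the instruction to the menu entry, for example `rerun the job by selecting *Actions* -> *Start datafeed* on the *Jobs* page under *Anomaly Detection*.` The same sentence also mixes `*Actions*` and `*Start datafeed*` with `**Anomaly Detection Jobs**`.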
6 changes: 3 additions & 3 deletions docs/advanced-entity-analytics/turn-on-risk-engine.asciidoc
Expand Up @@ -12,7 +12,7 @@ You can preview risky entities before installing the latest risk engine. The pre

NOTE: The preview is limited to two risk scores per {kib} instance.

To preview risky entities, go to **Manage** -> **Entity Risk Score**:
To preview risky entities, find **Entity Risk Score** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].

[role="screenshot"]
image::images/preview-risky-entities.png[Preview of risky entities]
Expand All @@ -28,7 +28,7 @@ image::images/preview-risky-entities.png[Preview of risky entities]

If you're installing the risk scoring engine for the first time:

. Go to **Manage** -> **Entity Risk Score**.
. Find **Entity Risk Score** in the navigation menu.
. Turn the **Entity risk score** toggle on.

[role="screenshot"]
Expand All @@ -49,7 +49,7 @@ If you upgraded to 8.11 from an earlier {stack} version, and you have the origin
[role="screenshot"]
image::images/risk-engine-upgrade-prompt.png[Prompt to upgrade to the latest risk engine]

. Click **Manage** in the upgrade prompt, or go to **Manage** -> **Entity Risk Score**.
. Click **Manage** in the upgrade prompt, or find **Entity Risk Score** in the navigation menu.
. On the Entity Risk Score page, click **Start update** next to the **Update available** label.
+
[role="screenshot"]
2 changes: 1 addition & 1 deletion docs/events/timeline-templates.asciidoc
Expand Up @@ -136,7 +136,7 @@ NOTE: You cannot delete prebuilt templates.
== Export and import Timeline templates

You can import and export Timeline templates, which enables importing templates
from one {kib} space or instance to another. Exported templates are saved in an `ndjson` file.
from one space or {elastic-sec} instance to another. Exported templates are saved in an `ndjson` file.

. Go to *Timelines* -> *Templates*.
. To export templates, do one of the following:
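Review bot: the unchanged step directly below the edited sentence, `. Go to *Timelines* -> *Templates*.`, still uses the "Go to A -> B" menu-path style that this commit replaces everywhere else with "Find **X** in the navigation menu or by using the global search field"; update it in the same pass so the page does not mix the two navigation styles.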
2 changes: 1 addition & 1 deletion docs/events/timeline-ui-overview.asciidoc
Expand Up @@ -170,7 +170,7 @@ then select an action from the *Bulk actions* menu.
== Export and import Timelines

You can export and import Timelines, which enables you to share Timelines from one
{kib} space or instance to another. Exported Timelines are saved as `.ndjson` files.
space or {elastic-sec} instance to another. Exported Timelines are saved as `.ndjson` files.

To export Timelines:

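Review bot: replacing "{kib} space or instance" with "space or {elastic-sec} instance" removes the only hint that "space" means a {kib} space; since spaces are a {kib} concept, consider writing `{kib} {kibana-ref}/xpack-spaces.html[space]` as docs/getting-started/data-views-in-sec.asciidoc does in this same commit. The identical wording change is made in docs/events/timeline-templates.asciidoc, so adjust both together.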
5 changes: 3 additions & 2 deletions docs/getting-started/agent-tamper-protection.asciidoc
Expand Up @@ -26,7 +26,8 @@ image::images/agent-tamper-protection.png[Agent tamper protection setting highli

You can enable Agent tamper protection by configuring the {agent} policy.

. Go to *{fleet}* -> *Agent policies*, then select the Agent policy you want to configure.
. Find *{fleet}* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Select *Agent policies*, then select the Agent policy you want to configure.
. Select the *Settings* tab on the policy details page.
. In the *Agent tamper protection* section, turn on the *Prevent agent tampering* setting.
+
Expand All @@ -43,7 +44,7 @@ If you need the uninstall token to remove {agent} from an endpoint, you can find

* *On the Agent policy* — Go to the Agent policy's *Settings* tab, then click the *Get uninstall command* link. The *Uninstall agent* flyout opens, containing the full uninstall command with the token.

* *On the {fleet} page* — Go to *{fleet}* -> *Uninstall tokens* for a list of the uninstall tokens generated for your Agent policies. You can:
* *On the {fleet} page* — Select *Uninstall tokens* for a list of the uninstall tokens generated for your Agent policies. You can:

** Click the *Show token* icon in the *Token* column to reveal a specific token.
** Click the *View uninstall command* icon in the *Actions* column to open the *Uninstall agent* flyout, containing the full uninstall command with the token.
3 changes: 2 additions & 1 deletion docs/getting-started/artifact-control.asciidoc
Expand Up @@ -16,7 +16,8 @@ CAUTION: It is strongly advised to keep automatic updates enabled to ensure the

To configure the protection artifacts version deployed in your environment:

. Go to **Manage** → **Policies**, select an {elastic-defend} integration policy, then select the **Protection updates** tab.
. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Select an {elastic-defend} integration policy, then select the **Protection updates** tab.
. Turn off the **Enable automatic updates** toggle.
. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment.
. (Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts.
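Review bot: with the **Manage** qualifier gone, "Find **Policies** in the navigation menu or by using the ... global search field" is ambiguous: a search for "Policies" could also match {fleet}'s **Agent policies** page (referenced in docs/getting-started/agent-tamper-protection.asciidoc in this commit), and the removed line at least tied the page to the {elastic-defend} integration policy in the same sentence. Suggest making the first step specific, for example `. Find the {elastic-defend} **Policies** page in the navigation menu or by using the ... global search field.`, so readers do not land on the {fleet} page.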
6 changes: 3 additions & 3 deletions docs/getting-started/configure-integration-policy.asciidoc
Expand Up @@ -7,7 +7,7 @@ on protected hosts (some features require a Platinum or Enterprise license). If
integration policy to configure protection settings, event collection, antivirus settings, trusted applications,
event filters, host isolation exceptions, and blocked applications to meet your organization's security needs.

You can also create multiple {elastic-defend} integration policies to maintain unique configuration profiles. To create an additional {elastic-defend} integration policy, go to **Management** -> **Integrations**, then follow the steps for <<add-security-integration, adding the {elastic-defend} integration>>.
You can also create multiple {elastic-defend} integration policies to maintain unique configuration profiles. To create an additional {elastic-defend} integration policy, find **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then follow the steps for <<add-security-integration, adding the {elastic-defend} integration>>.

.Requirements
[sidebar]
Expand All @@ -19,7 +19,7 @@ TIP: In addition to configuring an {elastic-defend} policy through the {elastic-

To configure an integration policy:

1. In the {security-app}, go to **Manage** -> **Policies** to view the **Policies** page.
1. Find **Policies** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
2. Select the integration policy you want to configure. The integration policy configuration page appears.
3. On the **Policy settings** tab, review and configure the following settings as appropriate:
* <<malware-protection>>
Expand Down Expand Up @@ -47,7 +47,7 @@ then select an item from the flyout. This view lists any existing artifacts that
+
NOTE: You can't create a new endpoint policy artifact while configuring an integration policy.
To create a new artifact, go to its main page in the {security-app} (for example,
to create a new trusted application, go to **Manage** -> **Trusted applications**).
to create a new trusted application, find **Trusted applications** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]).

5. Click the *Protection updates* tab to configure how {elastic-defend} receives updates from Elastic with the latest threat detections, malware models, and other protection artifacts. Refer to <<artifact-control>> for more information.

4 changes: 2 additions & 2 deletions docs/getting-started/create-defend-policy-api.asciidoc
Expand Up @@ -80,7 +80,7 @@ Replace these values:

. `<KIBANA-VERSION>` with your version of {kib}.
. `<POLICY-ID>` with the agent policy ID you received in step 1.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, go to **Management** -> **Integrations** and select *{elastic-defend}*.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, navigate to **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select *{elastic-defend}*.

This adds the {elastic-defend} integration to your agent policy with the default settings.

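Review bot: "To find it, navigate to **Integrations** in the navigation menu or by using the ... global search field" mixes two constructions (navigate to X in the menu / by using the search field); the rest of this commit uses "find **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]", so use that here. The identical sentence appears again in the second hunk of this file (the `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` bullet), so change both. The sentence also mixes `**Integrations**` with `*{elastic-defend}*`.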
Expand Down Expand Up @@ -490,7 +490,7 @@ Include the resulting JSON object in the following call to save your customized

. `<PACKAGE-POLICY-ID>` with the {elastic-defend} policy ID you received in step 2.
. `<KIBANA-VERSION>` with your version of {kib}.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, go to **Management** -> **Integrations** and select *{elastic-defend}*.
. `<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, navigate to **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select *{elastic-defend}*.

[source,console]
----
2 changes: 1 addition & 1 deletion docs/getting-started/data-views-in-sec.asciidoc
Expand Up @@ -33,7 +33,7 @@ NOTE: You cannot update the data view for the Alerts page. This includes referen
[[default-data-view-security]]
== The default {data-source}

The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {kib}'s advanced settings (**Stack Management** > **Advanced Settings** > **Security Solution**). To learn more about this setting, including its default value, refer to {security-guide}/advanced-settings.html#update-sec-indices[Advanced settings].
The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {security-guide}/advanced-settings.html#update-sec-indices[advanced settings].

The first time a user visits {elastic-sec} within a given {kib} {kibana-ref}/xpack-spaces.html[space], the default {data-source} generates in that space and becomes active.

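Review bot: the rewrite drops "To learn more about this setting, including its default value, refer to ...", so readers no longer learn that the linked page documents the default value of `securitySolution:defaultIndex`; keep that clause, for example `... which you can modify in {security-guide}/advanced-settings.html#update-sec-indices[advanced settings]; that page also lists the setting's default value.` Dropping the **Stack Management** > **Advanced Settings** > **Security Solution** path itself is fine given the link.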
2 changes: 1 addition & 1 deletion docs/getting-started/defend-feature-privs.asciidoc
Expand Up @@ -8,7 +8,7 @@

You can create user roles and define privileges to manage feature access in {elastic-sec}. This allows you to use the principle of least privilege while managing access to {elastic-defend}'s features.

Configure roles and privileges in *Stack Management* → *Roles* in {kib}. For more details on using this UI, refer to {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privileges].
To configure roles and privileges, find **Roles** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. For more details on using this UI, refer to {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} privileges].

NOTE: {elastic-defend}'s feature privileges must be assigned to *All Spaces*. You can't assign them to an individual space.

2 changes: 1 addition & 1 deletion docs/getting-started/endpoint-diagnostic-data.asciidoc
Expand Up @@ -5,7 +5,7 @@ By default, {elastic-defend} streams diagnostic data to your cluster, which Elas

NOTE: {kib} also collects usage telemetry, which includes {elastic-defend} diagnostic data. You can modify telemetry preferences in {kibana-ref}/telemetry-settings-kbn.html[Advanced Settings].

. In the {security-app}, go to *Manage* -> *Endpoints* to view the Endpoints list.
. To view the Endpoints list, find **Endpoints** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
. Locate the endpoint for which you want to disable diagnostic data, then click the integration policy in the *Policy* column.
. Scroll down to the bottom of the policy and click *Show advanced settings*.
. Enter `false` for these settings:
8 changes: 2 additions & 6 deletions docs/getting-started/install-endpoint.asciidoc
Expand Up @@ -28,11 +28,7 @@ NOTE: {elastic-defend} does not support deployment within an {agent} DaemonSet i
[[add-security-integration]]
== Add the {elastic-defend} integration

. Go to the *Integrations* page, which you can access in several ways:

* In {kib}: *Management* -> *Integrations*
* In the {security-app}: *Get started* -> *Add security integrations*

. Find **Integrations** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
+
[role="screenshot"]
image::images/install-endpoint/endpoint-cloud-sec-integrations-page.png[Search result for "{elastic-defend}" on the Integrations page.]
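Review bot: the removed bullets listed two entry points to the Integrations page, including the {security-app} route `*Get started* -> *Add security integrations*`; the replacement step mentions only the navigation menu and global search. If the **Get started** route still exists, either keep it as an alternative in the new step or drop it deliberately, rather than losing it silently. Keeping the `+` continuation after the new single step is right, since it still attaches the screenshot to that step.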
Expand Down Expand Up @@ -100,7 +96,7 @@ If you have upgraded to an {stack} version that includes {fleet-server} 7.13.0 o
[[enroll-agent]]
=== Add the {agent}

. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to *{fleet}* -> *Agents* -> **Add agent**.
. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, find **{fleet}** in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], and select **Agents** → **Add agent**.
+
[role="screenshot"]
image::images/install-endpoint/endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.]
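Review bot: "select **Agents** → **Add agent**" uses a literal arrow character, while other unchanged and changed lines in this commit (for example `*Timelines* -> *Templates*` in docs/events/timeline-templates.asciidoc) use `->`; pick one arrow form. Since the commit elsewhere names the page instead of giving a menu path, this could also read "find **{fleet}** in the navigation menu or by using the ... global search field, then select **Agents** and click **Add agent**."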
