Merge branch 'main' into issue-5-value-list-constraints-pt2

Author: nastasha-solomon

.backportrc.json

@@ -1,5 +1,5 @@
 {
   "upstream": "elastic/security-docs",
-  "branches": [{ "name": "7.x", "checked": true }, "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
+  "branches": [{ "name": "7.x", "checked": true }, "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
   "labels": ["backport"]
 }

.mergify.yml

@@ -13,6 +13,20 @@ pull_request_rules:
             git merge upstream/{{base}}
             git push upstream {{head}}
             ```
+  - name: backport patches to 8.14 branch
+    conditions:
+      - merged
+      - base=main
+      - label=v8.14.0
+    actions:
+      backport:
+        assignees:
+          - "{{ author }}"
+        branches:
+          - "8.14"
+        title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
+        labels:
+          - backport
   - name: backport patches to 8.13 branch
     conditions:
       - merged

docs/advanced-entity-analytics/analyze-risk-score-data.asciidoc

@@ -48,65 +48,50 @@ Learn more about <<customize-the-alerts-table, customizing the Alerts table>>.
 image::images/alerts-table-rs.png[Risk scores in the Alerts table]
 
 [discrete]
-==== Triage alerts associated with high-risk entities
+[[triage-alerts-associated-with-high-risk-or-business-critical-entities]]
+==== Triage alerts associated with high-risk or business-critical entities
 
-To analyze alerts associated with high-risk entities, you can filter or group them by entity risk level.
+To analyze alerts associated with high-risk or business-critical entities, you can filter or group them by entity risk level or asset criticality level.
 
-* Use the drop-down filter controls to filter alerts by entity risk level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.risk.calculated_level` or `host.risk.calculated_level`:
-+
-[role="screenshot"]
-image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level]
+NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level.
+
+* Use the drop-down filter controls to filter alerts by entity risk level or asset criticality level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by:
 
-* To group alerts by entity risk level, select **Group alerts by**, then select **Custom field** and search for `host.risk.calculated_level` or `user.risk.calculated_level`.
+** `user.risk.calculated_level` or `host.risk.calculated_level` for entity risk level:
 +
 [role="screenshot"]
-image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels]
+image::images/filter-by-host-risk-level.png[Alerts filtered by high host risk level]
 
-** You can further sort the grouped alerts by highest entity risk score:
-+
---
-... Expand a risk level group, for example **High**.
-... Select **Sort fields** → **Pick fields to sort by**.
-... Select fields in the following order:
-.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
-.... `Risk score`: **High-Low**
-.... `@timestamp`: **New-Old**
---
+** `user.asset.criticality` or `host.asset.criticality` for asset criticality level:
 +
 [role="screenshot"]
-image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score]
-
-[discrete]
-[[triage-alerts-associated-with-business-critical-entities]]
-==== Triage alerts associated with business-critical entities
-
-To analyze alerts associated with business-critical entities, you can filter or group them by entity asset criticality.
+image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level]
 
-NOTE: If you change the entity's criticality level after an alert is generated, that alert document will include the original criticality level and will not reflect the new criticality level.
+* To group alerts by entity risk level or asset criticality level, select **Group alerts by**, then select **Custom field** and search for:
 
-* Use the drop-down filter controls to filter alerts by asset criticality level. To do this, <<drop-down-filter-controls, edit the default controls>> to filter by `user.asset.criticality` or `host.asset.criticality`:
+** `host.risk.calculated_level` or `user.risk.calculated_level` for entity risk level:
 +
 [role="screenshot"]
-image::images/filter-by-asset-criticality.png[Filter alerts by asset criticality level]
+image::images/group-by-host-risk-level.png[Alerts grouped by host risk levels]
 
-* To group alerts by asset criticality level, select **Group alerts by**, then select **Custom field** and search for `host.asset.criticality` or `user.asset.criticality`.
+** `host.asset.criticality` or `user.asset.criticality` for asset criticality level:
 +
 [role="screenshot"]
 image::images/group-by-asset-criticality.png[Alerts grouped by entity asset criticality levels]
 
 ** You can further sort the grouped alerts by highest entity risk score:
 +
 --
-... Expand an asset criticality group, for example **high_impact**.
+... Expand a risk level group (for example, **High**) or an asset criticality group (for example, **high_impact**).
 ... Select **Sort fields** → **Pick fields to sort by**.
 ... Select fields in the following order:
-.... `host.risk.calculated_score_norm`or `user.risk.calculated_score_norm`: **High-Low**
+.... `host.risk.calculated_score_norm` or `user.risk.calculated_score_norm`: **High-Low**
 .... `Risk score`: **High-Low**
 .... `@timestamp`: **New-Old**
 --
 +
 [role="screenshot"]
-image::images/ac-sort-by-host-risk-score.png[High-impact alerts sorted by host risk score]
+image::images/hrl-sort-by-host-risk-score.png[High-risk alerts sorted by host risk score]
 
 [discrete]
 [[alert-details-flyout]]

docs/advanced-entity-analytics/asset-criticality.asciidoc

@@ -26,7 +26,7 @@ For example, you can assign **Extreme impact** to business-critical entities, or
 [discrete]
 == View and assign asset criticality
 
-Entities do not have a default asset criticality level. You can view, assign, and change asset criticality from the following places in the {elastic-sec} app:
+Entities do not have a default asset criticality level. You can view, assign, change, or unassign asset criticality from the following places in the {elastic-sec} app:
 
 * The <<host-details-page, host details page>> and <<user-details-page, user details page>>:
 +
@@ -57,7 +57,7 @@ With asset criticality, you can improve your security operations by:
 
 You can use asset criticality as a prioritization factor when triaging alerts and conducting investigations and response activities.
 
-Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <<triage-alerts-associated-with-business-critical-entities, prioritize alerts associated with high-impact entities>>.
+Once you assign a criticality level to an entity, all subsequent alerts related to that entity are enriched with its criticality level. This additional context allows you to <<triage-alerts-associated-with-high-risk-or-business-critical-entities, prioritize alerts associated with business-critical entities>>.
 
 [discrete]
 [[monitor-entity-risk]]

docs/advanced-entity-analytics/entity-risk-scoring.asciidoc

@@ -14,8 +14,14 @@ It also generates risk scores on a recurring interval, and allows for easy onboa
 
 Entity risk scores are determined by the following risk inputs:
 
-* <<alerts-ui-manage, Alerts>>, stored in the `.alerts-security.alerts-<space-id>` index alias
-* <<asset-criticality, Asset criticality level>>, stored in the `.asset-criticality.asset-criticality-<space-id>` index alias
+[width="100%",options="header"]
+|==============================================
+|Risk input |Storage location
+
+|<<alerts-ui-manage, Alerts>> |`.alerts-security.alerts-<space-id>` index alias
+|<<asset-criticality, Asset criticality level>> |`.asset-criticality.asset-criticality-<space-id>` index alias
+|==============================================
+
 
 The resulting entity risk scores are stored in the `risk-score.risk-score-<space-id>` data stream alias.
 
@@ -29,10 +35,12 @@ The resulting entity risk scores are stored in the `risk-score.risk-score-<space
 [[how-is-risk-score-calculated]]
 == How is risk score calculated?
 
-The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts. It groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
+. The risk scoring engine runs hourly to aggregate `Open` and `Acknowledged` alerts from the last 30 days. For each entity, the engine processes up to 10,000 alerts.
 
-The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level:
+. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity's <<host-risk-summary, risk summary>>.
 
+. The engine then verifies the entity's <<asset-criticality, asset criticality level>>. If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
++
 [width="100%",options="header"]
 |==============================================
 |Asset criticality level |Default risk weight
@@ -43,13 +51,11 @@ The engine then verifies the entity's <<asset-criticality, asset criticality lev
 |Extreme impact |2
 
 |==============================================
-
++
 NOTE: Asset criticality levels and default risk weights are subject to change.
 
-The asset criticality risk input is assigned to the **Asset Criticality** category in the entity's risk summary.
-
-Based on the two risk inputs, the risk scoring engine generates a single numeric value, normalized to a 0-100 range, as the entity risk score. It assigns a risk level by mapping the normalized risk score to one of these levels:
-
+. Based on the two risk inputs, the risk scoring engine generates a single entity risk score of 0-100. It assigns a risk level by mapping the risk score to one of these levels:
++
 [width="100%",options="header"]
 |==============================================
 |Risk level |Risk score

docs/advanced-entity-analytics/images/ac-sort-by-host-risk-score.png

@@ -173,6 +173,8 @@ To explore the alerts attached to a case, click the *Alerts* tab. In the table,
 [role="screenshot"]
 image::images/cases-alert-tab.png[Shows you the Alerts tab]
 
+NOTE: Each case can have a maximum of 1,000 alerts.
+
 [float]
 [[cases-add-files]]
 === Add files

docs/advanced-entity-analytics/images/asset-criticality-impact.png

@@ -28,9 +28,7 @@ Frequently asked questions about the Kubernetes Security Posture Management (KSP
 
 *What versions of Kubernetes are supported?*
 
-For self-managed/vanilla clusters, Kubernetes version 1.23 is supported.
-
-For EKS clusters, all Kubernetes versions available at the time of cluster deployment are supported.
+For self-managed/vanilla and EKS clusters, Kubernetes version 1.23 is supported.
 
 *Do benchmark rules support multiple Kubernetes deployment types?*
 Yes. There are different sets of benchmark rules for self-managed and third party-managed deployments. Refer to <<get-started-with-kspm,Get started with KSPM>> for more information about setting up each deployment type.

docs/cases/cases-manage.asciidoc

@@ -59,8 +59,15 @@ For most users, the simplest option is to use a Google Cloud Shell script to aut
 +
 image::images/cspm-cloudshell-trust.png[The cloud shell confirmation popup]
 +
+NOTE: Google has deprecated its old Cloud Shell editor. If you continue to use it, you may encounter the following message:
++
+image::images/cspm-cloudshell-old-editor.png[The cloud shell switch editor popup]
++
+If the message appears, click **X** or **Try the new Editor** and follow the next steps. When you switch to the new editor, your context should remain unchanged.
 . In Google Cloud Shell, execute the command you copied. Once it finishes, return to {kib} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data.
 
+NOTE: If you encounter any issues running the command, return to {kib} and navigate again to Google Cloud Shell.
+
 NOTE: During Cloud Shell setup, the CSPM integration adds roles to Google's default service account, which enables custom role creation and attachment of the service account to a compute instance.
 After setup, these roles are removed from the service account. If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account:
 https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin[Project IAM Admin], https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin[Role Administrator].