Merge branch 'main' into 5732-blocklist-IS-operator
joepeeples committed Sep 18, 2024
2 parents 555d745 + 9c34da7 commit 4ccffc5
Showing 10 changed files with 68 additions and 34 deletions.
2 changes: 1 addition & 1 deletion .backportrc.json
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"upstream": "elastic/security-docs",
"branches": ["8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"branches": ["8.x", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
"labels": ["backport"]
}
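Review bot: the new "8.x" entry in the "branches" array only works if a branch literally named 8.x already exists in elastic/security-docs; confirm it has been created before this merges, otherwise backport PRs targeting it will fail to open. Placing "8.x" ahead of "8.15" follows the newest-first ordering of the rest of the list, so no change needed there.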
14 changes: 14 additions & 0 deletions .mergify.yml
@@ -13,6 +13,20 @@ pull_request_rules:
git merge upstream/{{base}}
git push upstream {{head}}
```
- name: backport patches to 8.16 branch
conditions:
- merged
- base=main
- label=v8.16.0
actions:
backport:
assignees:
- "{{ author }}"
branches:
- "8.x"
title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
labels:
- backport
- name: backport patches to 8.15 branch
conditions:
- merged
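Review bot: the rule name "backport patches to 8.16 branch" does not match its destination, which is the "8.x" branch; rename it to "backport patches to 8.x branch" (or "backport patches to 8.x (8.16) branch") so the rule list reads consistently with the existing "backport patches to 8.15 branch" entry that follows. The label=v8.16.0 trigger and the "8.x" target are otherwise consistent with the branch added to .backportrc.json in this same commit.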
29 changes: 13 additions & 16 deletions docs/detections/rules-ui-create.asciidoc
@@ -13,7 +13,7 @@ To create a new detection rule, follow these steps:
. Configure basic rule settings.
. Configure advanced rule settings (optional).
. Set the rule's schedule.
. Set up alert notifications (optional).
. Set up rule actions (optional).
. Set up response actions (optional).

.Requirements
@@ -616,9 +616,6 @@ run exactly at its scheduled time.
`Additional look-back time` are _not_ created.
==============
. Click *Continue*. The *Rule actions* pane is displayed.
+
[role="screenshot"]
image::images/available-action-types.png[Available connector types]

. Do either of the following:

@@ -627,23 +624,26 @@ image::images/available-action-types.png[Available connector types]

[float]
[[rule-notifications]]
=== Set up alert notifications (optional)
=== Set up rule actions (optional)

Use {kib} Actions to set up notifications sent via other systems when alerts
Use {kib} actions to set up notifications sent via other systems when alerts
are generated.

NOTE: To use {kib} Actions for alert notifications, you need the
NOTE: To use {kib} actions for alert notifications, you need the
https://www.elastic.co/subscriptions[appropriate license] and your role needs *All* privileges for the *Action and Connectors* feature. For more information, see <<case-permissions>>.

. Select a connector type to determine how notifications are sent. For example, if you select the {jira} connector, notifications are sent to your {jira} system.
+
NOTE: Each action type requires a connector. Connectors store the
[NOTE]
=====
Each action type requires a connector. Connectors store the
information required to send the notification from the external system. You can
configure connectors while creating the rule or in *{stack-manage-app}* -> *{connectors-ui}*. For more
information, see {kibana-ref}/action-types.html[Action and connector types].
+
[role="screenshot"]
image::images/available-action-types.png[Available connector types]
Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the {kibana-ref}/cases-action-type.html[Cases connector]
=====

. After you select a connector, set its action frequency to define when notifications are sent:

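Review bot: the sentence added at the end of the [NOTE] block ("...for the {kibana-ref}/cases-action-type.html[Cases connector]") is missing its terminating period. Also check how the lone `+` line and the `[role="screenshot"]` image render inside the `=====` delimited block: within a delimited block `+` is not a list continuation and can come out as literal text, and a blank line before `[role="screenshot"]` is all that is needed there. Minor: the heading now says "Set up rule actions" while the `[[rule-notifications]]` anchor and the intro sentence still talk about "notifications"; keeping the anchor for link stability is fine, but the intro sentence could be aligned with the new heading.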
@@ -775,18 +775,15 @@ Example using the mustache "current element" notation `{{.}}` to output all the

[float]
[[rule-response-action]]
=== Set up response actions (optional)
Use Response Actions to set up additional functionality that will run whenever a rule executes:
==== Set up response actions (optional)
Use response actions to set up additional functionality that will run whenever a rule executes:

* **Osquery**: Include live Osquery queries with a custom query rule. When an alert is generated, Osquery automatically collects data on the system related to the alert. Refer to <<osquery-response-action>> to learn more.

* **{elastic-defend}**: Automatically run response actions on an endpoint when rule conditions are met. For example, you can automatically isolate a host or terminate a process when specific activities or events are detected on the host. Refer to <<automated-response-actions>> to learn more.

IMPORTANT: Host isolation involves quarantining a host from the network to prevent further spread of threats and limit potential damage. Be aware that automatic host isolation can cause unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.

[role="screenshot"]
image::images/available-response-actions.png[Shows available response actions]

[discrete]
[[preview-rules]]
=== Preview your rule (optional)
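Review bot: demoting "Set up response actions (optional)" from `===` to `====` nests it under "Set up rule actions", but the step list at the top of this file still presents "Set up rule actions" and "Set up response actions" as parallel steps, and "Preview your rule (optional)" below stays at `===`. If the nesting is deliberate, the step list should reflect it; otherwise keep `===`. Removing the response-actions screenshot here matches the serverless rules-ui-create.mdx change in this commit.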
23 changes: 14 additions & 9 deletions docs/management/admin/response-actions-config.asciidoc
@@ -113,16 +113,21 @@ IMPORTANT: Do not create more than one SentinelOne connector.
- **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts.
.. Click **Save**.
. **Create and enable a rule to generate {elastic-sec} alerts.** Create a <<create-custom-rule,custom query detection rule>> to generate {elastic-sec} alerts whenever SentinelOne generates alerts.
. **Create and enable detection rules to generate {elastic-sec} alerts.** Create <<create-custom-rule,detection rules>> to generate {elastic-sec} alerts based on SentinelOne events and data.
+
Use these settings when creating the custom query rule to target the data collected from SentinelOne:
This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout.
+
--
- **Index patterns**: `logs-sentinel_one.alert*`
- **Custom query**: `observer.serial_number:*`
--
When creating a rule, you can target any event containing a SentinelOne agent ID field. Use one or more of these index patterns:
+
NOTE: Do not include any other index patterns or query parameters.
[cols="1,1"]
|===
|Index pattern |SentinelOne agent ID field
|`logs-sentinel_one.alert*` |`sentinel_one.alert.agent.id`
|`logs-sentinel_one.threat*` |`sentinel_one.threat.agent.id`
|`logs-sentinel_one.activity*` |`sentinel_one.activity.agent.id`
|`logs-sentinel_one.agent*` |`sentinel_one.agent.agent.id`
|===
+
This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout.
====
NOTE: Do not include any other index patterns.
====
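Review bot: the two `====` lines wrapping the final "NOTE: Do not include any other index patterns." look like leftover delimiters. As written they open a plain example block after the `+` continuation, and the inline `NOTE:` paragraph inside it renders as a boxed example containing a note rather than as an admonition. Either drop both `====` lines and leave the `NOTE:` paragraph attached with `+`, as the old version did, or put `[NOTE]` on the line before the opening `====` and drop the `NOTE:` prefix. The table itself is fine and matches the SentinelOne agent ID table in the serverless page touched by this commit.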
11 changes: 11 additions & 0 deletions docs/management/admin/response-actions.asciidoc
@@ -69,6 +69,7 @@ Example: `release --comment "Release host, everything looks OK"`
Show information about the host's status, including: {agent} status and version, the {elastic-defend} integration's policy status, and when the host was last active.

[discrete]
[[processes]]
=== `processes`
Show a list of all processes running on the host. This action may take a minute or so to complete.

@@ -81,7 +82,10 @@ Use this command to get current PID or entity ID values, which are required for
Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system.
====

NOTE: Running this command on third-party-protected hosts might return the process list in a different format. Refer to <<third-party-actions>> for more information.

[discrete]
[[kill-process]]
=== `kill-process`

Terminate a process. You must include one of the following parameters to identify the process to terminate:
@@ -93,6 +97,13 @@ Required privilege: *Process Operations*

Example: `kill-process --pid 123 --comment "Terminate suspicious process"`

[NOTE]
====
For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported.
Example: `kill-process --processName cat --comment "Terminate suspicious process"`
====

[discrete]
=== `suspend-process`

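Review bot: in the new [NOTE] block, "Example: `kill-process --processName cat ...`" follows the previous sentence with no blank line, so AsciiDoc joins the two into one paragraph; insert a blank line before "Example:" so it stands on its own like the other `Example:` lines in this file. The same five-line block is added verbatim to third-party-actions.asciidoc in this commit; consider an `include::` or a shared attribute so the two copies cannot drift (for instance if `--pid` support for SentinelOne hosts is added later).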
11 changes: 11 additions & 0 deletions docs/management/admin/third-party-actions.asciidoc
@@ -52,4 +52,15 @@ Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,r
+
NOTE: For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file.

* **Get a list of processes running on a host** with the <<processes, `processes` response action>>. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.

* **Terminate a process running on a host** with the <<kill-process, `kill-process` response action>>.
+
[NOTE]
====
For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported.
Example: `kill-process --processName cat --comment "Terminate suspicious process"`
====

* **View past response action activity** in the <<response-actions-history,response actions history>> log.
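Review bot: as in response-actions.asciidoc, add a blank line before "Example:" inside the [NOTE] block so it renders as its own paragraph, and consider sharing the block rather than duplicating it. The xrefs `<<processes, `processes` response action>>` and `<<kill-process, `kill-process` response action>>` depend on the `[[processes]]` and `[[kill-process]]` anchors introduced in the same commit, so they resolve; the space after the comma is tolerated by Asciidoctor, but the file's existing xrefs (`<<isolate-a-host,isolating>>`) omit it, so drop it for consistency.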
2 changes: 2 additions & 0 deletions docs/serverless/billing.mdx
@@ -17,6 +17,8 @@ Your monthly bill is based on the capabilities you use. When you use Security An
* **Ingest** — Measured by the number of GB of log/event/info data that you send to your Security project over the course of a month.
* **Retention** — Measured by the total amount of ingested data stored in your Security project.

Data volumes for both ingest and retention are based on the uncompressed data size at the point of ingest, before ((es)) compression is performed, and will be higher than the volumes traditionally reported by ((es)) index size. In addition, these volumes might be larger than the volumes reported by cloud provider proxy logs for data going into ((es)).

## Endpoint Protection

Endpoint Protection is an _optional_ add-on to Security Analytics that provides on-endpoint protection and prevention. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations:
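Review bot: "higher than the volumes traditionally reported by ((es)) index size" reads oddly; "reported as ((es)) index size" or "reported by the ((es)) index size" is clearer. The rest of the added paragraph is precise about what is measured (uncompressed size at ingest) and is a useful clarification.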
Original file line number Diff line number Diff line change
@@ -117,7 +117,7 @@ Select a tab below for your endpoint security system:
| Index pattern | SentinelOne agent ID field |
| ----------------------------- | -------------------------------- |
| `logs-sentinel_one.alert*` | `sentinel_one.alert.agent.id` |
| `logs-sentinel_one.threat*` | `sentinel_one.threat.agent.id` |
| `logs-sentinel_one.threat*` | `sentinel_one.threat.agent.id` |
| `logs-sentinel_one.activity*` | `sentinel_one.activity.agent.id` |
| `logs-sentinel_one.agent*` | `sentinel_one.agent.agent.id` |

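Review bot: this hunk is a whitespace-only change to the `logs-sentinel_one.threat*` row (column alignment in the markdown table); harmless, but worth calling out in the commit so reviewers do not look for a content change.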
6 changes: 0 additions & 6 deletions docs/serverless/rules/rules-ui-create.mdx
@@ -662,8 +662,6 @@ When configuring an ((esql)) rule's **<DocLink slug="/serverless/security/rules-

1. Click **Continue**. The **Rule actions** pane is displayed.

![Available connector types](../images/rules-ui-create/-detections-available-action-types.png)

1. Do either of the following:

* Continue onto <DocLink slug="/serverless/security/rules-create" section="set-up-alert-notifications-optional">setting up alert notifications</DocLink> and <DocLink slug="/serverless/security/rules-create" section="set-up-response-actions-optional">Response Actions</DocLink> (optional).
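Review bot: the unchanged step link text "setting up alert notifications" now diverges from the asciidoc version of this page, where the step and heading were renamed to "rule actions" in this commit; align the serverless wording, or keep both as "alert notifications", but not one of each. Removing the connector-types screenshot here also differs from the asciidoc change, which moves the same image into the NOTE block rather than deleting it; confirm the two pages are meant to differ.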
@@ -690,8 +688,6 @@ To use actions for alert notifications, you need the appropriate user role. For
Some connectors that perform actions require less configuration. For example, you do not need to set the action frequency or variables for the [Cases connector](((kibana-ref))/cases-action-type.html).
</DocCallOut>

![Available connector types](../images/rules-ui-create/-detections-available-action-types.png)

1. After you select a connector, set its action frequency to define when notifications are sent:

* **Summary of alerts**: Select this option to get a report that summarizes generated alerts, which you can review at your convenience. Alert summaries will be sent at the specified time intervals.
@@ -845,8 +841,6 @@ Use response actions to set up additional functionality that will run whenever a
Host isolation involves quarantining a host from the network to prevent further spread of threats and limit potential damage. Be aware that automatic host isolation can cause unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.
</DocCallOut>

![Shows available response actions](../images/rules-ui-create/-detections-available-response-actions.png)

<div id="preview-rules"></div>

## Preview your rule (optional)
2 changes: 1 addition & 1 deletion docs/whats-new.asciidoc
@@ -24,7 +24,7 @@ You can now interact with and manage {security-guide}/security-assistant.html[El
preview:[] {security-guide}/automatic-import.html[Automatic Import] uses AI to create integrations for your custom data sources.

[role="screenshot"]
image::whats-new/images/8.15/auto-import-success-message.png[The Automatic Import success message, 80%]
image::whats-new/images/8.15/auto-import-success-message.png[Automatic Import success message, 80%]

[float]
== Entity Analytics enhancements