Merge branch 'main' into kibana-fips-140-3

kilfoyle · web-flow · commit fe2924de2bae · 2026-04-06T09:00:52.000-04:00
diff --git a/explore-analyze/cases/control-case-access.md b/explore-analyze/cases/control-case-access.md
@@ -108,14 +108,16 @@ Users must log in to their deployment at least once before they can be assigned
 
 ::::{applies-switch} 
 
-:::{applies-item} stack: ga
+:::{applies-item} { stack: ga 9.4+, serverless: ga }
 
-* `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**). 
-* `Read` for a solution that has alerts (for example, **{{observability}}** or **Security**).
+* `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
+* To work with alerts in cases:
+  - **Security**: `Read` or `All` for the **Security > Alerts** feature. For what each level allows, refer to [Detections privileges](/solutions/security/detect-and-alert/detections-privileges.md#manage-alerts).
+  - **{{observability}}**: `Read` for **{{observability}}** 
 
 :::
 
-:::{applies-item} serverless: ga
+:::{applies-item} stack: ga 9.0-9.3
 
 * `All` for the **Cases** feature under the appropriate solution (**Security** or **{{observability}}**).
 * `Read` for a solution that has alerts (for example, **{{observability}}** or **Security**).
diff --git a/explore-analyze/visualize/legacy-editors.md b/explore-analyze/visualize/legacy-editors.md
@@ -12,10 +12,20 @@ products:
 
 Legacy editors are still available but have been replaced by better alternatives. Consider using one of the [modern editors](../visualize.md) offered in Elastic such as **Lens**.
 
-:::{note}
-Legacy panel types only appear in the **Add panel** dashboard menu if you already have such panels in your dashboards. If you have never used these panel types, use Lens instead.
+::::{applies-switch}
+
+:::{applies-item} { stack: ga 9.4+, serverless: ga }
+To create a legacy visualization, navigate to the **Dashboards** page, go to **Visualizations** > **Create visualization** > **Legacy**, then select **TSVB** or **Aggregation-based**. Consider using [Lens](../visualize.md) instead if you have never used these panel types.
+
+:::
+
+:::{applies-item} stack: ga 9.0-9.3
+To create a legacy visualization, click the {icon}`search` **Search** icon on the menu bar and search for **Visualize library**. Select **Create visualization** > **Legacy**, then select **TSVB** or **Aggregation-based**. Consider using [Lens](../visualize.md) instead if you have never used these panel types.
 :::
 
+::::
+
+
 The legacy editors are:
 
 - [Aggregation-based](legacy-editors/aggregation-based.md)
diff --git a/solutions/observability/apm/infrastructure.md b/solutions/observability/apm/infrastructure.md
@@ -3,8 +3,8 @@ mapped_pages:
   - https://www.elastic.co/guide/en/observability/current/apm-infrastructure.html
   - https://www.elastic.co/guide/en/serverless/current/observability-apm-infrastructure.html
 applies_to:
-  stack: ga
-  serverless: ga
+  stack: beta
+  serverless: beta
 products:
   - id: observability
   - id: apm
@@ -13,28 +13,36 @@ products:
 
 # Infrastructure [observability-apm-infrastructure]
 
-::::{important}
+The **Infrastructure** tab provides information about the containers, pods, and hosts that the selected service is linked to. The data sources and navigation behavior depend on whether the service is instrumented with [Elastic {{product.apm}}](#observability-apm-infrastructure-elastic-apm) or [OpenTelemetry (OTel)](#observability-apm-infrastructure-otel).
 
-The Applications UI Infrastructure functionality is in beta and is subject to change. The design and code is less mature than official generally available features and is being provided as-is with no warranties.
+IT ops and software reliability engineers (SREs) can use this tab to quickly find a service’s underlying infrastructure resources when debugging a problem. Knowing what infrastructure is related to a service allows you to remediate issues by restarting, killing hanging instances, changing configuration, rolling back deployments, scaling up, scaling out, and so on.
+
+::::{tip}
+**Why is the infrastructure tab empty?**
 
+If there is no data in the Application UI’s infrastructure tab for a selected service, you can read more about why this happens and how to fix it in the [troubleshooting docs](/troubleshoot/observability/apm/common-problems.md#troubleshooting-apm-infra-data).
 ::::
 
-The **Infrastructure** tab provides information about the containers, pods, and hosts that the selected service is linked to.
+## Elastic {{product.apm}}-instrumented services [observability-apm-infrastructure-elastic-apm]
+
+For services instrumented with Elastic {{product.apm}}, the tab uses the following data sources:
 
-* **Pods**: Uses the `kubernetes.pod.name` from the [APM metrics data streams](/solutions/observability/apm/metrics.md).
-* **Containers**: Uses the `container.id` from the [APM metrics data streams](/solutions/observability/apm/metrics.md).
-* **Hosts**: If the application is containerized—if the APM metrics documents include `container.id`—the `host.name` is used from the infrastructure data streams (filtered by `container.id`). If not, `host.hostname` is used from the APM metrics data streams.
+* **Pods**: Uses the `kubernetes.pod.name` from the [{{product.apm}} metrics data streams](/solutions/observability/apm/metrics.md).
+* **Containers**: Uses the `container.id` from the [{{product.apm}} metrics data streams](/solutions/observability/apm/metrics.md).
+* **Hosts**: If the application is containerized—if the {{product.apm}} metrics documents include `container.id`—the `host.name` is used from the infrastructure data streams (filtered by `container.id`). If not, `host.hostname` is used from the {{product.apm}} metrics data streams.
 
 :::{image} /solutions/images/serverless-infra.png
 :alt: Example view of the Infrastructure tab in the Applications UI
 :screenshot:
 :::
 
-IT ops and software reliability engineers (SREs) can use this tab to quickly find a service’s underlying infrastructure resources when debugging a problem. Knowing what infrastructure is related to a service allows you to remediate issues by restarting, killing hanging instances, changing configuration, rolling back deployments, scaling up, scaling out, and so on.
+## OTel-instrumented services [observability-apm-infrastructure-otel]
+```{applies_to}
+stack: ga 9.4
+serverless: ga
+```
 
-::::{tip}
-**Why is the infrastructure tab empty?**
-
-If there is no data in the Application UI’s infrastructure tab for a selected service, you can read more about why this happens and how to fix it in the [troubleshooting docs](/troubleshoot/observability/apm/common-problems.md#troubleshooting-apm-infra-data).
+For services instrumented with OpenTelemetry, the tab exclusively shows OTel-observed infrastructure. Click-through destinations differ by resource type:
 
-::::
+* **Hosts**: Links to the [**Hosts**](/solutions/observability/infra-and-hosts/analyze-compare-hosts.md) UI, which supports OpenTelemetry and its semantic conventions.
+* **Containers** and **Pods**: Link to [**Metrics** in Discover](/solutions/observability/infra-and-hosts/discover-metrics.md), as the Containers and Pods UIs do not yet support OTel semantic conventions.
diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring-requirements.md
@@ -35,6 +35,7 @@ To install or run the risk scoring engine, you need the following:
 | --- | --- | --- | --- |
 | Install the risk engine | `manage_index_templates`<br> `manage_transform`<br> `manage_ingest_pipelines` | `All` for `risk-score.risk-score-*` | **Read** for the **Security** feature |
 | Run the risk engine | `manage_transform` | N/A | **Read** for the **Security** feature |
+| {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` View alert risk contributions in entity details | N/A | N/A | **Read** for the **Security > Alerts** feature |
 
 
 ### Predefined roles [ers_roles]
diff --git a/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md b/solutions/security/advanced-entity-analytics/privileged-user-monitoring-requirements.md
@@ -24,21 +24,31 @@ To use this feature, you need:
 
 ## Privileges [privmon_privs]
 
+:::{table}
+:widths: 2-6-4
+
 | Action | Index Privileges | Kibana Privileges |
 | ------ | ---------------- | ----------------- |
-| Enable the privileged user monitoring feature | N/A | **All** for the **Security** feature |
-| View the Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - Security data view indices | **Read** for the **Security** feature |
+| Enable privileged user monitoring | N/A | **All** for the **Security** feature |
+| View Privileged user monitoring dashboard | `Read` for the following indices:<br> - `.entity_analytics.monitoring.users-<space-id>`<br> - `risk-score.risk-score-*`<br> - `.alerts-security.alerts-<space-id>`<br> -  `.ml-anomalies-shared`<br> - Security data view indices | {applies_to}`stack: ga 9.4+` {applies_to}`serverless: ga` **Read** for the **Security** feature and at least **Read** for the **Alerts** feature to view detection alert data on the dashboard. <br><br>{applies_to}`stack: ga =9.3` **Read** for the **Security** feature |
+
+:::
 
 ## Predefined roles [privmon_roles]
 ```yaml {applies_to}
 serverless: 
 ```
 
+:::{table}
+:widths: 4-8
+
 | Action | Predefined role |
 | --- | --- |
 | Enable privileged user monitoring | - Platform engineer<br>- Admin |
 | View the Privileged user monitoring dashboard | - Tier 1 analyst<br>- Tier 2 analyst<br>- Tier 3 analyst<br>- Rule author<br>- SOC manager<br>- Platform engineer<br>- Detections admin<br>- Admin |
 
+:::
+
 ## Known limitations
 
 * Currently, none of the privileged user monitoring visualizations support [cross-cluster search](/explore-analyze/cross-cluster-search.md) as part of the data that they query from. 
diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md
@@ -26,11 +26,30 @@ To use Attack Discovery, your role needs specific privileges.
 
 ::::{applies-switch}
 
-:::{applies-item} { "stack": "ga 9.3+", "serverless": "ga" }
+:::{applies-item} { "stack": "ga 9.4+", "serverless": "ga" }
 
 Ensure your role has:
 
-* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature and at least `Read` privileges for the **Security > Rules** {{kib}} feature.
+* Minimum [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for these **Security** features:
+
+  - `All` for **Attack discovery**
+  - At least `Read` for **Rules**
+  - At least `Read` for **Alerts**
+
+* The appropriate [index privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges), based on what you want to do with Attack Discovery alerts:
+
+| Action | Indices | {{es}} privileges |
+|---------|---------|--------------------------|
+| Read Attack Discovery alerts | - `.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.alerts-security.attack.discovery.alerts-<space-id>`<br> - `.adhoc.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.adhoc.alerts-security.attack.discovery.alerts-<space-id>`| `read` and `view_index_metadata` |
+| Read and modify Attack Discovery alerts. This includes:<br>- Generating discovery alerts manually<br>- Generating discovery alerts using schedules<br>- Sharing manually created alerts with other users<br>- Updating a discovery's status |- `.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.adhoc.alerts-security.attack.discovery.alerts-<space-id>`<br>- `.internal.adhoc.alerts-security.attack.discovery.alerts-<space-id>`| `read`, `view_index_metadata`, `write`, and `maintenance`|
+
+:::
+
+:::{applies-item} { "stack": "ga 9.3"}
+
+Ensure your role has:
+
+* `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.
 
     ![attack-discovery-rules-rbac](/solutions/images/attack-discovery-rules-rbac.png "elasticsearch =60%x60%")
 
@@ -49,7 +68,7 @@ Ensure your role has:
 
 * `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature and at least `Read` privileges for the **Security > Rules, Alerts, and Exceptions** {{kib}} feature.
 
-    ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png)
+    ![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png "elasticsearch =60%x60%")
 
 * The appropriate [index privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges), based on what you want to do with Attack Discovery alerts:
 
@@ -64,7 +83,7 @@ Ensure your role has:
 
 Ensure your role has `All` [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for the **Security > Attack discovery** {{kib}} feature.
 
-![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png)
+![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png "elasticsearch =60%x60%")
 
 :::
 
@@ -82,7 +101,8 @@ In {{stack}} 9.0.0, the **Run** button is called **Generate**.
 
 ::::{image} /solutions/images/security-attack-discovery-settings.png
 :alt: Attack Discovery's settings menu
-:width: 500px
+:screenshot:
+:width: 60%
 ::::
 
 You can select which alerts Attack Discovery will process by filtering based on a KQL query, the time and date selector, and the **Number of alerts** slider. Note that sending more alerts than your chosen LLM can handle may result in an error. Under **Alert summary** you can view a summary of the selected alerts grouped by various fields, and under **Alerts preview** you can see more details about the selected alerts.
@@ -115,6 +135,8 @@ You’ll need to select an LLM connector before you can analyze alerts. To get s
 
     :::{image} /solutions/images/security-attck-disc-select-model-empty.png
     :alt: attck disc select model empty
+    :screenshot:
+    :width: 60%
     :::
 
 3. Once you’ve selected a connector, do one of the following to start the analysis:
@@ -138,6 +160,8 @@ Each discovery includes the following information describing the potential threa
 
 :::{image} /solutions/images/security-attck-disc-example-disc.png
 :alt: Attack Discovery detail view
+:screenshot:
+:width: 60%
 :::
 
 
@@ -153,6 +177,7 @@ There are several ways you can incorporate discoveries into your {{elastic-sec}}
 
 :::{image} /solutions/images/security-add-discovery-to-assistant.gif
 :alt: Attack Discovery view in AI Assistant
+:width: 60%
 :::
 
 ## Schedule discoveries
diff --git a/solutions/security/detect-and-alert/detections-privileges.md b/solutions/security/detect-and-alert/detections-privileges.md
diff --git a/troubleshoot/observability/apm/common-problems.md b/troubleshoot/observability/apm/common-problems.md
