
Merge branch '8.8' into backport/8.8/pr-157777
ashokaditya authored May 26, 2023
2 parents 7b4276e + 82c4eac commit b08ac00
Showing 123 changed files with 1,576 additions and 461 deletions.
159 changes: 82 additions & 77 deletions docs/CHANGELOG.asciidoc


9 changes: 9 additions & 0 deletions docs/api/spaces-management/copy_saved_objects.asciidoc
Expand Up @@ -69,6 +69,15 @@ NOTE: This option cannot be used with the `createNewCopies` option.
+
NOTE: This option cannot be used with the `createNewCopies` option.

[[spaces-api-copy-saved-objects-response-codes]]
==== Response codes

`200`::
Indicates a successful call.

`404`::
Indicates that the request failed because one or more of the objects specified could not be found. A list of the unresolved objects are included in the 404 response attributes.

[role="child_attributes"]
[[spaces-api-copy-saved-objects-response-body]]
==== {api-response-body-title}
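Review bot: subject-verb agreement in the new `404` description: "A list of the unresolved objects are included" should read "is included". Also consider whether this endpoint has other failure modes worth listing (an authorization failure, for instance); only `200` and `404` are documented in this hunk, and an integrator reading a "Response codes" section will take the list as complete.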
Expand Up @@ -49,7 +49,7 @@ A CORS rule is required for communication between Elastic and {sn}. To create a
. Configure the rule as follows:
* *Name*: Name the rule.
* *REST API*: Set the rule to use the Elastic SecOps API by choosing `Elastic SIR API [x_elas2_sir_int/elastic_api]`.
* *Domain*: Enter the Kibana URL.
* *Domain*: Enter the Kibana URL, including the port number.
. Go to the *HTTP methods* tab and select *GET*.
. Click *Submit* to create the rule.
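Review bot: "Enter the Kibana URL, including the port number" is still underspecified for a CORS rule. The value is matched against the browser's `Origin` header, so it should be the origin only (scheme, host and port, for example `https://kibana.example.com:5601`) with no trailing path or base path, and it should never be a wildcard, because this rule is what lets a browser page call the `x_elas2_sir_int/elastic_api` REST API. Suggest saying that explicitly and showing one example value.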

Expand Up @@ -54,7 +54,7 @@ A CORS rule is required for communication between Elastic and {sn}. To create a
. Configure the rule as follows:
* *Name*: Name the rule.
* *REST API*: Set the rule to use the Elastic ITSM API by choosing `Elastic ITSM API [x_elas2_inc_int/elastic_api]`.
* *Domain*: Enter the Kibana URL.
* *Domain*: Enter the Kibana URL, including the port number.
. Go to the *HTTP methods* tab and select *GET*.
. Click *Submit* to create the rule.
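Review bot: this line is now identical to the SIR connector page, and the two CORS procedures match word for word apart from the API name; if the port requirement changes again both copies have to be updated, so consider moving the shared steps into a common include. The same caveat applies here: the domain value is an origin (scheme, host, port, no path), and not a wildcard.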

@@ -1,9 +1,10 @@
[[maintenance-windows]]
== Maintenance windows
:description: Maintenance windows enable you to suppress rule notifications.
:tags-products: [kibana, alerting]
:tags-content-type: [overview]
:tags-user-goals: [manage]

:frontmatter-description: Maintenance windows enable you to suppress rule notifications.
:frontmatter-tags-products: [kibana, alerting]
:frontmatter-tags-content-type: [overview]
:frontmatter-tags-user-goals: [manage]

preview::[]

5 changes: 3 additions & 2 deletions docs/management/manage-data-views.asciidoc
@@ -1,7 +1,8 @@
[[managing-data-views]]
== Manage data views
:keywords: administrator, data view, data views, management, runtime fields, runtime fields in Kibana, scripted fields, field formatters, data fields, index pattern, index patterns
:description: Conceptual and step-by-step procedures for using runtime fields, scripted fields, and field formatters.

:frontmatter-description: Conceptual and step-by-step procedures for using runtime fields, scripted fields, and field formatters.
:frontmatter-tags-products: [kibana]

To customize the data fields in your data view,
you can add runtime fields to the existing documents,
8 changes: 4 additions & 4 deletions docs/settings/alert-action-settings.asciidoc
Expand Up @@ -4,10 +4,10 @@
<titleabbrev>Alerting and action settings</titleabbrev>
++++

:description: Learn about the settings that affect {kib} {alert-features}.
:tags-products: [kibana, alerting]
:tags-content-type: [reference]
:tags-user-goals: [configure]
:frontmatter-description: Learn about the settings that affect {kib} {alert-features}.
:frontmatter-tags-products: [kibana, alerting]
:frontmatter-tags-content-type: [reference]
:frontmatter-tags-user-goals: [configure]

Alerting and actions are enabled by default in {kib}, but require you to configure the following:

7 changes: 5 additions & 2 deletions docs/settings/reporting-settings.asciidoc
Expand Up @@ -4,8 +4,11 @@
++++
<titleabbrev>Reporting settings</titleabbrev>
++++
:keywords: administrator, reference, setup, reporting
:description: A reference of the reporting settings administrators configure in kibana.yml.

:frontmatter-description: A reference of the reporting settings administrators configure in kibana.yml.
:frontmatter-tags-products: [kibana]
:frontmatter-tags-content-type: [reference]
:frontmatter-tags-user-goals: [configure]

You can configure `xpack.reporting` settings in your `kibana.yml` to:
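Review bot: the `:keywords:` attribute line is deleted here and not carried into the new frontmatter block (the same happens in docs/management/manage-data-views.asciidoc, where the keywords line is also dropped), whereas `:description:` is migrated to `:frontmatter-description:`. If the keywords fed search indexing, this loses them silently; either add the equivalent frontmatter attribute or state in the PR that dropping them is intended.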

28 changes: 13 additions & 15 deletions docs/settings/telemetry-settings.asciidoc
Expand Up @@ -4,32 +4,30 @@
<titleabbrev>Telemetry settings</titleabbrev>
++++

By default, Usage Collection (also known as Telemetry) is enabled. This
helps us learn about the {kib} features that our users are most interested in, so we
can focus our efforts on making them even better.
Usage Collection (also known as Telemetry) is enabled by default. This allows us to learn what our users are most interested in, so we can improve our products and services.

Refer to our https://www.elastic.co/legal/product-privacy-statement[Privacy Statement] to learn more.

You can control whether this data is sent from the {kib} servers, or if it should be sent
from the user's browser, in case a firewall is blocking the connections from the server. Additionally, you can decide to completely disable this feature either in the config file or in {kib} via *Management > Kibana > Advanced Settings > Usage Data*.

Refer to our https://www.elastic.co/legal/product-privacy-statement[Privacy Statement] to learn more.

[float]
[[telemetry-general-settings]]
==== General telemetry settings

`telemetry.sendUsageFrom`::
Set to `'server'` to report the cluster statistics from the {kib} server.
If the server fails to connect to our endpoint at https://telemetry.elastic.co/, it assumes
it is behind a firewall and falls back to `'browser'` to send it from users' browsers
when they are navigating through {kib}. Defaults to `'server'`.

[[telemetry-optIn]] `telemetry.optIn`::
Set to `true` to send cluster statistics to Elastic. Reporting your
cluster statistics helps us improve your user experience. Set to `false` to stop sending any telemetry data to Elastic. +
Set to `false` to stop sending any telemetry data to Elastic. Reporting your
cluster statistics helps us improve your user experience. *Default: `true`.* +
+
This setting can be changed at any time in <<advanced-options, Advanced Settings>>.
To prevent users from changing it,
set <<telemetry-allowChangingOptInStatus, `telemetry.allowChangingOptInStatus`>> to `false`. Defaults to `true`.
set <<telemetry-allowChangingOptInStatus, `telemetry.allowChangingOptInStatus`>> to `false`.

`telemetry.allowChangingOptInStatus`::
Set to `true` to allow overwriting the <<telemetry-optIn, `telemetry.optIn`>> setting via the <<advanced-options, Advanced Settings>> in {kib}. Defaults to `true`.
Set to `false` to disallow overwriting the <<telemetry-optIn, `telemetry.optIn`>> setting via the <<advanced-options, Advanced Settings>> in {kib}. *Default: `true`.*

`telemetry.sendUsageFrom`::
Set to `'server'` to report the cluster statistics from the {kib} server.
If the server fails to connect to our endpoint at https://telemetry.elastic.co/, it assumes
it is behind a firewall and falls back to `'browser'` to send it from users' browsers
when they are navigating through {kib}. *Default: `'server'`.*
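Review bot: the `telemetry.sendUsageFrom` entry (now the last one) documents an automatic fallback from `'server'` to `'browser'` when the server cannot reach https://telemetry.elastic.co/, which means a server-side egress block does not stop usage data leaving; users' browsers will send it instead. Since this page is the administrators' settings reference, say that plainly, and say that the only reliable way to stop reporting is `telemetry.optIn: false` together with `telemetry.allowChangingOptInStatus: false`, so the opt-in cannot be flipped back in Advanced Settings. Smaller point: the Privacy Statement link now sits between the intro paragraph and the "You can control whether this data is sent..." paragraph, which belong together; moving the link after both reads better.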
54 changes: 54 additions & 0 deletions docs/setup/docker.asciidoc
Expand Up @@ -34,13 +34,39 @@ endif::[]

ifeval::["{release-state}"!="unreleased"]

.. Create a new Docker network for {es} and {kib}:
+
[source,sh,subs="attributes"]
----
docker network create elastic
----

.. Pull the {es} Docker image:
+
[source,sh,subs="attributes"]
----
docker pull {es-docker-image}
----

.. Optional: Verify the {es} Docker image signature::
+
[source,sh,subs="attributes"]
----
wget https://artifacts.elastic.co/cosign.pub
cosign verify --key cosign.pub {docker-repo}:{version}
----
+
For details about this step, refer to {ref}/docker.html#docker-verify-signature[Verify the {es} Docker image signature] in the {es} documentation.

.. Start {es} in Docker:
+
[source,sh,subs="attributes"]
----
docker run --name es-node01 --net elastic -p 9200:9200 -p 9300:9300 -t {es-docker-image}
----



endif::[]

--
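Review bot: the image reference that is verified is not the one that is pulled and run: the pull and run steps use `{es-docker-image}`, while the cosign step verifies `{docker-repo}:{version}`. The {kib} section below uses the same `{docker-repo}:{version}` reference for the {kib} image, so at least one of the two verify commands checks a different image than the one the reader just pulled, which defeats the purpose of the step. Use the same attribute in both commands. Two further points: `cosign verify` prints the digest it verified, and running `docker run` against that digest rather than the mutable tag is what makes the check binding, so consider saying so; and the trailing `::` on `.. Optional: Verify the {es} Docker image signature::` turns the list item into a labeled-list term and will render differently from `.. Pull the {es} Docker image:` above it. The three blank lines before `endif::[]` can also go.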
Expand Down Expand Up @@ -79,6 +105,34 @@ docker pull {docker-image}
docker run --name kib-01 --net elastic -p 5601:5601 {docker-image}
----

.. Pull the {kib} Docker image:
+
[source,sh,subs="attributes"]
----
docker pull {docker-image}
----

.. Optional: Verify the {kib} Docker image signature::
+
[source,sh,subs="attributes"]
----
wget https://artifacts.elastic.co/cosign.pub
cosign verify --key cosign.pub {docker-repo}:{version}
----
+
For details about this step, refer to {ref}/docker.html#docker-verify-signature[Verify the {es} Docker image signature] in the {es} documentation.

.. Start {kib} in Docker:
+
[source,sh,subs="attributes"]
----
docker run --name kib-01 --net elastic -p 5601:5601 {docker-image}
----





endif::[]
--
+
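Review bot: the "For details" link on this {kib} step points to the {es} section "Verify the {es} Docker image signature", and the command reuses the same `cosign.pub` key. If the {kib} image is signed with the same Elastic key that is fine, but state it in the step, because a reader who follows the link sees {es}-specific commands and may not realise they apply to `{docker-repo}:{version}` here. The same stray `::` labeled-list marker as in the {es} step appears on `.. Optional: Verify the {kib} Docker image signature::`, and the four blank lines between the `docker run` block and `endif::[]` should be removed.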
5 changes: 2 additions & 3 deletions docs/setup/settings.asciidoc
Expand Up @@ -559,14 +559,13 @@ setting this to `true` enables unauthenticated users to access the {kib}
server status API and status page. *Default: `false`*

[[telemetry-allowChangingOptInStatus]] `telemetry.allowChangingOptInStatus`::
When `true`, users are able to change the telemetry setting at a later time in
<<advanced-options, Advanced Settings>>. When `false`, users cannot change the opt-in status through *Advanced Settings*, and
When `false`, users cannot change the opt-in status through <<advanced-options, Advanced Settings>>, and
{kib} only looks at the value of <<settings-telemetry-optIn, `telemetry.optIn`>> to determine whether to send telemetry data or not. *Default: `true`*.

[[settings-telemetry-optIn]] `telemetry.optIn`::
Set to `false` to stop sending any telemetry data to Elastic.
Reporting your cluster statistics helps
us improve your user experience.
Set to `true` to allow telemetry data to be sent to Elastic.
When `false`, the telemetry data is never sent to Elastic. +
+
This setting can be changed at any time in <<advanced-options, Advanced Settings>>.
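Review bot: "When `false`, the telemetry data is never sent to Elastic" is too strong as written. The next sentence says the setting can be changed at any time in Advanced Settings, and the `telemetry.allowChangingOptInStatus` entry above says `telemetry.optIn` is only authoritative when that setting is `false`. Suggest: "When `false`, no telemetry data is sent to Elastic unless a user changes the opt-in status in Advanced Settings; set `telemetry.allowChangingOptInStatus` to `false` to prevent that."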
15 changes: 8 additions & 7 deletions docs/user/alerting/alerting-setup.asciidoc
Expand Up @@ -74,16 +74,16 @@ A rule or connector created in one space will not be visible in another.
[[alerting-authorization]]
=== Authorization

Rules are authorized using an <<api-keys,API key>> associated with the last user
to edit the rule. This API key captures a snapshot of the user's privileges at
the time of the edit. They are subsequently used to run all background tasks
associated with the rule, including condition checks like {es} queries and
triggered actions. The following rule actions will re-generate the API key:
Rules are authorized using an API key.
Its credentials are used to run all background tasks associated with the rule, including condition checks like {es} queries and triggered actions.

You can create API keys and use them in the header of your API calls as described in <<api-keys>>.
If you create or edit a rule in {kib}, an API key is created that captures a snapshot of your privileges at the time of the edit. The following actions regenerate the API key in {kib}:

* Creating a rule
* Updating a rule

When you disable a rule, it retains the associated API key which is re-used when
When you disable a rule, it retains the associated API key which is reused when
the rule is enabled. If the API key is missing when you enable the rule (for
example, in the case of imported rules), it generates a new key that has your
security privileges.
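Review bot: "Rules are authorized using an API key. Its credentials are used to run all background tasks..." drops the point the old opening made first, that the key is a snapshot of the privileges of the last user to edit the rule; it now surfaces only in the {kib} sentence two paragraphs down, and the API sentence before it ("You can create API keys and use them in the header of your API calls") does not say that the key presented in the header is what the rule will run with afterwards, which the IMPORTANT block below relies on. Suggest one up-front sentence: the rule stores an API key that captures the privileges of whoever last created or updated it, whether through the UI or by calling the API with an API key in the request header, so the least-privilege implication is visible before the list of actions. "Its credentials" is also ambiguous; "The key's credentials" or just "The key" is clearer.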
Expand All @@ -94,10 +94,11 @@ You can update an API key manually in

[IMPORTANT]
==============================================
If a rule requires certain privileges, such as index privileges, to run, and a
If a rule requires certain privileges, such as index privileges, to run and a
user without those privileges updates the rule, the rule will no longer
function. Conversely, if a user with greater or administrator privileges
modifies the rule, it will begin running with increased privileges.
The same behavior occurs when you change the API key in the header of your API calls.
==============================================

[float]
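Review bot: the IMPORTANT block now says a rule edited by a user with greater or administrator privileges "will begin running with increased privileges", and the new last line says the same happens when the API key in the request header changes. That is a privilege-widening path and deserves a one-line recommendation right here: create and update rules with a dedicated user or API key that holds only the index and feature privileges the rule needs, rather than from an administrator account.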
27 changes: 17 additions & 10 deletions docs/user/alerting/rule-types/es-query.asciidoc
@@ -1,6 +1,11 @@
[[rule-type-es-query]]
== {es} query

:frontmatter-description: An {es} query rule generates alerts when your query meets a threshold.
:frontmatter-tags-products: [kibana,alerting]
:frontmatter-tags-content-type: [overview]
:frontmatter-tags-user-goals: [analyze]

The {es} query rule type runs a user-configured query, compares the number of
matches to a configured threshold, and schedules actions to run when the
threshold condition is met.
Expand All @@ -20,19 +25,21 @@ Define properties to detect the condition.
[role="screenshot"]
image::user/alerting/images/rule-types-es-query-conditions.png[Eight clauses define the condition to detect]

Index:: Specifies an *index or data view* and a *time field* that is used for
the *time window*.
{es} query:: Specifies the ES DSL query. Only the `query`, `fields`, `_source` and `runtime_mappings` fields are used, other DSL fields are not considered.
When:: Specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field within the *time window*. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used and an aggregation field is not necessary.
Over or Grouped Over:: Specifies whether the aggregation is applied over all documents or split into groups using a grouping field. If grouping is used, an <<alerting-concepts-alerts,alert>> will be created for each group when it meets the condition. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the *top* groups are checked.
Threshold:: Defines a threshold value and a comparison operator (`is above`,
Define your query::
If you chose the query DSL option, you must specify indices to query and a time field that is used for the time window. You must then define a query in {es} query DSL. Only the `query`, `fields`, `_source` and `runtime_mappings` fields are used, other DSL fields are not considered.
+
If you chose the KQL or Lucene option, you must specify a data view then define a text-based query.
Set the group, theshold, and time window::
When::: Specify how to calculate the value that is compared to the threshold. The value is calculated by aggregating a numeric field within the time window. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used and an aggregation field is not necessary.
Over or Grouped Over::: Specify whether the aggregation is applied over all documents or split into groups using a grouping field. If grouping is used, an alert will be created for each group when it meets the condition. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the top groups are checked.
Threshold::: Defines a threshold value and a comparison operator (`is above`,
`is above or equals`, `is below`, `is below or equals`, or `is between`). The value
calculated by the aggregation is compared to this threshold.
Time window:: Defines how far back to search for documents, using the
*time field* set in the *index* clause. Generally this value should be set to a
value higher than the *check every* value, to avoid gaps in
Time window::: Defines how far back to search for documents, using the
time field set in the index clause. Generally this value should be set to a
value higher than the check interval, to avoid gaps in
detection.
Size:: Specifies the number of documents to pass to the configured actions when
Set the number of documents to send:: Specifies the number of documents to pass to the configured actions when
the threshold condition is met.
Exclude matches from previous run:: Turn on to avoid alert duplication by
excluding documents that have already been detected by the previous rule run. This
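Review bot: typo in the new section label "Set the group, theshold, and time window::" (threshold). In the same hunk, "Only the `query`, `fields`, `_source` and `runtime_mappings` fields are used, other DSL fields are not considered" is a comma splice; use a semicolon or "and". Structurally, "When", "Over or Grouped Over", "Threshold" and "Time window" moved to the nested `:::` level under their section label, but "Exclude matches from previous run::" stays at `::`, so it renders as a sibling of the section labels rather than as a setting under "Set the number of documents to send::"; either nest it or give it its own label.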
17 changes: 12 additions & 5 deletions docs/user/alerting/rule-types/index-threshold.asciidoc
@@ -1,6 +1,11 @@
[[rule-type-index-threshold]]
== Index threshold

:frontmatter-description: An index threshold rule generates alerts when an aggregated query meets a threshold.
:frontmatter-tags-products: [kibana,alerting]
:frontmatter-tags-content-type: [overview]
:frontmatter-tags-user-goals: [analyze]

The index threshold rule type runs an {es} query. It aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met.

[float]
Expand All @@ -12,11 +17,13 @@ image::user/alerting/images/rule-types-index-threshold-conditions.png[Defining i

When you create an index threshold rule, you must define the conditions for the rule to detect. For example:

Index:: This clause requires an *index or data view* and a *time field* that will be used for the *time window*.
When:: This clause specifies how the value to be compared to the threshold is calculated. The value is calculated by aggregating a numeric field a the *time window*. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used, and an aggregation field is not necessary.
Over/Grouped Over:: This clause lets you configure whether the aggregation is applied over all documents, or should be split into groups using a grouping field. If grouping is used, an <<alerting-concepts-alerts, alert>> will be created for each group when it exceeds the threshold. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the *top* groups are checked.
Threshold:: This clause defines a threshold value and a comparison operator (one of `is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The result of the aggregation is compared to this threshold.
Time window:: This clause determines how far back to search for documents, using the *time field* set in the *index* clause. Generally this value should be to a value higher than the *check every* value, to avoid gaps in detection.
Select an index::
Index::: Specify the indices to query and a time field that will be used for the time window.
When::: Specify how to calculate the value that is compared to the threshold. The value is calculated by aggregating a numeric field in a time window. The aggregation options are: `count`, `average`, `sum`, `min`, and `max`. When using `count` the document count is used and an aggregation field is not necessary.
Over/Grouped Over::: Specify whether the aggregation is applied over all documents or split into groups using a grouping field. If grouping is used, an <<alerting-concepts-alerts,alert>> will be created for each group when it exceeds the threshold. To limit the number of alerts on high cardinality fields, you must specify the number of groups to check against the threshold. Only the top groups are checked.
Define the condition::
This section defines a threshold value and a comparison operator (`is above`, `is above or equals`, `is below`, `is below or equals`, or `is between`). The result of the aggregation is compared to this threshold.
It also defines a time window, which determines how far back to search for documents, using the time field set in the index clause. Generally this value should be a value higher than the check interval to avoid gaps in detection.

If data is available and all clauses have been defined, a preview chart will render the threshold value and display a line chart showing the value for the last 30 intervals. This can provide an indication of recent values and their proximity to the threshold, and help you tune the clauses.
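Review bot: under "Select an index::" the nested "When:::" and "Over/Grouped Over:::" entries describe the aggregation, not index selection, and the threshold and time window moved into a prose paragraph under "Define the condition::" with no "Threshold:::" or "Time window:::" term, so the two rule pages now present the same five clauses in different structures (compare es-query.asciidoc in this same commit, which keeps all of them as terms). Also "Generally this value should be a value higher than the check interval" repeats "value"; "should be higher than the check interval" is enough.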

Expand Up @@ -263,7 +263,7 @@ This error happens when the `xpack.encryptedSavedObjects.encryptionKey` value us
| The other {kib} instance might be trying to run the rule using a different encryption key than what the rule was created with. Ensure the encryption keys among all the {kib} instances are the same, and setting <<xpack-encryptedSavedObjects-keyRotation-decryptionOnlyKeys, decryption only keys>> for previously used encryption keys.

| If other scenarios don't apply.
| Generate a new API key for the rule by disabling then enabling the rule.
| Generate a new API key for the rule. For example, in *{stack-manage-app} > {rules-ui}*, select *Update API key* from the action menu.

|===
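Review bot: the new fix ("select *Update API key* from the action menu") should carry the same warning the alerting-setup page gives for editing a rule: the regenerated key captures the privileges of the user who clicks *Update API key*, so doing it from an administrator account silently widens what the rule runs with, and doing it from an account that lacks the rule's index privileges breaks the rule. One sentence or a link to the Authorization section is enough. Unchanged line in the same hunk: "Ensure the encryption keys among all the {kib} instances are the same, and setting <<...>> for previously used encryption keys" should read "and set".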

