Skip to content

Commit 75a3e34

Browse files
Merge branch 'main' into alerting/experimental-setup
2 parents 3e79665 + c0bca23 commit 75a3e34

16 files changed

Lines changed: 316 additions & 139 deletions

File tree

deploy-manage/cloud-organization/billing/elastic-observability-billing-dimensions.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -34,8 +34,8 @@ sub:
3434

3535
Your monthly bill is based on the capabilities you use. When you use {{obs-serverless}}, your bill is calculated based on data volume, which has these components:
3636

37-
* **Ingest** — Measured by the number of GB of log/event/info data that you send to your Observability project over the course of a month.
38-
* **Retention** — Measured by the total amount of ingested data stored in your Observability project.
37+
* **Ingest** — Measured by the number of GB of data that you send to your Observability project over the course of a month. Metrics data ingested in [time series index mode](/manage-data/data-store/data-streams/time-series-data-stream-tsds.md) is priced at 25% of the standard per-GB ingest rate. All other data, including logs and traces, are priced at the standard rate.
38+
* **Retention** — Measured by the total amount of ingested data stored in your Observability project. Metrics data stored in time series index mode is priced at 25% of the standard per-GB retention rate. All other data, including logs and traces, are priced at the standard rate.
3939

4040
:::{include} _snippets/note-data-volumes-ingest-retention.md
4141
:::

deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -97,6 +97,7 @@ This table compares Elasticsearch capabilities between {{ech}} deployments and S
9797
| [**Elasticsearch for Apache Hadoop**](https://www.elastic.co/elasticsearch/hadoop) ||| Not available in Serverless |
9898
| **Enterprise Search (App Search & Workplace Search)** | ❌ (discontinued in 9.0) || Not available in Serverless |
9999
| [**Kibana Alerts**](/deploy-manage/monitor/monitoring-data/configure-stack-monitoring-alerts.md) ||| |
100+
| [**Reindexing from remote**](/manage-data/migrate/migrate-data-using-reindex-api.md) ||| |
100101
| **Repository management** || Managed | Automatically managed by Elastic |
101102
| [**Scripted metric aggregations**](elasticsearch://reference/aggregations/search-aggregations-metrics-scripted-metric-aggregation.md) ||| Not available in Serverless<br>The alternative for this in Serverless is [ES|QL](elasticsearch://reference/query-languages/esql.md) |
102103
| [**`join` fields**](elasticsearch://reference/elasticsearch/mapping-reference/parent-join.md) ||| Not available in Serverless<br>The alternative for this in Serverless is the ES\|QL [`LOOKUP JOIN`](elasticsearch://reference/query-languages/esql/commands/lookup-join.md) command |

deploy-manage/deploy/elastic-cloud/project-settings.md

Lines changed: 8 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -3,12 +3,13 @@ mapped_pages:
33
- https://www.elastic.co/guide/en/serverless/current/project-and-management-settings.html
44
- https://www.elastic.co/guide/en/serverless/current/elasticsearch-manage-project.html
55
applies_to:
6-
serverless:
6+
serverless: ga
77
products:
88
- id: cloud-serverless
9+
navigation_title: Project settings
910
---
1011

11-
# Project settings
12+
# {{serverless-short}} project settings
1213

1314
Project settings are configurations that apply to your entire project, managed from the {{ecloud}} console. While Elastic [manages many things for you](/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md), you can customize the following aspects of your project:
1415

@@ -66,6 +67,10 @@ Project features and add-ons control which capabilities are available in your se
6667

6768
There are no additional project features or add-ons for {{es-serverless}} projects.
6869

70+
:::{note}
71+
In {{serverless-full}}, your organization's {{ecloud}} subscription level controls only the support level you receive, and is not related to the features that you use or have access to. [Learn more about subscriptions](/deploy-manage/license.md).
72+
:::
73+
6974
### {{sec-serverless}} project features [elastic-sec-project-features]
7075

7176
For {{sec-serverless}} projects, edit the **Project features** to select a feature tier and enable add-on options for specific use cases.
@@ -76,39 +81,8 @@ For {{sec-serverless}} projects, edit the **Project features** to select a featu
7681
| **Security Analytics Essentials** | A suite of security analytics, detections, investigations, and collaboration tools. Does not include AI-powered tools. Allows these add-ons:<br>• **Endpoint Protection Essentials**: endpoint protections with {{elastic-defend}}.<br>• **Cloud Protection Essentials**: Cloud native security features.|
7782
| **Security Analytics Complete** | Everything in **Security Analytics Essentials** and **EASE**, plus advanced features such as entity analytics, threat intelligence, and more. Allows these add-ons:<br><br>• **Endpoint Protection Complete**: Everything in **Endpoint Protection Essentials** plus advanced endpoint detection and response features.<br>• **Cloud Protection Complete**: Everything in **Cloud Protection Essentials** plus advanced cloud security features.|
7883

79-
#### Downgrading the feature tier [elasticsearch-manage-project-downgrading-the-feature-tier]
80-
81-
:::{note}
82-
You cannot downgrade to EASE from any other feature tier. You can upgrade from EASE to other tiers.
83-
:::
84-
85-
When you downgrade your Security project features selection from **Security Analytics Complete** to **Security Analytics Essentials**, the following features become unavailable:
86-
87-
* All Entity Analytics features
88-
* The ability to use certain entity analytics-related integration packages, such as:
89-
* Data Exfiltration detection
90-
* Lateral Movement detection
91-
* Living off the Land Attack detection
92-
* Intelligence Indicators page
93-
* External rule action connectors
94-
* Case connectors
95-
* Endpoint response actions history
96-
* Endpoint host isolation exceptions
97-
* Trusted devices
98-
* AI Assistant
99-
* Attack discovery
100-
101-
And, the following data may be permanently deleted:
102-
103-
* AI Assistant conversation history
104-
* AI Assistant settings
105-
* Entity Analytics user and host risk scores
106-
* Entity Analytics asset criticality information
107-
* Detection rule external connector settings
108-
* Detection rule response action settings
109-
11084
:::{tip}
111-
For a full feature comparison, upgrading instructions, and more, refer to [{{product.serverless-security}} feature tiers](/solutions/security/security-serverless-feature-tiers.md).
85+
For a full feature comparison, upgrading instructions, downgrading information, and more, refer to [{{product.serverless-security}} feature tiers](/solutions/security/security-serverless-feature-tiers.md).
11286
:::
11387

11488
### {{obs-serverless}} project features

deploy-manage/license.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,10 @@ Depending on your deployment type, licenses and subscriptions are applied at dif
2424
* **{{ecloud}}, {{ece}}, and {{eck}}:** Licenses and subscriptions are controlled at the orchestrator or organization level, and apply to all related deployments.
2525
* **Self-managed {{es}}:** Licenses are controlled at the cluster level, and apply only to a single cluster.
2626

27+
:::{note}
28+
In {{serverless-full}}, your organization's {{ecloud}} subscription level controls only the support level you receive. Project features are controlled by each project's [feature tier and add-ons](/deploy-manage/deploy/elastic-cloud/project-settings.md#project-features-add-ons).
29+
:::
30+
2731
For a comprehensive comparison of the available subscription levels, see [Elastic subscriptions](https://www.elastic.co/subscriptions).
2832

2933
Use the topics in this section to manage your license or start a trial:

explore-analyze/ai-features/agent-builder/builtin-skills-reference.md

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -117,12 +117,13 @@ $$$agent-builder-detection-rule-edit-skill$$$ `detection-rule-edit` {applies_to}
117117

118118
**How to activate:** This skill is attachment-driven and activates when a rule attachment is present in the conversation. You can start a rule attachment from the rule creation form, the rule details page, or by asking the agent to "create a detection rule" in chat — the skill creates the attachment and renders an **Apply to creation** or **Update rule** button so you can save the change to the rule form.
119119

120-
$$$agent-builder-automatic-troubleshooting-skill$$$ `automatic_troubleshooting` {applies_to}`stack: preview 9.4` {applies_to}`serverless: preview`
121-
: Diagnoses [Elastic Defend](/solutions/security/configure-elastic-defend.md) endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps. Registered only when the `automaticTroubleshootingSkill` experimental feature flag is enabled.
122-
120+
$$$agent-builder-automatic-troubleshooting-skill$$$ `automatic_troubleshooting` {applies_to}`stack: ga 9.5+, preview =9.4` {applies_to}`serverless: ga`
121+
: Diagnoses [{{elastic-defend}}](/solutions/security/configure-elastic-defend.md) endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus software. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps.
123122
**Assigned tools:** `platform.core.search`, `platform.core.get_document_by_id`, `platform.core.integration_knowledge`
124123

125-
**Prerequisites:** [Elastic Defend](/solutions/security/configure-elastic-defend.md) deployed and reporting. The `automaticTroubleshootingSkill` experimental feature flag must be enabled for the skill to appear.
124+
**Prerequisites:** [{{elastic-defend}}](/solutions/security/configure-elastic-defend.md) deployed and reporting.
125+
126+
{applies_to}`stack: preview =9.4` In this version, the `automaticTroubleshootingSkill` [experimental feature flag](kibana://reference/configuration-reference/security-solution-settings.md#experimental-features) must be enabled for the skill to appear.
126127

127128
## Elasticsearch skills
128129
```{applies_to}

reference/fleet/fleet-api-docs.md

Lines changed: 74 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
---
22
mapped_pages:
33
- https://www.elastic.co/guide/en/fleet/current/fleet-api-docs.html
4+
description: Send Fleet API requests with the Kibana Console or cURL. Reference examples cover agent policies, integration policies, enrollment tokens, agent listing, KQL filters, and manual rollback.
45
applies_to:
56
stack: ga
67
serverless: ga
@@ -11,34 +12,39 @@ products:
1112

1213
# Kibana Fleet APIs [fleet-api-docs]
1314

14-
You can find details for all available {{fleet}} API endpoints in the [Kibana API docs]({{kib-apis}}). For {{serverless-full}} projects, check the [Kibana Serverless API docs]({{kib-serverless-apis}}).
15+
This page provides cURL and {{kib}} Console examples for commonly used {{fleet}} APIs, including agent policies, integration policies, enrollment tokens, agent listing, KQL filtering, and agent rollback.
1516

16-
In this section, we provide examples of some commonly used {{fleet}} APIs.
17+
For full endpoint specifications, parameters, and response schemas, refer to the [Kibana API docs]({{kib-apis}}). For {{serverless-full}} projects, use the [Kibana Serverless API docs]({{kib-serverless-apis}}).
18+
19+
20+
## Before you begin [fleet-api-before-you-begin]
21+
22+
You'll need:
23+
24+
* A running {{kib}} deployment or {{serverless-full}} project with {{fleet}} available
25+
* The {{kib}} host URL for your deployment (for example, `https://my-kibana-host:9243`)
26+
* Authentication credentials for {{kib}} API requests. API key authentication is recommended. For details, refer to [Authentication]({{kib-apis}}authentication).
27+
* A {{kib}} user with the required {{fleet}} and {{integrations}} privileges. For details, refer to [Roles and privileges](/reference/fleet/fleet-roles-privileges.md).
1728

1829

1930
## Using the Console [using-the-console]
2031

2132
You can run {{fleet}} API requests through the {{kib}} Console.
2233

23-
1. Open the {{kib}} menu and go to **Management → Dev Tools**.
34+
1. To open **Console**, find **Dev Tools** in the main menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
2435
2. In your request, prepend your {{fleet}} API endpoint with `kbn:`, for example:
2536

2637
```sh
2738
GET kbn:/api/fleet/agent_policies
2839
```
2940

3041

31-
For more detail about using the {{kib}} Console refer to [Run API requests](/explore-analyze/query-filter/tools/console.md).
32-
33-
34-
## Authentication [authentication]
35-
36-
Authentication is required to send {{fleet}} API requests. For more information, refer to [Authentication]({{kib-apis}}authentication).
42+
For more details about using the {{kib}} Console, refer to [Run API requests](/explore-analyze/query-filter/tools/console.md).
3743

3844

3945
## Create agent policy [create-agent-policy-api]
4046

41-
To create a new agent policy in {{fleet}}, call `POST /api/fleet/agent_policies`.
47+
To create an agent policy in {{fleet}}, call `POST /api/fleet/agent_policies`.
4248

4349
This cURL example creates an agent policy called `Agent policy 1` in the default namespace.
4450

@@ -96,7 +102,7 @@ Example response:
96102
}
97103
```
98104

99-
1. Make a note of the policy ID. You’ll need the policy ID to add integration policies.
105+
1. Note the policy ID. You need it to add integration policies.
100106

101107

102108

@@ -109,7 +115,7 @@ You can use the {{fleet}} API to [Create and customize an {{elastic-defend}} pol
109115
::::
110116

111117

112-
This cURL example creates an integration policy for Nginx and adds it to the agent policy created in the previous example:
118+
This cURL example creates an integration policy for Nginx and adds it to the agent policy you created in [Create agent policy](#create-agent-policy-api):
113119

114120
```shell
115121
curl --request POST \
@@ -414,10 +420,10 @@ Example response (formatted for readability):
414420

415421
## List all {{agents}} [list-agents-api]
416422

417-
Use the [Get agents API]({{kib-apis}}operation/operation-get-fleet-agents) to retrieve a list of currently enrolled {{agents}}:
423+
Use the [Get agents API]({{kib-apis}}operation/operation-get-fleet-agents) to retrieve a list of enrolled {{agents}}:
418424

419425
```shell
420-
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents
426+
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents'
421427
```
422428

423429
By default, a maximum of 10,000 agents are returned, with 20 agents listed per page.
@@ -461,24 +467,51 @@ curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents?perPage=10000&se
461467
```
462468

463469

470+
## Filter results with KQL [filter-results-with-kql]
471+
472+
The following {{fleet}} list endpoints accept a `kuery` query parameter that takes a [{{kib}} Query Language (KQL)](elasticsearch://reference/query-languages/kql.md) string to filter results: agents (`GET /api/fleet/agents`), agent policies (`GET /api/fleet/agent_policies`), package policies (`GET /api/fleet/package_policies`), and enrollment tokens (`GET /api/fleet/enrollment_api_keys`). To check whether another endpoint accepts `kuery`, refer to its parameters in the [Kibana API docs]({{kib-apis}}).
473+
474+
**Agents and enrollment tokens** are stored in {{es}} system indices. Reference fields directly, with no prefix. This cURL example returns only the online agents:
475+
476+
```shell
477+
curl --request GET \
478+
--url 'https://my-kibana-host:9243/api/fleet/agents?kuery=status:online' \
479+
--header 'Authorization: ApiKey yourbase64encodedkey' \
480+
--header 'kbn-xsrf: xx'
481+
```
482+
483+
**Agent policies and package policies** are stored as saved objects. When a field path contains a dot, prefix it with the saved object type so the query parser reads it as a field name and not as a type. This cURL example returns only the package policies for the `nginx` integration:
484+
485+
```shell
486+
curl --request GET \
487+
--url 'https://my-kibana-host:9243/api/fleet/package_policies?kuery=ingest-package-policies.package.name:nginx' \
488+
--header 'Authorization: ApiKey yourbase64encodedkey' \
489+
--header 'kbn-xsrf: xx'
490+
```
491+
492+
::::{tip}
493+
If a query returns a `400`, the field needs a saved object type prefix. When the error is a `KQLSyntaxError` about a missing key, it names the saved object index pattern to use as the prefix (for example `ingest-agent-policies.name`). When the error is `This type <x> is not allowed`, no pattern is named, so prefix the field with the endpoint's saved object type (for example `ingest-package-policies.package.name`).
494+
::::
495+
496+
For the full query syntax, including wildcards, ranges, and boolean operators, refer to [{{kib}} Query Language (KQL)](elasticsearch://reference/query-languages/kql.md).
497+
498+
464499
## Manually roll back an {{agent}} upgrade [agent-rollback-api]
465500
```{applies_to}
466501
stack: ga 9.3+
467502
```
468503
469-
The manual rollback feature for {{agent}} gives you the ability to roll back to the previously installed version if the install artifacts are still available on disk--typically seven days after the upgrade.
504+
The manual rollback feature for {{agent}} lets you roll back to the previously installed version if the install artifacts are still available on disk (typically seven days after the upgrade).
470505
471-
To roll back a single agent:
472-
:Call `POST /api/fleet/agents/{agentID}/rollback`.
506+
To roll back a single agent, call `POST /api/fleet/agents/{agentID}/rollback`.
473507
474-
To roll back multiple agents:
475-
:Call `POST /api/fleet/agents/bulk_rollback`.
508+
To roll back multiple agents, call `POST /api/fleet/agents/bulk_rollback`.
476509
477510
### Limitations for manual rollback [rollback-limitations-api]
478511
479-
These limitations apply for the manual rollback feature:
512+
These limitations apply for the manual rollback feature:
480513
481-
* Rollback is limited to the version running _before_ the upgrade. Both the previously and currently running versions must be 9.3.0 or later for this functionality to be available.
514+
* Rollback is limited to the version running _before_ the upgrade. Both the pre-upgrade and post-upgrade versions must be 9.3.0 or later for this functionality to be available.
482515
* Data required for the rollback is stored on disk for seven days, which can impact available disk space.
483516
* Rollback must be performed within seven days of the upgrade. Rollback data is automatically cleaned up after seven days and becomes unavailable.
484517
* Manual rollback is not available for system-managed packages such as DEB and RPM.
@@ -489,6 +522,24 @@ These limitations apply for the manual rollback feature:
489522
If no version is available on disk to rollback to, you get an error.
490523
This situation can happen if:
491524
492-
- the version you upgraded from is earlier than 9.3.0, as the feature is not supported for earlier versions.
525+
- The version you upgraded from is earlier than 9.3.0, as the feature is not supported for earlier versions.
526+
527+
- The rollback window has ended (typically more than seven days). When the rollback window ends, the files from the previous version are removed to free up disk space.
528+
529+
530+
## Next steps [fleet-api-next-steps]
531+
532+
After you create agent and integration policies with the API:
533+
534+
* [Enroll {{agents}}](/reference/fleet/fleet-enrollment-tokens.md) using enrollment tokens from your agent policy
535+
* [Manage {{agents}} in {{fleet}}](/reference/fleet/manage-elastic-agents-in-fleet.md) to monitor status and policy assignments
536+
* [Create an agent policy without using the UI](/reference/fleet/create-policy-no-ui.md) for automation use cases
537+
538+
539+
## Related pages [fleet-api-related-pages]
493540
494-
- the rollback window has ended (typically more than seven days). When the rollback window ends, the files from the previous version are removed to free up disk space.
541+
* [Kibana API docs]({{kib-apis}})
542+
* [Run API requests](/explore-analyze/query-filter/tools/console.md)
543+
* [Roles and privileges](/reference/fleet/fleet-roles-privileges.md)
544+
* [Grant standalone {{agents}} access to {{es}}](/reference/fleet/grant-access-to-elasticsearch.md)
545+
* [{{kib}} Query Language (KQL)](elasticsearch://reference/query-languages/kql.md)

0 commit comments

Comments
 (0)