Merge branch 'improves-detections' of github.com:MadameSheema/kibana …

…into improves-detections

docs/getting-started/tutorial-define-index.asciidoc

@@ -47,5 +47,11 @@ contains the time series data.
 [role="screenshot"]
 image::images/tutorial_index_patterns.png[All tutorial index patterns]
 
+NOTE: When you define an index pattern, the indices that match that pattern must
+exist in Elasticsearch and they must contain data. To check if the indices are
+available, open the menu, go to *Dev Tools > Console*, then enter `GET _cat/indices`. Alternately, use
+`curl -XGET "http://localhost:9200/_cat/indices"`.
+For Windows, run `Invoke-RestMethod -Uri "http://localhost:9200/_cat/indices"` in Powershell.
+
 
 

docs/getting-started/tutorial-full-experience.asciidoc

@@ -25,7 +25,14 @@ curl -O https://download.elastic.co/demos/kibana/gettingstarted/8.x/shakespeare.
 curl -O https://download.elastic.co/demos/kibana/gettingstarted/8.x/accounts.zip
 curl -O https://download.elastic.co/demos/kibana/gettingstarted/8.x/logs.jsonl.gz
 
-Two of the data sets are compressed. To extract the files, use the following commands:
+Alternatively, for Windows users, run the following commands in Powershell:
+
+[source,shell]
+Invoke-RestMethod https://download.elastic.co/demos/kibana/gettingstarted/8.x/shakespeare.json -OutFile shakespeare.json
+Invoke-RestMethod https://download.elastic.co/demos/kibana/gettingstarted/8.x/accounts.zip -OutFile accounts.zip
+Invoke-RestMethod https://download.elastic.co/demos/kibana/gettingstarted/8.x/logs.jsonl.gz -OutFile logs.jsonl.gz
+
+Two of the data sets are compressed. To extract the files, use these commands:
 
 [source,shell]
 unzip accounts.zip

docs/user/alerting/action-types.asciidoc

@@ -11,10 +11,19 @@ a| <<email-action-type, Email>>
 
 | Send email from your server.
 
+a| <<resilient-action-type, IBM Resilient>>
+
+| Create an incident in IBM Resilient.
+
 a| <<index-action-type, Index>>
 
 | Index data into Elasticsearch.
 
+a| <<jira-action-type, Jira>>
+
+| Create an incident in Jira.
+
+
 a| <<pagerduty-action-type, PagerDuty>>
 
 | Send an event in PagerDuty.
@@ -53,10 +62,12 @@ before {kib} starts.
 If you preconfigure a connector, you can also <<preconfigured-action-type-example, preconfigure its action type>>.
 
 include::action-types/email.asciidoc[]
+include::action-types/resilient.asciidoc[]
 include::action-types/index.asciidoc[]
+include::action-types/jira.asciidoc[]
 include::action-types/pagerduty.asciidoc[]
 include::action-types/server-log.asciidoc[]
+include::action-types/servicenow.asciidoc[]
 include::action-types/slack.asciidoc[]
 include::action-types/webhook.asciidoc[]
 include::action-types/pre-configured-connectors.asciidoc[]
-include::action-types/servicenow.asciidoc[]

docs/user/alerting/action-types/jira.asciidoc

@@ -0,0 +1,77 @@
+[role="xpack"]
+[[jira-action-type]]
+=== Jira action
+
+The Jira action type uses the https://developer.atlassian.com/cloud/jira/platform/rest/v2/[REST API v2] to create Jira issues.
+
+[float]
+[[jira-connector-configuration]]
+==== Connector configuration
+
+Jira connectors have the following configuration properties:
+
+Name::      The name of the connector. The name is used to identify a  connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
+URL::       Jira instance URL.
+Project key:: Jira project key.
+Email (or username)::  The account email (or username) for HTTP Basic authentication.
+API token (or password)::  Jira API authentication token (or password) for HTTP Basic authentication.
+
+[float]
+[[Preconfigured-jira-configuration]]
+==== Preconfigured action type
+
+[source,text]
+--
+ my-jira:
+   name: preconfigured-jira-action-type
+   actionTypeId: .jira
+   config:
+     apiUrl: https://elastic.atlassian.net
+     projectKey: ES
+   secrets:
+     email: testuser
+     apiToken: tokenkeystorevalue
+--
+
+`config` defines the action type specific to the configuration and contains the following properties:
+
+[cols="2*<"]
+|===
+
+| `apiUrl`
+| An address that corresponds to *URL*.
+
+| `projectKey`
+| A key that corresponds to *Project Key*.
+
+|===
+
+`secrets` defines sensitive information for the action type:
+
+[cols="2*<"]
+|===
+
+| `email`
+| A string that corresponds to *Email*.
+
+| `apiToken`
+| A string that corresponds to *API Token*. Should be stored in the <<creating-keystore, {kib} keystore>>.
+
+|===
+
+[[jira-action-configuration]]
+==== Action configuration
+
+Jira actions have the following configuration properties:
+
+Issue type::              The type of the issue.
+Priority::              The priority of the incident.
+Labels::              The labels of the incident.
+Title::    A title for the issue, used for searching the contents of the knowledge base. 
+Description::          The details about the incident.
+Additional comments::  Additional information for the client, such as how to troubleshoot the issue.
+
+[[configuring-jira]]
+==== Configuring and testing Jira
+
+Jira offers free https://www.atlassian.com/software/jira/free[Instances], which you can use to test incidents.

docs/user/alerting/action-types/pagerduty.asciidoc

@@ -36,7 +36,7 @@ This is required to encrypt parameters that must be secured, for example PagerDu
 If you have security enabled:
 
 * You must have
-application privileges to access Metrics, APM, Uptime, or SIEM.
+application privileges to access Metrics, APM, Uptime, or Security.
 * If you are using a self-managed deployment with security, you must have
 Transport Security Layer (TLS) enabled for communication <<configuring-tls-kib-es, between Elasticsearch and Kibana>>.
 Alerts uses API keys to secure background alert checks and actions,

docs/user/alerting/action-types/resilient.asciidoc

@@ -0,0 +1,76 @@
+[role="xpack"]
+[[resilient-action-type]]
+=== IBM Resilient action
+
+The IBM Resilient action type uses the https://developer.ibm.com/security/resilient/rest/[RESILIENT REST v2] to create IBM Resilient incidents.
+
+[float]
+[[resilient-connector-configuration]]
+==== Connector configuration
+
+IBM Resilient connectors have the following configuration properties:
+
+Name::      The name of the connector. The name is used to identify a  connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
+URL::       IBM Resilient instance URL.
+Organization ID:: IBM Resilient organization ID.
+API key ID::  The authentication key ID for HTTP Basic authentication.
+API key secret::  The authentication key secret for HTTP Basic authentication.
+
+[float]
+[[Preconfigured-resilient-configuration]]
+==== Preconfigured action type
+
+[source,text]
+--
+ my-resilient:
+   name: preconfigured-resilient-action-type
+   actionTypeId: .resilient
+   config:
+     apiUrl: https://elastic.resilient.net
+     orgId: ES
+   secrets:
+     apiKeyId: testuser
+     apiKeySecret: tokenkeystorevalue
+--
+
+`config` defines the action type specific to the configuration and contains the following properties:
+
+[cols="2*<"]
+|===
+
+| `apiUrl`
+| An address that corresponds to *URL*.
+
+| `orgId`
+| An ID that corresponds to *Organization ID*.
+
+|===
+
+`secrets` defines sensitive information for the action type:
+
+[cols="2*<"]
+|===
+
+| `apiKeyId`
+| A string that corresponds to *API key ID*.
+
+| `apiKeySecret`
+| A string that corresponds to *API Key secret*. Should be stored in the <<creating-keystore, {kib} keystore>>.
+
+|===
+
+[[resilient-action-configuration]]
+==== Action configuration
+
+IBM Resilient actions have the following configuration properties:
+
+Incident types::              The incident types of the incident.
+Severity code::              The severity of the incident.
+Name::    A name for the issue, used for searching the contents of the knowledge base. 
+Description::          The details about the incident.
+Additional comments::  Additional information for the client, such as how to troubleshoot the issue.
+
+[[configuring-resilient]]
+==== Configuring and testing IBM Resilient
+
+IBM Resilient offers https://www.ibm.com/security/intelligent-orchestration/resilient[Instances], which you can use to test incidents.

docs/user/alerting/action-types/servicenow.asciidoc

@@ -10,7 +10,7 @@ The ServiceNow action type uses the https://developer.servicenow.com/app.do#!/re
 
 ServiceNow connectors have the following configuration properties:
 
-Name::      The name of the connector. The name is used to identify a  connector in the management UI connector listing, or in the connector list when configuring an action.
+Name::      The name of the connector. The name is used to identify a  connector in the **Stack Management** UI connector listing, and in the connector list when configuring an action.
 URL::       ServiceNow instance URL.
 Username::  Username for HTTP Basic authentication.
 Password::  Password for HTTP Basic authentication.
@@ -37,7 +37,7 @@ Password::  Password for HTTP Basic authentication.
 |===
 
 | `apiUrl`
-| An address that corresponds to *Sender*.
+| An address that corresponds to *URL*.
 
 |===
 
@@ -47,7 +47,7 @@ Password::  Password for HTTP Basic authentication.
 |===
 
 | `username`
-| A string that corresponds to *User*.
+| A string that corresponds to *Username*.
 
 | `password`
 | A string that corresponds to *Password*. Should be stored in the <<creating-keystore, {kib} keystore>>.
@@ -62,7 +62,7 @@ ServiceNow actions have the following configuration properties:
 Urgency::              The extent to which the incident resolution can delay.
 Severity::             The severity of the incident.
 Impact::               The effect an incident has on business. Can be measured by the number of affected users or by how critical it is to the business in question.
-Short description::    A short description of the incident, used for searching the contents of the knowledge base. 
+Short description::    A short description for the incident, used for searching the contents of the knowledge base. 
 Description::          The details about the incident.
 Additional comments::  Additional information for the client, such as how to troubleshoot the issue.
 

docs/user/alerting/alerting-getting-started.asciidoc

@@ -6,7 +6,7 @@ beta[]
 
 --
 
-Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*SIEM*>>, <<xpack-uptime,*Uptime*>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> for you to use.
+Alerting allows you to detect complex conditions within different {kib} apps and trigger actions when those conditions are met. Alerting is integrated with <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*Security*>>, <<xpack-uptime,*Uptime*>>, can be centrally managed from the <<management,*Management*>> UI, and provides a set of built-in <<action-types, actions>> and <<alert-types, alerts>> for you to use.
 
 image::images/alerting-overview.png[Alerts and actions UI]
 
@@ -148,7 +148,7 @@ Functionally, {kib} alerting differs in that:
 * {kib} alerts tracks and persists the state of each detected condition through *alert instances*. This makes it possible to mute and throttle individual instances, and detect changes in state such as resolution. 
 * Actions are linked to *alert instances* in {kib} alerting. Actions are fired for each occurrence of a detected condition, rather than for the entire alert. 
 
-At a higher level, {kib} alerts allow rich integrations across use cases like <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*SIEM*>>, and <<xpack-uptime,*Uptime*>>.
+At a higher level, {kib} alerts allow rich integrations across use cases like <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*Security*>>, and <<xpack-uptime,*Uptime*>>.
 Pre-packaged *alert types* simplify setup, hide the details complex domain-specific detections, while providing a consistent interface across {kib}.
 
 [float]
@@ -171,7 +171,7 @@ To access alerting in a space, a user must have access to one of the following f
 
 * <<xpack-apm,*APM*>>
 * <<xpack-infra,*Metrics*>>
-* <<xpack-siem,*SIEM*>>
+* <<xpack-siem,*Security*>>
 * <<xpack-uptime,*Uptime*>>
 
 See <<kibana-feature-privileges, feature privileges>> for more information on configuring roles that provide access to these features. 

docs/user/alerting/defining-alerts.asciidoc

@@ -2,7 +2,7 @@
 [[defining-alerts]]
 == Defining alerts
 
-{kib} alerts can be created in a variety of apps including <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*SIEM*>>, <<xpack-uptime,*Uptime*>> and from <<management,*Management*>> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.
+{kib} alerts can be created in a variety of apps including <<xpack-apm,*APM*>>, <<xpack-infra,*Metrics*>>, <<xpack-siem,*Security*>>, <<xpack-uptime,*Uptime*>> and from <<management,*Management*>> UI. While alerting details may differ from app to app, they share a common interface for defining and configuring alerts that this section describes in more detail.
 
 [float]
 === Alert flyout

src/plugins/data/server/server.api.md

@@ -44,6 +44,7 @@ import { DeleteDocumentParams } from 'elasticsearch';
 import { DeleteScriptParams } from 'elasticsearch';
 import { DeleteTemplateParams } from 'elasticsearch';
 import { Duration } from 'moment';
+import { ElasticsearchClient as ElasticsearchClient_2 } from 'kibana/server';
 import { Ensure } from '@kbn/utility-types';
 import { EnvironmentMode } from '@kbn/config';
 import { ErrorToastOptions } from 'src/core/public/notifications';

src/plugins/kibana_usage_collection/server/collectors/application_usage/telemetry_application_usage_collector.test.ts

@@ -17,7 +17,11 @@
  * under the License.
  */
 
-import { savedObjectsRepositoryMock, loggingSystemMock } from '../../../../../core/server/mocks';
+import {
+  savedObjectsRepositoryMock,
+  loggingSystemMock,
+  elasticsearchServiceMock,
+} from '../../../../../core/server/mocks';
 import {
   CollectorOptions,
   createUsageCollectionSetupMock,
@@ -50,6 +54,7 @@ describe('telemetry_application_usage', () => {
   const getUsageCollector = jest.fn();
   const registerType = jest.fn();
   const callCluster = jest.fn();
+  const esClient = elasticsearchServiceMock.createClusterClient().asInternalUser;
 
   beforeAll(() =>
     registerApplicationUsageCollector(logger, usageCollectionMock, registerType, getUsageCollector)
@@ -62,7 +67,7 @@ describe('telemetry_application_usage', () => {
 
   test('if no savedObjectClient initialised, return undefined', async () => {
     expect(collector.isReady()).toBe(false);
-    expect(await collector.fetch(callCluster)).toBeUndefined();
+    expect(await collector.fetch(callCluster, esClient)).toBeUndefined();
     jest.runTimersToTime(ROLL_INDICES_START);
   });
 
@@ -80,7 +85,7 @@ describe('telemetry_application_usage', () => {
     jest.runTimersToTime(ROLL_TOTAL_INDICES_INTERVAL); // Force rollTotals to run
 
     expect(collector.isReady()).toBe(true);
-    expect(await collector.fetch(callCluster)).toStrictEqual({});
+    expect(await collector.fetch(callCluster, esClient)).toStrictEqual({});
     expect(savedObjectClient.bulkCreate).not.toHaveBeenCalled();
   });
 
@@ -137,7 +142,7 @@ describe('telemetry_application_usage', () => {
 
     jest.runTimersToTime(ROLL_TOTAL_INDICES_INTERVAL); // Force rollTotals to run
 
-    expect(await collector.fetch(callCluster)).toStrictEqual({
+    expect(await collector.fetch(callCluster, esClient)).toStrictEqual({
       appId: {
         clicks_total: total + 1 + 10,
         clicks_7_days: total + 1,
@@ -197,7 +202,7 @@ describe('telemetry_application_usage', () => {
 
     getUsageCollector.mockImplementation(() => savedObjectClient);
 
-    expect(await collector.fetch(callCluster)).toStrictEqual({
+    expect(await collector.fetch(callCluster, esClient)).toStrictEqual({
       appId: {
         clicks_total: 1,
         clicks_7_days: 0,