Merge branch 'main' into adds_exceptions_mapping_warning

* main:
  [DOCS] Add new EQL search configuration options (#2061)
  Add example response section (#2084)
  [DOCS][8.3] Updates "Endpoint Security" to "Endpoint and Cloud Security" screenshots (#2075)

docs/detections/api/rules/rules-api-create.asciidoc

@@ -413,6 +413,24 @@ must be an {es} date data type.
 
 |==============================================
 
+[[opt-fields-eql-create]]
+===== Optional fields for event correlation rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|event_category_field |String
+|Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field.
+
+|tiebreaker_field |String
+|Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
+
+|timestamp_field |String
+|Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
+
+|==============================================
+
 [[actions-object-schema]]
 ===== `actions` schema
 

docs/detections/api/rules/rules-api-import.asciidoc

@@ -66,3 +66,18 @@ curl -X POST "api/detection_engine/rules/_import?overwrite=true"
 
 `200`::
     Indicates a successful call.
+
+===== Example response
+
+[source,json]
+--------------------------------------------------
+{
+    "success": true,
+    "success_count": 1,
+    "rules_count": 1,
+    "errors": [],
+    "exceptions_errors": [],
+    "exceptions_success": true,
+    "exceptions_success_count": 0
+}
+--------------------------------------------------

docs/detections/api/rules/rules-api-update.asciidoc

@@ -329,6 +329,24 @@ must be an {es} date data type.
 
 |==============================================
 
+[[opt-fields-eql-update]]
+===== Optional fields for EQL rules
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|event_category_field |String
+|Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field.
+
+|tiebreaker_field |String
+|Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
+
+|timestamp_field |String
+|Contains the event timestamp used for sorting a sequence of events. This is different from `timestamp_override`, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
+
+|==============================================
+
 [[actions-object-schema-update]]
 ===== `actions` schema
 

docs/detections/rules-ui-create.asciidoc

@@ -180,7 +180,7 @@ network connection:
 +
 ** *Index patterns*: `winlogbeat-*`
 +
-> Winlogbeat ships Windows events to {elastic-sec}.
+Winlogbeat ships Windows events to {elastic-sec}.
 
 ** *EQL query*:
 +
@@ -205,6 +205,11 @@ image::images/eql-rule-query-example.png[]
 +
 NOTE: For sequence events, the {security-app} generates a single alert when all events listed in the sequence are detected. To see the matched sequence events in more detail, you can view the alert in the Timeline, and, if all events came from the same process, open the alert in Analyze Event view.
 +
+. (Optional) Click the EQL settings icon (image:images/eql-settings-icon.png[EQL settings icon,16,16]) to configure additional fields used by {ref}/eql.html#specify-a-timestamp-or-event-category-field[EQL search]:
+  * *Event category field*: Contains the event classification, such as `process`, `file`, or `network`. This field is typically mapped as a field type in the {ref}/keyword.html[keyword family]. Defaults to the `event.category` ECS field.
+  * *Tiebreaker field*: Sets a secondary field for sorting events (in ascending, lexicographic order) if they have the same timestamp.
+  * *Timestamp field*: Contains the event timestamp used for sorting a sequence of events. This is different from the *Timestamp override* advanced setting, which is used for querying events within a range. Defaults to the `@timestamp` ECS field.
++
 . Continue with <<preview-rules, previewing the rule>> (optional) or click *Continue* to <<rule-ui-basic-params, configure basic rule settings>>.
 
 [discrete]

docs/getting-started/install-endpoint.asciidoc

@@ -1,10 +1,10 @@
 [[install-endpoint]]
 [role="xpack"]
-= Configure and install the Endpoint Security integration
+= Configure and install the {endpoint-cloud-sec} integration
 
-Like other Elastic integrations, Endpoint Security can be integrated into the Elastic Agent through {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the Elastic Agent to monitor for events on your host and send data to the {security-app}.
+Like other Elastic integrations, {endpoint-cloud-sec} can be integrated into the {agent} through {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor for events on your host and send data to the {security-app}.
 
-NOTE: To configure the Endpoint Security integration on the {agent}, you must have permission to use {fleet} in {kib}. You must also have admin permissions in {kib} to access the **Endpoints** page in the {security-app}.
+NOTE: To configure the {endpoint-cloud-sec} integration on the {agent}, you must have permission to use {fleet} in {kib}. You must also have admin permissions in {kib} to access the **Endpoints** page in the {security-app}.
 
 [discrete]
 [[security-before-you-begin]]
@@ -14,34 +14,34 @@ If you're using macOS, some versions may require you to grant Full Disk Access t
 
 [discrete]
 [[add-security-integration]]
-== Add the Endpoint Security integration
+== Add the {endpoint-cloud-sec} integration
 
-. In {kib}, select **Security** -> **Endpoints**. If this is not your first time using {es-sec}, select **Management** -> **Integrations**, then search for and select **Endpoint Security**.
+. In {kib}, select **Security** -> **Endpoints**. If this is not your first time using {es-sec}, select **Management** -> **Integrations**, then search for and select **{endpoint-cloud-sec}**.
 +
 [role="screenshot"]
-image::images/install-endpoint/security-integration.png[Search result for "Endpoint Security" on the Integrations page.]
+image::images/install-endpoint/endpoint-cloud-sec-integrations-page.png[Search result for "Endpoint and Cloud Security" on the Integrations page.]
 +
-. Select **Add Endpoint Security** on either the Endpoints page of the {security-app} or the Endpoint Security integration page (*Management* -> *Integrations*). The integration configuration page appears.
+. Select **Add {endpoint-cloud-sec}** on either the Endpoints page of the {security-app} or the {endpoint-cloud-sec} integration page (*Management* -> *Integrations*). The integration configuration page appears.
 +
 [role="screenshot"]
-image::images/install-endpoint/add-elastic-endpoint-security.png[Add Endpoint Security integration page.]
+image::images/install-endpoint/endpoint-cloud-security-configuration.png[Add Endpoint and Cloud Security integration page.]
 +
-. Configure the Endpoint Security integration with an **Integration name** and optional **Description**.
-. Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. 
+. Configure the {endpoint-cloud-sec} integration with an **Integration name** and optional **Description**.
+. Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
 . When the configuration is complete, click **Save and continue**.
 . To complete the integration, continue to the next section to install the {agent} on your hosts.
 
 [discrete]
 [[enroll-security-agent]]
 == Configure and enroll the {agent}
 
-To configure the {agent}, Endpoint Security requires enrollment through Fleet to enable the integration.
+To enable the {endpoint-cloud-sec} integration, you must enroll agents in the relevant policy using {fleet}.
 
 [IMPORTANT]
 =====
 Before you add an {agent}, a {fleet-server} must be running. Refer to {fleet-guide}/add-a-fleet-server.html[Add a {fleet-server}].
 
-{endpoint-sec} cannot be integrated with an {agent} in standalone mode.
+{endpoint-cloud-sec} cannot be integrated with an {agent} in standalone mode.
 =====
 
 [discrete]
@@ -63,24 +63,24 @@ If you have upgraded to an {stack} version that includes {fleet-server} 7.13.0 o
 . Go to *{fleet}* -> *Agents* -> **Add agent**.
 +
 [role="screenshot"]
-image::images/install-endpoint/add-agent.png[Add agent flyout on the Fleet page.]
+image::images/install-endpoint/endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.]
 
 . Select an agent policy for the {agent}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
 +
-The selected agent policy should include {endpoint-sec}.
+The selected agent policy should include {endpoint-cloud-sec}.
 +
 [role="screenshot"]
-image::images/install-endpoint/endpoint-configuration.png[Add agent flyout with Endpoint Security integration highlighted.,575]
+image::images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png[Add agent flyout with Endpoint and Cloud Security integration highlighted.,575]
 
-. Ensure that the **Enroll in {fleet}** option is selected. {endpoint-sec} cannot be integrated with {agent} in standalone mode.
+. Ensure that the **Enroll in {fleet}** option is selected. {endpoint-cloud-sec} cannot be integrated with {agent} in standalone mode.
 
 . Select the appropriate platform or operating system for the host, then copy the provided commands.
 
 . On the host, open a command-line interface and navigate to the directory where you want to install {agent}. Paste and run the commands from {fleet} to download, extract, enroll, and start {agent}.
 
 . (Optional) Return to the **Add agent** flyout in {fleet}, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {es}.
 
-. After you have enrolled the {agent} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {fleet}. Otherwise, select **Close**. 
+. After you have enrolled the {agent} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {fleet}. Otherwise, select **Close**.
 +
 The host will now appear on the **Endpoints** page in the {security-app}. It may take another minute or two for endpoint data to appear in {elastic-sec}.