[Serverless & 8.14] Updates to ES|QL Security features in 8.14 and Serverless

[nastasha-solomon]

Description

Summary

With ES|QL going GA in 8.14 and being exposed in Serverless, multiple changes are being made to ESS and Serverless Security features that use ES|QL. These changes will require various doc and screenshot updates across the ESS and Serverless docsets. I've outlined them below.

ESS/8.14

The following ES|QL Security features are being updated in 8.14.

ES|QL rule -

The ES|QL rule will be moved from tech preview to GA in 8.14.

• Related dev issue and PR:
  • [Detection Engine][ESS] GA ES|QL rule type when ES|QL GAs kibana#178422
  • [Security Solution][Detection Engine] removes ES|QL tech preview badges from rule create form and rule details kibana#179855
• Doc issue and PR:
  • [Request][ESS] [ES|QL] Update rule type to GA #4899
  • [ESS][8.14] ES|QL rule is GA'ing  #5032
• Required doc updates:
  • Remove the tech preview label from UI and API docs for the ES|QL rule.

ES|QL Timeline tab

The ES|QL tab in Timeline will be moved from tech preview to GA in 8.14 and will be enabled by default.

• Related dev issue and PR:
  • [Investigations] - Remove technical preview tag from ES|QL tab kibana#180838
  • [Security Solution] - Security solution ES|QL configurable via advanced setting kibana#181616
• Doc issue and PR:
  • [Request][ESS] ES|QL Timeline tab enabled by default and moved to GA #5138
  • [Request][ESS][8.14] ES|QL Timeline tab enabled by default and moved to GA  #5139
• Required doc updates:
  • Remove the tech preview label from UI docs
  • Update various screenshots.

AI Assistant Knowledge base

The entire Knowledge Base feature (which is the functionality that generates ES|QL queries and the functionality that answers questions about alerts) is still in tech preview for 8.14. Because of this, the required doc updates are slightly different. I've outlined them here.

• Related dev issue and PR: N/A (the tech preview icon is not being removed from the Knowledge Base UI since the feature is still in tech preview)
• Doc issue and PR:
  • [Request][Serverless & ESS] Update docs to convey release state of AI Assistant's ES|QL-query-generating functionality  #5098
  • [Request][ESS][8.14] Update docs to convey release state of AI Assistant's ES|QL-query-generating functionality #5105
• Required doc updates:
  • Outlined above

Serverless

The following ES|QL Security features are being added to Serverless on May 6. Since Serverless is still in tech preview, these features and ES|QL will remain in tech preview.

ES|QL rule

The ES|QL rule is being added to the rule creation workflow. Users can choose the ES|QL rule type when creating a new rule.

• Related dev issue and PR:
  • [Detection Engine][Serverless] Enable ES|QL rule in Serverless kibana#181937
  • PR is Pending/In progress
• Doc issue and PR:
  • [Request] [Detection Engine][Serverless] Expose ES|QL rule in serverless #5135
  • https://github.com/elastic/staging-serverless-security-docs/pull/340
• Required doc updates:
  • Add docs for the ES|QL rule. Can reuse content from the ESS docs.
  • Figure out whether the ES|QL rule docs should reference ES|QL reference content in Servlerss (which doesn't currently exist) or ES|QL content in the ESS docset. Will ping the ES writers to learn more. Confirmed that we should point to the ESS ES|QL docs if need to reference them.

ES|QL Timeline tab

The ES|QL tab is being added to Timeline.

• Related dev issue and PR:
  • [Security Solution] - Security solution ES|QL configurable via advanced setting kibana#181616
• Doc issue and PR:
  • [Request][Serverless] ES|QL Timeline tab will be exposed in Serverless  #5152
  • https://github.com/elastic/staging-serverless-security-docs/pull/341
• Required doc updates:
  • Add docs for the ES|QL tab to the Investigate events in Timeline page. Can re-use the content that's available in the ESS docs.
  • Make the additional changes outlined here

AI Assistant Knowledge base

Looks like the Knowledge base feature in Serverless can generate ES|QL queries, but the feature itself is still in the tech preview state (I'll confirm both with @benironside). The required doc updates might be the same as what I've outlined for ESS.

• Related dev issue and PR: N/A (the tech preview icon is not being removed from the Knowledge Base UI since the feature is still in tech preview)
• Doc issue and PR:
  • [Request][Serverless & ESS] Update docs to convey release state of AI Assistant's ES|QL-query-generating functionality  #5098 (will need to add Serverless details to this)
  • https://github.com/elastic/staging-serverless-security-docs/pull/339
• Required doc updates:
  • Outlined above

Background & resources

• PRs: Details above
• Issues/metas: Ditto
• Point of contact: @yctercero @michaelolo24
• Test environments: TBD

Which documentation set does this change impact?

ESS and serverless

ESS release

8.14

Serverless release

TBD

Feature differences

All details are outlined above

API docs impact

All details are outlined above

Prerequisites, privileges, feature flags

ESS/8.14

ES|QL and related ES|QL Security features will be enabled by default in 8.14 and in the GA state. Users can disable it by turning the enableESQL advanced setting off under the General section.

Required doc updates:

• Outlined at [Request][ESS] Document advanced setting that allows users to disable ES|QL in ESS #5163

Serverless

ES|QL and related ES|QL Security features (including the ES|QL option in Discover) will be enabled by default in Serverless. All ES|QL functionality in Serverless will be in Tech Preview since the Serverless platform is in Tech Preview.

No doc updates are required.

[nastasha-solomon]

All Serverless and ESS docs are updated.