Merge branch 'master' into actions/missing-action-params-fields

* master: (108 commits)
  [DOCS] Refreshes Data Visualizer screenshot (elastic#87017)
  [Security Solution] Change 'anti-virus' text to 'antivirus' (elastic#87001)
  [securitySolution/cypress] temporarily limit to PRs
  [AppServices/Examples] Add the example for Reporting integration (elastic#82091)
  [Build Chromium] Improve git checkout (elastic#83225)
  Deprecate `services.callCluster` in alerts and actions executors (elastic#86474)
  [Security Solution] Use system node version for Cypress and increase exec command timeout (elastic#86985)
  [Lens] Add more chart editor tests based on the debug state (elastic#86750)
  [Lens] Integrate searchSessionId into Lens app (elastic#86297)
  skip "pagination updates results and page number" elastic#86975
  skip "Custom detection rules" elastic#83772
  [logging/json] use merge from kbn/std (elastic#86330)
  skip network and timeline inspection. elastic#85677, elastic#85678
  skip "adds correctly a filter to the global search bar" elastic#86552
  [ftr/flags] improve help text (elastic#86971)
  skip "Fields Browser rendering. elastic#60209
  skip "Closes and opens alerts" elastic#83773
  [Security Solution] Skip failing Cypress tests (elastic#86967)
  Removes archives (elastic#86537)
  [ML] Fix charts grid on the Anomaly Explorer page (elastic#86904)
  ...

.ci/jobs.yml

@@ -1,4 +1,4 @@
-# This file is needed by functionalTests:ensureAllTestsInCiGroup for the list of ciGroups. That must be changed before this file can be removed
+# This file is needed by node scripts/ensure_all_tests_in_ci_group  for the list of ciGroups. That must be changed before this file can be removed
 
 JOB:
   - kibana-intake

docs/development/plugins/embeddable/public/kibana-plugin-plugins-embeddable-public.embeddableinput.md

@@ -17,5 +17,6 @@ export declare type EmbeddableInput = {
     disabledActions?: string[];
     disableTriggers?: boolean;
     searchSessionId?: string;
+    syncColors?: boolean;
 };
 ```

docs/development/plugins/embeddable/public/kibana-plugin-plugins-embeddable-public.openaddpanelflyout.md

@@ -14,7 +14,7 @@ export declare function openAddPanelFlyout(options: {
     overlays: OverlayStart;
     notifications: NotificationsStart;
     SavedObjectFinder: React.ComponentType<any>;
-}): Promise<void>;
+}): OverlayRef;
 ```
 
 ## Parameters
@@ -25,5 +25,5 @@ export declare function openAddPanelFlyout(options: {
 
 <b>Returns:</b>
 
-`Promise<void>`
+`OverlayRef`
 

docs/development/plugins/expressions/public/kibana-plugin-plugins-expressions-public.expressionrenderhandler._constructor_.md

@@ -9,13 +9,13 @@ Constructs a new instance of the `ExpressionRenderHandler` class
 <b>Signature:</b>
 
 ```typescript
-constructor(element: HTMLElement, { onRenderError, renderMode, hasCompatibleActions, }?: ExpressionRenderHandlerParams);
+constructor(element: HTMLElement, { onRenderError, renderMode, syncColors, hasCompatibleActions, }?: ExpressionRenderHandlerParams);
 ```
 
 ## Parameters
 
 |  Parameter | Type | Description |
 |  --- | --- | --- |
 |  element | <code>HTMLElement</code> |  |
-|  { onRenderError, renderMode, hasCompatibleActions, } | <code>ExpressionRenderHandlerParams</code> |  |
+|  { onRenderError, renderMode, syncColors, hasCompatibleActions, } | <code>ExpressionRenderHandlerParams</code> |  |
 

docs/development/plugins/expressions/public/kibana-plugin-plugins-expressions-public.expressionrenderhandler.md

@@ -14,7 +14,7 @@ export declare class ExpressionRenderHandler
 
 |  Constructor | Modifiers | Description |
 |  --- | --- | --- |
-|  [(constructor)(element, { onRenderError, renderMode, hasCompatibleActions, })](./kibana-plugin-plugins-expressions-public.expressionrenderhandler._constructor_.md) |  | Constructs a new instance of the <code>ExpressionRenderHandler</code> class |
+|  [(constructor)(element, { onRenderError, renderMode, syncColors, hasCompatibleActions, })](./kibana-plugin-plugins-expressions-public.expressionrenderhandler._constructor_.md) |  | Constructs a new instance of the <code>ExpressionRenderHandler</code> class |
 
 ## Properties
 

docs/development/plugins/expressions/public/kibana-plugin-plugins-expressions-public.iexpressionloaderparams.md

@@ -25,6 +25,7 @@ export interface IExpressionLoaderParams
 |  [renderMode](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.rendermode.md) | <code>RenderMode</code> |  |
 |  [searchContext](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.searchcontext.md) | <code>SerializableState</code> |  |
 |  [searchSessionId](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.searchsessionid.md) | <code>string</code> |  |
+|  [syncColors](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.synccolors.md) | <code>boolean</code> |  |
 |  [uiState](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.uistate.md) | <code>unknown</code> |  |
 |  [variables](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.variables.md) | <code>Record&lt;string, any&gt;</code> |  |
 

docs/development/plugins/expressions/public/kibana-plugin-plugins-expressions-public.iexpressionloaderparams.synccolors.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-plugins-expressions-public](./kibana-plugin-plugins-expressions-public.md) &gt; [IExpressionLoaderParams](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.md) &gt; [syncColors](./kibana-plugin-plugins-expressions-public.iexpressionloaderparams.synccolors.md)
+
+## IExpressionLoaderParams.syncColors property
+
+<b>Signature:</b>
+
+```typescript
+syncColors?: boolean;
+```

docs/development/plugins/expressions/public/kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.issynccolorsenabled.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-plugins-expressions-public](./kibana-plugin-plugins-expressions-public.md) &gt; [IInterpreterRenderHandlers](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.md) &gt; [isSyncColorsEnabled](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.issynccolorsenabled.md)
+
+## IInterpreterRenderHandlers.isSyncColorsEnabled property
+
+<b>Signature:</b>
+
+```typescript
+isSyncColorsEnabled: () => boolean;
+```

docs/development/plugins/expressions/public/kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.md

@@ -18,6 +18,7 @@ export interface IInterpreterRenderHandlers
 |  [event](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.event.md) | <code>(event: any) =&gt; void</code> |  |
 |  [getRenderMode](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.getrendermode.md) | <code>() =&gt; RenderMode</code> |  |
 |  [hasCompatibleActions](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.hascompatibleactions.md) | <code>(event: any) =&gt; Promise&lt;boolean&gt;</code> |  |
+|  [isSyncColorsEnabled](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.issynccolorsenabled.md) | <code>() =&gt; boolean</code> |  |
 |  [onDestroy](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.ondestroy.md) | <code>(fn: () =&gt; void) =&gt; void</code> |  |
 |  [reload](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.reload.md) | <code>() =&gt; void</code> |  |
 |  [uiState](./kibana-plugin-plugins-expressions-public.iinterpreterrenderhandlers.uistate.md) | <code>unknown</code> | This uiState interface is actually <code>PersistedState</code> from the visualizations plugin, but expressions cannot know about vis or it creates a mess of circular dependencies. Downstream consumers of the uiState handler will need to cast for now. |

docs/development/plugins/expressions/server/kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.issynccolorsenabled.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-plugins-expressions-server](./kibana-plugin-plugins-expressions-server.md) &gt; [IInterpreterRenderHandlers](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.md) &gt; [isSyncColorsEnabled](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.issynccolorsenabled.md)
+
+## IInterpreterRenderHandlers.isSyncColorsEnabled property
+
+<b>Signature:</b>
+
+```typescript
+isSyncColorsEnabled: () => boolean;
+```

docs/development/plugins/expressions/server/kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.md

@@ -18,6 +18,7 @@ export interface IInterpreterRenderHandlers
 |  [event](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.event.md) | <code>(event: any) =&gt; void</code> |  |
 |  [getRenderMode](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.getrendermode.md) | <code>() =&gt; RenderMode</code> |  |
 |  [hasCompatibleActions](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.hascompatibleactions.md) | <code>(event: any) =&gt; Promise&lt;boolean&gt;</code> |  |
+|  [isSyncColorsEnabled](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.issynccolorsenabled.md) | <code>() =&gt; boolean</code> |  |
 |  [onDestroy](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.ondestroy.md) | <code>(fn: () =&gt; void) =&gt; void</code> |  |
 |  [reload](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.reload.md) | <code>() =&gt; void</code> |  |
 |  [uiState](./kibana-plugin-plugins-expressions-server.iinterpreterrenderhandlers.uistate.md) | <code>unknown</code> | This uiState interface is actually <code>PersistedState</code> from the visualizations plugin, but expressions cannot know about vis or it creates a mess of circular dependencies. Downstream consumers of the uiState handler will need to cast for now. |

docs/discover/search.asciidoc

@@ -74,7 +74,7 @@ status codes, you could enter `status:[400 TO 499]`.
 codes and have an extension of `php` or `html`, you could enter `status:[400 TO
 499] AND (extension:php OR extension:html)`.
 
-IMPORTANT: When you use the Lucene Query Syntax in the *KQL* search bar, {kib} is unable to search on nested objects and perform aggregations across fields that contain nested objects. 
+IMPORTANT: When you use the Lucene Query Syntax in the *KQL* search bar, {kib} is unable to search on nested objects and perform aggregations across fields that contain nested objects.
 Using `include_in_parent` or `copy_to` as a workaround can cause {kib} to fail.
 
 For more detailed information about the Lucene query syntax, see the
@@ -107,7 +107,8 @@ To save the current search:
 . Click *Save* in the Kibana toolbar.
 . Enter a name for the search and click *Save*.
 
-To import, export, and delete saved searches, open the main menu, then click *Stack Management > Saved Ojbects*.
+To import, export, and delete saved searches, open the main menu,
+then click *Stack Management > Saved Objects*.
 
 ==== Open a saved search
 To load a saved search into Discover:

docs/management/advanced-options.asciidoc

@@ -262,6 +262,10 @@ Hides the "Time" column in *Discover* and in all saved searches on dashboards.
 Highlights results in *Discover* and saved searches on dashboards. Highlighting
 slows requests when working on big documents.
 
+[[doctable-legacy]]`doc_table:legacy`:: 
+Control the way the Discover's table looks and works. Set this property to `true` to revert to the legacy implementation.
+
+
 [float]
 [[kibana-ml-settings]]
 ==== Machine learning

docs/user/alerting/alerting-getting-started.asciidoc

@@ -123,14 +123,15 @@ image::images/alert-concepts-connectors.svg[Connectors provide a central place t
 [float]
 === Summary
 
-An _alert_ consists of conditions, _actions_, and a schedule. When conditions are met, _alert instances_ are created that render _actions_ and invoke them. To make action setup and update easier, actions refer to _connectors_ that centralize the information used to connect with {kib} services and third-party integrations.
+An _alert_ consists of conditions, _actions_, and a schedule. When conditions are met, _alert instances_ are created that render _actions_ and invoke them. To make action setup and update easier, actions refer to _connectors_ that centralize the information used to connect with {kib} services and third-party integrations. The following example ties these concepts together: 
 
 image::images/alert-concepts-summary.svg[Alerts, actions, alert instances and connectors work together to convert detection into action]
 
-* *Alert*: a specification of the conditions to be detected, the schedule for detection, and the response when detection occurs. 
-* *Action*: the response to a detected condition defined in the alert. Typically actions specify a service or third party integration along with alert details that will be sent to it. 
-* *Alert instance*: state tracked by {kib} for every occurrence of a detected condition. Actions as well as controls like muting and re-notification are controlled at the instance level. 
-* *Connector*: centralized configurations for services and third party integration that are referenced by actions. 
+. Anytime an *alert*'s conditions are met, an *alert instance* is created.  This example checks for servers with average CPU > 0.9. Three servers meet the condition, so three instances are created. 
+. Instances create *actions* as long as they are not muted or throttled. When actions are created, the template that was setup in the alert is filled with actual values.  In this example three actions are created, and the template string {{server}} is replaced with the server name for each instance. 
+. {kib} invokes the actions, sending them to a 3rd party *integration* like an email service.
+. If the 3rd party integration has connection parameters or credentials, {kib} will fetch these from the *connector* referenced in the action. 
+
 
 [float]
 [[alerting-concepts-differences]]

docs/user/dashboard/edit-dashboards.asciidoc

@@ -81,6 +81,21 @@ Put the dashboard in *Edit* mode, then use the following options:
 * To delete, open the panel menu, then select *Delete from dashboard*. When you delete a panel from the dashboard, the 
 visualization or saved search from the panel is still available in Kibana.
 
+[float]
+[[sync-colors]]
+=== Synchronize colors
+
+By default, dashboard panels that share a non-gradient based color palette will synchronize their color assignment to improve readability.
+Color assignment is based on the series name, and the total number of colors is based on the number of unique series names.
+
+The color synchronizing logic can make the dashboard less readable when there are too many unique series names. It is possible to disable the synchronization behavior:
+
+. Put the dashboard in *Edit* mode. 
+
+. Click the "Options" button in the top navigation bar.
+
+. Disable "Sync color palettes across panels".
+
 [float]
 [[clone-panels]]
 === Clone panels

docs/user/security/audit-logging.asciidoc

@@ -47,9 +47,11 @@ For information on how to configure `xpack.security.audit.appender`, refer to
 
 Refer to the table of events that can be logged for auditing purposes. 
 
-Each event is broken down into `category`, `type`, `action` and `outcome` fields
+Each event is broken down into <<field-event-category, category>>, <<field-event-type, type>>, <<field-event-action, action>> and <<field-event-outcome, outcome>> fields
 to make it easy to filter, query and aggregate the resulting logs. 
 
+Refer to <<xpack-security-ecs-audit-schema>> for a table of fields that get logged with audit event. 
+
 [NOTE]
 ============================================================================
 To ensure that a record of every operation is persisted even in case of an
@@ -230,3 +232,188 @@ Refer to the corresponding {es} logs for potential write errors.
 | `http_request`
 | `unknown` | User is making an HTTP request.
 |======
+
+
+[[xpack-security-ecs-audit-schema]]
+==== ECS audit schema
+
+Audit logs are written in JSON using https://www.elastic.co/guide/en/ecs/1.6/index.html[Elastic Common Schema (ECS)] specification.
+
+[cols="2*<"]
+|======
+
+2+a| ===== Base Fields
+
+| *Field*
+| *Description*
+
+| `@timestamp`
+| Time when the event was generated. 
+
+Example: `2016-05-23T08:05:34.853Z`
+
+| `message`
+| Human readable description of the event. 
+
+2+a| ===== Event Fields
+
+| *Field*
+| *Description*
+
+| [[field-event-action]] `event.action`
+| The action captured by the event.
+
+Refer to <<xpack-security-ecs-audit-logging>> for a table of possible actions. 
+
+| [[field-event-category]] `event.category`
+| High level category associated with the event.
+
+This field is closely related to `event.type`, which is used as a subcategory.
+
+Possible values:
+`database`,
+`web`,
+`authentication`
+
+| [[field-event-type]] `event.type`
+| Subcategory associated with the event.
+
+This field can be used along with the `event.category` field to enable filtering events down to a level appropriate for single visualization.
+
+Possible values:
+`creation`,
+`access`,
+`change`,
+`deletion`
+
+| [[field-event-outcome]] `event.outcome`
+| Denotes whether the event represents a success or failure. 
+
+Possible values:
+`success`,
+`failure`,
+`unknown`
+
+2+a| ===== User Fields
+
+| *Field*
+| *Description*
+
+| `user.name`
+| Login name of the user.
+
+Example: `jdoe`
+
+| `user.roles[]`
+| Set of user roles at the time of the event.
+
+Example: `[kibana_admin, reporting_user]`
+
+2+a| ===== Kibana Fields
+
+| *Field*
+| *Description*
+
+| `kibana.space_id`
+| ID of the space associated with the event.
+
+Example: `default`
+
+| `kibana.session_id`
+| ID of the user session associated with the event. 
+
+Each login attempt results in a unique session id.
+
+| `kibana.saved_object.type`
+| Type of saved object associated with the event.
+
+Example: `dashboard`
+
+| `kibana.saved_object.id`
+| ID of the saved object associated with the event.
+
+| `kibana.authentication_provider`
+| Name of the authentication provider associated with the event.
+
+Example: `my-saml-provider`
+
+| `kibana.authentication_type`
+| Type of the authentication provider associated with the event.
+
+Example: `saml`
+
+| `kibana.authentication_realm`
+| Name of the Elasticsearch realm that has authenticated the user.
+
+Example: `native`
+
+| `kibana.lookup_realm`
+| Name of the Elasticsearch realm where the user details were retrieved from.
+
+Example: `native`
+
+| `kibana.add_to_spaces[]`
+| Set of space IDs that a saved object is being shared to as part of the event.
+
+Example: `[default, marketing]`
+
+| `kibana.delete_from_spaces[]`
+| Set of space IDs that a saved object is being removed from as part of the event.
+
+Example: `[marketing]`
+
+2+a| ===== Error Fields
+
+| *Field*
+| *Description*
+
+| `error.code`
+| Error code describing the error.
+
+| `error.message`
+| Error message. 
+
+2+a| ===== HTTP and URL Fields
+
+| *Field*
+| *Description*
+
+| `http.request.method`
+| HTTP request method.
+
+Example: `get`, `post`, `put`, `delete`
+
+| `url.domain`
+| Domain of the url.
+
+Example: `www.elastic.co`
+
+| `url.path`
+| Path of the request.
+
+Example: `/search`
+
+| `url.port`
+| Port of the request.
+
+Example: `443`
+
+| `url.query`
+| The query field describes the query string of the request.
+
+Example: `q=elasticsearch`
+
+| `url.scheme`
+| Scheme of the request.
+
+Example: `https`
+
+2+a| ===== Tracing Fields
+
+| *Field*
+| *Description*
+
+| `trace.id`
+| Unique identifier allowing events of the same transaction from {kib} and {es} to be be correlated.
+
+|======