Merge branch 'master' into monitoring/external_link

Author: elasticmachine

.eslintrc.js

@@ -96,7 +96,7 @@ module.exports = {
       },
     },
     {
-      files: ['x-pack/legacy/plugins/cross_cluster_replication/**/*.{js,ts,tsx}'],
+      files: ['x-pack/plugins/cross_cluster_replication/**/*.{js,ts,tsx}'],
       rules: {
         'jsx-a11y/click-events-have-key-events': 'off',
       },

.sass-lint.yml

@@ -9,6 +9,7 @@ files:
     - 'x-pack/legacy/plugins/canvas/**/*.s+(a|c)ss'
     - 'x-pack/plugins/triggers_actions_ui/**/*.s+(a|c)ss'
     - 'x-pack/plugins/lens/**/*.s+(a|c)ss'
+    - 'x-pack/plugins/cross_cluster_replication/**/*.s+(a|c)ss'
     - 'x-pack/legacy/plugins/maps/**/*.s+(a|c)ss'
     - 'x-pack/plugins/maps/**/*.s+(a|c)ss'
   ignore:

docs/development/plugins/data/public/kibana-plugin-plugins-data-public.datapublicpluginstart.actions.md

@@ -8,6 +8,7 @@
 
 ```typescript
 actions: {
-        createFiltersFromEvent: typeof createFiltersFromEvent;
+        createFiltersFromValueClickAction: typeof createFiltersFromValueClickAction;
+        createFiltersFromRangeSelectAction: typeof createFiltersFromRangeSelectAction;
     };
 ```

docs/development/plugins/data/public/kibana-plugin-plugins-data-public.datapublicpluginstart.md

@@ -14,7 +14,7 @@ export interface DataPublicPluginStart
 
 |  Property | Type | Description |
 |  --- | --- | --- |
-|  [actions](./kibana-plugin-plugins-data-public.datapublicpluginstart.actions.md) | <code>{</code><br/><code>        createFiltersFromEvent: typeof createFiltersFromEvent;</code><br/><code>    }</code> |  |
+|  [actions](./kibana-plugin-plugins-data-public.datapublicpluginstart.actions.md) | <code>{</code><br/><code>        createFiltersFromValueClickAction: typeof createFiltersFromValueClickAction;</code><br/><code>        createFiltersFromRangeSelectAction: typeof createFiltersFromRangeSelectAction;</code><br/><code>    }</code> |  |
 |  [autocomplete](./kibana-plugin-plugins-data-public.datapublicpluginstart.autocomplete.md) | <code>AutocompleteStart</code> |  |
 |  [fieldFormats](./kibana-plugin-plugins-data-public.datapublicpluginstart.fieldformats.md) | <code>FieldFormatsStart</code> |  |
 |  [indexPatterns](./kibana-plugin-plugins-data-public.datapublicpluginstart.indexpatterns.md) | <code>IndexPatternsContract</code> |  |

docs/development/plugins/data/public/kibana-plugin-plugins-data-public.fieldformats.md

@@ -10,7 +10,7 @@
 fieldFormats: {
     FieldFormat: typeof FieldFormat;
     FieldFormatsRegistry: typeof FieldFormatsRegistry;
-    serialize: (agg: import("./search").AggConfig) => import("../../expressions/common").SerializedFieldFormat<object>;
+    serialize: (agg: import("./search").AggConfig) => import("../../expressions").SerializedFieldFormat<object>;
     DEFAULT_CONVERTER_COLOR: {
         range: string;
         regex: string;

docs/development/plugins/data/server/kibana-plugin-plugins-data-server.fieldformats.md

@@ -10,7 +10,7 @@
 fieldFormats: {
     FieldFormatsRegistry: typeof FieldFormatsRegistry;
     FieldFormat: typeof FieldFormat;
-    serializeFieldFormat: (agg: import("../public/search").AggConfig) => import("../../expressions/common").SerializedFieldFormat<object>;
+    serializeFieldFormat: (agg: import("../public/search").AggConfig) => import("../../expressions").SerializedFieldFormat<object>;
     BoolFormat: typeof BoolFormat;
     BytesFormat: typeof BytesFormat;
     ColorFormat: typeof ColorFormat;

docs/images/clone_panel.gif

@@ -217,6 +217,8 @@ might increase the search time. This setting is off by default. Users must opt-i
 [horizontal]
 `siem:defaultAnomalyScore`:: The threshold above which Machine Learning job anomalies are displayed in the SIEM app.
 `siem:defaultIndex`:: A comma-delimited list of Elasticsearch indices from which the SIEM app collects events.
+`siem:ipReputationLinks`:: A JSON array containing links for verifying the reputation of an IP address. The links are displayed on
+{siem-guide}/siem-ui-overview.html#network-ui[IP detail] pages.
 `siem:enableNewsFeed`:: Enables the security news feed on the SIEM *Overview*
 page.
 `siem:newsFeedUrl`:: The URL from which the security news feed content is

docs/management/advanced-options.asciidoc

@@ -8,7 +8,6 @@
 You do not need to configure any settings to use {kib} {ml-features}. They are
 enabled by default.
 
-[float]
 [[general-ml-settings-kb]]
 ==== General {ml} settings
 
@@ -19,3 +18,11 @@ If set to `false` in `kibana.yml`, the {ml} icon is hidden in this {kib}
 instance. If `xpack.ml.enabled` is set to `true` in `elasticsearch.yml`, however,
 you can still use the {ml} APIs. To disable {ml} entirely, see the
 {ref}/ml-settings.html[{es} {ml} settings].
+
+[[data-visualizer-settings]]
+==== {data-viz} settings
+
+`xpack.ml.file_data_visualizer.max_file_size`::
+Sets the file size limit when importing data in the {data-viz}. The default
+value is `100MB`. The highest supported value for this setting is `1GB`.
+

docs/settings/ml-settings.asciidoc

@@ -35,7 +35,7 @@ image::siem/images/network-ui.png[]
 
 [float]
 [[detections-ui]]
-=== Detections (Beta)
+=== Detections (beta)
 
 The Detections feature automatically searches for threats and creates 
 signals when they are detected. Signal detection rules define the conditions 
@@ -50,6 +50,22 @@ or the Detections API.
 [role="screenshot"]
 image::siem/images/detections-ui.png[]
 
+[float]
+[[cases-ui]]
+=== Cases (beta)
+
+Cases are used to open and track security issues directly in SIEM. 
+Cases list the original reporter and all users who contribute to a case
+(`participants`). Case comments support Markdown syntax, and allow linking to
+saved Timelines. Additionally, you can send cases to external systems from
+within SIEM (currently ServiceNow).
+
+For information about opening, updating, and closing cases, see
+{siem-guide}/cases-overview.html[Cases] in the SIEM Guide.
+
+[role="screenshot"]
+image::siem/images/cases-ui.png[]
+
 [float]
 [[timelines-ui]]
 === Timeline

docs/siem/images/cases-ui.png

@@ -1,6 +1,6 @@
 [role="xpack"]
 [[email-action-type]]
-== Email action type
+=== Email action
 
 The email action type uses the SMTP protocol to send mail message, using an integration of https://nodemailer.com/[Nodemailer]. Email message text is sent as both plain text and html text.
 
@@ -10,11 +10,11 @@ The email action type uses the SMTP protocol to send mail message, using an inte
 
 Email connectors have the following configuration properties:
 
-Name::      The name of the connector. The name is used to identify a  connector in the management UI connector listing, or in the connector list when configuring an action. 
+Name::      The name of the connector. The name is used to identify a  connector in the management UI connector listing, or in the connector list when configuring an action.
 Sender::    The from address for all emails sent with this connector, specified in `user@host-name` format.
-Host::      Host name of the service provider. If you are using the <<action-settings, `xpack.actions.whitelistedHosts`>> setting, make sure this hostname is whitelisted. 
+Host::      Host name of the service provider. If you are using the <<action-settings, `xpack.actions.whitelistedHosts`>> setting, make sure this hostname is whitelisted.
 Port::      The port to connect to on the service provider.
-Secure::    If true the connection will use TLS when connecting to the service provider. See https://nodemailer.com/smtp/#tls-options[nodemailer TLS documentation] for more information.  
+Secure::    If true the connection will use TLS when connecting to the service provider. See https://nodemailer.com/smtp/#tls-options[nodemailer TLS documentation] for more information.
 Username::  username for 'login' type authentication.
 Password::  password for 'login' type authentication.
 
@@ -26,4 +26,4 @@ Email actions have the following configuration properties:
 
 To, CC, BCC::    Each is a list of addresses. Addresses can be specified in `user@host-name` format, or in `name <user@host-name>` format. One of To, CC, or BCC must contain an entry.
 Subject::       The subject line of the email.
-Message::       The message text of the email. Markdown format is supported.
+Message::       The message text of the email. Markdown format is supported.

docs/siem/siem-ui.asciidoc

@@ -1,6 +1,6 @@
 [role="xpack"]
 [[index-action-type]]
-== Index action type
+=== Index action
 
 The index action type will index a document into {es}.
 
@@ -21,4 +21,4 @@ Execution time field::  This field will be automatically set to the time the ale
 
 Index actions have the following properties:
 
-Document::  The document to index in json format.
+Document::  The document to index in json format.

docs/user/alerting/action-types/email.asciidoc

@@ -1,6 +1,6 @@
 [role="xpack"]
 [[pagerduty-action-type]]
-== PagerDuty action type
+=== PagerDuty action
 
 The PagerDuty action type uses the https://v2.developer.pagerduty.com/docs/events-api-v2[v2 Events API] to trigger, acknowledge, and resolve PagerDuty alerts.
 
@@ -10,7 +10,7 @@ The PagerDuty action type uses the https://v2.developer.pagerduty.com/docs/event
 
 [float]
 [[pagerduty-benefits]]
-=== PagerDuty + Elastic integration benefits
+==== PagerDuty + Elastic integration benefits
 
 By integrating PagerDuty with alerts, you can:
 
@@ -20,15 +20,15 @@ By integrating PagerDuty with alerts, you can:
 
 [float]
 [[pagerduty-how-it-works]]
-==== How it works
+===== How it works
 
 {kib} allows you to create alerts to notify you of a significant move
 in your dataset.
 You can create alerts for all your Observability, Security, and Elastic Stack use cases.
 Alerts will trigger a new incident on the corresponding PagerDuty service.
 
 [float]
-==== Requirements
+===== Requirements
 
 In the `kibana.yml` configuration file, you must add the <<general-alert-action-settings, saved objects encryption setting>>.
 This is required to encrypt parameters that must be secured, for example PagerDuty’s integration key.
@@ -47,18 +47,17 @@ review the <<action-settings, Actions settings>> that are available to you.
 
 [float]
 [[pagerduty-support]]
-==== Support
+===== Support
 If you need help with this integration, get in touch with the {kib} team by visiting
 https://support.elastic.co[support.elastic.co] or by using the *Ask Elastic* option in the {kib} Help menu.
 You can also select the {kib} category at https://discuss.elastic.co/[discuss.elastic.co].
 
 [float]
 [[pagerduty-integration-walkthrough]]
-==== Integration with PagerDuty walkthrough
+===== Integration with PagerDuty walkthrough
 
-[float]
 [[pagerduty-in-pagerduty]]
-===== In PagerDuty
+*In PagerDuty*
 
 . From the *Configuration* menu, select *Services*.
 . Add an integration to a service:
@@ -83,9 +82,8 @@ image::user/alerting/images/pagerduty-integration.png[PagerDuty Integrations tab
 
 . Save this key, as you will use it when you configure the integration with Elastic in the next section.
 
-[float]
 [[pagerduty-in-elastic]]
-===== In Elastic
+*In Elastic*
 
 . Create a PagerDuty Connector in Kibana.  You can:
 +
@@ -117,7 +115,7 @@ https://v2.developer.pagerduty.com/v2/docs/send-an-event-events-api-v2[API v2 do
 
 [float]
 [[pagerduty-uninstall]]
-==== How to uninstall
+===== How to uninstall
 To remove a PagerDuty connector from an alert, simply remove it
 from the *Actions* section of that alert, using the remove (x) icon.
 This will disable the integration for the particular alert.
@@ -129,7 +127,7 @@ This is an irreversible action and impacts all alerts that use this connector.
 
 [float]
 [[pagerduty-connector-configuration]]
-=== Connector configuration
+==== Connector configuration
 
 PagerDuty connectors have the following configuration properties:
 
@@ -139,7 +137,7 @@ Routing Key::   A 32 character PagerDuty Integration Key for an integration on a
 
 [float]
 [[pagerduty-action-configuration]]
-=== Action configuration
+==== Action configuration
 
 PagerDuty actions have the following properties:
 

docs/user/alerting/action-types/index.asciidoc

@@ -1,6 +1,6 @@
 [role="xpack"]
 [[server-log-action-type]]
-== Server log action type
+=== Server log action
 
 This action type writes and entry to the {kib} server log.
 
@@ -18,4 +18,4 @@ Name::      The name of the connector. The name is used to identify a  connector
 
 Server log actions have the following properties:
 
-Message::   The message to log. 
+Message::   The message to log.

docs/user/alerting/action-types/pagerduty.asciidoc

@@ -1,8 +1,8 @@
 [role="xpack"]
 [[slack-action-type]]
-== Slack action type
+=== Slack action
 
-The Slack action type uses https://api.slack.com/incoming-webhooks[Slack Incoming Webhooks]. 
+The Slack action type uses https://api.slack.com/incoming-webhooks[Slack Incoming Webhooks].
 
 [float]
 [[slack-connector-configuration]]
@@ -11,12 +11,12 @@ The Slack action type uses https://api.slack.com/incoming-webhooks[Slack Incomin
 Slack connectors have the following configuration properties:
 
 Name::      The name of the connector. The name is used to identify a  connector in the management UI connector listing, or in the connector list when configuring an action.
-Webhook URL::   The URL of the incoming webhook. See https://api.slack.com/messaging/webhooks#getting_started[Slack Incoming Webhooks] for instructions on generating this URL. If you are using the <<action-settings, `xpack.actions.whitelistedHosts`>> setting, make sure the hostname is whitelisted. 
+Webhook URL::   The URL of the incoming webhook. See https://api.slack.com/messaging/webhooks#getting_started[Slack Incoming Webhooks] for instructions on generating this URL. If you are using the <<action-settings, `xpack.actions.whitelistedHosts`>> setting, make sure the hostname is whitelisted.
 
 [float]
 [[slack-action-configuration]]
 ==== Action configuration
 
 Slack actions have the following properties:
 
-Message::   The message	text, converted to the `text` field in the Webhook JSON payload. Currently only the text field is supported. Markdown, images, and other advanced formatting are not yet supported.
+Message::   The message	text, converted to the `text` field in the Webhook JSON payload. Currently only the text field is supported. Markdown, images, and other advanced formatting are not yet supported.

docs/user/alerting/action-types/server-log.asciidoc

@@ -1,6 +1,6 @@
 [role="xpack"]
 [[webhook-action-type]]
-== Webhook action type
+=== Webhook action
 
 The Webhook action type uses https://github.com/axios/axios[axios] to send a POST or PUT request to a web service.
 
@@ -11,7 +11,7 @@ The Webhook action type uses https://github.com/axios/axios[axios] to send a POS
 Webhook connectors have the following configuration properties:
 
 Name::      The name of the connector. The name is used to identify a  connector in the management UI connector listing, or in the connector list when configuring an action.
-URL::       The request URL. If you are using the <<action-settings, `xpack.actions.whitelistedHosts`>> setting, make sure the hostname is whitelisted. 
+URL::       The request URL. If you are using the <<action-settings, `xpack.actions.whitelistedHosts`>> setting, make sure the hostname is whitelisted.
 Method::    HTTP request method, either `post`(default) or `put`.
 Headers::   A set of key-value pairs sent as headers with the request
 User::      An optional username. If set, HTTP basic authentication is used. Currently only basic authentication is supported.
@@ -23,4 +23,4 @@ Password::  An optional password. If set, HTTP basic authentication is used. Cur
 
 Webhook actions have the following properties:
 
-Body::      A json payload sent to the request URL.
+Body::      A json payload sent to the request URL.

docs/user/alerting/action-types/slack.asciidoc

@@ -98,6 +98,24 @@ to the new dimensions.
 * To delete a panel, open the panel menu and select *Delete from dashboard.* Deleting a panel from a
 dashboard does *not* delete the saved visualization or search.
 
+[float]
+[[cloning-a-panel]]
+=== Clone dashboard elements
+
+In *Edit* mode, you can clone any panel on a dashboard.
+
+To clone an existing panel, open the panel menu of the element you wish to clone, then select *Clone panel*.
+
+* Cloned panels appear beside the original, and will move other panels down to make room if necessary.
+
+* Clones support all of the original panel's functionality, including renaming, editing, and cloning.
+
+* All cloned visualizations will appear in the visualization list.
+
+[role="screenshot"]
+image:images/clone_panel.gif[clone panel]
+
+
 [float]
 [[viewing-detailed-information]]
 === Inspect and edit elements

docs/user/alerting/action-types/webhook.asciidoc

@@ -4,31 +4,31 @@
 
 [partintro]
 --
-As datasets increase in size and complexity, the human effort required to
+As data sets increase in size and complexity, the human effort required to
 inspect dashboards or maintain rules for spotting infrastructure problems,
 cyber attacks, or business issues becomes impractical. Elastic {ml-features}
 such as {anomaly-detect} and {oldetection} make it easier to notice suspicious
 activities with minimal human interference.
 
-If you have a basic license, you can use the *Data Visualizer* to learn more
-about your data. In particular, if your data is stored in {es} and contains a
-time field, you can use the *Data Visualizer* to identify possible fields for
-{anomaly-detect}:
+{kib} includes a free *{data-viz}* to learn more about your data. In particular,
+if your data is stored in {es} and contains a time field, you can use the
+*{data-viz}* to identify possible fields for {anomaly-detect}:
 
 [role="screenshot"]
-image::user/ml/images/ml-data-visualizer-sample.jpg[Data Visualizer for sample flight data]
+image::user/ml/images/ml-data-visualizer-sample.jpg[{data-viz} for sample flight data]
 
-experimental[] You can also upload a CSV, NDJSON, or log file (up to 100 MB in 
-size). The *Data Visualizer* identifies the file format and field mappings. You 
-can then optionally import that data into an {es} index.
+experimental[] You can also upload a CSV, NDJSON, or log file. The *{data-viz}*
+identifies the file format and field mappings. You can then optionally import
+that data into an {es} index. To change the default file size limit, see
+<<data-visualizer-settings>>.
 
-You need the following permissions to use the Data Visualizer with file upload:
+You need the following permissions to use the {data-viz} with file upload:
 
 * cluster privileges: `monitor`, `manage_ingest_pipelines`
 * index privileges: `read`, `manage`, `index`
 
 For more information, see {ref}/security-privileges.html[Security privileges] 
-and {ref}/built-in-roles.html[Built-in roles].
+and {ml-docs}/setup.html[Set up {ml-features}].
 
 --