elastic · joepeeples · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024 · Sep 11, 2024
@@ -136,7 +136,7 @@ NOTE: You cannot delete prebuilt templates.
 == Export and import Timeline templates
 
 You can import and export Timeline templates, which enables importing templates
-from one {kib} space or instance to another. Exported templates are saved in an `ndjson` file.
+from one space or {elastic-sec} instance to another. Exported templates are saved in an `ndjson` file.
 
 . Go to *Timelines* -> *Templates*.
 . To export templates, do one of the following:

@@ -171,7 +171,7 @@ then select an action from the *Bulk actions* menu.
 == Export and import Timelines
 
 You can export and import Timelines, which enables you to share Timelines from one
-{kib} space or instance to another. Exported Timelines are saved as `.ndjson` files.
+space or {elastic-sec} instance to another. Exported Timelines are saved as `.ndjson` files.
 
 To export Timelines:
 

@@ -33,7 +33,7 @@ NOTE: You cannot update the data view for the Alerts page. This includes referen
 [[default-data-view-security]]
 == The default {data-source}
 
-The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {kib}'s advanced settings (**Stack Management** > **Advanced Settings** > **Security Solution**). To learn more about this setting, including its default value, refer to {security-guide}/advanced-settings.html#update-sec-indices[Advanced settings].
+The default {data-source} is defined by the `securitySolution:defaultIndex` setting, which you can modify in {security-guide}/advanced-settings.html#update-sec-indices[advanced settings].
 
 The first time a user visits {elastic-sec} within a given {kib} {kibana-ref}/xpack-spaces.html[space], the default {data-source} generates in that space and becomes active. 
 

@@ -2,7 +2,7 @@
 = Spaces and {elastic-sec}
 
 {elastic-sec} supports the organization of your security operations into
-logical instances with the {kibana-ref}/xpack-spaces.html[{kib} spaces]
+logical instances with the {kibana-ref}/xpack-spaces.html[spaces]
 feature. Each space in {kib} represents a separate logical instance of
 {elastic-sec} in which detection rules, rule exceptions, value lists,
 alerts, Timelines, cases, and {kib} advanced settings are private to the
@@ -22,7 +22,7 @@ the `SOC_dev` space, and they will run independently of those in the
 [NOTE]
 ===== 
 By default, alerts created by detection rules are stored in {es} indices
-under the `.alerts-security.alerts-<Kibana-space>` index pattern, and they may be
+under the `.alerts-security.alerts-<space-name>` index pattern, and they may be
 accessed by any user with role privileges to access those
 {es} indices. In our example above, any user with {es} privileges to access
 `.alerts-security.alerts-SOC_prod` will be able to view `SOC_prod` alerts from

@@ -44,14 +44,8 @@ This only allows you to add index patterns that match indices that currently con
 
 ## The default ((data-source))
 
-The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in your project's advanced settings{/* path to be updated: (**Stack Management** → **Advanced Settings** → **Security Solution**) */}. To learn more about this setting, including its default value, refer to <DocLink slug="/serverless/security/advanced-settings" />).
+The default ((data-source)) is defined by the `securitySolution:defaultIndex` setting, which you can modify in <DocLink slug="/serverless/security/advanced-settings">advanced settings</DocLink>.
 
-The first time a user visits ((elastic-sec)){/* within a given ((kib)) [space](((kibana-ref))/xpack-spaces.html)*/}, the default ((data-source)) generates{/* in that space*/} and becomes active.
+The first time a user visits ((elastic-sec)) within a given ((kib)) <DocLink slug="/serverless/spaces">space</DocLink>, the default ((data-source)) generates in that space and becomes active.
 
-{/* TO-DO: in the first sentence of the following note, link to the Serverless page that explains spaces. */}
-
-<DocCallOut title="Note">
-    Your space must have **Data View Management**{/*{kibana-ref}/xpack-spaces.html#spaces-control-feature-visibility[feature visibility*/} feature visibility setting enabled for the default ((data-source)) to generate and become active in your space. 
-</DocCallOut>
-
-If you delete the active ((data-source)) when there are no other defined ((data-sources)), the default ((data-source)) will regenerate and become active upon refreshing any ((elastic-sec)) page{/* in the space*/}.
+If you delete the active ((data-source)) when there are no other defined ((data-sources)), the default ((data-source)) will regenerate and become active upon refreshing any ((elastic-sec)) page in the space.
@@ -135,7 +135,7 @@ You cannot delete prebuilt templates.
 
 ## Export and import Timeline templates
 
-You can import and export Timeline templates, which enables importing templates from one {/*space or (*/}((elastic-sec)) instance to another. Exported templates are saved in an `ndjson` file.
+You can import and export Timeline templates, which enables importing templates from one space or ((elastic-sec)) instance to another. Exported templates are saved in an `ndjson` file.
 
 1. Go to **Investigations** → **Timelines** → **Templates**.
 1. To export templates, do one of the following:

@@ -176,7 +176,7 @@ then select an action from the **Bulk actions** menu.
 
 ## Export and import Timelines
 
-You can export and import Timelines, which enables you to share Timelines from one {/* space or */} ((elastic-sec)) instance to another. Exported Timelines are saved as `.ndjson` files.
+You can export and import Timelines, which enables you to share Timelines from one space or ((elastic-sec)) instance to another. Exported Timelines are saved as `.ndjson` files.
 
 To export Timelines:
 

@@ -15,9 +15,9 @@ Provide access to ((elastic-sec)) by assigning a user the appropriate <DocLink s
 
 To use ((elastic-sec)), your role must have at least:
 
-* `Read` privilege for the `Security` feature in the [space](((kibana-ref))/xpack-spaces.html). This grants you `Read` access to all features in ((elastic-sec)) except cases. You need additional <DocLink slug="/serverless/security/cases-requirements">minimum privileges</DocLink> to use cases.
-* `Read` and `view_index_metadata` privileges for all ((elastic-sec)) indices, such as
-`filebeat-*`, `packetbeat-*`, `logs-*`, and `endgame-*` indices.
+    * `Read` privilege for the `Security` feature in the <DocLink slug="/serverless/spaces">space</DocLink>. This grants you `Read` access to all features in ((elastic-sec)) except cases. You need additional <DocLink slug="/serverless/security/cases-requirements">minimum privileges</DocLink> to use cases.
+    * `Read` and `view_index_metadata` privileges for all ((elastic-sec)) indices, such as
+    `filebeat-*`, `packetbeat-*`, `logs-*`, and `endgame-*` indices.
 
 <DocCallOut title="Note">
     <DocLink slug="/serverless/security/advanced-settings" /> describes how to modify ((elastic-sec)) indices.

@@ -0,0 +1,16 @@
+---
+slug: /serverless/security/security-spaces
+title: Spaces and ((elastic-sec))
+description: Learn how spaces work in ((elastic-sec)).
+tags: [ 'serverless', 'security', 'reference' ]
+---
+
+((elastic-sec)) supports the organization of your security operations into logical instances with the <DocLink slug="/serverless/spaces">spaces</DocLink> feature. Each space in ((kib)) represents a separate logical instance of ((elastic-sec)) in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and ((kib)) advanced settings are private to the space and accessible only by users that have role privileges to access the space. For details about configuring privileges for ((es)) and ((kib)), refer to <DocLink slug="/serverless/security/detections-requirements" section="detections-permissions-section" />.
+
+For example, if you create a `SOC_prod` space in which you load and activate all the ((elastic-sec)) prebuilt detection rules, these rules and any detection alerts they generate will be accessible only when visiting the ((security-app)) in the `SOC_prod` space. If you then create a new `SOC_dev` space, you'll notice that no detection rules or alerts are present. Any rules subsequently loaded or created here will be private to the `SOC_dev` space, and they will run independently of those in the `SOC_prod` space.
+
+<DocCallOut title="Note">    
+    By default, alerts created by detection rules are stored in ((es)) indices under the `.alerts-security.alerts-<space-name>` index pattern, and they may be accessed by any user with role privileges to access those ((es)) indices. In our example above, any user with ((es)) privileges to access `.alerts-security.alerts-SOC_prod` will be able to view `SOC_prod` alerts from within ((es)) and other ((kib)) apps such as Discover. 
+
+    To ensure that detection alert data remains private to the space in which it was created, ensure that the roles assigned to your ((elastic-sec)) users include ((es)) privileges that limit their access to alerts within their space's alerts index. 
+</DocCallOut>
@@ -21,7 +21,12 @@
     },
     {
       "slug": "/serverless/security/security-ui", 
-      "classic-sources": [ "enSecurityEsUiOverview" ]
+      "classic-sources": [ "enSecurityEsUiOverview" ],
+      "items": [
+        {
+          "slug": "/serverless/security/security-spaces"
+        }
+      ]
     }, 
     {
       "label": "AI for security",