[Serverless][8.16] New notes experience - Impacted screenshots and mi…

…sc updates (#6072)

* Re-adds images

* Adds notes to landing page for investigative tools

* Fix Serverless TOC

* Fixes threat intel images

* Adds size configs

* fixes file name

* Minor tweaks

(cherry picked from commit 1b13703)

# Conflicts:
#	docs/serverless/alerts/view-alert-details.asciidoc
#	docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout-invest-tab.png
#	docs/serverless/images/interactive-investigation-guides/-detections-ig-alert-flyout.png
#	docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline-query.png
#	docs/serverless/images/interactive-investigation-guides/-detections-ig-timeline.png
#	docs/serverless/images/timeline-templates-ui/-events-create-a-timeline-template-field.png
#	docs/serverless/images/timelines-ui/-events-correlation-tab-eql-query.png
#	docs/serverless/images/timelines-ui/-events-timeline-sidebar.png
#	docs/serverless/images/timelines-ui/-events-timeline-ui-renderer.png
#	docs/serverless/images/timelines-ui/-events-timeline-ui-updated.png
#	docs/serverless/images/view-alert-details/-detections-alert-details-flyout-preview-panel.gif
#	docs/serverless/images/view-alert-details/-detections-alert-details-flyout-right-panel.png
#	docs/serverless/images/view-alert-details/-detections-expand-details-button.png
#	docs/serverless/images/view-alert-details/-detections-expanded-correlations-view.png
#	docs/serverless/images/view-alert-details/-detections-expanded-entities-view.png
#	docs/serverless/images/view-alert-details/-detections-expanded-prevalence-view.png
#	docs/serverless/images/view-alert-details/-detections-expanded-threat-intelligence-view.png
#	docs/serverless/images/view-alert-details/-detections-open-alert-details-flyout.gif
#	docs/serverless/index.asciidoc
#	docs/serverless/investigate/investigate-events.asciidoc
#	docs/serverless/investigate/timeline-templates-ui.asciidoc
#	docs/serverless/investigate/timelines-ui.asciidoc
#	docs/serverless/osquery/invest-guide-run-osquery.asciidoc
#	docs/serverless/rules/interactive-investigation-guides.asciidoc

docs/detections/alerts-view-details.asciidoc

@@ -52,7 +52,7 @@ IMPORTANT: If you've enabled grouping on the Alerts page, the alert details flyo
 [[preview-panel]]
 === Preview panel 
 
-Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **x**. 
+Some areas in the flyout provide previews when you click on them. For example, clicking **Show rule summary** in the rule description displays a preview of the rule's details. To close the preview, click **Back** or **x**. 
 
 [role="screenshot"]
 image::images/alert-details-flyout-preview-panel.gif[Preview panel of the alert details flyout, 65%]
@@ -67,13 +67,13 @@ The left panel provides an expanded view of what's shown in the right panel. To
 +
 
 [role="screenshot"]
-image::images/expand-details-button.png[Expand details button at the top of the alert details flyout, 45%]
+image::images/expand-details-button.png[Expand details button at the top of the alert details flyout, 65%]
 
 * Click one of the section titles on the **Overview** tab within the right panel. 
 +
 
 [role="screenshot"]
-image::images/alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 45%]
+image::images/alert-details-flyout-left-panel.png[Left panel of the alert details flyout, 65%]
 
 [discrete]
 [[about-section]]
@@ -201,7 +201,7 @@ From the right panel, click **Threat intelligence** to open the expanded Threat
 NOTE: The expanded threat intelligence view queries indices specified in the `securitySolution:defaultThreatIndex` advanced setting. Refer to <<update-threat-intel-indices, Update default Elastic Security threat intelligence indices>> to learn more about threat intelligence indices. 
 
 [role="screenshot"]
-image::images/expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 70%]
+image::images/expanded-threat-intelligence-view.png[Expanded view of threat intelligence on the alert, 80%]
 
 The expanded Threat intelligence view shows individual indicators within the alert document. You can expand and collapse indicator details by clicking the arrow button at the end of the indicator label. Each indicator is labeled with values from the `matched.field` and `matched.atomic` fields and displays the threat intelligence provider. 
 
@@ -256,7 +256,7 @@ NOTE: To access data about alerts related by process ancestry, you must have a h
 From the right panel, click **Correlations** to open the expanded Correlations view within the left panel. 
 
 [role="screenshot"]
-image::images/expanded-correlations-view.png[Expanded view of correlation data, 65%]
+image::images/expanded-correlations-view.png[Expanded view of correlation data, 75%]
 
 In the expanded view, corelation data is organized into several tables:
 

docs/events/timeline-ui-overview.asciidoc

@@ -58,7 +58,7 @@ Many types of events automatically appear in preconfigured views that provide re
 contextual information, called *Event renderers*. All event renderers are turned off by default. To turn them on, use the **Event renderers** toggle at the top of the results pane. To only turn on specific event renderers, click the gear (image:images/customize-event-renderers.png[The customize event renderer button,20,20]) icon next to the toggle, and select the ones you want enabled. Close the **Customize event renderers** pane when you're done. Your changes are automatically applied to Timeline.
 
 [role="screenshot"]
-image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted]
+image::images/timeline-ui-renderer.png[example timeline with the event renderer highlighted, 70%]
 
 The example above displays the Flow event renderer, which highlights the movement of
 data between its source and destination. If you see a particular part of the rendered event that
@@ -102,7 +102,7 @@ TIP: Collapse the query builder to provide more space for Timeline results by cl
 Click a filter to access additional operations such as *Add filter*, *Clear all*, *Load saved query*, and more:
 
 [role="screenshot"]
-image::images/timeline-ui-filter-options.png[width=30%]
+image::images/timeline-ui-filter-options.png[width=60%]
 
 Here are examples of various types of filters:
 

docs/serverless/index.asciidoc

@@ -0,0 +1,198 @@
+:doctype: book
+
+include::{asciidoc-dir}/../../shared/versions/stack/master.asciidoc[]
+include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
+
+[[what-is-security-serverless]]
+== Elastic Security serverless
+
+++++
+<titleabbrev>Elastic Security</titleabbrev>
+++++
+
+include::./what-is-security-serverless.asciidoc[leveloffset=+2]
+
+include::./security-overview.asciidoc[leveloffset=+2]
+
+include::./billing.asciidoc[leveloffset=+2]
+
+include::./projects-create/create-project.asciidoc[leveloffset=+2]
+
+include::./sec-requirements.asciidoc[leveloffset=+2]
+
+include::./security-ui.asciidoc[leveloffset=+2]
+include::./security-spaces.asciidoc[leveloffset=+3]
+
+include::./AI-for-security/ai-for-security-landing-pg.asciidoc[leveloffset=+2]
+include::./AI-for-security/ai-assistant.asciidoc[leveloffset=+3]
+include::./AI-for-security/attack-discovery.asciidoc[leveloffset=+3]
+include::./AI-for-security/llm-connector-guides.asciidoc[leveloffset=+3]
+include::./AI-for-security/llm-performance-matrix.asciidoc[leveloffset=+4]
+include::./AI-for-security/connect-to-azure-openai.asciidoc[leveloffset=+4]
+include::./AI-for-security/connect-to-bedrock.asciidoc[leveloffset=+4]
+include::./AI-for-security/connect-to-openai.asciidoc[leveloffset=+4]
+include::./AI-for-security/connect-to-vertex.asciidoc[leveloffset=+4]
+include::./AI-for-security/connect-to-byo-llm.asciidoc[leveloffset=+4]
+include::./AI-for-security/ai-use-cases.asciidoc[leveloffset=+3]
+include::./AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc[leveloffset=+4]
+include::./AI-for-security/ai-assistant-alert-triage.asciidoc[leveloffset=+4]
+include::./AI-for-security/ai-assistant-esql-queries.asciidoc[leveloffset=+4]
+
+include::./ingest/ingest-data.asciidoc[leveloffset=+2]
+include::./ingest/threat-intelligence.asciidoc[leveloffset=+3]
+include::./ingest/auto-import.asciidoc[leveloffset=+3]
+
+include::./edr-install-config/endpoint-protection-intro.asciidoc[leveloffset=+2]
+include::./edr-install-config/deploy-endpoint-reqs.asciidoc[leveloffset=+3]
+include::./edr-install-config/install-elastic-defend.asciidoc[leveloffset=+3]
+include::./edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc[leveloffset=+4]
+include::./edr-install-config/deploy-endpoint-macos-ven.asciidoc[leveloffset=+4]
+include::./edr-install-config/deploy-with-mdm.asciidoc[leveloffset=+4]
+include::./edr-install-config/agent-tamper-protection.asciidoc[leveloffset=+4]
+include::./edr-install-config/defend-feature-privs.asciidoc[leveloffset=+3]
+include::./edr-install-config/configure-endpoint-integration-policy.asciidoc[leveloffset=+3]
+include::./edr-install-config/artifact-control.asciidoc[leveloffset=+4]
+include::./edr-install-config/endpoint-diagnostic-data.asciidoc[leveloffset=+4]
+include::./edr-install-config/self-healing-rollback.asciidoc[leveloffset=+4]
+include::./edr-install-config/linux-file-monitoring.asciidoc[leveloffset=+4]
+include::./edr-install-config/endpoint-data-volume.asciidoc[leveloffset=+4]
+include::./edr-install-config/uninstall-agent.asciidoc[leveloffset=+3]
+
+include::./edr-manage/manage-endpoint-protection.asciidoc[leveloffset=+2]
+include::./edr-manage/endpoints-page.asciidoc[leveloffset=+3]
+include::./edr-manage/policies-page-ov.asciidoc[leveloffset=+3]
+include::./edr-manage/trusted-apps-ov.asciidoc[leveloffset=+3]
+include::./edr-manage/event-filters.asciidoc[leveloffset=+3]
+include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3]
+include::./edr-manage/blocklist.asciidoc[leveloffset=+3]
+include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3]
+include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3]
+include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3]
+include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3]
+include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3]
+
+include::./endpoint-response-actions/response-actions.asciidoc[leveloffset=+2]
+include::./endpoint-response-actions/automated-response-actions.asciidoc[leveloffset=+3]
+include::./endpoint-response-actions/host-isolation-ov.asciidoc[leveloffset=+3]
+include::./endpoint-response-actions/response-actions-history.asciidoc[leveloffset=+3]
+include::./endpoint-response-actions/third-party-actions.asciidoc[leveloffset=+3]
+include::./endpoint-response-actions/response-actions-config.asciidoc[leveloffset=+3]
+
+include::./cloud-native-security/cloud-native-security-overview.asciidoc[leveloffset=+2]
+include::./cloud-native-security/security-posture-management.asciidoc[leveloffset=+3]
+include::./cloud-native-security/enable-cloudsec.asciidoc[leveloffset=+3]
+include::./cloud-native-security/cspm.asciidoc[leveloffset=+3]
+include::./cloud-native-security/cspm-get-started.asciidoc[leveloffset=+4]
+include::./cloud-native-security/cspm-get-started-gcp.asciidoc[leveloffset=+4]
+include::./cloud-native-security/cspm-get-started-azure.asciidoc[leveloffset=+4]
+include::./cloud-native-security/cspm-findings-page.asciidoc[leveloffset=+4]
+include::./cloud-native-security/benchmark-rules.asciidoc[leveloffset=+4]
+include::./cloud-native-security/cspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4]
+include::./cloud-native-security/cspm-security-posture-faq.asciidoc[leveloffset=+4]
+include::./cloud-native-security/kspm.asciidoc[leveloffset=+3]
+include::./cloud-native-security/get-started-with-kspm.asciidoc[leveloffset=+4]
+include::./cloud-native-security/kspm-cspm-findings-page.asciidoc[leveloffset=+4]
+include::./cloud-native-security/kspm-benchmark-rules.asciidoc[leveloffset=+4]
+include::./cloud-native-security/kspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4]
+include::./cloud-native-security/security-posture-faq.asciidoc[leveloffset=+4]
+include::./cloud-native-security/vuln-management-overview.asciidoc[leveloffset=+3]
+include::./cloud-native-security/vuln-management-get-started.asciidoc[leveloffset=+4]
+include::./cloud-native-security/vuln-management-findings.asciidoc[leveloffset=+4]
+include::./cloud-native-security/vuln-management-dashboard-dash.asciidoc[leveloffset=+4]
+include::./cloud-native-security/vuln-management-faq.asciidoc[leveloffset=+4]
+include::./cloud-native-security/d4c-overview.asciidoc[leveloffset=+3]
+include::./cloud-native-security/d4c-get-started.asciidoc[leveloffset=+4]
+include::./cloud-native-security/d4c-policy-guide.asciidoc[leveloffset=+4]
+include::./cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc[leveloffset=+4]
+include::./cloud-native-security/cloud-workload-protection.asciidoc[leveloffset=+3]
+include::./cloud-native-security/environment-variable-capture.asciidoc[leveloffset=+4]
+
+include::./explore/explore-your-data.asciidoc[leveloffset=+2]
+include::./explore/hosts-overview.asciidoc[leveloffset=+3]
+include::./explore/network-page-overview.asciidoc[leveloffset=+3]
+include::./explore/conf-map-ui.asciidoc[leveloffset=+4]
+include::./explore/users-page.asciidoc[leveloffset=+3]
+include::./explore/data-views-in-sec.asciidoc[leveloffset=+3]
+include::./explore/runtime-fields.asciidoc[leveloffset=+3]
+include::./explore/siem-field-reference.asciidoc[leveloffset=+3]
+
+include::./dashboards/dashboards-overview.asciidoc[leveloffset=+2]
+include::./dashboards/overview-dashboard.asciidoc[leveloffset=+3]
+include::./dashboards/detection-response-dashboard.asciidoc[leveloffset=+3]
+include::./dashboards/kubernetes-dashboard-dash.asciidoc[leveloffset=+3]
+include::./dashboards/cloud-posture-dashboard-dash.asciidoc[leveloffset=+3]
+include::./dashboards/detection-entity-dashboard.asciidoc[leveloffset=+3]
+include::./dashboards/data-quality-dash.asciidoc[leveloffset=+3]
+include::./dashboards/vuln-management-dashboard-dash.asciidoc[leveloffset=+3]
+include::./dashboards/rule-monitoring-dashboard.asciidoc[leveloffset=+3]
+
+include::./rules/detection-engine-overview.asciidoc[leveloffset=+2]
+include::./rules/detections-permissions-section.asciidoc[leveloffset=+3]
+
+include::./rules/about-rules.asciidoc[leveloffset=+2]
+include::./rules/rules-ui-create.asciidoc[leveloffset=+3]
+include::./rules/interactive-investigation-guides.asciidoc[leveloffset=+4]
+include::./rules/building-block-rule.asciidoc[leveloffset=+4]
+include::./rules/prebuilt-rules/prebuilt-rules-management.asciidoc[leveloffset=+3]
+include::./rules/rules-ui-management.asciidoc[leveloffset=+3]
+include::./rules/alerts-ui-monitor.asciidoc[leveloffset=+3]
+include::./rules/detections-ui-exceptions.asciidoc[leveloffset=+3]
+include::./rules/value-lists-exceptions.asciidoc[leveloffset=+4]
+include::./rules/add-exceptions.asciidoc[leveloffset=+4]
+include::./rules/shared-exception-lists.asciidoc[leveloffset=+4]
+include::./rules/rules-coverage.asciidoc[leveloffset=+3]
+include::./rules/tuning-detection-signals.asciidoc[leveloffset=+3]
+include::./rules/prebuilt-rules/prebuilt-rules.asciidoc[leveloffset=+3]
+
+include::./alerts/alerts-ui-manage.asciidoc[leveloffset=+2]
+include::./alerts/visualize-alerts.asciidoc[leveloffset=+3]
+include::./alerts/view-alert-details.asciidoc[leveloffset=+3]
+include::./alerts/signals-to-cases.asciidoc[leveloffset=+3]
+include::./alerts/alert-suppression.asciidoc[leveloffset=+3]
+include::./alerts/reduce-notifications-alerts.asciidoc[leveloffset=+3]
+include::./alerts/query-alert-indices.asciidoc[leveloffset=+3]
+include::./alerts/alert-schema.asciidoc[leveloffset=+3]
+
+include::./advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc[leveloffset=+2]
+include::./advanced-entity-analytics/entity-risk-scoring.asciidoc[leveloffset=+3]
+include::./advanced-entity-analytics/ers-req.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/turn-on-risk-engine.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/analyze-risk-score-data.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/advanced-behavioral-detections.asciidoc[leveloffset=+3]
+include::./advanced-entity-analytics/ml-requirements.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/machine-learning.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/tuning-anomaly-results.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/behavioral-detection-use-cases.asciidoc[leveloffset=+4]
+include::./advanced-entity-analytics/prebuilt-ml-jobs.asciidoc[leveloffset=+4]
+
+include::./investigate/investigate-events.asciidoc[leveloffset=+2]
+include::./investigate/timelines-ui.asciidoc[leveloffset=+3]
+include::./investigate/timeline-templates-ui.asciidoc[leveloffset=+4]
+include::./investigate/timeline-object-schema.asciidoc[leveloffset=+4]
+include::./alerts/visual-event-analyzer.asciidoc[leveloffset=+3]
+include::./cloud-native-security/session-view.asciidoc[leveloffset=+3]
+include::./osquery/use-osquery.asciidoc[leveloffset=+3]
+include::./osquery/osquery-response-action.asciidoc[leveloffset=+4]
+include::./osquery/invest-guide-run-osquery.asciidoc[leveloffset=+4]
+include::./osquery/alerts-run-osquery.asciidoc[leveloffset=+4]
+include::./osquery/view-osquery-results.asciidoc[leveloffset=+4]
+include::./osquery/osquery-placeholder-fields.asciidoc[leveloffset=+4]
+include::./investigate/add-manage-notes.asciidoc[leveloffset=+3]
+include::./investigate/indicators-of-compromise.asciidoc[leveloffset=+3]
+include::./investigate/cases-overview.asciidoc[leveloffset=+3]
+include::./investigate/case-permissions.asciidoc[leveloffset=+4]
+include::./investigate/cases-open-manage.asciidoc[leveloffset=+4]
+include::./investigate/cases-settings.asciidoc[leveloffset=+4]
+
+include::./assets/asset-management.asciidoc[leveloffset=+2]
+
+include::./settings/manage-settings.asciidoc[leveloffset=+2]
+include::./settings/project-settings.asciidoc[leveloffset=+3]
+include::./settings/advanced-settings.asciidoc[leveloffset=+3]
+
+include::./troubleshooting/troubleshooting-intro.asciidoc[leveloffset=+2]
+include::./troubleshooting/ts-detection-rules.asciidoc[leveloffset=+3]
+include::./troubleshooting/troubleshoot-endpoints.asciidoc[leveloffset=+3]
+
+include::./technical-preview-limitations.asciidoc[leveloffset=+2]

docs/serverless/investigate/investigate-events.asciidoc

@@ -0,0 +1,17 @@
+[[security-investigate-events]]
+= Investigation tools
+
+// :description: Investigate security events and track security issues in {elastic-sec}.
+// :keywords: serverless, security, overview
+
+preview:[]
+
+The following sections describe tools for investigating security events and tracking security issues directly in {elastic-sec}.
+
+These features are available in the {security-app}'s side navigation menu:
+
+* <<security-cases-overview,**Cases**>>: Track investigation details about security issues.
+* **Investigations** → <<security-timelines-ui,**Timelines**>>: Workspace for investigations and threat hunting.
+* **Investigations** → <<security-query-operating-systems,**Osquery**>>: Run live and scheduled queries on operating systems.
+* <<security-indicators-of-compromise,**Intelligence**>>: Indicators of compromise used for threat intelligence.
+* <<security-add-manage-notes,**Notes**>>: Use notes to coordinate responses, conduct threat hunting, and share investigative findings.