[DOCS] New section for AWP docs (#2629)

* first draft

* Adds K8s dash section, minor tweaks

* Adds outline to CWP landing pg

* Incorporates various updates

* Fixes ToC order of articles

* Incorporates Joe's feedback

* Update docs/cloud-native-security/cloud-workload-protection.asciidoc

Co-authored-by: Janeen Mikell Roberts <[email protected]>

* Update docs/cloud-native-security/cloud-workload-protection.asciidoc

Co-authored-by: Janeen Mikell Roberts <[email protected]>

* Update docs/cloud-native-security/cloud-workload-protection.asciidoc

Co-authored-by: Janeen Mikell Roberts <[email protected]>

* Update docs/cloud-native-security/cloud-workload-protection.asciidoc

Co-authored-by: Janeen Mikell Roberts <[email protected]>

Co-authored-by: Janeen Mikell Roberts <[email protected]>

Author: benironside

docs/cloud-native-security/cloud-nat-sec-kubernetes-dashboard.asciidoc

@@ -0,0 +1,89 @@
+[[cloud-nat-sec-kubernetes-dashboard]]
+// Note: This page is intentionally duplicated by docs/dashboards/kubernetes-dashboard.asciidoc. When you update this page, update that page to match. And careful with the anchor links because they should not match.
+
+== Kubernetes dashboard
+
+The Kubernetes dashboard provides insight into Linux process data from your Kubernetes clusters. It shows sessions in detail and in the context of your monitored infrastructure.
+
+image::images/kubernetes-dashboard.png[The Kubernetes dashboard, with numbered labels 1 through 3 for major sections]
+The numbered sections are described below:
+
+  1. The charts at the top of the dashboard provide an overview of your monitored Kubernetes infrastructure. You can hide them by clicking *Hide charts*.
+  2. The tree navigation menu allows you to navigate through your deployments and select the scope of the sessions table to the right. You can select any item in the menu to show its sessions. In Logical view, the menu is organized by Cluster, Namespace, Pod, and Container image. In Infrastructure view, it is organized by Cluster, Node, Pod, and Container image.
+  3. The sessions table displays sessions collected from the selected element of your Kubernetes infrastructure. You can view it in fullscreen by selecting the button in the table's upper right corner. You can sort the table by any of its fields.
+
+You can filter the data using the KQL search bar and date picker at the top of the page.
+
+From the sessions table's Actions column, you can take the following investigative actions:
+
+- View details
+- <<timelines-ui,Open in Timeline>>
+- <<alerts-run-osquery, Run Osquery>>
+- <<visual-event-analyzer, Analyze event>>
+- <<session-view, Open Session View>>
+
+Session View displays Kubernetes metadata under the *Metadata* tab of the Detail panel:
+
+image::images/metadata-tab.png[The Detail panel's metadata tab]
+
+The *Metadata* tab is organized into these expandable sections:
+
+- *Metadata:* `hostname`, `id`, `ip`, `mac`, `name`, Host OS information
+- *Cloud:* `instance.name`, `provider`, `region`, `account.id`, `project.id`
+- *Container:* `id`, `name`, `image.name`, `image.tag`, `image.hash.all`
+- *Orchestrator:* `resource.ip`, `resource.name`, `resource.type`, `namespace`, `cluster.id`, `cluster.name`, `parent.type`
+
+
+[discrete]
+[[cloud-nat-sec-k8s-dash-setup]]
+== Setup
+To collect session data for the dashboard, you'll deploy a Kubernetes DaemonSet to your clusters that implements the {elastic-defend} integration.
+
+**Prerequisites**:
+
+- This feature requires Elastic Stack version 8.4 or newer.
+- You need an active {fleet-guide}/fleet-overview.html[{fleet} Server].
+- Your Elastic deployment must have the {elastic-defend} integration <<install-endpoint,enabled>>.
+- The {elastic-defend} integration policy must have **Include session data** set to `true`. To modify this setting, go to **Manage -> Policies**, select your policy, and find `Include session data` near the bottom of the `Policy settings` tab.
+
+**Support matrix**: This feature is currently available on GKE and EKS using Linux hosts and Kubernetes versions that match the following specifications:
+|=====================
+| | **Kubernetes versions** | **Node OSes**
+|**EKS**| 1.18; 1.19; 1.20; 1.21 | Amazon Linux 2, Bottlerocket OS
+|**GKE**| Regular (default channel): 1.21 and 1.22; Stable: 1.20 and 1.21; Rapid: 1.22 and 1.23 | Container-optimized OS (COS), Ubuntu
+|=====================
+
+[discrete]
+=== Download and modify the DaemonSet manifest
+The DaemonSet integrates {elastic-endpoint} into your Kubernetes cluster. The {agent} is enrolled to a running {fleet-server} using the `FLEET_URL` parameter, and connected to a specific {agent} policy using the `FLEET_ENROLLMENT_TOKEN`.
+
+You first need to download the DaemonSet manifest `.yaml`, then modify it to include your {fleet} URL and Enrollment Token before you deploy it to the clusters you want to monitor.
+
+. Download the DaemonSet manifest using this command:
++
+[source,console]
+----
+curl -L -O https://raw.githubusercontent.com/elastic/endpoint/main/releases/8.5.0/kubernetes/deploy/elastic-defend.yaml
+----
+
+. Fill in the manifest's `FLEET_URL` field with your {fleet} server's `Host URL`. To find it, go to **{kib} -> Management -> {fleet} -> Settings**. For more information, refer to {fleet-guide}/fleet-settings.html[Fleet UI settings].
+. Fill in the manifest's `FLEET_ENROLLMENT_TOKEN` field with a Fleet enrollment token. To find one, go to **{kib} -> Management -> {fleet} -> Enrollment tokens**. For more information, refer to {fleet-guide}/fleet-enrollment-tokens.html[Fleet enrollment tokens].
+
+
+[discrete]
+=== Apply the modified manifest to your cluster or clusters
+
+To ensure you install {elastic-endpoint} on the desired Kubernetes cluster(s), set the default context using command: `kubectl config use-context <name-of-context>`.
+To check which contexts exist, use `kubectl config get-contexts` to list them from your local kubectl config file. An asterisk indicates the current default context.
+
+You can repeat the following steps for multiple contexts.
+
+**Example:**
+
+- Apply the manifest to a cluster: `kubectl apply -f elastic-endpoint-security.yaml`
+- Check the DaemonSet’s status: `kubectl get pods -A`
+
+Once the DaemonSet is running, Elastic Endpoint will start sending Linux session data from Kubernetes to {kib}. You can then view that data from the Kubernetes dashboard.
+
+
+IMPORTANT: This dashboard uses data from the `logs-*` index pattern, which is included by default in the <<advanced-settings,`securitySolution:defaultIndex` advanced setting>>. To collect data from multiple {es} clusters (as in a cross-cluster deployment), update `logs-*` to `*:logs-*`.

docs/cloud-native-security/cloud-native-security-index.asciidoc

@@ -9,3 +9,6 @@ include::findings.asciidoc[leveloffset=+1]
 include::benchmark-rules.asciidoc[leveloffset=+1]
 include::cloud-nat-sec-posture-dashboard.asciidoc[leveloffset=+1]
 include::kspm-faq.asciidoc[leveloffset=+1]
+include::cloud-workload-protection.asciidoc[leveloffset=+1]
+include::session-view.asciidoc[leveloffset=+1]
+include::cloud-nat-sec-kubernetes-dashboard.asciidoc[leveloffset=+1]

docs/cloud-native-security/cloud-workload-protection.asciidoc

@@ -0,0 +1,19 @@
+[[cloud-workload-protection]]
+= Cloud workload protection
+
+Cloud workload protection helps you monitor and protect your Linux hosts and Kubernetes runtimes. It uses the <<install-endpoint,{elastic-defend}>> integration to capture cloud workload telemetry containing process, file, and network activity. In Kubernetes environments, this telemetry is further enriched with metadata that enables you to isolate events in your cloud topography.
+
+This telemetry also enables the automated identification of cloud threats with out-of-the-box detection rules and machine learning models. Alerts based on these detections can reduce the time to identify and remediate threats.
+
+[discrete]
+== Use cases
+
+* **Runtime monitoring of cloud workloads:** Provides visibility into cloud workloads, context for detected threats, and the historical data needed for retroactive threat investigations.
+* **Cloud-native threat detection and prevention:** Provides security coverage for Linux, containers, Kubernetes, and serverless applications. Protects from known and unknown threats using on-host detections and protections against malicious behavior, memory threats, and malware.
+* **Reducing the time to detect and remediate runtime threats:** Helps you resolve potential threats by showing alerts in context, making the data necessary for further investigations readily available, and providing remediation options.
+
+To continue setting up your cloud workload protection, learn more about:
+
+* <<install-endpoint,*Getting started with {elastic-defend}*>>: configure {elastic-defend} to protect your hosts. Be sure to select one of the "Cloud workloads" presets if you want to collect session data by default, including process, file, and network telemetry.
+* <<session-view,*Session view*>>: examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. Use it to monitor and investigate session activity, and to understand user and service behavior on your Linux infrastructure.
+* <<cloud-nat-sec-kubernetes-dashboard,*The Kubernetes dashboard*>>: Explore an overview of your protected Kubernetes clusters, and drill down into individual sessions within your Kubernetes infrastructure.

docs/detections/session-view.asciidoc renamed to docs/cloud-native-security/session-view.asciidoc

@@ -24,8 +24,6 @@ include::alerts-add-to-cases.asciidoc[leveloffset=+1]
 
 include::visual-event-analyzer.asciidoc[]
 
-include::session-view.asciidoc[]
-
 include::query-alert-indices.asciidoc[]
 
 include::prebuilt-rules/tune-rule-signals.asciidoc[]