@szwarckonrad szwarckonrad commented Dec 3, 2025

Summary

This PR adds Automatic Troubleshooting knowledge base documentation for policy response failures to the endpoint package. These docs will be automatically indexed by Fleet into the .integration_knowledge system index when the package is installed.

Part of the broader effort to migrate KB context docs from Kibana's Elastic Assistant plugin to the endpoint package, enabling out-of-band updates independent of Kibana releases.

Changes

Knowledge Base Documents

  • Added 14 markdown files under package/endpoint/docs/knowledge_base/automatic_troubleshooting/policy_response_failures/
    • 4 Linux troubleshooting docs
    • 6 macOS troubleshooting docs
    • 4 Windows troubleshooting docs

Document Headers

Updated frontmatter format from:

type: policy_response_failure

To:

type: automatic_troubleshooting
sub_type: policy_response_failure

This prepares for future expansion with additional insight types beyond policy response failures.

Package Configuration

  • Updated manifest.yml: Version 9.2.0 → 9.3.0-next, Kibana version requirement ^9.2.0 → ^9.3.0
  • Updated changelog.yml: Added entry for knowledge base docs addition

File Structure

package/endpoint/docs/knowledge_base/
└── automatic_troubleshooting/
    └── policy_response_failures/
        ├── linux_agent_connectivity.md
        ├── linux_configure_malware.md
        ├── linux_download_user_artifacts.md
        ├── linux_outdated_protection_artifacts.md
        ├── macos_agent_connectivity.md
        ├── macos_connect_kernel.md
        ├── macos_detect_network_events.md
        ├── macos_download_user_artifacts.md
        ├── macos_full_disk_access.md
        ├── macos_outdated_protection_artifacts.md
        ├── windows_agent_connectivity.md
        ├── windows_connect_kernel.md
        ├── windows_download_user_artifacts.md
        └── windows_outdated_protection_artifacts.md

Testing

Prerequisites

  1. Started Elasticsearch with trial license: yarn es snapshot --license trial
  2. Deployed ELSER model (.elser_model_2) required for semantic text indexing
  3. Configured Kibana with experimental feature flag installIntegrationsKnowledge
  4. Started local package registry: make run-registry
  5. Configured Kibana: xpack.fleet.registryUrl: "http://127.0.0.1:8080"

Test Steps

  1. Package Registry: Verified 9.3.0-next version available via curl "http://localhost:8080/search?package=endpoint&prerelease=true"
  2. Installation: Installed endpoint package 9.3.0-next through Kibana UI (Management → Integrations)
  3. Verification: Confirmed all 14 KB docs indexed to .integration_knowledge with correct nested paths

Verification Query

GET /.integration_knowledge/_search
{
  "query": {
    "term": {
      "package_name": "endpoint"
    }
  }
}

Results: All 14 documents indexed with:

  • package_name: "endpoint"
  • filename: Preserved nested paths like "automatic_troubleshooting/policy_response_failures/linux_agent_connectivity.md"
  • content: Full markdown with updated frontmatter headers
  • version: "9.3.0-next"

Closes https://github.com/elastic/security-team/issues/14877
Part of https://github.com/elastic/security-team/issues/14786

@szwarckonrad

@pzl
https://github.com/elastic/endpoint-package/blob/add-automatic-troubleshooting-kb-docs/package/endpoint/docs/README.md is being indexed by Fleet because it’s an .md file inside the package’s docs/ directory. We should move it out, but I’m not sure what the right home is ;)

@szwarckonrad szwarckonrad requested review from joeypoon and pzl December 3, 2025 14:56
@szwarckonrad szwarckonrad marked this pull request as ready for review December 3, 2025 14:56
@szwarckonrad szwarckonrad requested a review from a team as a code owner December 3, 2025 14:56

@joeypoon joeypoon left a comment


thanks for adding these, looks great to me 🙆‍♂️.


pzl commented Dec 8, 2025

@pzl https://github.com/elastic/endpoint-package/blob/add-automatic-troubleshooting-kb-docs/package/endpoint/docs/README.md is being indexed by Fleet because it’s an .md file inside the package’s docs/ directory. We should move it out, but I’m not sure what the right home is ;)

I don't think moving that readme file is the appropriate fix. That is the correct path for an integration's primary readme file (spec) and is required at that location. You may be seeing a bug in Fleet's handling of that directory.


also to note, since I was double-checking the spec:

It looks like directories are not allowed in docs/knowledge_base/. The spec wants only .md files, without nested directories.

This package is out of spec in other places already, so we don't validate currently, but for legacy reasons. We should probably avoid adding more.
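A pre-packaging check for the two constraints raised in this thread (the new `type`/`sub_type` frontmatter header, and the spec's requirement that docs/knowledge_base hold only flat `.md` files). This is an added example, not code from endpoint-package or Fleet; the sample documents are constructed in memory.

```python
from pathlib import PurePosixPath

# Header values the PR switched the KB docs to.
REQUIRED_HEADERS = {
    "type": "automatic_troubleshooting",
    "sub_type": "policy_response_failure",
}


def parse_frontmatter(text: str) -> dict:
    """Return key/value pairs from a leading '---' frontmatter block.

    Only simple `key: value` lines are handled; an unterminated or missing
    block yields an empty dict so the caller reports missing headers.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    headers = {}
    for line in lines[1:]:
        if line.strip() == "---":
            return headers
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip()] = value.strip()
    return {}


def validate_kb_doc(rel_path: str, text: str) -> list:
    """Problems for one doc, relative to docs/knowledge_base/ (empty = valid)."""
    problems = []
    path = PurePosixPath(rel_path)
    if len(path.parts) != 1:  # spec: no nested directories
        problems.append(f"{rel_path}: nested directories are not allowed")
    if path.suffix != ".md":  # spec: only .md files
        problems.append(f"{rel_path}: only .md files are indexed")
    headers = parse_frontmatter(text)
    for key, expected in REQUIRED_HEADERS.items():
        if headers.get(key) != expected:
            problems.append(f"{rel_path}: {key} should be {expected!r}, got {headers.get(key)!r}")
    return problems


def validate_all(docs: dict) -> dict:
    """Map path -> problems for every doc that has at least one problem."""
    results = {p: validate_kb_doc(p, t) for p, t in docs.items()}
    return {p: probs for p, probs in results.items() if probs}


# Constructed samples: one doc in the flat layout with the new header, one
# still using the old nested path and the old single `type` header.
SAMPLE_DOCS = {
    "linux_agent_connectivity.md": "---\ntype: automatic_troubleshooting\nsub_type: policy_response_failure\n---\n# Linux agent connectivity\n",
    "automatic_troubleshooting/policy_response_failures/macos_full_disk_access.md": "---\ntype: policy_response_failure\n---\n# macOS Full Disk Access\n",
}
```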

@szwarckonrad

@pzl
Flattened the structure, now it's all *.md files directly under ../docs/knowledge_base

@pzl pzl left a comment


the *.md files are good!

I don't think the other package assets need changes as part of this

title: Elastic Defend
description: Protect your hosts and cloud workloads with threat prevention, detection, and deep security data visibility.
version: 9.2.0
version: 9.3.0
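Review bot: the manifest bump to `version: 9.3.0` disagrees with the PR summary, which reports the package as tested and indexed under `9.3.0-next` (the registry search and the `.integration_knowledge` results both cite that version); a bare `9.3.0` is the label a released package carries, so either use the prerelease-qualified version that was actually tested or leave the field unchanged and let the release process set it.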


if you want to set this to 9.3.0-prerelease.0 you can, but otherwise you can just leave this as is. 9.2.0 package shipped, this label is just behind. We can't merge with it set to 9.3.0 though

changes:
- description: Add Automatic Troubleshooting knowledge base documents for policy response failures
type: enhancement
link: https://github.com/elastic/endpoint-package/pull/705
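Review bot: in the changelog hunk, `type:` and `link:` sit at the same indentation as `changes:` instead of nested under the `- description:` list item, so as rendered the entry does not read as a single change object; if this block is kept rather than generated at release time, indent both keys under the list item so the entry is one mapping.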


this will be added as part of release process automatically

adding it now will fail some validations

@szwarckonrad

@pzl
Reverted changes to manifest and changelog.

@szwarckonrad szwarckonrad merged commit fa1f777 into main Dec 9, 2025
4 checks passed