Clarify trusted application behavior and alert #2822
Merged
The previous description for Trusted Applications was ambiguous. It contained these two statements:
- "Doesn’t monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc."
- "Might still generate malicious behavior alerts, if the application’s process events indicate malicious behavior."
For users unfamiliar with the underlying mechanics of Elastic Defend, this created a logical conflict: How can an application that "isn't monitored" for threats still generate a "malicious behavior alert"? This lack of clarity made it difficult for users to understand the feature's true behavior and configure it with confidence.
Solution
This change rewrites the description to be technically precise and to remove the ambiguity. The new text now clearly differentiates between two distinct layers of protection:
By explicitly defining these two concepts, the documentation now accurately explains how a trusted application can be exempt from direct scanning while still being subject to behavioral monitoring. This resolves the contradiction and provides a much clearer picture for our users.