Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ products:

# Configure an integration policy for {{elastic-defend}}

After the {{agent}} is installed with the {{elastic-defend}} integration, several protections features — including preventions against malware, ransomware, memory threats, and malicious behavior — are automatically enabled on protected hosts. If needed, you can update the integration policy to configure protection settings, event collection, antivirus settings, trusted applications, event filters, host isolation exceptions, and blocked applications to meet your organization’s security needs.
After the {{agent}} is installed with the {{elastic-defend}} integration, several protections features — including preventions against malware, ransomware, memory threats, and malicious behavior — are automatically enabled on protected hosts. If needed, you can update the integration policy to configure protection settings, event collection, antivirus settings, trusted applications, trusted devices, event filters, host isolation exceptions, and blocked applications to meet your organization’s security needs.

You can also create multiple {{elastic-defend}} integration policies to maintain unique configuration profiles. To create an additional {{elastic-defend}} integration policy, find **Integrations** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then follow the steps for [adding the {{elastic-defend}} integration](/solutions/security/configure-elastic-defend/install-elastic-defend.md#add-security-integration).

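Review bot: since this sentence is being edited anyway, fix the pre-existing typo in the + line, "several protections features" should read "several protection features"; the inserted "trusted devices" item itself sits in the same position as the new **Trusted devices** tab in step 4 below, so the ordering is consistent.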
Expand All @@ -40,12 +40,13 @@ To configure an integration policy:
* [Memory threat protection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#memory-protection)
* [Malicious behavior protection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#behavior-protection)
* [Attack surface reduction](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#attack-surface-reduction)
* [Device control](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#device-control)
* [Event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection)
* [Register {{elastic-sec}} as antivirus (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#register-as-antivirus)
* [Advanced policy settings (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings)
* [Save the general policy settings](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#save-policy)

4. Click the **Trusted applications**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md), [Event filters](/solutions/security/manage-elastic-defend/event-filters.md), [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md), and [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md)). On these tabs, you can:
4. Click the **Trusted applications**, **Trusted devices**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md), [Trusted devices](/solutions/security/manage-elastic-defend/trusted-devices.md), [Event filters](/solutions/security/manage-elastic-defend/event-filters.md), [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md), and [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md)). On these tabs, you can:

* Expand and view an artifact: Click the arrow next to its name.
* View an artifact’s details: Click the actions menu (**…**), then select **View full details**.
Expand Down Expand Up @@ -230,6 +231,24 @@ In {{serverless-short}}, attack surface reduction requires the Endpoint Protecti
:screenshot:
:::

## Device control [device-control]

```yaml {applies_to}
stack: ga 9.2
serverless: ga
```

Device control helps protect your organization from data loss, malware, and unauthorized access by managing which devices can connect to your computers. Specifically, it restricts which external USB storage devices can connect to hosts that have {{elastic-defend}} installed.

To configure device control for one or more hosts, edit the {{elastic-defend}} policy that affects those hosts. Your policy specifies which operations these devices are allowed to take on a host. You can create [trusted devices](/solutions/security/manage-elastic-defend/trusted-devices.md) to define exceptions to your policy for specific devices.


:::{image} /solutions/images/security-defend-policy-device-control.png
:alt: Detail of device control section.
:screenshot:
:::

By default, each {{kib}} instance includes a Device Control dashboard. When at least one of your {{elastic-defend}} policies has device control enabled, the dashboard displays data about attempted device connections and their outcomes. To access it and review information about blocked connections, search for `device control` in the **Dashboards** page's **Custom Dashboards** section.

## Event collection [event-collection]

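Review bot: the paragraph beginning "To configure device control for one or more hosts" says the policy "specifies which operations these devices are allowed to take on a host" but never names the selectable access levels or the default, while the new trusted-devices.md page in this PR asserts that device control is enabled by default with the access level set to block all operations; document the default and the available levels here, where the policy setting lives, so the two pages agree. Also drop one of the two blank lines immediately before the `:::{image}` directive to match the spacing used for the other screenshots in this file.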
Expand Up @@ -41,6 +41,7 @@ For each of the following sub-feature privileges, select the type of access you
| **Automatic Troubleshooting** |Access [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/automatic-troubleshooting.md) to check if your hosts have third-party AV software installed.<br><br>**Note:** In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. |
| **Global Artifact Management** {applies_to}`stack: ga 9.1` | Manage global assignment of endpoint artifacts (e.g., trusted applications, event filters) across all spaces and policies. This privilege controls global assignment rights only; privileges for each artifact type are required for full artifact management. |
| **Trusted Applications** | Access the [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md) page to remediate conflicts with other software, such as antivirus or endpoint security applications. |
| **Trusted Devices** {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga`| Access the [Trusted devices](/solutions/security/manage-elastic-defend/trusted-devices.md) page to specify which trusted devices can connect to hosts with [Device Control](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#device-control) enabled.
| **Host Isolation Exceptions** | Access the [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md) page to add specific IP addresses that isolated hosts can still communicate with. |
| **Blocklist** | Access the [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md) page to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. |
| **Event Filters** | Access the [Event Filters](/solutions/security/manage-elastic-defend/event-filters.md) page to filter out endpoint events that you don’t want stored in {{es}}. |
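Review bot: the new **Trusted Devices** row is missing the trailing ` |` cell delimiter that every other row in this table ends with, and there is no space between the second `{applies_to}` badge and the `|`; change the cell boundary to `{applies_to}`serverless: ga` | Access the ...` and end the line with ` |` so the table renders with the same columns as the rows around it.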
Expand Up @@ -145,4 +145,4 @@ You can delete a trusted application, which removes it entirely from all {{elast
To delete a trusted application:

1. Click the actions menu (**…**) on the trusted application you want to delete, then select **Delete trusted application**.
2. On the dialog that opens, verify that you are removing the correct application, then click **Delete**. A confirmation message is displayed.
2. On the dialog that opens, verify that you are removing the correct application, then click **Delete**. A confirmation message appears.
62 changes: 62 additions & 0 deletions solutions/security/manage-elastic-defend/trusted-devices.md
@@ -0,0 +1,62 @@
---
applies_to:
stack: ga 9.2
serverless:
security: ga
products:
- id: security
- id: cloud-serverless
---

# Trusted devices

By default, {{elastic-defend}} policies have [device control](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#device-control) enabled, with access level set to block all operations. This prevents external storage devices from connecting to protected hosts.

Trusted devices are specific external devices that are allowed to connect to your protected hosts regardless of device control settings. Create trusted devices to avoid interfering with expected workflows that involve known hardware.

By default, a trusted device is recognized globally across all hosts running {{elastic-defend}}. You can also assign a trusted device to a specific {{elastic-defend}} integration policy, enabling the device to be trusted by only the hosts assigned to that policy.

## Add a trusted device

Add a trusted device to exempt it from device control:

1. Go to the **Trusted Devices** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
2. Click **+ Add trusted device**. The Add trusted device flyout opens.
3. Name your trusted device and give it a description.
4. In the **Conditions** section, specify the operating system(s) and the `Device ID`.
5. Select an option in the **Assignment** section:
* **Global**: Assign the trusted device to all {{elastic-defend}} integration policies.
* **Per Policy**: Assign the trusted device to one or more specific {{elastic-defend}} integration policies.
6. Click **Add trusted device**.

## View and manage trusted devices

## View and manage trusted devices

The **Trusted devices** page displays all the trusted devices that have been added to the {{security-app}}. To refine the list, use the search bar to search by name, description, or field value.

:::{image} /solutions/images/security-trusted-devices-list.png
:alt: trusted apps list
:screenshot:
:::


### Edit a trusted application [edit-trusted-app]

You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to.

To edit a trusted application:

1. Click the actions menu (**…**) on the trusted application you want to edit, then select **Edit trusted device**.
2. Modify details as needed.
3. Click **Save**.


### Delete a trusted device

You can delete a trusted device, which removes it entirely from all {{elastic-defend}} integration policies.

To delete a trusted device:

1. Click the actions menu (**…**) on the trusted device you want to delete, then select **Delete trusted device**.
2. On the dialog that opens, verify that you are removing the correct device, then click **Delete**. A confirmation message appears.
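Review bot: copy-paste leftovers from trusted-applications.md need cleaning up in this new file: the `## View and manage trusted devices` heading appears twice in a row; the screenshot alt text still reads "trusted apps list"; and the `### Edit a trusted application [edit-trusted-app]` subsection refers to "trusted application" in its heading and all three following sentences while the menu item it describes is **Edit trusted device**, so rename it to `### Edit a trusted device [edit-trusted-device]` and replace "application" with "device" in that body. Separately, the opening paragraph states that device control is enabled by default "with access level set to block all operations", which the device control section added to the policy page in this PR does not say; make sure both pages state the same default. Minor: step 4 formats `Device ID` as code while the other UI fields in the procedure are bold, and the double blank lines before `### Edit` and `### Delete` can be collapsed to one.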
1 change: 1 addition & 0 deletions solutions/toc.yml
Expand Up @@ -625,6 +625,7 @@ toc:
- file: security/manage-elastic-defend/endpoints.md
- file: security/manage-elastic-defend/policies.md
- file: security/manage-elastic-defend/trusted-applications.md
- file: security/manage-elastic-defend/trusted-devices.md
- file: security/manage-elastic-defend/event-filters.md
- file: security/manage-elastic-defend/host-isolation-exceptions.md
- file: security/manage-elastic-defend/blocklist.md