[9.2] Device Control

solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md

@@ -40,12 +40,13 @@ To configure an integration policy:
     * [Memory threat protection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#memory-protection)
     * [Malicious behavior protection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#behavior-protection)
     * [Attack surface reduction](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#attack-surface-reduction)
+    * [Device control](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#device-control)
     * [Event collection](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#event-collection)
     * [Register {{elastic-sec}} as antivirus (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#register-as-antivirus)
     * [Advanced policy settings (optional)](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings)
     * [Save the general policy settings](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#save-policy)
 
-4. Click the **Trusted applications**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md), [Event filters](/solutions/security/manage-elastic-defend/event-filters.md), [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md), and [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md)). On these tabs, you can:
+4. Click the **Trusted applications**, **Trusted devices**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md), [Event filters](/solutions/security/manage-elastic-defend/event-filters.md), [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md), and [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md)). On these tabs, you can:
 
     * Expand and view an artifact: Click the arrow next to its name.
     * View an artifact’s details: Click the actions menu (**…**), then select **View full details**.
@@ -230,6 +231,24 @@ In {{serverless-short}}, attack surface reduction requires the Endpoint Protecti
 :screenshot:
 :::
 
+## Device control [device-control]
+
+```yaml {applies_to}
+stack: ga 9.2
+serverless: ga
+```
+
+Device control helps protect your organization from data loss, malware, and unauthorized access by managing which devices can connect to your computers. Specifically, it restricts which external USB storage devices can connect to endpoints that have {{elastic-defend}} installed. 
+
+To configure Device Control for one or more hosts, edit the {{elastic-defend}} policy that affects those hosts. Your policy specifies which operations these devices are allowed to take on a host. You can create [Trusted Devices](/solutions/security/manage-elastic-defend/trusted-devices.md) to define exceptions to your policy for specific devices. 
+
+
+:::{image} /solutions/images/security-defend-policy-device-control.png
+:alt: Detail of device control section.
+:screenshot:
+:::
+
+By default, each new {{kib}} instance includes a Device Control dashboard. When at least one of your {{elastic-defend}} policies has Device Control enabled, the dashboard displays data about attempted device connections and their outcomes. To access it and review information about blocked connections, search for `device control` in the **Dashboards** page's Custom Dashboards section.
 
 ## Event collection [event-collection]
 

solutions/security/manage-elastic-defend/trusted-devices.md

@@ -0,0 +1,35 @@
+---
+applies_to:
+  stack: ga 9.2
+  serverless:
+    security: all
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Trusted devices
+
+By default, new {{elastic-defend}} policies have Device Control enabled, with all operations set to **Block**. This prevents external storage devices from connecting to protected hosts.
+
+Trusted Devices are specific external devices that are allowed to connect to your protected hosts regardless of Device Control settings. Create Trusted Devices to avoid interfering with expected workflows that involve known hardware. Trusted Devices can apply to a specific policy, or globally to all policies. 
+
+## Add Trusted Devices to exempt them from Device Control
+
+1. Go to the **Trusted Devices** page using the navigation menu or the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
+2. Click **+ Add trusted device**. The Add trusted device flyout opens.
+3. Name your trusted device and give it a description. 
+4. In the **Conditions** section, specify the operating system and the `Device ID`. 
+5. Select either **Global** or **Per policy**.
+6. Click **Add trusted device**.
+
+## Add a Trusted Device to a policy
+
+1. Navigate to the {{elastic-defend}} policy to which you want to add a Trusted Device.
+2. Go to the **Trusted Devices** tab, and click **Assign trusted devices to policy**.
+3. Next, select one or more existing trusted devices, then click **+ Assign trusted devices to policy**.
+
+
+## View the Device Control dashboard
+
+By default, each new {{kib}} instance includes a Device Control dashboard. When at least one of your {{elastic-defend}} policies has Device Control enabled, the dashboard displays data about attempted device connections and their outcomes. To access it and review information about blocked connections, search for `device control` in the **Dashboards** page's Custom Dashboards section.

solutions/toc.yml

@@ -621,6 +621,7 @@ toc:
           - file: security/manage-elastic-defend/endpoints.md
           - file: security/manage-elastic-defend/policies.md
           - file: security/manage-elastic-defend/trusted-applications.md
+          - file: security/manage-elastic-defend/trusted-devices.md
           - file: security/manage-elastic-defend/event-filters.md
           - file: security/manage-elastic-defend/host-isolation-exceptions.md
           - file: security/manage-elastic-defend/blocklist.md