diff --git a/raw-migrated-files/docs-content/serverless/security-deploy-elastic-endpoint-ven.md b/raw-migrated-files/docs-content/serverless/security-deploy-elastic-endpoint-ven.md deleted file mode 100644 index 1f8461ee31..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-deploy-elastic-endpoint-ven.md +++ /dev/null 
@@ -1,102 +0,0 @@ -# Enable access for macOS Ventura and higher [security-deploy-elastic-endpoint-ven] - -To properly install and configure {{elastic-defend}} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional: - -* [Approve the system extension](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md#system-extension-endpoint-ven) -* [Approve network content filtering](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md#allow-filter-content-ven) -* [Enable Full Disk Access](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md#enable-fda-endpoint-ven) - -::::{note} -The following permissions that need to be enabled are required after you [configure and install the {{elastic-defend}} integration](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md), which includes [enrolling the {{agent}}](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md#enroll-security-agent). - -:::: - - - -## Approve the system extension for {{elastic-endpoint}} [system-extension-endpoint-ven] - -For macOS Ventura (13.0) and later, {{elastic-endpoint}} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events. - -The following message appears during installation: - -:::{image} ../../../images/serverless--getting-started-install-endpoint-ven-system_extension_blocked_warning_ven.png -:alt: getting started install endpoint ven system extension blocked warning ven -:class: screenshot -::: - -1. Click **Open System Settings**. -2. 
In the left pane, click **Privacy & Security**. - - :::{image} ../../../images/serverless--getting-started-install-endpoint-ven-privacy_security_ven.png - :alt: getting started install endpoint ven privacy security ven - :class: screenshot - ::: - -3. On the right pane, scroll down to the Security section. Click **Allow** to allow the ElasticEndpoint system extension to load. - - :::{image} ../../../images/serverless--getting-started-install-endpoint-ven-allow_system_extension_ven.png - :alt: getting started install endpoint ven allow system extension ven - :class: screenshot - ::: - -4. Enter your username and password and click **Modify Settings** to save your changes. - - :::{image} ../../../images/serverless--getting-started-install-endpoint-ven-enter_login_details_to_confirm_ven.png - :alt: getting started install endpoint ven enter login details to confirm ven - :class: screenshot - ::: - - - -## Approve network content filtering for {{elastic-endpoint}} [allow-filter-content-ven] - -After successfully loading the ElasticEndpoint system extension, an additional message appears, asking to allow {{elastic-endpoint}} to filter network content. - -:::{image} ../../../images/serverless--getting-started-install-endpoint-ven-allow_network_filter_ven.png -:alt: getting started install endpoint ven allow network filter ven -:class: screenshot -::: - -Click **Allow** to enable content filtering for the ElasticEndpoint system extension. Without this approval, {{elastic-endpoint}} cannot receive network events and, therefore, cannot enable network-related features such as [host isolation](../../../solutions/security/endpoint-response-actions/isolate-host.md). - - -## Enable Full Disk Access for {{elastic-endpoint}} [enable-fda-endpoint-ven] - -{{elastic-endpoint}} requires Full Disk Access to subscribe to system events using the {{elastic-defend}} framework and to protect your network from malware and other cybersecurity threats. 
Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. - -If you have not granted Full Disk Access, the following notification prompt will appear. - -:::{image} ../../../images/serverless--getting-started-install-endpoint-ven-allow_full_disk_access_notification_ven.png -:alt: getting started install endpoint ven allow full disk access notification ven -:class: screenshot -::: - -To enable Full Disk Access, you must manually approve {{elastic-endpoint}}. - -::::{note} -The following instructions apply only to {{elastic-endpoint}} version 8.0.0 and later. Versions 7.17.0 and earlier are not supported. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame’s documentation. - -:::: - - -1. Open the **System Settings** application. -2. In the left pane, select **Privacy & Security**. - - :::{image} ../../../images/serverless--getting-started-install-endpoint-ven-privacy_security_ven.png - :alt: getting started install endpoint ven privacy security ven - :class: screenshot - ::: - -3. From the right pane, select **Full Disk Access**. - - :::{image} ../../../images/serverless--getting-started-install-endpoint-ven-select_fda_ven.png - :alt: Select Full Disk Access - :class: screenshot - ::: - -4. Enable `ElasticEndpoint` and `co.elastic` to properly enable Full Disk Access. - - :::{image} ../../../images/serverless--getting-started-install-endpoint-ven-allow_fda_ven.png - :alt: getting started install endpoint ven allow fda ven - :class: screenshot - ::: diff --git a/raw-migrated-files/docs-content/serverless/security-deploy-with-mdm.md b/raw-migrated-files/docs-content/serverless/security-deploy-with-mdm.md deleted file mode 100644 index c7fa463e25..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-deploy-with-mdm.md +++ /dev/null 
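Review bot: step 4 of the Full Disk Access section in this deleted copy tells the user to enable `ElasticEndpoint` and `co.elastic`, while the other deleted copy of the same page later in this patch (security-docs/security/deploy-elastic-endpoint-ven.md) names `co.elastic.systemextension`, which is also the bundle identifier the MDM profiles grant Full Disk Access to. `co.elastic` on its own reads like a truncated label, and a user scanning the Full Disk Access list for it may not find the entry. Before both sources are removed, confirm that the surviving enable-access-for-macos-ventura-higher.md page carries the full identifier, and that it resolves the version statement: this copy says "Versions 7.17.0 and earlier are not supported", the other copy gives a procedure for 7.17.0 and earlier.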
@@ -1,142 +0,0 @@ ---- -navigation_title: "Deploy on macOS with MDM" ---- - -# Deploy {{elastic-defend}} on macOS with mobile device management [security-deploy-with-mdm] - - -To silently install and deploy {{elastic-defend}} without the need for user interaction, you need to configure a mobile device management (MDM) profile for {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. This allows you to pre-approve the {{elastic-endpoint}} system extension and grant Full Disk Access to all the necessary components. - -This page explains how to deploy {{elastic-defend}} silently using Jamf. - - -## Configure a Jamf MDM profile [security-deploy-with-mdm-configure-a-jamf-mdm-profile] - -In Jamf, create a configuration profile for {{elastic-endpoint}}. Follow these steps to configure the profile: - -1. [Approve the system extension](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#security-deploy-with-mdm-approve-the-system-extension). -2. [Approve network content filtering](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#security-deploy-with-mdm-approve-network-content-filtering). -3. [Enable notifications](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#security-deploy-with-mdm-enable-notifications). -4. [Enable Full Disk Access](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#security-deploy-with-mdm-enable-full-disk-access). - - -### Approve the system extension [security-deploy-with-mdm-approve-the-system-extension] - -1. Select the **System Extensions** option to configure the system extension policy for the {{elastic-endpoint}} configuration profile. -2. Make sure that **Allow users to approve system extensions** is selected. -3. In the **Allowed Team IDs and System Extensions** section, add the {{elastic-endpoint}} system extension: - - 1. 
(Optional) Enter a **Display Name** for the {{elastic-endpoint}} system extension. - 2. From the **System Extension Types** dropdown, select **Allowed System Extensions**. - 3. Under **Team Identifier**, enter `2BT3HPN62Z`. - 4. Under **Allowed System Extensions**, enter `co.elastic.systemextension`. - -4. Save the configuration. - -:::{image} ../../../images/serverless-system-extension-jamf.png -:alt: system extension jamf -:class: screenshot -::: - - -### Approve network content filtering [security-deploy-with-mdm-approve-network-content-filtering] - -1. Select the **Content Filter** option to configure the Network Extension policy for the {{elastic-endpoint}} configuration profile. -2. Under **Filter Name**, enter `ElasticEndpoint`. -3. Under **Identifier**, enter `co.elastic.endpoint`. -4. In the **Socket Filter** section, fill in these fields: - - 1. **Socket Filter Bundle Identifier**: Enter `co.elastic.systemextension` - 2. **Socket Filter Designated Requirement**: Enter the following: - - ```txt - identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - -5. In the **Network Filter** section, fill in these fields: - - 1. **Network Filter Bundle Identifier**: Enter `co.elastic.systemextension` - 2. **Network Filter Designated Requirement**: Enter the following: - - ```txt - identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - -6. Save the configuration. - -:::{image} ../../../images/serverless-content-filtering-jamf.png -:alt: content filtering jamf -:class: screenshot -::: - - -### Enable notifications [security-deploy-with-mdm-enable-notifications] - -1. 
Select the **Notifications** option to configure the Notification Center policy for the {{elastic-endpoint}} configuration profile. -2. Under **App Name**, enter `Elastic Security.app`. -3. Under **Bundle ID**, enter `co.elastic.alert`. -4. In the **Settings** section, include these options with the following settings: - - 1. **Critical Alerts**: Enable - 2. **Notifications**: Enable - 3. **Banner alert type**: Persistent - 4. **Notifications on Lock Screen**: Display - 5. **Notifications in Notification Center**: Display - 6. **Badge app icon**: Display - 7. **Play sound for notifications**: Enable - -5. Save the configuration. - -:::{image} ../../../images/serverless-notifications-jamf.png -:alt: notifications jamf -:class: screenshot -::: - - -### Enable Full Disk Access [security-deploy-with-mdm-enable-full-disk-access] - -1. Select the **Privacy Preferences Policy Control** option to configure the Full Disk Access policy for the {{elastic-endpoint}} configuration profile. -2. Add a new entry with the following details: - - 1. Under **Identifier**, enter `co.elastic.systemextension`. - 2. From the **Identifier Type** dropdown, select **Bundle ID**. - 3. Under **Code Requirement**, enter the following: - - ```txt - identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - - 4. Make sure that **Validate the Static Code Requirement** is selected. - -3. Add a second entry with the following details: - - 1. Under **Identifier**, enter `co.elastic.endpoint`. - 2. From the **Identifier Type** dropdown, select **Bundle ID**. - 3. 
Under **Code Requirement**, enter the following: - - ```txt - identifier "co.elastic.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - - 4. Make sure that **Validate the Static Code Requirement** is selected. - -4. Add a third entry with the following details: - - 1. Under **Identifier**, enter `co.elastic.elastic-agent`. - 2. From the **Identifier Type** dropdown, select **Bundle ID**. - 3. Under **Code Requirement**, enter the following: - - ```txt - identifier "co.elastic.elastic-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - - 4. Make sure that **Validate the Static Code Requirement** is selected. - -5. Save the configuration. - -:::{image} ../../../images/serverless-fda-jamf.png -:alt: fda jamf -:class: screenshot -::: - -After you complete these steps, generate the mobile configuration profile and install it onto the macOS machines. Once the profile is installed, {{elastic-defend}} can be deployed without the need for user interaction. diff --git a/raw-migrated-files/docs-content/serverless/security-elastic-endpoint-deploy-reqs.md b/raw-migrated-files/docs-content/serverless/security-elastic-endpoint-deploy-reqs.md deleted file mode 100644 index 144ad3775e..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-elastic-endpoint-deploy-reqs.md +++ /dev/null 
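Review bot: the designated-requirement strings in the Content Filter and Privacy Preferences Policy Control sections are fenced as ```txt here but as ```shell in the security-docs copy of this page later in the patch. The surviving deploy-on-macos-with-mdm.md page should use one tag, and `txt` is the right one: these are code-signing requirement expressions to be pasted into Jamf fields, not commands, and a shell-tagged fence invites a reader to paste `identifier "co.elastic.systemextension" and anchor apple generic ...` into a terminal. While checking that, note that the three PPPC entries and the two filter entries repeat the same requirement with only the `identifier` clause changing; a one-line remark that the Team Identifier `2BT3HPN62Z` in `certificate leaf[subject.OU]` must match the value entered in the System Extensions section would help an admin who copies one entry and edits it.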
@@ -1,15 +0,0 @@ -# {{elastic-defend}} requirements [security-elastic-endpoint-deploy-reqs] - -To properly deploy {{elastic-defend}} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional. For more information, refer to the instructions for your macOS version: - -* [Enable access for macOS Monterey](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-monterey.md) -* [Enable access for macOS Ventura and higher](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md) - - -## Minimum system requirements [security-elastic-endpoint-deploy-reqs-minimum-system-requirements] - -| Requirement | Value | -| --- | --- | -| **CPU** | Under 2% | -| **Disk space** | 1 GB | -| **Resident set size (RSS) memory** | 500 MB | diff --git a/raw-migrated-files/docs-content/serverless/security-endpoint-data-volume.md b/raw-migrated-files/docs-content/serverless/security-endpoint-data-volume.md deleted file mode 100644 index 5bc95151dc..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-endpoint-data-volume.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -navigation_title: "Configure data volume" ---- - -# Configure {{elastic-endpoint}}'s data volume [security-endpoint-data-volume] - - -::::{note} -
-**This is a placeholder for future documentation.** - -
-:::: diff --git a/raw-migrated-files/docs-content/serverless/security-endpoint-diagnostic-data.md b/raw-migrated-files/docs-content/serverless/security-endpoint-diagnostic-data.md deleted file mode 100644 index 5d636404c3..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-endpoint-diagnostic-data.md +++ /dev/null @@ -1,20 +0,0 @@ -# Turn off diagnostic data for {{elastic-defend}} [security-endpoint-diagnostic-data] - -By default, {{elastic-defend}} streams diagnostic data to your cluster, which Elastic uses to tune protection features. You can stop producing this diagnostic data by configuring the advanced settings in the {{elastic-defend}} integration policy. - -::::{note} -{{elastic-sec}} also collects usage telemetry, which includes {{elastic-defend}} diagnostic data. You can modify telemetry preferences in [Advanced Settings](https://www.elastic.co/guide/en/kibana/current/telemetry-settings-kbn.html). - -:::: - - -1. Go to **Assets** → **Endpoints** to view the Endpoints list. -2. Locate the endpoint for which you want to disable diagnostic data, then click the integration policy in the **Policy** column. -3. Scroll down to the bottom of the policy and click **Show advanced settings**. -4. Enter `false` for these settings: - - * `windows.advanced.diagnostic.enabled` - * `linux.advanced.diagnostic.enabled` - * `mac.advanced.diagnostic.enabled` - -5. Click **Save**. diff --git a/raw-migrated-files/docs-content/serverless/security-endpoint-protection-intro.md b/raw-migrated-files/docs-content/serverless/security-endpoint-protection-intro.md deleted file mode 100644 index 5cc9d456a9..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-endpoint-protection-intro.md +++ /dev/null @@ -1,9 +0,0 @@ -# Configure endpoint protection with {{elastic-defend}} [security-endpoint-protection-intro] - -This section contains information on installing and configuring {{elastic-defend}} for endpoint protection. - - - - - - 
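Review bot: two of the pages removed in this region need a check on the migrated side. security-endpoint-data-volume.md contains only "This is a placeholder for future documentation.", so deleting it is fine only if the corresponding navigation entry ("Configure data volume") is dropped or now points at a page with real content. security-endpoint-diagnostic-data.md links to the Kibana telemetry settings with an absolute `https://www.elastic.co/guide/en/kibana/current/...` URL, whereas every other cross-reference in this patch is a relative `.md` path into the new tree; confirm the migrated copy links into the new docs rather than the legacy guide. Also, the minimum system requirements table in security-elastic-endpoint-deploy-reqs.md states "CPU | Under 2%" with no qualifier (average, idle, per core), which the surviving page should make explicit.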
diff --git a/raw-migrated-files/docs-content/serverless/security-protection-artifact-control.md b/raw-migrated-files/docs-content/serverless/security-protection-artifact-control.md deleted file mode 100644 index 1e4972fd1e..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-protection-artifact-control.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -navigation_title: "Configure protection updates" ---- - -# Configure updates for protection artifacts [security-protection-artifact-control] - - -On the **Protection updates** tab of the {{elastic-defend}} integration policy, you can configure how {{elastic-defend}} receives updates from Elastic with the latest threat detections, global exceptions, malware models, rule packages, and other protection artifacts. By default, these artifacts are automatically updated regularly, ensuring your environment is up to date with the latest protections. - -You can disable automatic updates and freeze your protection artifacts to a specific date, allowing you to control when to receive and install the updates. For example, you might want to temporarily disable updates to ensure resource availability during a high-volume period, test updates in a controlled staging environment before rolling out to production, or roll back to a previous version of protections. - -Protection artifacts will expire after 18 months, and you’ll no longer be able to select them as a deployed version. If you’re already using a specific version when it expires, you’ll keep using it until you either select a later non-expired version or re-enable automatic updates. - -::::{warning} -It is strongly advised to keep automatic updates enabled to ensure the highest level of security for your environment. Proceed with caution if you decide to disable automatic updates. - -:::: - - -To configure the protection artifacts version deployed in your environment: - -1. Go to **Manage** → **Policies**, select an {{elastic-defend}} integration policy, then select the **Protection updates** tab. -2. Turn off the **Enable automatic updates** toggle. -3. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment. -4. (Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts. -5. 
Select **Save**. diff --git a/raw-migrated-files/docs-content/serverless/security-uninstall-agent.md b/raw-migrated-files/docs-content/serverless/security-uninstall-agent.md deleted file mode 100644 index 6bcbd8c21a..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-uninstall-agent.md +++ /dev/null 
@@ -1,94 +0,0 @@ -# Uninstall {{agent}} [security-uninstall-agent] - -To uninstall {{agent}} from a host, run the `uninstall` command from the directory where it’s running. Refer to the [{{fleet}} and {{agent}} documentation](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html) for more information. - -If [Agent tamper protection](../../../solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md) is enabled on the Agent policy for the host, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can [find the uninstall token](../../../solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md#fleet-uninstall-tokens) on the Agent policy or at **{{fleet}}** → **Uninstall tokens**. - -For example: - -:::::::{tab-set} - -::::::{tab-item} macOS -```shell -sudo elastic-agent uninstall --uninstall-token 12345678901234567890123456789012 -``` -:::::: - -::::::{tab-item} Linux -```shell -sudo elastic-agent uninstall --uninstall-token 12345678901234567890123456789012 -``` -:::::: - -::::::{tab-item} Windows -```shell -C:\"Program Files"\Elastic\Agent\elastic-agent.exe uninstall --uninstall-token 12345678901234567890123456789012 -``` -:::::: - -::::::: - -## Provide multiple uninstall tokens [multiple-uninstall-tokens] - -If you have multiple tamper-protected {{agent}} policies, you may want to provide multiple uninstall tokens in a single command. There are two ways to do this: - -* The `--uninstall-token` command can receive multiple uninstall tokens separated by a comma, without spaces. - - ```shell - sudo elastic-agent uninstall -f --uninstall-token 7b3d364db8e0deb1cda696ae85e42644,a7336b71e243e7c92d9504b04a774266 - ``` - -* `--uninstall-token`'s argument can also be a path to a text file with one uninstall token per line. - - ::::{note} - You must use the full file path, otherwise the file may not be found. 
- :::: - - - ```shell - sudo elastic-agent uninstall -f --uninstall-token /tmp/tokens.txt - ``` - - In this example, `tokens.txt` would contain: - - ```txt - 7b3d364db8e0deb1cda696ae85e42644 - a7336b71e243e7c92d9504b04a774266 - ``` - - - -## Uninstall {{elastic-endpoint}} [uninstall-endpoint] - -Use these commands to uninstall {{elastic-endpoint}} from a host **ONLY** if [uninstalling an {{agent}}](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html) is unsuccessful. - -:::::::{tab-set} - -::::::{tab-item} macOS -```shell -cd /tmp -cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint -sudo ./elastic-endpoint uninstall -rm elastic-endpoint -``` -:::::: - -::::::{tab-item} Linux -```shell -cd /tmp -cp /opt/Elastic/Endpoint/elastic-endpoint elastic-endpoint -sudo ./elastic-endpoint uninstall -rm elastic-endpoint -``` -:::::: - -::::::{tab-item} Windows -```shell -cd %TEMP% -copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe -.\elastic-endpoint.exe uninstall -del .\elastic-endpoint.exe -``` -:::::: - -::::::: diff --git a/raw-migrated-files/security-docs/security/artifact-control.md b/raw-migrated-files/security-docs/security/artifact-control.md deleted file mode 100644 index 1250d02c75..0000000000 --- a/raw-migrated-files/security-docs/security/artifact-control.md +++ /dev/null 
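Review bot: the single-token uninstall examples under "For example" run `sudo elastic-agent uninstall --uninstall-token ...`, while the multiple-token examples add `-f` (`sudo elastic-agent uninstall -f --uninstall-token ...`) without the page ever saying what `-f` does; the surviving page should either use the same form in both places or explain the flag. In the "Uninstall {{elastic-endpoint}}" section, the macOS and Linux blocks copy the binary to `/tmp` and execute the copy as root with no explanation of why the copy is needed; state the reason, and prefer a directory created with `mktemp -d` over a world-writable `/tmp`, since the page is instructing the reader to run a file out of `/tmp` under `sudo`. The Windows block is tagged ```shell but uses cmd.exe syntax (`cd %TEMP%`, `copy`, `del`), and unlike the sudo-prefixed macOS and Linux blocks it gives no hint that the command must be run from an elevated prompt.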
@@ -1,21 +0,0 @@ -# Configure updates for protection artifacts [artifact-control] - -On the **Protection updates** tab of the {{elastic-defend}} integration policy, you can configure how {{elastic-defend}} receives updates from Elastic with the latest threat detections, global exceptions, malware models, rule packages, and other protection artifacts. By default, these artifacts are automatically updated regularly, ensuring your environment is up to date with the latest protections. - -You can disable automatic updates and freeze your protection artifacts to a specific date, allowing you to control when to receive and install the updates. For example, you might want to temporarily disable updates to ensure resource availability during a high-volume period, test updates in a controlled staging environment before rolling out to production, or roll back to a previous version of protections. - -Protection artifacts will expire after 18 months, and you’ll no longer be able to select them as a deployed version. If you’re already using a specific version when it expires, you’ll keep using it until you either select a later non-expired version or re-enable automatic updates. - -::::{warning} -It is strongly advised to keep automatic updates enabled to ensure the highest level of security for your environment. Proceed with caution if you decide to disable automatic updates. -:::: - - -To configure the protection artifacts version deployed in your environment: - -1. Find **Policies** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Select an {{elastic-defend}} integration policy, then select the **Protection updates** tab. -3. Turn off the **Enable automatic updates** toggle. -4. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment. -5. 
(Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts. -6. Select **Save**. diff --git a/raw-migrated-files/security-docs/security/deploy-elastic-endpoint-ven.md b/raw-migrated-files/security-docs/security/deploy-elastic-endpoint-ven.md deleted file mode 100644 index a432dfb977..0000000000 --- a/raw-migrated-files/security-docs/security/deploy-elastic-endpoint-ven.md +++ /dev/null 
@@ -1,120 +0,0 @@ -# Enable access for macOS Ventura and higher [deploy-elastic-endpoint-ven] - -To properly install and configure {{elastic-defend}} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional: - -* [Approve the system extension](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md#system-extension-endpoint-ven) -* [Approve network content filtering](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md#allow-filter-content-ven) -* [Enable Full Disk Access](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md#enable-fda-endpoint-ven) - -::::{note} -The following permissions that need to be enabled are required after you [configure and install the {{elastic-defend}} integration](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md), which includes [enrolling the {{agent}}](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md#enroll-security-agent). -:::: - - - -## Approve the system extension for {{elastic-endpoint}} [system-extension-endpoint-ven] - -For macOS Ventura (13.0) and later, {{elastic-endpoint}} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events. - -The following message appears during installation: - -:::{image} ../../../images/security-system_extension_blocked_warning_ven.png -:alt: system extension blocked warning ven -:class: screenshot -::: - -1. Click **Open System Settings**. -2. In the left pane, click **Privacy & Security**. 
- - :::{image} ../../../images/security-privacy_security_ven.png - :alt: privacy security ven - :class: screenshot - ::: - -3. On the right pane, scroll down to the Security section. Click **Allow** to allow the ElasticEndpoint system extension to load. - - :::{image} ../../../images/security-allow_system_extension_ven.png - :alt: allow system extension ven - :class: screenshot - ::: - -4. Enter your username and password and click **Modify Settings** to save your changes. - - :::{image} ../../../images/security-enter_login_details_to_confirm_ven.png - :alt: enter login details to confirm ven - :class: screenshot - ::: - - - -## Approve network content filtering for {{elastic-endpoint}} [allow-filter-content-ven] - -After successfully loading the ElasticEndpoint system extension, an additional message appears, asking to allow {{elastic-endpoint}} to filter network content. - -:::{image} ../../../images/security-allow_network_filter_ven.png -:alt: allow network filter ven -:class: screenshot -::: - -Click **Allow** to enable content filtering for the ElasticEndpoint system extension. Without this approval, {{elastic-endpoint}} cannot receive network events and, therefore, cannot enable network-related features such as [host isolation](../../../solutions/security/endpoint-response-actions/isolate-host.md). - - -## Enable Full Disk Access for {{elastic-endpoint}} [enable-fda-endpoint-ven] - -{{elastic-endpoint}} requires Full Disk Access to subscribe to system events via the {{elastic-defend}} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. - -If you have not granted Full Disk Access, the following notification prompt will appear. 
- -:::{image} ../../../images/security-allow_full_disk_access_notification_ven.png -:alt: allow full disk access notification ven -:class: screenshot -::: - -To enable Full Disk Access, you must manually approve {{elastic-endpoint}}. - -::::{note} -The following instructions apply only to {{elastic-endpoint}} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame’s documentation. -:::: - - -1. Open the **System Settings** application. -2. In the left pane, select **Privacy & Security**. - - :::{image} ../../../images/security-privacy_security_ven.png - :alt: privacy security ven - :class: screenshot - ::: - -3. From the right pane, select **Full Disk Access**. - - :::{image} ../../../images/security-select_fda_ven.png - :alt: Select Full Disk Access - :class: screenshot - ::: - -4. Enable `ElasticEndpoint` and `co.elastic` to properly enable Full Disk Access. - - :::{image} ../../../images/security-allow_fda_ven.png - :alt: allow fda ven - :class: screenshot - ::: - - -If the endpoint is running {{elastic-endpoint}} version 7.17.0 or earlier: - -1. Click the **+** button to view **Finder**. -2. The system may prompt you to enter your username and password if you haven’t already. - - :::{image} ../../../images/security-enter_login_details_to_confirm_ven.png - :alt: enter login details to confirm ven - :class: screenshot - ::: - -3. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file. -4. Click **Open**. -5. In the **Privacy** tab, confirm that `ElasticEndpoint` and `co.elastic.systemextension` are selected to properly enable Full Disk Access. - - :::{image} ../../../images/security-verify_fed_granted_ven.png - :alt: Select Full Disk Access - :class: screenshot - ::: diff --git a/raw-migrated-files/security-docs/security/deploy-with-mdm.md b/raw-migrated-files/security-docs/security/deploy-with-mdm.md deleted file mode 100644 index 61f0b5be76..0000000000 
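Review bot: the Full Disk Access section of this deleted copy contradicts itself on version support and then contradicts the serverless copy earlier in the patch. The note says "The following instructions apply only to {{elastic-endpoint}} version 8.0.0 and later", a separate procedure then follows for "version 7.17.0 or earlier", and the serverless copy states flatly that 7.17.0 and earlier are not supported. The surviving enable-access-for-macos-ventura-higher.md page needs one answer. If the 7.17 procedure is kept, its step 5 ("In the **Privacy** tab") refers to the pre-Ventura System Preferences layout although the page is titled for Ventura and higher, where the earlier steps use **Privacy & Security**; and its final screenshot reuses the alt text "Select Full Disk Access" from step 3 even though it shows the granted state. Step 4 here names `co.elastic.systemextension`, which should be the identifier the merged page uses.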
--- a/raw-migrated-files/security-docs/security/deploy-with-mdm.md +++ /dev/null 
@@ -1,142 +0,0 @@ ---- -navigation_title: "Deploy on macOS with MDM" ---- - -# Deploy {{elastic-defend}} on macOS with mobile device management [deploy-with-mdm] - - -To silently install and deploy {{elastic-defend}}, you need to configure a mobile device management (MDM) profile for {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. This allows you to pre-approve the {{elastic-endpoint}} system extension and grant Full Disk Access to all the necessary components. - -This page explains how to deploy {{elastic-defend}} silently using Jamf. - - -## Configure a Jamf MDM profile [configure-jamf-profile] - -In Jamf, create a configuration profile for {{elastic-endpoint}}. Follow these steps to configure the profile: - -1. [Approve the system extension.](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#system-extension-jamf) -2. [Approve network content filtering.](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#content-filtering-jamf) -3. [Enable notifications.](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#notifications-jamf) -4. [Enable Full Disk Access.](../../../solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md#fda-jamf) - - -### Approve the system extension [system-extension-jamf] - -1. Select the **System Extensions** option to configure the system extension policy for the {{elastic-endpoint}} configuration profile. -2. Make sure that **Allow users to approve system extensions** is selected. -3. In the **Allowed Team IDs and System Extensions** section, add the {{elastic-endpoint}} system extension: - - 1. (Optional) Enter a **Display Name** for the {{elastic-endpoint}} system extension. - 2. From the **System Extension Types** dropdown, select **Allowed System Extensions**. - 3. Under **Team Identifier**, enter `2BT3HPN62Z`. - 4. 
Under **Allowed System Extensions**, enter `co.elastic.systemextension`. - -4. Save the configuration. - -:::{image} ../../../images/security-system-extension-jamf.png -:alt: system extension jamf -:class: screenshot -::: - - -### Approve network content filtering [content-filtering-jamf] - -1. Select the **Content Filter** option to configure the Network Extension policy for the {{elastic-endpoint}} configuration profile. -2. Under **Filter Name**, enter `ElasticEndpoint`. -3. Under **Identifier**, enter `co.elastic.endpoint`. -4. In the **Socket Filter** section, fill in these fields: - - 1. **Socket Filter Bundle Identifier**: Enter `co.elastic.systemextension` - 2. **Socket Filter Designated Requirement**: Enter the following: - - ```shell - identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - -5. In the **Network Filter** section, fill in these fields: - - 1. **Network Filter Bundle Identifier**: Enter `co.elastic.systemextension` - 2. **Network Filter Designated Requirement**: Enter the following: - - ```shell - identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - -6. Save the configuration. - -:::{image} ../../../images/security-content-filtering-jamf.png -:alt: content filtering jamf -:class: screenshot -::: - - -### Enable notifications [notifications-jamf] - -1. Select the **Notifications** option to configure the Notification Center policy for the {{elastic-endpoint}} configuration profile. -2. Under **App Name**, enter `Elastic Security.app`. -3. Under **Bundle ID**, enter `co.elastic.alert`. -4. 
In the **Settings** section, include these options with the following settings: - - 1. **Critical Alerts**: Enable - 2. **Notifications**: Enable - 3. **Banner alert type**: Persistent - 4. **Notifications on Lock Screen**: Display - 5. **Notifications in Notification Center**: Display - 6. **Badge app icon**: Display - 7. **Play sound for notifications**: Enable - -5. Save the configuration. - -:::{image} ../../../images/security-notifications-jamf.png -:alt: notifications jamf -:class: screenshot -::: - - -### Enable Full Disk Access [fda-jamf] - -1. Select the **Privacy Preferences Policy Control** option to configure the Full Disk Access policy for the {{elastic-endpoint}} configuration profile. -2. Add a new entry with the following details: - - 1. Under **Identifier**, enter `co.elastic.systemextension`. - 2. From the **Identifier Type** dropdown, select **Bundle ID**. - 3. Under **Code Requirement**, enter the following: - - ```shell - identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - - 4. Make sure that **Validate the Static Code Requirement** is selected. - -3. Add a second entry with the following details: - - 1. Under **Identifier**, enter `co.elastic.endpoint`. - 2. From the **Identifier Type** dropdown, select **Bundle ID**. - 3. Under **Code Requirement**, enter the following: - - ```shell - identifier "co.elastic.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - - 4. Make sure that **Validate the Static Code Requirement** is selected. - -4. Add a third entry with the following details: - - 1. Under **Identifier**, enter `co.elastic.elastic-agent`. - 2. 
From the **Identifier Type** dropdown, select **Bundle ID**. - 3. Under **Code Requirement**, enter the following: - - ```shell - identifier "co.elastic.elastic-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" - ``` - - 4. Make sure that **Validate the Static Code Requirement** is selected. - -5. Save the configuration. - -:::{image} ../../../images/security-fda-jamf.png -:alt: fda jamf -:class: screenshot -::: - -After you complete these steps, generate the mobile configuration profile and install it onto the macOS machines. Once the profile is installed, {{elastic-defend}} can be deployed without the need for user interaction. diff --git a/raw-migrated-files/security-docs/security/elastic-endpoint-deploy-reqs.md b/raw-migrated-files/security-docs/security/elastic-endpoint-deploy-reqs.md deleted file mode 100644 index 7d1065cdd9..0000000000 --- a/raw-migrated-files/security-docs/security/elastic-endpoint-deploy-reqs.md +++ /dev/null 
@@ -1,15 +0,0 @@ -# {{elastic-defend}} requirements [elastic-endpoint-deploy-reqs] - -To properly deploy {{elastic-defend}} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional. For more information, refer to the instructions for your macOS version: - -* [Enable access for macOS Monterey](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-monterey.md) -* [Enable access for macOS Ventura and higher](../../../solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md) - - -## Minimum system requirements [_minimum_system_requirements] - -| Requirement | Value | -| --- | --- | -| **CPU** | Under 2% | -| **Disk space** | 1 GB | -| **Resident set size (RSS) memory** | 500 MB | diff --git a/raw-migrated-files/security-docs/security/endpoint-data-volume.md b/raw-migrated-files/security-docs/security/endpoint-data-volume.md deleted file mode 100644 index 677fa491ae..0000000000 --- a/raw-migrated-files/security-docs/security/endpoint-data-volume.md +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -navigation_title: "Configure data volume" ---- - -# Configure data volume for {{elastic-endpoint}} [endpoint-data-volume] - - -{{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention, is optimized to reduce data volume and CPU usage. You can disable or modify some of these optimizations by reconfiguring the following [advanced settings](../../../solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings) in the {{elastic-defend}} integration policy. - -::::{important} -Modifying these advanced settings from their defaults will increase the volume of data that {{elastic-endpoint}} processes and ingests, and increase {{elastic-endpoint}}'s CPU usage. Make sure you’re aware of how these changes will affect your storage capabilities and performance. -:::: - - -Each setting has several OS-specific variants, represented by `[linux|mac|windows]` in the names listed below. Use the variant relevant to your hosts' operating system (for example, `windows.advanced.events.deduplicate_network_events` to configure network event deduplication for Windows hosts). - - -## Network event deduplication [network-event-deduplication] - -[8.15] When repeated network connections are detected from the same process, {{elastic-endpoint}} will not produce network events for subsequent connections. To disable or reduce deduplication of network events, use these advanced settings: - -`[linux|mac|windows].advanced.events.deduplicate_network_events` -: Enter `false` to completely disable network event deduplication. Default: `true` - -`[linux|mac|windows].advanced.events.deduplicate_network_events_below_bytes` -: Enter a transfer size threshold (in bytes) for events you want to deduplicate. Connections below the threshold are deduplicated, and connections above it are not deduplicated. 
This allows you to suppress repeated connections for smaller data transfers but always generate events for larger transfers. Default: `1048576` (1MB) - - -## Data in `host.*` fields [host-fields] - -[8.18] {{elastic-endpoint}} includes only a small subset of the data in the `host.*` fieldset in event documents. Full `host.*` information is still included in documents written to the `metrics-*` index pattern and in {{elastic-endpoint}} alerts. To override this behavior and include all `host.*` data for events, use this advanced setting: - -`[linux|mac|windows].advanced.set_extended_host_information` -: Enter `true` to include all `host.*` event data. Default: `false` - -::::{note} -Users should take note of how a lack of some `host.*` information may affect their [event filters](../../../solutions/security/manage-elastic-defend/event-filters.md) or [Endpoint alert exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions). -:::: - - - -## Merged process and network events [merged-process-network] - -[8.18] {{elastic-endpoint}} merges process `create`/`terminate` events (Windows) and `fork`/`exec`/`end` events (macOS/Linux) when possible. This means short-lived processes only generate a single event containing the details from when the process terminated. {{elastic-endpoint}} also merges network `connection/termination` events (Windows/macOS/Linux) when possible for short-lived connections. To disable this behavior, use these advanced settings: - -`[linux|mac|windows].advanced.events.aggregate_process` -: Enter `false` to disable merging of process events. Default: `true` - -`[linux|mac|windows].advanced.events.aggregate_network` -: Enter `false` to disable merging of network events. Default: `true` - -::::{note} -Merged events can affect the results of [event filters](../../../solutions/security/manage-elastic-defend/event-filters.md). 
Notably, for merged events, `event.action` is an array containing all actions merged into the single event, such as `event.action=[fork, exec, end]`. In that example, if your event filter omits all fork events (`event.action : fork`), it will also filter out all merged events that include a `fork` action. To prevent such issues, you’ll need to modify your event filters accordingly, or set the `[linux|mac|windows].advanced.events.aggregate_process` and `[linux|mac|windows].advanced.events.aggregate_network` advanced settings to `false` to prevent {{elastic-endpoint}} from merging events. -:::: - - - -## MD5 and SHA-1 hashes [md5-sha1-hashes] - -[8.18] {{elastic-endpoint}} does not report MD5 and SHA-1 hashes in event data by default. These will still be reported if any [trusted applications](../../../solutions/security/manage-elastic-defend/trusted-applications.md), [blocklist entries](../../../solutions/security/manage-elastic-defend/blocklist.md), [event filters](../../../solutions/security/manage-elastic-defend/event-filters.md), or [Endpoint exceptions](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) require them. To include these hashes in all event data, use these advanced settings: - -`[linux|mac|windows].advanced.events.hash.md5` -: Enter `true` to compute and include MD5 hashes for processes and libraries in events. Default: `false` - -`[linux|mac|windows].advanced.events.hash.sha1` -: Enter `true` to compute and include SHA-1 hashes for processes and libraries in events. Default: `false` - -`[linux|mac|windows].advanced.alerts.hash.md5` -: Enter `true` to compute and include MD5 hashes for processes and libraries in alerts. Default: `false` - -`[linux|mac|windows].advanced.alerts.hash.sha1` -: Enter `true` to compute and include SHA-1 hashes for processes and libraries in alerts. Default: `false` - 
diff --git a/raw-migrated-files/security-docs/security/endpoint-diagnostic-data.md b/raw-migrated-files/security-docs/security/endpoint-diagnostic-data.md deleted file mode 100644 index 6245c9baf8..0000000000 --- a/raw-migrated-files/security-docs/security/endpoint-diagnostic-data.md +++ /dev/null @@ -1,19 +0,0 @@ -# Turn off diagnostic data for {{elastic-defend}} [endpoint-diagnostic-data] - -By default, {{elastic-defend}} streams diagnostic data to your cluster, which Elastic uses to tune protection features. You can stop producing this diagnostic data by configuring the advanced settings in the {{elastic-defend}} integration policy. - -::::{note} -{{kib}} also collects usage telemetry, which includes {{elastic-defend}} diagnostic data. You can modify telemetry preferences in [Advanced Settings](https://www.elastic.co/guide/en/kibana/current/telemetry-settings-kbn.html). -:::: - - -1. To view the Endpoints list, find **Endpoints** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). -2. Locate the endpoint for which you want to disable diagnostic data, then click the integration policy in the **Policy** column. -3. Scroll down to the bottom of the policy and click **Show advanced settings**. -4. Enter `false` for these settings: - - * `windows.advanced.diagnostic.enabled` - * `linux.advanced.diagnostic.enabled` - * `mac.advanced.diagnostic.enabled` - -5. Click **Save**. diff --git a/raw-migrated-files/security-docs/security/endpoint-protection-intro.md b/raw-migrated-files/security-docs/security/endpoint-protection-intro.md deleted file mode 100644 index 4d34f95663..0000000000 --- a/raw-migrated-files/security-docs/security/endpoint-protection-intro.md +++ /dev/null @@ -1,3 +0,0 @@ -# Configure endpoint protection with {{elastic-defend}} [endpoint-protection-intro] - -This section contains information on installing and configuring {{elastic-defend}} for endpoint protection. 
diff --git a/raw-migrated-files/security-docs/security/uninstall-agent.md b/raw-migrated-files/security-docs/security/uninstall-agent.md deleted file mode 100644 index a96226a926..0000000000 --- a/raw-migrated-files/security-docs/security/uninstall-agent.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Uninstall {{agent}} [uninstall-agent] - -To uninstall {{agent}} from a host, run the `uninstall` command from the directory where it’s running. Refer to the [{{fleet}} and {{agent}} documentation](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html) for more information. - -If [Agent tamper protection](../../../solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md) is enabled on the Agent policy for the host, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can [find the uninstall token](../../../solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md#fleet-uninstall-tokens) on the Agent policy. Alternatively, find **{{fleet}}** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Uninstall tokens**. - -For example, to uninstall {{agent}} on a macOS or Linux host: - -```shell -sudo elastic-agent uninstall --uninstall-token 12345678901234567890123456789012 -``` - - -## Provide multiple uninstall tokens [multiple-uninstall-tokens] - -If you have multiple tamper-protected {{agent}} policies, you may want to provide multiple uninstall tokens in a single command. There are two ways to do this: - -* The `--uninstall-token` command can receive multiple uninstall tokens separated by a comma, without spaces. - - ```shell - sudo elastic-agent uninstall -f --uninstall-token 7b3d364db8e0deb1cda696ae85e42644,a7336b71e243e7c92d9504b04a774266 - ``` - -* `--uninstall-token`'s argument can also be a path to a text file with one uninstall token per line. - - ::::{note} - You must use the full file path, otherwise the file may not be found. 
- :::: - - - ```shell - sudo elastic-agent uninstall -f --uninstall-token /tmp/tokens.txt - ``` - - In this example, `tokens.txt` would contain: - - ```txt - 7b3d364db8e0deb1cda696ae85e42644 - a7336b71e243e7c92d9504b04a774266 - ``` - - - -## Uninstall {{elastic-endpoint}} [uninstall-endpoint] - -Use these commands to uninstall {{elastic-endpoint}} from a host **ONLY** if [uninstalling an {{agent}}](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html) is unsuccessful. - -Windows - -```shell -cd %TEMP% -copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe -.\elastic-endpoint.exe uninstall -del .\elastic-endpoint.exe -``` - -macOS - -```shell -cd /tmp -cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint -sudo ./elastic-endpoint uninstall -rm elastic-endpoint -``` - -Linux - -```shell -cd /tmp -cp /opt/Elastic/Endpoint/elastic-endpoint elastic-endpoint -sudo ./elastic-endpoint uninstall -rm elastic-endpoint -``` diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index a676db37bf..f31f5724d4 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
@@ -433,17 +433,11 @@ toc: - file: docs-content/serverless/security-dashboards-overview.md - file: docs-content/serverless/security-data-quality-dash.md - file: docs-content/serverless/security-data-views-in-sec.md - - file: docs-content/serverless/security-deploy-elastic-endpoint-ven.md - - file: docs-content/serverless/security-deploy-with-mdm.md - file: docs-content/serverless/security-detection-engine-overview.md - file: docs-content/serverless/security-detection-entity-dashboard.md - file: docs-content/serverless/security-detection-response-dashboard.md - file: docs-content/serverless/security-detections-requirements.md - - file: docs-content/serverless/security-elastic-endpoint-deploy-reqs.md - - file: docs-content/serverless/security-endpoint-data-volume.md - - file: docs-content/serverless/security-endpoint-diagnostic-data.md - file: docs-content/serverless/security-endpoint-management-req.md - - file: docs-content/serverless/security-endpoint-protection-intro.md - file: docs-content/serverless/security-endpoints-page.md - file: docs-content/serverless/security-environment-variable-capture.md - file: docs-content/serverless/security-ers-requirements.md @@ -475,7 +469,6 @@ toc: - file: docs-content/serverless/security-posture-faq.md - file: docs-content/serverless/security-posture-management.md - file: docs-content/serverless/security-prebuilt-rules-management.md - - file: docs-content/serverless/security-protection-artifact-control.md - file: docs-content/serverless/security-query-alert-indices.md - file: docs-content/serverless/security-query-operating-systems.md - file: docs-content/serverless/security-reduce-notifications-alerts.md 
@@ -499,7 +492,6 @@ toc: - file: docs-content/serverless/security-tune-detection-signals.md - file: docs-content/serverless/security-turn-on-risk-engine.md - file: docs-content/serverless/security-ui.md - - file: docs-content/serverless/security-uninstall-agent.md - file: docs-content/serverless/security-users-page.md - file: docs-content/serverless/security-view-alert-details.md - file: docs-content/serverless/security-visual-event-analyzer.md @@ -766,7 +758,6 @@ toc: - file: security-docs/security/alert-suppression.md - file: security-docs/security/alerts-run-osquery.md - file: security-docs/security/alerts-ui-manage.md - - file: security-docs/security/artifact-control.md - file: security-docs/security/assistant-connect-to-azure-openai.md - file: security-docs/security/assistant-connect-to-bedrock.md - file: security-docs/security/assistant-connect-to-openai.md 
@@ -804,19 +795,13 @@ toc: - file: security-docs/security/dashboards-overview.md - file: security-docs/security/data-quality-dash.md - file: security-docs/security/data-views-in-sec.md - - file: security-docs/security/deploy-elastic-endpoint-ven.md - file: security-docs/security/deploy-elastic-endpoint.md - - file: security-docs/security/deploy-with-mdm.md - file: security-docs/security/detection-engine-overview.md - file: security-docs/security/detection-entity-dashboard.md - file: security-docs/security/detection-response-dashboard.md - file: security-docs/security/detections-logsdb-index-mode-impact.md - file: security-docs/security/detections-permissions-section.md - - file: security-docs/security/elastic-endpoint-deploy-reqs.md - - file: security-docs/security/endpoint-data-volume.md - - file: security-docs/security/endpoint-diagnostic-data.md - file: security-docs/security/endpoint-management-req.md - - file: security-docs/security/endpoint-protection-intro.md - file: security-docs/security/environment-variable-capture.md - file: security-docs/security/ers-requirements.md - file: security-docs/security/es-overview.md @@ -873,7 +858,6 @@ toc: - file: security-docs/security/trusted-apps-ov.md - file: security-docs/security/tuning-detection-signals.md - file: security-docs/security/turn-on-risk-engine.md - - file: security-docs/security/uninstall-agent.md - file: security-docs/security/use-osquery.md - file: security-docs/security/users-page.md - file: security-docs/security/view-alert-details.md diff --git a/solutions/security/configure-elastic-defend.md b/solutions/security/configure-elastic-defend.md index 3a6b57b02d..5047b2928f 100644 --- a/solutions/security/configure-elastic-defend.md +++ b/solutions/security/configure-elastic-defend.md 
@@ -4,11 +4,6 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-endpoint-protection-intro.html --- -# Configure endpoint protection with Elastic Defend +# Configure endpoint protection with {{elastic-defend}} [endpoint-protection-intro] -% What needs to be done: Lift-and-shift - -% Use migrated content from existing pages that map to this page: - -% - [ ] ./raw-migrated-files/security-docs/security/endpoint-protection-intro.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-endpoint-protection-intro.md \ No newline at end of file +This section contains information on installing and configuring {{elastic-defend}} for endpoint protection. diff --git a/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint.md b/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint.md index eb4504b2c9..5764a2046b 100644 --- a/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint.md +++ b/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint.md 
@@ -1,14 +1,75 @@ --- +navigation_title: "Configure data volume" mapped_urls: - https://www.elastic.co/guide/en/security/current/endpoint-data-volume.html - https://www.elastic.co/guide/en/serverless/current/security-endpoint-data-volume.html --- -# Configure data volume for Elastic Endpoint +# Configure data volume for {{elastic-endpoint}} [endpoint-data-volume] -% What needs to be done: Lift-and-shift -% Use migrated content from existing pages that map to this page: +{{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention, is optimized to reduce data volume and CPU usage. You can disable or modify some of these optimizations by reconfiguring the following [advanced settings](configure-an-integration-policy-for-elastic-defend.md#adv-policy-settings) in the {{elastic-defend}} integration policy. -% - [ ] ./raw-migrated-files/security-docs/security/endpoint-data-volume.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-endpoint-data-volume.md \ No newline at end of file +::::{important} +Modifying these advanced settings from their defaults will increase the volume of data that {{elastic-endpoint}} processes and ingests, and increase {{elastic-endpoint}}'s CPU usage. Make sure you’re aware of how these changes will affect your storage capabilities and performance. +:::: + + +Each setting has several OS-specific variants, represented by `[linux|mac|windows]` in the names listed below. Use the variant relevant to your hosts' operating system (for example, `windows.advanced.events.deduplicate_network_events` to configure network event deduplication for Windows hosts). + + +## Network event deduplication [network-event-deduplication] + +When repeated network connections are detected from the same process, {{elastic-endpoint}} will not produce network events for subsequent connections. 
To disable or reduce deduplication of network events, use these advanced settings: + +`[linux|mac|windows].advanced.events.deduplicate_network_events` +: Enter `false` to completely disable network event deduplication. Default: `true` + +`[linux|mac|windows].advanced.events.deduplicate_network_events_below_bytes` +: Enter a transfer size threshold (in bytes) for events you want to deduplicate. Connections below the threshold are deduplicated, and connections above it are not deduplicated. This allows you to suppress repeated connections for smaller data transfers but always generate events for larger transfers. Default: `1048576` (1MB) + + +## Data in `host.*` fields [host-fields] + +{{elastic-endpoint}} includes only a small subset of the data in the `host.*` fieldset in event documents. Full `host.*` information is still included in documents written to the `metrics-*` index pattern and in {{elastic-endpoint}} alerts. To override this behavior and include all `host.*` data for events, use this advanced setting: + +`[linux|mac|windows].advanced.set_extended_host_information` +: Enter `true` to include all `host.*` event data. Default: `false` + +::::{note} +Users should take note of how a lack of some `host.*` information may affect their [event filters](../manage-elastic-defend/event-filters.md) or [Endpoint alert exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions). +:::: + + + +## Merged process and network events [merged-process-network] + +{{elastic-endpoint}} merges process `create`/`terminate` events (Windows) and `fork`/`exec`/`end` events (macOS/Linux) when possible. This means short-lived processes only generate a single event containing the details from when the process terminated. {{elastic-endpoint}} also merges network `connection/termination` events (Windows/macOS/Linux) when possible for short-lived connections. 
To disable this behavior, use these advanced settings: + +`[linux|mac|windows].advanced.events.aggregate_process` +: Enter `false` to disable merging of process events. Default: `true` + +`[linux|mac|windows].advanced.events.aggregate_network` +: Enter `false` to disable merging of network events. Default: `true` + +::::{note} +Merged events can affect the results of [event filters](../manage-elastic-defend/event-filters.md). Notably, for merged events, `event.action` is an array containing all actions merged into the single event, such as `event.action=[fork, exec, end]`. In that example, if your event filter omits all fork events (`event.action : fork`), it will also filter out all merged events that include a `fork` action. To prevent such issues, you’ll need to modify your event filters accordingly, or set the `[linux|mac|windows].advanced.events.aggregate_process` and `[linux|mac|windows].advanced.events.aggregate_network` advanced settings to `false` to prevent {{elastic-endpoint}} from merging events. +:::: + + + +## MD5 and SHA-1 hashes [md5-sha1-hashes] + +{{elastic-endpoint}} does not report MD5 and SHA-1 hashes in event data by default. These will still be reported if any [trusted applications](../manage-elastic-defend/trusted-applications.md), [blocklist entries](../manage-elastic-defend/blocklist.md), [event filters](../manage-elastic-defend/event-filters.md), or [Endpoint exceptions](../detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) require them. To include these hashes in all event data, use these advanced settings: + +`[linux|mac|windows].advanced.events.hash.md5` +: Enter `true` to compute and include MD5 hashes for processes and libraries in events. Default: `false` + +`[linux|mac|windows].advanced.events.hash.sha1` +: Enter `true` to compute and include SHA-1 hashes for processes and libraries in events. 
Default: `false` + +`[linux|mac|windows].advanced.alerts.hash.md5` +: Enter `true` to compute and include MD5 hashes for processes and libraries in alerts. Default: `false` + +`[linux|mac|windows].advanced.alerts.hash.sha1` +: Enter `true` to compute and include SHA-1 hashes for processes and libraries in alerts. Default: `false` diff --git a/solutions/security/configure-elastic-defend/configure-updates-for-protection-artifacts.md b/solutions/security/configure-elastic-defend/configure-updates-for-protection-artifacts.md index 0a4543b2c7..3ed0d0262b 100644 --- a/solutions/security/configure-elastic-defend/configure-updates-for-protection-artifacts.md +++ b/solutions/security/configure-elastic-defend/configure-updates-for-protection-artifacts.md 
@@ -4,11 +4,25 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-protection-artifact-control.html --- -# Configure updates for protection artifacts +# Configure updates for protection artifacts [artifact-control] -% What needs to be done: Lift-and-shift +On the **Protection updates** tab of the {{elastic-defend}} integration policy, you can configure how {{elastic-defend}} receives updates from Elastic with the latest threat detections, global exceptions, malware models, rule packages, and other protection artifacts. By default, these artifacts are automatically updated regularly, ensuring your environment is up to date with the latest protections. -% Use migrated content from existing pages that map to this page: +You can disable automatic updates and freeze your protection artifacts to a specific date, allowing you to control when to receive and install the updates. For example, you might want to temporarily disable updates to ensure resource availability during a high-volume period, test updates in a controlled staging environment before rolling out to production, or roll back to a previous version of protections. + +Protection artifacts will expire after 18 months, and you’ll no longer be able to select them as a deployed version. If you’re already using a specific version when it expires, you’ll keep using it until you either select a later non-expired version or re-enable automatic updates. + +::::{warning} +It is strongly advised to keep automatic updates enabled to ensure the highest level of security for your environment. Proceed with caution if you decide to disable automatic updates. +:::: + + +To configure the protection artifacts version deployed in your environment: + +1. Find **Policies** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Select an {{elastic-defend}} integration policy, then select the **Protection updates** tab. +3. 
Turn off the **Enable automatic updates** toggle. +4. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment. +5. (Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts. +6. Select **Save**. -% - [ ] ./raw-migrated-files/security-docs/security/artifact-control.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-protection-artifact-control.md \ No newline at end of file diff --git a/solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md b/solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md index 1512f046e4..bfbdd5b75c 100644 --- a/solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md +++ b/solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md 
@@ -1,32 +1,145 @@ --- +navigation_title: "Deploy on macOS with MDM" mapped_urls: - https://www.elastic.co/guide/en/security/current/deploy-with-mdm.html - https://www.elastic.co/guide/en/serverless/current/security-deploy-with-mdm.html --- -# Deploy on macOS with MDM +# Deploy {{elastic-defend}} on macOS with mobile device management [deploy-with-mdm] -% What needs to be done: Lift-and-shift -% Use migrated content from existing pages that map to this page: +To silently install and deploy {{elastic-defend}}, you need to configure a mobile device management (MDM) profile for {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. This allows you to pre-approve the {{elastic-endpoint}} system extension and grant Full Disk Access to all the necessary components. -% - [ ] ./raw-migrated-files/security-docs/security/deploy-with-mdm.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-deploy-with-mdm.md +This page explains how to deploy {{elastic-defend}} silently using Jamf. -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): -$$$system-extension-jamf$$$ +## Configure a Jamf MDM profile [configure-jamf-profile] -$$$fda-jamf$$$ +In Jamf, create a configuration profile for {{elastic-endpoint}}. Follow these steps to configure the profile: -$$$content-filtering-jamf$$$ +1. [Approve the system extension.](#system-extension-jamf) +2. [Approve network content filtering.](#content-filtering-jamf) +3. [Enable notifications.](#notifications-jamf) +4. [Enable Full Disk Access.](#fda-jamf) -$$$security-deploy-with-mdm-approve-the-system-extension$$$ -$$$security-deploy-with-mdm-enable-full-disk-access$$$ +### Approve the system extension [system-extension-jamf] -$$$security-deploy-with-mdm-approve-network-content-filtering$$$ +1. 
Select the **System Extensions** option to configure the system extension policy for the {{elastic-endpoint}} configuration profile. +2. Make sure that **Allow users to approve system extensions** is selected. +3. In the **Allowed Team IDs and System Extensions** section, add the {{elastic-endpoint}} system extension: -$$$notifications-jamf$$$ + 1. (Optional) Enter a **Display Name** for the {{elastic-endpoint}} system extension. + 2. From the **System Extension Types** dropdown, select **Allowed System Extensions**. + 3. Under **Team Identifier**, enter `2BT3HPN62Z`. + 4. Under **Allowed System Extensions**, enter `co.elastic.systemextension`. -$$$security-deploy-with-mdm-enable-notifications$$$ \ No newline at end of file +4. Save the configuration. + +:::{image} ../../../images/security-system-extension-jamf.png +:alt: system extension jamf +:class: screenshot +::: + + +### Approve network content filtering [content-filtering-jamf] + +1. Select the **Content Filter** option to configure the Network Extension policy for the {{elastic-endpoint}} configuration profile. +2. Under **Filter Name**, enter `ElasticEndpoint`. +3. Under **Identifier**, enter `co.elastic.endpoint`. +4. In the **Socket Filter** section, fill in these fields: + + 1. **Socket Filter Bundle Identifier**: Enter `co.elastic.systemextension` + 2. **Socket Filter Designated Requirement**: Enter the following: + + ```shell + identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" + ``` + +5. In the **Network Filter** section, fill in these fields: + + 1. **Network Filter Bundle Identifier**: Enter `co.elastic.systemextension` + 2. 
**Network Filter Designated Requirement**: Enter the following: + + ```shell + identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" + ``` + +6. Save the configuration. + +:::{image} ../../../images/security-content-filtering-jamf.png +:alt: content filtering jamf +:class: screenshot +::: + + +### Enable notifications [notifications-jamf] + +1. Select the **Notifications** option to configure the Notification Center policy for the {{elastic-endpoint}} configuration profile. +2. Under **App Name**, enter `Elastic Security.app`. +3. Under **Bundle ID**, enter `co.elastic.alert`. +4. In the **Settings** section, include these options with the following settings: + + 1. **Critical Alerts**: Enable + 2. **Notifications**: Enable + 3. **Banner alert type**: Persistent + 4. **Notifications on Lock Screen**: Display + 5. **Notifications in Notification Center**: Display + 6. **Badge app icon**: Display + 7. **Play sound for notifications**: Enable + +5. Save the configuration. + +:::{image} ../../../images/security-notifications-jamf.png +:alt: notifications jamf +:class: screenshot +::: + + +### Enable Full Disk Access [fda-jamf] + +1. Select the **Privacy Preferences Policy Control** option to configure the Full Disk Access policy for the {{elastic-endpoint}} configuration profile. +2. Add a new entry with the following details: + + 1. Under **Identifier**, enter `co.elastic.systemextension`. + 2. From the **Identifier Type** dropdown, select **Bundle ID**. + 3. Under **Code Requirement**, enter the following: + + ```shell + identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" + ``` + + 4. 
Make sure that **Validate the Static Code Requirement** is selected. + +3. Add a second entry with the following details: + + 1. Under **Identifier**, enter `co.elastic.endpoint`. + 2. From the **Identifier Type** dropdown, select **Bundle ID**. + 3. Under **Code Requirement**, enter the following: + + ```shell + identifier "co.elastic.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" + ``` + + 4. Make sure that **Validate the Static Code Requirement** is selected. + +4. Add a third entry with the following details: + + 1. Under **Identifier**, enter `co.elastic.elastic-agent`. + 2. From the **Identifier Type** dropdown, select **Bundle ID**. + 3. Under **Code Requirement**, enter the following: + + ```shell + identifier "co.elastic.elastic-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z" + ``` + + 4. Make sure that **Validate the Static Code Requirement** is selected. + +5. Save the configuration. + +:::{image} ../../../images/security-fda-jamf.png +:alt: fda jamf +:class: screenshot +::: + +After you complete these steps, generate the mobile configuration profile and install it onto the macOS machines. Once the profile is installed, {{elastic-defend}} can be deployed without the need for user interaction. diff --git a/solutions/security/configure-elastic-defend/elastic-defend-requirements.md b/solutions/security/configure-elastic-defend/elastic-defend-requirements.md index 511f254ac7..7c4c36e4b3 100644 --- a/solutions/security/configure-elastic-defend/elastic-defend-requirements.md +++ b/solutions/security/configure-elastic-defend/elastic-defend-requirements.md 
@@ -4,11 +4,18 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-elastic-endpoint-deploy-reqs.html --- -# Elastic Defend requirements +# {{elastic-defend}} requirements [elastic-endpoint-deploy-reqs] -% What needs to be done: Lift-and-shift +To properly deploy {{elastic-defend}} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional. For more information, refer to the instructions for your macOS version: -% Use migrated content from existing pages that map to this page: +* [Enable access for macOS Monterey](enable-access-for-macos-monterey.md) +* [Enable access for macOS Ventura and higher](enable-access-for-macos-ventura-higher.md) -% - [ ] ./raw-migrated-files/security-docs/security/elastic-endpoint-deploy-reqs.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-elastic-endpoint-deploy-reqs.md \ No newline at end of file + +## Minimum system requirements [_minimum_system_requirements] + +| Requirement | Value | +| --- | --- | +| **CPU** | Under 2% | +| **Disk space** | 1 GB | +| **Resident set size (RSS) memory** | 500 MB | diff --git a/solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md b/solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md index 464652eec3..af0a0633ab 100644 --- a/solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md +++ b/solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md 
@@ -4,19 +4,124 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-deploy-elastic-endpoint-ven.html --- -# Enable access for macOS Ventura and higher +# Enable access for macOS Ventura and higher [deploy-elastic-endpoint-ven] -% What needs to be done: Lift-and-shift +To properly install and configure {{elastic-defend}} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional: -% Use migrated content from existing pages that map to this page: +* [Approve the system extension](#system-extension-endpoint-ven) +* [Approve network content filtering](#allow-filter-content-ven) +* [Enable Full Disk Access](#enable-fda-endpoint-ven) -% - [ ] ./raw-migrated-files/security-docs/security/deploy-elastic-endpoint-ven.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-deploy-elastic-endpoint-ven.md +::::{note} +The following permissions that need to be enabled are required after you [configure and install the {{elastic-defend}} integration](install-elastic-defend.md), which includes [enrolling the {{agent}}](install-elastic-defend.md#enroll-security-agent). +:::: -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): -$$$enable-fda-endpoint-ven$$$ -$$$allow-filter-content-ven$$$ +## Approve the system extension for {{elastic-endpoint}} [system-extension-endpoint-ven] + +For macOS Ventura (13.0) and later, {{elastic-endpoint}} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events. 
+ +The following message appears during installation: + +:::{image} ../../../images/security-system_extension_blocked_warning_ven.png +:alt: system extension blocked warning ven +:class: screenshot +::: + +1. Click **Open System Settings**. +2. In the left pane, click **Privacy & Security**. + + :::{image} ../../../images/security-privacy_security_ven.png + :alt: privacy security ven + :class: screenshot + ::: + +3. On the right pane, scroll down to the Security section. Click **Allow** to allow the ElasticEndpoint system extension to load. + + :::{image} ../../../images/security-allow_system_extension_ven.png + :alt: allow system extension ven + :class: screenshot + ::: + +4. Enter your username and password and click **Modify Settings** to save your changes. + + :::{image} ../../../images/security-enter_login_details_to_confirm_ven.png + :alt: enter login details to confirm ven + :class: screenshot + ::: + + + +## Approve network content filtering for {{elastic-endpoint}} [allow-filter-content-ven] + +After successfully loading the ElasticEndpoint system extension, an additional message appears, asking to allow {{elastic-endpoint}} to filter network content. + +:::{image} ../../../images/security-allow_network_filter_ven.png +:alt: allow network filter ven +:class: screenshot +::: + +Click **Allow** to enable content filtering for the ElasticEndpoint system extension. Without this approval, {{elastic-endpoint}} cannot receive network events and, therefore, cannot enable network-related features such as [host isolation](../endpoint-response-actions/isolate-host.md). + + +## Enable Full Disk Access for {{elastic-endpoint}} [enable-fda-endpoint-ven] + +{{elastic-endpoint}} requires Full Disk Access to subscribe to system events via the {{elastic-defend}} framework and to protect your network from malware and other cybersecurity threats. 
Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data. + +If you have not granted Full Disk Access, the following notification prompt will appear. + +:::{image} ../../../images/security-allow_full_disk_access_notification_ven.png +:alt: allow full disk access notification ven +:class: screenshot +::: + +To enable Full Disk Access, you must manually approve {{elastic-endpoint}}. + +::::{note} +The following instructions apply only to {{elastic-endpoint}} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame’s documentation. +:::: + + +1. Open the **System Settings** application. +2. In the left pane, select **Privacy & Security**. + + :::{image} ../../../images/security-privacy_security_ven.png + :alt: privacy security ven + :class: screenshot + ::: + +3. From the right pane, select **Full Disk Access**. + + :::{image} ../../../images/security-select_fda_ven.png + :alt: Select Full Disk Access + :class: screenshot + ::: + +4. Enable `ElasticEndpoint` and `co.elastic` to properly enable Full Disk Access. + + :::{image} ../../../images/security-allow_fda_ven.png + :alt: allow fda ven + :class: screenshot + ::: + + +If the endpoint is running {{elastic-endpoint}} version 7.17.0 or earlier: + +1. Click the **+** button to view **Finder**. +2. The system may prompt you to enter your username and password if you haven’t already. + + :::{image} ../../../images/security-enter_login_details_to_confirm_ven.png + :alt: enter login details to confirm ven + :class: screenshot + ::: + +3. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file. +4. Click **Open**. +5. In the **Privacy** tab, confirm that `ElasticEndpoint` and `co.elastic.systemextension` are selected to properly enable Full Disk Access. 
+ + :::{image} ../../../images/security-verify_fed_granted_ven.png + :alt: Select Full Disk Access + :class: screenshot + ::: -$$$system-extension-endpoint-ven$$$ \ No newline at end of file diff --git a/solutions/security/configure-elastic-defend/turn-off-diagnostic-data-for-elastic-defend.md b/solutions/security/configure-elastic-defend/turn-off-diagnostic-data-for-elastic-defend.md index 0544636027..940d689385 100644 --- a/solutions/security/configure-elastic-defend/turn-off-diagnostic-data-for-elastic-defend.md +++ b/solutions/security/configure-elastic-defend/turn-off-diagnostic-data-for-elastic-defend.md 
@@ -4,11 +4,22 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-endpoint-diagnostic-data.html --- -# Turn off diagnostic data for Elastic Defend +# Turn off diagnostic data for {{elastic-defend}} [endpoint-diagnostic-data] -% What needs to be done: Lift-and-shift +By default, {{elastic-defend}} streams diagnostic data to your cluster, which Elastic uses to tune protection features. You can stop producing this diagnostic data by configuring the advanced settings in the {{elastic-defend}} integration policy. -% Use migrated content from existing pages that map to this page: +::::{note} +{{elastic-sec}} also collects usage telemetry, which includes {{elastic-defend}} diagnostic data. You can modify telemetry preferences in [Advanced Settings](https://www.elastic.co/guide/en/kibana/current/telemetry-settings-kbn.html). +:::: -% - [ ] ./raw-migrated-files/security-docs/security/endpoint-diagnostic-data.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-endpoint-diagnostic-data.md \ No newline at end of file + +1. To view the Endpoints list, find **Endpoints** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). +2. Locate the endpoint for which you want to disable diagnostic data, then click the integration policy in the **Policy** column. +3. Scroll down to the bottom of the policy and click **Show advanced settings**. +4. Enter `false` for these settings: + + * `windows.advanced.diagnostic.enabled` + * `linux.advanced.diagnostic.enabled` + * `mac.advanced.diagnostic.enabled` + +5. Click **Save**. diff --git a/solutions/security/configure-elastic-defend/uninstall-elastic-agent.md b/solutions/security/configure-elastic-defend/uninstall-elastic-agent.md index f0a9ba95a2..ad3bb2c746 100644 --- a/solutions/security/configure-elastic-defend/uninstall-elastic-agent.md +++ b/solutions/security/configure-elastic-defend/uninstall-elastic-agent.md 
@@ -4,17 +4,76 @@ mapped_urls: - https://www.elastic.co/guide/en/serverless/current/security-uninstall-agent.html --- -# Uninstall Elastic Agent +# Uninstall {{agent}} [uninstall-agent] -% What needs to be done: Lift-and-shift +To uninstall {{agent}} from a host, run the `uninstall` command from the directory where it’s running. Refer to the [{{fleet}} and {{agent}} documentation](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html) for more information. -% Use migrated content from existing pages that map to this page: +If [Agent tamper protection](prevent-elastic-agent-uninstallation.md) is enabled on the Agent policy for the host, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can [find the uninstall token](prevent-elastic-agent-uninstallation.md#fleet-uninstall-tokens) on the Agent policy. Alternatively, find **{{fleet}}** in the navigation menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), and select **Uninstall tokens**. -% - [ ] ./raw-migrated-files/security-docs/security/uninstall-agent.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-uninstall-agent.md +For example, to uninstall {{agent}} on a macOS or Linux host: -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): +```shell +sudo elastic-agent uninstall --uninstall-token 12345678901234567890123456789012 +``` -$$$multiple-uninstall-tokens$$$ -$$$uninstall-endpoint$$$ \ No newline at end of file +## Provide multiple uninstall tokens [multiple-uninstall-tokens] + +If you have multiple tamper-protected {{agent}} policies, you may want to provide multiple uninstall tokens in a single command. There are two ways to do this: + +* The `--uninstall-token` command can receive multiple uninstall tokens separated by a comma, without spaces. 
+ + ```shell + sudo elastic-agent uninstall -f --uninstall-token 7b3d364db8e0deb1cda696ae85e42644,a7336b71e243e7c92d9504b04a774266 + ``` + +* `--uninstall-token`'s argument can also be a path to a text file with one uninstall token per line. + + ::::{note} + You must use the full file path, otherwise the file may not be found. + :::: + + + ```shell + sudo elastic-agent uninstall -f --uninstall-token /tmp/tokens.txt + ``` + + In this example, `tokens.txt` would contain: + + ```txt + 7b3d364db8e0deb1cda696ae85e42644 + a7336b71e243e7c92d9504b04a774266 + ``` + + + +## Uninstall {{elastic-endpoint}} [uninstall-endpoint] + +Use these commands to uninstall {{elastic-endpoint}} from a host **ONLY** if [uninstalling an {{agent}}](https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html) is unsuccessful. + +Windows + +```shell +cd %TEMP% +copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe +.\elastic-endpoint.exe uninstall +del .\elastic-endpoint.exe +``` + +macOS + +```shell +cd /tmp +cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint +sudo ./elastic-endpoint uninstall +rm elastic-endpoint +``` + +Linux + +```shell +cd /tmp +cp /opt/Elastic/Endpoint/elastic-endpoint elastic-endpoint +sudo ./elastic-endpoint uninstall +rm elastic-endpoint +```
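Review bot: the protection-artifact pinning steps at the start of this hunk (turn off **Enable automatic updates**, pick a date in **Version to deploy**) carry no warning about what pinning does: every host on that policy keeps running the artifacts from the chosen date and receives no newer protection artifacts until automatic updates are turned back on. Add a warning admonition before step 4 stating this, and suggest using the **Note** field to record both the reason and when the pin should be revisited.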
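Review bot: the removed placeholder IDs `$$$security-deploy-with-mdm-approve-the-system-extension$$$`, `$$$security-deploy-with-mdm-enable-full-disk-access$$$`, `$$$security-deploy-with-mdm-approve-network-content-filtering$$$` and `$$$security-deploy-with-mdm-enable-notifications$$$` are not re-added anywhere in the new deploy-on-macos-with-mdm.md, although the deleted comment states that internal links rely on them; only `system-extension-jamf`, `content-filtering-jamf`, `notifications-jamf` and `fda-jamf` survive as heading IDs. Either keep the `$$$…$$$` anchors next to the matching headings or confirm that the old serverless links are redirected. Two smaller points in the same hunk: the intro says the profile pre-approves the system extension and grants Full Disk Access, but the procedure also configures network content filtering and notifications, so name all four; and the designated-requirement strings are Code Signing Requirement Language, not shell, so tag those fences `text` (or leave them untagged) rather than `shell`.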
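Review bot: the table under `## Minimum system requirements` in elastic-defend-requirements.md lists resource consumption, not host minimums: "CPU: Under 2%", "Resident set size (RSS) memory: 500 MB" and "Disk space: 1 GB" describe the footprint {{elastic-endpoint}} is expected to stay within, and a reader looking for supported OS versions or hardware minimums will misread them. Rename the heading (for example "Resource usage") and the **Value** column, or add a sentence saying these are expected usage figures. The intro paragraph also covers only the macOS no-MDM permission case on a page titled "{{elastic-defend}} requirements"; state that the two linked pages apply to macOS hosts only.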
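Review bot: the Full Disk Access section of the enable-access-for-macos-ventura-higher.md hunk contradicts itself: the note says "The following instructions apply only to {{elastic-endpoint}} version 8.0.0 and later", yet the section ends with a procedure for "version 7.17.0 or earlier"; narrow the note or drop the 7.17.0 block. The entries to enable are also named inconsistently: step 4 says "Enable `ElasticEndpoint` and `co.elastic`", while the 7.17.0 procedure says "`ElasticEndpoint` and `co.elastic.systemextension`"; use the exact identifier that appears in the Full Disk Access list (the MDM page in this same patch uses `co.elastic.systemextension`, `co.elastic.endpoint` and `co.elastic.elastic-agent`). Grammar: "Full Disk Access permissions is a privacy feature" should read "Full Disk Access is a privacy feature", and "The following permissions that need to be enabled are required after you…" reads better as "Enable these permissions after you…". The last screenshot's alt text "Select Full Disk Access" duplicates the earlier image's alt text; describe what the verification screenshot actually shows.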
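Review bot: the note in the turn-off-diagnostic-data-for-elastic-defend.md hunk says {{elastic-sec}} usage telemetry "includes {{elastic-defend}} diagnostic data", which means setting the three `*.advanced.diagnostic.enabled` settings to `false` does not by itself stop all diagnostic data from leaving the deployment; say explicitly that both the policy settings and the telemetry preference must be changed for that. Step 2 starts from a single endpoint's row but edits the integration policy, so add that the change applies to every endpoint assigned to that policy. Also make the telemetry link relative like the other cross-references; it is the only absolute `https://www.elastic.co/guide/...` link on the page.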
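Review bot: in the uninstall-elastic-agent.md hunk the `-f` flag appears in the multiple-token examples (`sudo elastic-agent uninstall -f --uninstall-token 7b3d…,a733…`) but not in the first example, and is never explained; say that it skips the confirmation prompt or remove it for consistency. Passing tokens on the command line also leaves them in shell history and process listings, so recommend the file form (`--uninstall-token /tmp/tokens.txt`) for scripted removals, and add that the token file should have a restrictive mode and be deleted afterwards, since `/tmp` is world-readable by default. In the {{elastic-endpoint}} section the reason for copying `elastic-endpoint` to a temp directory before running `uninstall` is not stated; add it (presumably because the installation directory is removed during uninstall, so the binary cannot run from there). The Windows block is cmd syntax (`%TEMP%`, `copy`, `del`), so tag that fence `cmd` or `bat` rather than `shell`.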