19 changes: 18 additions & 1 deletion redirects.yml
Expand Up @@ -6,4 +6,21 @@ redirects:
anchors:
'anonymous-authentication':
'basic-authentication':
'http-authentication':
'http-authentication':
'reference/security/elastic-defend/index.md': 'solutions/security/configure-elastic-defend.md'
'reference/security/elastic-defend/elastic-endpoint-deploy-reqs.md': 'solutions/security/configure-elastic-defend/elastic-defend-requirements.md'
'reference/security/elastic-defend/install-endpoint.md': 'solutions/security/configure-elastic-defend/install-elastic-defend.md'
'reference/security/elastic-defend/deploy-elastic-endpoint.md': 'solutions/security/configure-elastic-defend/enable-access-for-macos-monterey.md'
'reference/security/elastic-defend/deploy-elastic-endpoint-ven.md': 'solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md'
'reference/security/elastic-defend/deploy-with-mdm.md': 'solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md'
'reference/security/elastic-defend/agent-tamper-protection.md': 'solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md'
'reference/security/elastic-defend/endpoint-management-req.md': 'solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md'
'reference/security/elastic-defend/configure-endpoint-integration-policy.md': 'solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md'
'reference/security/elastic-defend/artifact-control.md': 'solutions/security/configure-elastic-defend/configure-updates-for-protection-artifacts.md'
'reference/security/elastic-defend/endpoint-diagnostic-data.md': 'solutions/security/configure-elastic-defend/turn-off-diagnostic-data-for-elastic-defend.md'
'reference/security/elastic-defend/self-healing-rollback.md': 'solutions/security/configure-elastic-defend/configure-self-healing-rollback-for-windows-endpoints.md'
'reference/security/elastic-defend/linux-file-monitoring.md': 'solutions/security/configure-elastic-defend/configure-linux-file-system-monitoring.md'
'reference/security/elastic-defend/endpoint-data-volume.md': 'solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint.md'
'reference/security/elastic-defend/create-defend-policy-api.md': 'solutions/security/configure-elastic-defend/create-an-elastic-defend-policy-using-api.md'
'reference/security/elastic-defend/offline-endpoint.md': 'solutions/security/configure-elastic-defend/configure-offline-endpoints-air-gapped-environments.md'
'reference/security/elastic-defend/uninstall-agent.md': 'solutions/security/configure-elastic-defend/uninstall-elastic-agent.md'
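Review bot: The targets for `deploy-elastic-endpoint.md` and `deploy-elastic-endpoint-ven.md` are macOS-version-specific pages (`enable-access-for-macos-monterey.md` and `enable-access-for-macos-ventura-higher.md`), and only the `-ven` suffix on the old name hints at which is which, so please confirm against the old page titles that each source lands on the matching macOS version. Because these entries are hand-written path pairs, it would also be worth checking in CI that every right-hand path exists in the tree; a typo in a target would silently break inbound links to pages such as the tamper protection and air-gapped endpoint guides.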
Expand Up @@ -575,7 +575,7 @@ For more information about custom certificates, refer to [Configure SSL/TLS for
`--base-path <string>`
: Install {{agent}} in a location other than the [default](/reference/ingestion-tools/fleet/installation-layout.md). Specify the custom base path for the install.

The `--base-path` option is not currently supported with [{{elastic-defend}}](/reference/security/elastic-defend/install-endpoint.md).
The `--base-path` option is not currently supported with [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md).


`--ca-sha256 <string>`
2 changes: 1 addition & 1 deletion reference/ingestion-tools/fleet/air-gapped.md
Expand Up @@ -15,7 +15,7 @@ The {{package-registry}} must therefore be accessible from {{kib}} via an HTTP P
The {{artifact-registry}} must therefore be accessible from {{kib}} via an HTTP Proxy and/or self-hosted.

::::{tip}
See the {{elastic-sec}} Solution documentation for air-gapped [offline endpoints](/reference/security/elastic-defend/offline-endpoint.md).
See the {{elastic-sec}} Solution documentation for air-gapped [offline endpoints](/solutions/security/configure-elastic-defend/configure-offline-endpoints-air-gapped-environments.md).

::::

2 changes: 1 addition & 1 deletion reference/ingestion-tools/fleet/fleet-api-docs.md
Expand Up @@ -99,7 +99,7 @@ Example response:
To create an integration policy (also known as a package policy) and add it to an existing agent policy, call `POST /api/fleet/package_policies`.

::::{tip}
You can use the {{fleet}} API to [Create and customize an {{elastic-defend}} policy](/reference/security/elastic-defend/create-defend-policy-api.md).
You can use the {{fleet}} API to [Create and customize an {{elastic-defend}} policy](/solutions/security/configure-elastic-defend/create-an-elastic-defend-policy-using-api.md).
::::


Expand Up @@ -34,7 +34,7 @@ To use {{fleet}} go to **Management > {{fleet}}** in {{kib}}. The following tabl
| [{{agent}}s](/reference/ingestion-tools/fleet/manage-agents.md) | Enroll, unenroll, upgrade, add tags, and view {{agent}} status and logs. |
| [Policies](/reference/ingestion-tools/fleet/agent-policy.md) | Create and edit agent policies and add integrations to them. |
| [{{fleet}} enrollment tokens](/reference/ingestion-tools/fleet/fleet-enrollment-tokens.md) | Create and revoke enrollment tokens. |
| [Uninstall tokens](/reference/security/elastic-defend/agent-tamper-protection.md) | ({{elastic-defend}} integration only) Access tokens to allow uninstalling {{agent}} from endpoints with Agent tamper protection enabled. |
| [Uninstall tokens](/solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md) | ({{elastic-defend}} integration only) Access tokens to allow uninstalling {{agent}} from endpoints with Agent tamper protection enabled. |
| [Data streams](/reference/ingestion-tools/fleet/data-streams.md) | View data streams and navigate to dashboards to analyze your data. |


Expand Up @@ -23,18 +23,18 @@ The following table describes the integrations you can use instead of {{auditbea
| --- | --- | --- |
| [Auditd](asciidocalypse://docs/reference/auditbeat/auditbeat-module-auditd.md) module | [Auditd Manager](asciidocalypse://docs/reference/auditd_manager.md) integration | This integration is a direct replacement of the module. You can port rules andconfiguration to this integration. Starting in {{stack}} 8.4, you can also set the`immutable` flag in the audit configuration. |
| [Auditd Logs](asciidocalypse://docs/reference/auditd.md) integration | Use this integration if you don’t need to manage rules. It only parses logs fromthe audit daemon `auditd`. Please note that the events created by this integrationare different than the ones created by[Auditd Manager](asciidocalypse://docs/reference/auditd_manager.md), since the latter merges allrelated messages in a single event while [Auditd Logs](asciidocalypse://docs/reference/auditd.md)creates one event per message. |
| [File Integrity](asciidocalypse://docs/reference/auditbeat/auditbeat-module-file_integrity.md) module | [File Integrity Monitoring](asciidocalypse://docs/reference/fim.md) integration | This integration is a direct replacement of the module. It reports real-timeevents, but cannot report who made the changes. If you need to track thisinformation, use [{{elastic-defend}}](/reference/security/elastic-defend/install-endpoint.md)instead. |
| [File Integrity](asciidocalypse://docs/reference/auditbeat/auditbeat-module-file_integrity.md) module | [File Integrity Monitoring](asciidocalypse://docs/reference/fim.md) integration | This integration is a direct replacement of the module. It reports real-timeevents, but cannot report who made the changes. If you need to track thisinformation, use [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md) instead. |
| [System](asciidocalypse://docs/reference/auditbeat/auditbeat-module-system.md) module | It depends…​ | There is not a single integration that collects all this information. |
| [System.host](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-host.md) dataset | [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Schedule collection of information like:<br><br>* [system_info](https://www.osquery.io/schema/5.1.0/#system_info) for hostname, unique ID, and architecture<br>* [os_version](https://www.osquery.io/schema/5.1.0/#os_version)<br>* [interface_addresses](https://www.osquery.io/schema/5.1.0/#interface_addresses) for IPs and MACs<br> |
| [System.login](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-login.md) dataset | [Endpoint](/reference/security/elastic-defend/install-endpoint.md) | Report login events. |
| [System.login](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-login.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Report login events. |
| [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Use the [last](https://www.osquery.io/schema/5.1.0/#last) table for Linux and macOS. |
| {{fleet}} [system](asciidocalypse://docs/reference/system.md) integration | Collect login events for Windows through the [Security event log](asciidocalypse://docs/reference/system.md#system-security). |
| [System.package](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-package.md) dataset | [System Audit](asciidocalypse://docs/reference/system_audit.md) integration | This integration is a direct replacement of the System Package dataset. Starting in {{stack}} 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br> |
| [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Schedule collection of information like:<br><br>* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)<br>* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)<br>* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)<br>* [apps](https://www.osquery.io/schema/5.1.0/#apps) (MacOS)<br>* [programs](https://www.osquery.io/schema/5.1.0/#programs) (Windows)<br>* [npm_packages](https://www.osquery.io/schema/5.1.0/#npm_packages)<br>* [atom_packages](https://www.osquery.io/schema/5.1.0/#atom_packages)<br>* [chocolatey_packages](https://www.osquery.io/schema/5.1.0/#chocolatey_packages)<br>* [portage_packages](https://www.osquery.io/schema/5.1.0/#portage_packages)<br>* [python_packages](https://www.osquery.io/schema/5.1.0/#python_packages)<br> |
| [System.process](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/reference/security/elastic-defend/install-endpoint.md) | Best replacement because out of the box it reports events forevery process in [ECS](asciidocalypse://docs/reference/index.md) format and has excellentintegration in [Kibana](/get-started/the-stack.md). |
| [System.process](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events forevery process in [ECS](asciidocalypse://docs/reference/index.md) format and has excellentintegration in [Kibana](/get-started/the-stack.md). |
| [Custom Windows event log](asciidocalypse://docs/reference/winlog.md) and{{integrations-docs}}/windows#sysmonoperational[Sysmon] integrations | Provide process data. |
| [Osquery](asciidocalypse://docs/reference/osquery.md) or[Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Collect data from the [process](https://www.osquery.io/schema/5.1.0/#process) table on some OSeswithout polling. |
| [System.socket](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/reference/security/elastic-defend/install-endpoint.md) | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). |
| [System.socket](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). |
| [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Monitor socket events via the [socket_events](https://www.osquery.io/schema/5.1.0/#socket_events) tablefor Linux and MacOS. |
| [System.user](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-user.md) dataset | [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Monitor local users via the [user](https://www.osquery.io/schema/5.1.0/#user) table for Linux, Windows, and MacOS. |
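Review bot: The File Integrity row gains the missing space before "instead", but the same changed line still reads "real-timeevents" and "thisinformation", and the other changed rows keep "forevery", "excellentintegration", "Linux,Windows", "notdo" and "doescollect". Since these rows are being touched anyway, please restore the spaces lost at the old line wraps in the same change. The `asciidocalypse://` link targets in these rows are left unresolved as well; if that is intentional for this PR, a follow-up issue reference would help.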

Expand Up @@ -64,7 +64,7 @@ If you run into problems, refer to [Troubleshoot common problems](/troubleshoot/
If you are using DEB or RPM, you can use the package manager to remove the installed package.

::::{note}
For hosts enrolled in the {{elastic-defend}} integration with Agent tamper protection enabled, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. Refer to the [Agent tamper protection docs](/reference/security/elastic-defend/agent-tamper-protection.md) for more information.
For hosts enrolled in the {{elastic-defend}} integration with Agent tamper protection enabled, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. For more information, refer to [](/solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md).
::::
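Review bot: The new link in the tamper protection note has empty link text, `[](/solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md)`, while every other link updated in this PR keeps explicit text. If the docs build fills in the target page title for empty link text this will render, but please confirm that in the preview; otherwise restore explicit text so readers can still find the `--uninstall-token` guidance. The sentence was also reworded here, which goes beyond the path update made elsewhere in the PR.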


60 changes: 0 additions & 60 deletions reference/security/elastic-defend/agent-tamper-protection.md

This file was deleted.

26 changes: 0 additions & 26 deletions reference/security/elastic-defend/artifact-control.md

This file was deleted.
