From 20fafd47a8a5b673994b81795c998de496d18d7f Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 3 Mar 2025 11:11:07 +0000 Subject: [PATCH 1/6] endpoints --- .../serverless/security-endpoints-page.md | 145 ------------------ raw-migrated-files/toc.yml | 1 - .../manage-elastic-defend/endpoints.md | 31 +--- 3 files changed, 6 insertions(+), 171 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-endpoints-page.md diff --git a/raw-migrated-files/docs-content/serverless/security-endpoints-page.md b/raw-migrated-files/docs-content/serverless/security-endpoints-page.md deleted file mode 100644 index 100ec71cab..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-endpoints-page.md +++ /dev/null 
@@ -1,145 +0,0 @@ -# Endpoints [security-endpoints-page] - -The **Endpoints** page (**Assets** → **Endpoints**) allows administrators to view and manage endpoints that are running the [{{elastic-defend}} integration](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md). - -::::{admonition} Requirements -:class: note - -* {{fleet}} must be enabled for administrative actions to function correctly. -* You must have the appropriate user role to use this feature. - -:::: - - - -## Endpoints list [endpoints-list-ov] - -The **Endpoints** list displays all hosts running {{elastic-defend}} and their relevant integration details. Endpoints appear in chronological order, with newly added endpoints at the top. - -:::{image} ../../../images/serverless--management-admin-endpoints-pg.png -:alt: Endpoints page -:class: screenshot -::: - -The Endpoints list provides the following data: - -* **Endpoint**: The system hostname. Click the link to display [endpoint details](../../../solutions/security/manage-elastic-defend/endpoints.md#endpoint-details) in a flyout. -* **Agent Status**: The current status of the {{agent}}, which is one of the following: - - * `Healthy`: The agent is online and communicating with {{elastic-sec}}. - * `Unenrolling`: The agent is currently unenrolling and will soon be removed from Fleet. Afterward, the endpoint will also uninstall. - * `Unhealthy`: The agent is online but requires attention from an administrator because it’s reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to [Endpoint management troubleshooting](../../../troubleshoot/security/elastic-defend.md) for more on resolving an unhealthy agent status. - * `Updating`: The agent is online and is updating the agent policy or binary, or is enrolling or unenrolling. 
- * `Offline`: The agent is still enrolled but may be on a machine that is shut down or currently does not have internet access. In this state, the agent is no longer communicating with {{elastic-sec}} at a regular interval. - - ::::{note} - {{agent}} statuses in {{fleet}} correspond to the agent statuses in the {{security-app}}. - - :::: - -* **Policy:** The name of the associated integration policy when the agent was installed. Click the link to display the [integration policy details](../../../solutions/security/manage-elastic-defend/endpoints.md#integration-policy-details) page. -* **Policy status:** Indicates whether the integration policy was successfully applied. Click the link to view [policy status](../../../solutions/security/manage-elastic-defend/endpoints.md#policy-status) response details in a flyout. -* **OS**: The host’s operating system. -* **IP address**: All IP addresses associated with the hostname. -* **Version**: The {{agent}} version currently running. -* **Last active**: A date and timestamp of the last time the {{agent}} was active. -* **Actions**: Select the context menu (*…​*) to do the following: - - * **Isolate host**: [Isolate the host](../../../solutions/security/endpoint-response-actions/isolate-host.md) from your network, blocking communication until the host is released. - * **Respond**: Open the [response console](../../../solutions/security/endpoint-response-actions.md) to perform response actions directly on the host. - * **View response actions history**: View a [history of response actions](../../../solutions/security/manage-elastic-defend/endpoints.md#response-action-history-tab) performed on the host. - * **View host details**: View host details on the **Hosts** page in the {{security-app}}. - * **View agent policy**: View the agent policy in {{fleet}}. - * **View agent details**: View {{agent}} details and activity logs in {{fleet}}. 
- * **Reassign agent policy**: Change the [agent policy](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/agent-policy.md#apply-a-policy) assigned to the host in {{fleet}}. - - - -### Endpoint details [endpoint-details] - -Click any link in the **Endpoint** column to display host details in a flyout. You can also use the **Take Action** menu button to perform the same actions as those listed in the Actions context menu, such as isolating the host, viewing host details, and viewing or reassigning the agent policy. - -:::{image} ../../../images/serverless--management-admin-host-flyout.png -:alt: Endpoint details flyout -:class: screenshot -::: - - -### Response actions history [response-action-history-tab] - -The endpoint details flyout also includes the **Response actions history** tab, which provides a log of the [response actions](../../../solutions/security/endpoint-response-actions.md) performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to [Response actions history](../../../solutions/security/endpoint-response-actions/response-actions-history.md) for more details. - -:::{image} ../../../images/serverless--management-admin-response-actions-history-endpoint-details.png -:alt: Response actions history with a few past actions -:class: screenshot -::: - - -### Integration policy details [integration-policy-details] - -To view the integration policy page, click the link in the **Policy** column. If you are viewing host details, you can also click the **Policy** link on the flyout. - -On this page, you can view and configure endpoint protection and event collection settings. In the upper-right corner are Key Performance Indicators (KPIs) that provide current endpoint status. If you need to update the policy, make changes as appropriate, then click the **Save** button to apply the new changes. 
- -::::{note} -Users must have permission to read/write to {{fleet}} APIs to make changes to the configuration. - -:::: - - -:::{image} ../../../images/serverless--management-admin-integration-pg.png -:alt: Integration page -:class: screenshot -::: - -Users who have unique configuration and security requirements can select **Show advanced settings** to configure the policy to support advanced use cases. Hover over each setting to view its description. - -::::{note} -Advanced settings are not recommended for most users. - -:::: - - -:::{image} ../../../images/serverless--management-admin-integration-advanced-settings.png -:alt: Integration page -:class: screenshot -::: - - -### Policy status [policy-status] - -The status of the integration policy appears in the **Policy status** column and displays one of the following: - -* `Success`: The policy was applied successfully. -* `Warning` or `Partially Applied`: The policy is pending application, or the policy was not applied in its entirety. - - ::::{note} - In some cases, actions taken on the endpoint may fail during policy application, but these cases are not critical failures - meaning there may be a failure, but the endpoints are still protected. In this case, the policy status will display as "Partially Applied." - - :::: - -* `Failure`: The policy did not apply correctly, and endpoints are not protected. -* `Unknown`: The user interface is waiting for the API response to return, or, in rare cases, the API returned an undefined error or value. - -For more details on what’s causing a policy status, click the link in the **Policy status** column and review the details flyout. Expand each section and subsection to display individual responses from the agent. - -::::{tip} -If you need help troubleshooting a configuration failure, refer to [Endpoint management troubleshooting](../../../troubleshoot/security/elastic-defend.md) and [{{fleet}} troubleshooting](../../../troubleshoot/ingest/fleet/common-problems.md). 
- -:::: - - -:::{image} ../../../images/serverless--management-admin-config-status.png -:alt: Config status details -:class: screenshot -::: - - -### Filter endpoints [security-endpoints-page-filter-endpoints] - -To filter the Endpoints list, use the search bar to enter a query using **https://www.elastic.co/guide/en/kibana/current/kuery-query.html[{{kib}} Query Language (KQL)]**. To refresh the search results, click **Refresh**. - -::::{note} -The date and time picker on the right side of the page allows you to set a time interval to automatically refresh the Endpoints list — for example, to check if new endpoints were added or deleted. - -:::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 9866403943..04acb5acf8 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -218,7 +218,6 @@ toc: - file: docs-content/serverless/security-detection-engine-overview.md - file: docs-content/serverless/security-detection-response-dashboard.md - file: docs-content/serverless/security-detections-requirements.md - - file: docs-content/serverless/security-endpoints-page.md - file: docs-content/serverless/security-environment-variable-capture.md - file: docs-content/serverless/security-event-filters.md - file: docs-content/serverless/security-get-started-with-kspm.md diff --git a/solutions/security/manage-elastic-defend/endpoints.md b/solutions/security/manage-elastic-defend/endpoints.md index ab3c636dbb..f1fb4c27a7 100644 --- a/solutions/security/manage-elastic-defend/endpoints.md +++ b/solutions/security/manage-elastic-defend/endpoints.md 
@@ -6,33 +6,15 @@ mapped_urls: # Endpoints -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/admin-page-ov.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-endpoints-page.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$endpoint-details$$$ - -$$$integration-policy-details$$$ - -$$$policy-status$$$ - -$$$response-action-history-tab$$$ The Endpoints page allows administrators to view and manage endpoints that are running the [{{elastic-defend}} integration](/solutions/security/configure-elastic-defend/install-elastic-defend.md). ::::{admonition} Requirements * {{fleet}} must be enabled in a {{kib}} space for administrative actions to function correctly. -* You must have the **Endpoint List** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) to access this feature. - +* You must have the **Endpoint List** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role to access this feature. :::: - ## Endpoints list [endpoints-list-ov] The **Endpoints** list displays all hosts running {{elastic-defend}} and their relevant integration details. Endpoints appear in chronological order, with newly added endpoints at the top. 
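Review bot: dropping the four `$$$...$$$` anchor lines (`$$$endpoint-details$$$`, `$$$integration-policy-details$$$`, `$$$policy-status$$$`, `$$$response-action-history-tab$$$`) in this hunk is only safe if each ID still exists as a heading ID on the stateful page; the later hunks in this file show `### Endpoint details [endpoint-details]`, `### Response actions history [response-action-history-tab]` and the policy status section, but no heading carrying `[integration-policy-details]` is visible in the diff, and the serverless page being deleted linked to `endpoints.md#integration-policy-details`, so please confirm that heading ID is present before removing its anchor. Two smaller points on the same hunk: the merged requirement line `+* You must have the **Endpoint List** [privilege](...) or the appropriate user role to access this feature.` folds two different access models (Kibana feature privileges on stateful, predefined roles on serverless) into one sentence without saying which applies where, so consider stating the deployment type for each or linking "appropriate user role" to the serverless roles documentation; and since the serverless source file is deleted in this patch, it is worth checking that the `mapped_urls:` front matter shown as context here covers the serverless `security-endpoints-page` URL.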
@@ -49,7 +31,7 @@ The Endpoints list provides the following data: * `Healthy`: The agent is online and communicating with {{kib}}. * `Unenrolling`: The agent is currently unenrolling and will soon be removed from Fleet. Afterward, the endpoint will also uninstall. - * `Unhealthy`: The agent is online but requires attention from an administrator because it’s reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to [Endpoint management troubleshooting](/troubleshoot/security/elastic-defend.md#ts-unhealthy-agent) for more on resolving an unhealthy agent status. + * `Unhealthy`: The agent is online but requires attention from an administrator because it’s reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to [](/troubleshoot/security/elastic-defend.md#ts-unhealthy-agent) for more on resolving an unhealthy agent status. * `Updating`: The agent is online and is updating the agent policy or binary, or is enrolling or unenrolling. * `Offline`: The agent is still enrolled but may be on a machine that is shut down or currently does not have internet access. In this state, the agent is no longer communicating with {{kib}} at a regular interval. 
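Review bot: the replacement of explicit link text with an empty-text link in `+ ... Refer to [](/troubleshoot/security/elastic-defend.md#ts-unhealthy-agent) for more on resolving an unhealthy agent status.` relies on the build tool filling in a title for a link that targets a section anchor, not a page; please check the rendered output so that the sentence still reads naturally (the previous text, "Endpoint management troubleshooting", was chosen to fit the surrounding sentence).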
@@ -61,7 +43,7 @@ The Endpoints list provides the following data: * **Policy status:** Indicates whether the integration policy was successfully applied. Click the link to view [policy status](/solutions/security/manage-elastic-defend/endpoints.md#policy-status) response details in a flyout. * **OS**: The host’s operating system. * **IP address**: All IP addresses associated with the hostname. -* **Version**: The {{stack}} version currently running. +* **Version**: The {{agent}} version currently running. * **Last active**: A date and timestamp of the last time the {{agent}} was active. * **Actions**: Select the context menu (**…​**) to do the following: @@ -74,7 +56,6 @@ The Endpoints list provides the following data: * **Reassign agent policy**: Change the [agent policy](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/agent-policy.md#apply-a-policy) assigned to the host in {{fleet}}. - ### Endpoint details [endpoint-details] Click any link in the **Endpoint** column to display host details in a flyout. You can also use the **Take Action** menu button to perform the same actions as those listed in the Actions context menu, such as isolating the host, viewing host details, and viewing or reassigning the agent policy. 
@@ -87,7 +68,7 @@ Click any link in the **Endpoint** column to display host details in a flyout. Y ### Response actions history [response-action-history-tab] -The endpoint details flyout also includes the **Response actions history** tab, which provides a log of the [response actions](/solutions/security/endpoint-response-actions.md) performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to [*Response actions history*](/solutions/security/endpoint-response-actions/response-actions-history.md) for more details. +The endpoint details flyout also includes the **Response actions history** tab, which provides a log of the [response actions](/solutions/security/endpoint-response-actions.md) performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to [](/solutions/security/endpoint-response-actions/response-actions-history.md) for more details. :::{image} ../../../images/security-response-actions-history-endpoint-details.png :alt: Response actions history with a few past actions @@ -141,7 +122,7 @@ The status of the integration policy appears in the **Policy status** column and For more details on what’s causing a policy status, click the link in the **Policy status** column and review the details flyout. Expand each section and subsection to display individual responses from the agent. ::::{tip} -If you need help troubleshooting a configuration failure, refer to [Endpoint management troubleshooting](/troubleshoot/security/elastic-defend.md#ts-unhealthy-agent) and [{{fleet}} troubleshooting](/troubleshoot/ingest/fleet/common-problems.md). +If you need help troubleshooting a configuration failure, refer to [](/troubleshoot/security/elastic-defend.md#ts-unhealthy-agent) and [](/troubleshoot/ingest/fleet/common-problems.md). :::: 
@@ -153,7 +134,7 @@ If you need help troubleshooting a configuration failure, refer to [Endpoint man ### Filter endpoints [_filter_endpoints] -To filter the Endpoints list, use the search bar to enter a query using **https://www.elastic.co/guide/en/kibana/current/kuery-query.html[{{kib}} Query Language (KQL)]**. To refresh the search results, click **Refresh**. +To filter the Endpoints list, use the search bar to enter a query using [{{kib}} Query Language (KQL)](/explore-analyze/query-filter/languages/kql.md). To refresh the search results, click **Refresh**. :::{image} ../../../images/security-filter-endpoints.png :alt: filter endpoints From 93977a1cfc675da8af74ead271161da41343a6e7 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 3 Mar 2025 11:16:00 +0000 Subject: [PATCH 2/6] policies --- .../serverless/security-policies-page.md | 18 ------------------ raw-migrated-files/toc.yml | 1 - .../security/manage-elastic-defend/policies.md | 12 ++---------- 3 files changed, 2 insertions(+), 29 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-policies-page.md diff --git a/raw-migrated-files/docs-content/serverless/security-policies-page.md b/raw-migrated-files/docs-content/serverless/security-policies-page.md deleted file mode 100644 index da387ed736..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-policies-page.md +++ /dev/null 
@@ -1,18 +0,0 @@ -# Policies [security-policies-page] - -The **Policies** page (**Assets** → **Policies**) lists all of the integration policies configured for {{elastic-defend}}. - -::::{admonition} Requirements -:class: note - -You must have the appropriate user role to use this feature. - -:::: - - -Click on an integration policy’s name to configure its settings. For more information on configuring an integration policy, refer to [Configure an integration policy for {{elastic-defend}}](../../../solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md). - -:::{image} ../../../images/serverless--management-admin-policy-list.png -:alt: management admin policy list -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 04acb5acf8..7975e8f803 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -228,7 +228,6 @@ toc: - file: docs-content/serverless/security-llm-connector-guides.md - file: docs-content/serverless/security-llm-performance-matrix.md - file: docs-content/serverless/security-overview-dashboard.md - - file: docs-content/serverless/security-policies-page.md - file: docs-content/serverless/security-posture-faq.md - file: docs-content/serverless/security-posture-management.md - file: docs-content/serverless/security-prebuilt-rules-management.md diff --git a/solutions/security/manage-elastic-defend/policies.md b/solutions/security/manage-elastic-defend/policies.md index ab3423608a..6475b32004 100644 --- a/solutions/security/manage-elastic-defend/policies.md +++ b/solutions/security/manage-elastic-defend/policies.md 
@@ -6,22 +6,14 @@ mapped_urls: # Policies -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/policies-page-ov.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-policies-page.md The **Policies** page lists all of the integration policies configured for {{elastic-defend}}. ::::{admonition} Requirements -You must have the **{{elastic-defend}} Policy Management** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) to access this feature. - +You must have the **{{elastic-defend}} Policy Management** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role to access this feature. :::: - -Click on an integration policy’s name to configure its settings. For more information on configuring an integration policy, refer to [*Configure an integration policy for {{elastic-defend}}*](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md). +Click on an integration policy’s name to configure its settings. For more information on configuring an integration policy, refer to [](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md). :::{image} ../../../images/security-policy-list.png :alt: policy list From 42e3b698972989cadeb3eed1a8653e8a5f6ec154 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 3 Mar 2025 11:25:53 +0000 Subject: [PATCH 3/6] trusted apps --- .../security-trusted-applications.md | 100 ------------------ raw-migrated-files/toc.yml | 1 - .../trusted-applications.md | 22 ++-- 3 files changed, 7 insertions(+), 116 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-trusted-applications.md 
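Review bot: the requirement line `+You must have the **{{elastic-defend}} Policy Management** [privilege](...) or the appropriate user role to access this feature.` in this hunk has the same problem as the equivalent line in the endpoints.md hunk of PATCH 1/6: it merges the stateful privilege requirement and the serverless role requirement into an "or" without telling the reader which one applies to their deployment, so either qualify each clause by deployment type or link the role wording to the serverless roles page.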
diff --git a/raw-migrated-files/docs-content/serverless/security-trusted-applications.md b/raw-migrated-files/docs-content/serverless/security-trusted-applications.md deleted file mode 100644 index 46e3ac063f..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-trusted-applications.md +++ /dev/null 
@@ -1,100 +0,0 @@ -# Trusted applications [security-trusted-applications] - -::::{note} -If you use {{elastic-defend}} along with other antivirus (AV) software, you might need to configure the other system to trust {{elastic-endpoint}}. Refer to [Allowlist {{elastic-endpoint}} in third-party antivirus apps](../../../solutions/security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md) for more information. - -:::: - - -You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {{elastic-defend}} integration. - -::::{admonition} Requirements -:class: note - -You must have the appropriate user role to use this feature. - -:::: - - -Trusted applications create blindspots for {{elastic-defend}}, because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application’s process. - -Trusted applications might still generate alerts in some cases, such as if the application’s process events indicate malicious behavior. To reduce false positive alerts, add an [Endpoint alert exception](../../../solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions), which prevents {{elastic-defend}} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to [Optimize {{elastic-defend}}](../../../solutions/security/manage-elastic-defend/optimize-elastic-defend.md). 
- -Additionally, trusted applications still generate process events for visualizations and other internal use by the {{stack}}. To prevent process events from being written to {{es}}, use an [event filter](../../../solutions/security/manage-elastic-defend/event-filters.md) to filter out the specific events that you don’t want stored in {{es}}, but be aware that features that depend on these process events may not function correctly. - -By default, a trusted application is recognized globally across all hosts running {{elastic-defend}}. You can also assign a trusted application to a specific {{elastic-defend}} integration policy, enabling the application to be trusted by only the hosts assigned to that policy. - -To add a trusted application: - -1. Find **Trusted applications** in the navigation menu or use the global search field. -2. Click **Add trusted application**. -3. Fill in the following fields in the **Add trusted application** flyout: - - * `Name your trusted application`: Enter a name for the trusted application. - * `Description`(Optional): Enter a description for the trusted application. - * `Select operating system`: Select the appropriate operating system from the drop-down. - * `Field`: Select a field to identify the trusted application: - - * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application’s executable. - * `Path`: The full file path of the application’s executable. - * `Signature`: (Windows and macOS only) The name of the application’s digital signer. - - ::::{tip} - To find the signer’s name for an application, go to **Discover** and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`). 
- - :::: - - * `Operator`: Select an operator to define the condition: - - * `is`: Must be *exactly* equal to `Value`; wildcards are not supported. This operation is required for the `Hash` and `Signature` field types. - * `matches`: Can include wildcards in `Value`, such as `C:\path*\app.exe`. This operator is only available for the `Path` field type. Available wildcards are `?` (match one character) and `*` (match zero or more characters). - - * `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**. - - ::::{note} - You can only add a single field type value per trusted application. For example, if you try to add two `Path` values, you’ll get an error message. Also, an application’s hash value must be valid to add it as a trusted application. In addition, to minimize visibility gaps in the {{security-app}}, be as specific as possible in your entries. For example, combine `Signature` information with a known `Path`. - - :::: - -4. Select an option in the **Assignment** section to assign the trusted application to a specific integration policy: - - * `Global`: Assign the trusted application to all integration policies for {{elastic-defend}}. - * `Per Policy`: Assign the trusted application to one or more specific {{elastic-defend}} integration policies. Select each policy in which you want the application to be trusted. - - ::::{note} - You can also select the `Per Policy` option without immediately assigning a policy to the trusted application. For example, you could do this to create and review your trusted application configurations before putting them into action with a policy. - - :::: - -5. Click **Add trusted application**. The application is added to the **Trusted applications** list. - - -## View and manage trusted applications [trusted-apps-list] - -The **Trusted applications** page (**Assets** → **Trusted applications**) displays all the trusted applications that have been added to the {{security-app}}. 
To refine the list, use the search bar to search by name, description, or field value. - -:::{image} ../../../images/serverless--management-admin-trusted-apps-list.png -:alt: management admin trusted apps list -:class: screenshot -::: - - -### Edit a trusted application [edit-trusted-app] - -You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to. - -To edit a trusted application: - -1. Click the actions menu (*…​*) on the trusted application you want to edit, then select **Edit trusted application**. -2. Modify details as needed. -3. Click **Save**. - - -### Delete a trusted application [delete-trusted-app] - -You can delete a trusted application, which removes it entirely from all {{elastic-defend}} integration policies. - -To delete a trusted application: - -1. Click the actions menu (*…​*) on the trusted application you want to delete, then select **Delete trusted application**. -2. On the dialog that opens, verify that you are removing the correct application, then click **Delete**. A confirmation message is displayed. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 7975e8f803..bfeb702828 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -244,7 +244,6 @@ toc: - file: docs-content/serverless/security-signals-to-cases.md - file: docs-content/serverless/security-third-party-actions.md - file: docs-content/serverless/security-triage-alerts-with-elastic-ai-assistant.md - - file: docs-content/serverless/security-trusted-applications.md - file: docs-content/serverless/security-tune-detection-signals.md - file: docs-content/serverless/security-view-alert-details.md - file: docs-content/serverless/security-visualize-alerts.md diff --git a/solutions/security/manage-elastic-defend/trusted-applications.md b/solutions/security/manage-elastic-defend/trusted-applications.md index 8d70e803b4..f604ab731a 100644 
--- a/solutions/security/manage-elastic-defend/trusted-applications.md +++ b/solutions/security/manage-elastic-defend/trusted-applications.md 
@@ -6,33 +6,25 @@ mapped_urls: # Trusted applications -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/trusted-apps-ov.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-trusted-applications.md - ::::{note} -If you use {{elastic-defend}} along with other antivirus (AV) software, you might need to configure the other system to trust {{elastic-endpoint}}. Refer to [*Allowlist {{elastic-endpoint}} in third-party antivirus apps*](/solutions/security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md) for more information. +If you use {{elastic-defend}} along with other antivirus (AV) software, you might need to configure the other system to trust {{elastic-endpoint}}. Refer to [](/solutions/security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md) for more information. :::: You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {{elastic-defend}} integration. ::::{admonition} Requirements -You must have the **Trusted Applications** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) to access this feature. - +You must have the **Trusted Applications** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role to access this feature. :::: Trusted applications create blindspots for {{elastic-defend}}, because the applications are no longer monitored for threats. 
One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application’s process. -Trusted applications might still generate alerts in some cases, such as if the application’s process events indicate malicious behavior. To reduce false positive alerts, add an [Endpoint alert exception](/solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions), which prevents {{elastic-defend}} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to [*Optimize {{elastic-defend}}*](/solutions/security/manage-elastic-defend/optimize-elastic-defend.md). +Trusted applications might still generate alerts in some cases, such as if the application’s process events indicate malicious behavior. To reduce false positive alerts, add an [Endpoint alert exception](/solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions), which prevents {{elastic-defend}} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to [](/solutions/security/manage-elastic-defend/optimize-elastic-defend.md). Additionally, trusted applications still generate process events for visualizations and other internal use by the {{stack}}. To prevent process events from being written to {{es}}, use an [event filter](/solutions/security/manage-elastic-defend/event-filters.md) to filter out the specific events that you don’t want stored in {{es}}, but be aware that features that depend on these process events may not function correctly. -By default, a trusted application is recognized globally across all hosts running {{elastic-defend}}. 
If you have a [Platinum or Enterprise subscription](https://www.elastic.co/pricing), you can also assign a trusted application to a specific {{elastic-defend}} integration policy, enabling the application to be trusted by only the hosts assigned to that policy. +By default, a trusted application is recognized globally across all hosts running {{elastic-defend}}. You can also assign a trusted application to a specific {{elastic-defend}} integration policy, enabling the application to be trusted by only the hosts assigned to that policy. To add a trusted application: @@ -50,7 +42,7 @@ To add a trusted application: * `Signature`: (Windows and macOS only) The name of the application’s digital signer. ::::{tip} - To find the signer’s name for an application, go to **Kibana** → **Discover** and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`). + To find the signer’s name for an application, go to **Discover** and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`). :::: * `Operator`: Select an operator to define the condition: 
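Review bot: the `@@ -6,33 +6,25` hunk removes the licensing condition on per-policy assignment without replacing it: the deleted line says "If you have a [Platinum or Enterprise subscription], you can also assign a trusted application to a specific {{elastic-defend}} integration policy", while the added line states the capability unconditionally. The host isolation patch later in this series handles the same situation by keeping the requirement and phrasing it as "the appropriate subscription in {{stack}} or project feature in {{serverless-short}}"; unless the license gate was actually removed from the product, do the same here so a stateful reader on a lower tier is not told they can assign per policy. The same silent drop recurs in the `Per Policy` hunk (`@@ -67,7 +59,7`) and the edit hunk (`@@ -88,7 +80,7`). In the same hunk, the new Requirements wording "the **Trusted Applications** privilege or the appropriate user role" reads as two alternatives, but a role is simply how the privilege is granted; something like "the **Trusted Applications** privilege (on {{serverless-short}}, a role that includes it)" says what is meant, provided that matches the serverless role model.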
@@ -67,7 +59,7 @@ To add a trusted application: 4. Select an option in the **Assignment** section to assign the trusted application to a specific integration policy: * `Global`: Assign the trusted application to all integration policies for {{elastic-defend}}. - * `Per Policy` (Platinum or Enterprise subscription only): Assign the trusted application to one or more specific {{elastic-defend}} integration policies. Select each policy in which you want the application to be trusted. + * `Per Policy`: Assign the trusted application to one or more specific {{elastic-defend}} integration policies. Select each policy in which you want the application to be trusted. ::::{note} You can also select the `Per Policy` option without immediately assigning a policy to the trusted application. For example, you could do this to create and review your trusted application configurations before putting them into action with a policy. @@ -88,7 +80,7 @@ The **Trusted applications** page displays all the trusted applications that hav ### Edit a trusted application [edit-trusted-app] -You can individually modify each trusted application. With a Platinum or Enterprise subscription, you can also change the policies that a trusted application is assigned to. +You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to. To edit a trusted application: From 3e8f81a01afc584aea481c6ca4df7cb31142037e Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 3 Mar 2025 11:40:47 +0000 Subject: [PATCH 4/6] event filters --- .../serverless/security-event-filters.md | 120 ------------------ raw-migrated-files/toc.yml | 1 - .../manage-elastic-defend/event-filters.md | 25 ++-- 3 files changed, 8 insertions(+), 138 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-event-filters.md 
diff --git a/raw-migrated-files/docs-content/serverless/security-event-filters.md b/raw-migrated-files/docs-content/serverless/security-event-filters.md deleted file mode 100644 index 5a854e97c4..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-event-filters.md +++ /dev/null 
@@ -1,120 +0,0 @@ -# Event filters [security-event-filters] - -Event filters allow you to filter out endpoint events that you don’t want stored in {{es}} — for example, high-volume events. By creating event filters, you can optimize your storage in {{es}}. - -Event filters do not lower CPU usage on hosts; {{elastic-endpoint}} still monitors events to detect and prevent possible threats, but without writing event data to {{es}}. To compare event filters with other endpoint artifacts, refer to [Optimize {{elastic-defend}}](../../../solutions/security/manage-elastic-defend/optimize-elastic-defend.md). - -::::{admonition} Requirements -:class: note - -You must have the appropriate user role to use this feature. - -:::: - - -::::{important} -Since an event filter blocks an event from streaming to {{es}}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters. - -:::: - - -By default, event filters are recognized globally across all hosts running {{elastic-defend}}. You can also assign an event filter to a specific {{elastic-defend}} integration policy, which would filter endpoint events from the hosts assigned to that policy. - -Create event filters from the **Hosts** page or the **Event filters** page. - -1. Do one of the following: - - * To create an event filter from the **Hosts** page: - - 1. Select the **Events** tab to view the Events table. - 2. Find the event to filter, click the **More actions** menu (![More actions menu icon](../../../images/serverless-boxesHorizontal.svg "")), then select **Add Endpoint event filter**. - - ::::{tip} - Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the {{elastic-endpoint}}. 
For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`. - - :::: - - * To create an event filter from the **Event filters** page: - - 1. Click **Add event filter**, which opens a flyout. - - :::{image} ../../../images/serverless--management-admin-event-filter.png - :alt: management admin event filter - :class: screenshot - ::: - -2. Fill in these fields in the **Details** section: - - 1. `Name`: Enter a name for the event filter. - 2. `Description`: Enter a filter description (optional). - -3. In the **Conditions** section, depending which page you’re using to create the filter, either modify the pre-populated conditions or add new conditions to define how {{elastic-sec}} will filter events. Use these settings: - - 1. `Select operating system`: Select the appropriate operating system. - 2. Select which kind of event filter you’d like to create: - - * `Events`: Create a generic event filter that can match any event type. All matching events are excluded. - * `Process Descendants`: Specify a process, and suppress the activity of its descendant processes. Events from the matched process will be ingested, but events from its descendant processes will be excluded. - - This option adds the condition `event.category is process` to narrow the filter to process-type events. You can add more conditions to identify the process whose descendants you want to exclude. - - 3. `Field`: Select a field to identify the event being filtered. - 4. `Operator`: Select an operator to define the condition. Available options are: - - * `is` - * `is not` - * `is one of` - * `is not one of` - * `matches` | `does not match`: Allows you to use wildcards in `Value`, such as `C:\path*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). - - ::::{important} - Using wildcards in file paths can impact performance. 
To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. - - :::: - - 5. `Value`: Enter the value associated with the `Field`. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. - -4. To define multiple conditions, click the `AND` button and configure a new condition. You can also add nested conditions with the `Add nested condition` button. For example, the event filter pictured above excludes events whose `event.category` field is `network`, and whose `process.executable` field is as specified. -5. Select an option in the **Assignment** section to assign the event filter to a specific integration policy: - - * `Global`: Assign the event filter to all integration policies for {{elastic-defend}}. - * `Per Policy`: Assign the event filter to one or more specific {{elastic-defend}} integration policies. Select each policy in which you want the events to be filtered. - - ::::{note} - You can also select the `Per Policy` option without immediately assigning a policy to the event filter. For example, you could do this to create and review your event filter configurations before putting them into action with a policy. - - :::: - -6. Add a comment if you want to provide more information about the event filter (optional). -7. Click **Add event filter**. The new filter is added to the **Event filters** list. - - -## View and manage event filters [manage-event-filters] - -The **Event filters** page (**Assets** → **Event filters**) displays all the event filters that have been added to the {{security-app}}. To refine the list, use the search bar to search by filter name, description, comments, or field value. 
- -:::{image} ../../../images/serverless--management-admin-event-filters-list.png -:alt: management admin event filters list -:class: screenshot -::: - - -### Edit an event filter [edit-event-filter] - -You can individually modify each event filter. You can also change the policies that an event filter is assigned to. - -To edit an event filter: - -1. Click the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")) for the event filter you want to edit, then select **Edit event filter**. -2. Modify details or conditions as needed. -3. Click **Save**. - - -### Delete an event filter [delete-event-filter] - -You can delete an event filter, which removes it entirely from all {{elastic-defend}} integration policies. - -To delete an event filter: - -1. Click the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")) on the event filter you want to delete, then select **Delete event filter**. -2. On the dialog that opens, verify that you are removing the correct event filter, then click **Delete**. A confirmation message is displayed. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index bfeb702828..449e211769 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -219,7 +219,6 @@ toc: - file: docs-content/serverless/security-detection-response-dashboard.md - file: docs-content/serverless/security-detections-requirements.md - file: docs-content/serverless/security-environment-variable-capture.md - - file: docs-content/serverless/security-event-filters.md - file: docs-content/serverless/security-get-started-with-kspm.md - file: docs-content/serverless/security-host-isolation-exceptions.md - file: docs-content/serverless/security-interactive-investigation-guides.md diff --git a/solutions/security/manage-elastic-defend/event-filters.md b/solutions/security/manage-elastic-defend/event-filters.md index 70ae306e4c..0c502a9100 100644 
--- a/solutions/security/manage-elastic-defend/event-filters.md +++ b/solutions/security/manage-elastic-defend/event-filters.md @@ -6,20 +6,13 @@ mapped_urls: # Event filters -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/event-filters.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-event-filters.md Event filters allow you to filter out endpoint events that you don’t want stored in {{es}} — for example, high-volume events. By creating event filters, you can optimize your storage in {{es}}. -Event filters do not lower CPU usage on hosts; {{elastic-endpoint}} still monitors events to detect and prevent possible threats, but without writing event data to {{es}}. To compare event filters with other endpoint artifacts, refer to [*Optimize {{elastic-defend}}*](/solutions/security/manage-elastic-defend/optimize-elastic-defend.md). +Event filters do not lower CPU usage on hosts; {{elastic-endpoint}} still monitors events to detect and prevent possible threats, but without writing event data to {{es}}. To compare event filters with other endpoint artifacts, refer to [](/solutions/security/manage-elastic-defend/optimize-elastic-defend.md). ::::{admonition} Requirements -You must have the **Event Filters** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) to access this feature. - +You must have the **Event Filters** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role to access this feature. :::: 
@@ -28,7 +21,7 @@ Since an event filter blocks an event from streaming to {{es}}, be conscious of :::: -By default, event filters are recognized globally across all hosts running {{elastic-defend}}. If you have a [Platinum or Enterprise subscription](https://www.elastic.co/pricing), you can also assign an event filter to a specific {{elastic-defend}} integration policy, which would filter endpoint events from the hosts assigned to that policy. +By default, event filters are recognized globally across all hosts running {{elastic-defend}}. You can also assign an event filter to a specific {{elastic-defend}} integration policy, which would filter endpoint events from the hosts assigned to that policy. Create event filters from the **Hosts** page or the **Event filters** page. @@ -40,12 +33,10 @@ Create event filters from the **Hosts** page or the **Event filters** page. 2. Find the event to filter, click the **More actions** menu (**…​**), then select **Add Endpoint event filter**. ::::{tip} - Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the {{elastic-endpoint}}.
For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`. + Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by {{elastic-endpoint}}.
For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`. :::: - * To create an event filter from the **Event filters** page: - - 1. Cick **Add event filter**, which opens a flyout. + * To create an event filter from the **Event filters** page, click **Add event filter**. :::{image} ../../../images/security-event-filter.png @@ -61,7 +52,7 @@ Create event filters from the **Hosts** page or the **Event filters** page. 3. In the **Conditions** section, depending which page you’re using to create the filter, either modify the pre-populated conditions or add new conditions to define how {{elastic-sec}} will filter events. Use these settings: 1. `Select operating system`: Select the appropriate operating system. - 2. Select which kind of event filter you’d like to create: [8.15.0] + 2. Select which kind of event filter you’d like to create: * `Events`: Create a generic event filter that can match any event type. All matching events are excluded. * `Process Descendants`: Specify a process, and suppress the activity of its descendant processes. Events from the matched process will be ingested, but events from its descendant processes will be excluded. 
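Review bot: in the `@@ -61,7 +52,7` hunk, deleting `[8.15.0]` from "Select which kind of event filter you'd like to create" removes the only indication that the `Events` / `Process Descendants` selector is version-gated, so a stateful reader on an earlier release will look for an option that is not in their UI. Keep the version applicability in whatever annotation the new docs build supports instead of dropping the information.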
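Review bot: the `@@ -28,7 +21,7` hunk drops "If you have a [Platinum or Enterprise subscription]" from the per-policy assignment sentence, and the `@@ -87,7 +78,7` and `@@ -109,7 +100,7` hunks drop the matching "(Platinum or Enterprise subscription only)" and "With a Platinum or Enterprise subscription" qualifiers, leaving no statement of the license requirement on the aligned page. The host isolation patch in this series keeps its gate as "the appropriate subscription in {{stack}} or project feature in {{serverless-short}}"; apply the same phrasing here rather than removing the condition.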
@@ -87,7 +78,7 @@ Create event filters from the **Hosts** page or the **Event filters** page. 5. Select an option in the **Assignment** section to assign the event filter to a specific integration policy: * `Global`: Assign the event filter to all integration policies for {{elastic-defend}}. - * `Per Policy` (Platinum or Enterprise subscription only): Assign the event filter to one or more specific {{elastic-defend}} integration policies. Select each policy in which you want the events to be filtered. + * `Per Policy`: Assign the event filter to one or more specific {{elastic-defend}} integration policies. Select each policy in which you want the events to be filtered. ::::{note} You can also select the `Per Policy` option without immediately assigning a policy to the event filter. For example, you could do this to create and review your event filter configurations before putting them into action with a policy. @@ -109,7 +100,7 @@ The **Event filters** page displays all the event filters that have been added t ### Edit an event filter [edit-event-filter] -You can individually modify each event filter. With a Platinum or Enterprise subscription, you can also change the policies that an event filter is assigned to. +You can individually modify each event filter. You can also change the policies that an event filter is assigned to. To edit an event filter: From 63096b5d06c2901a2e750e97798d81b0df2cd71e Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 3 Mar 2025 11:58:59 +0000 Subject: [PATCH 5/6] host isolation --- .../security-host-isolation-exceptions.md | 73 ------------------- raw-migrated-files/toc.yml | 1 - .../host-isolation-exceptions.md | 15 +--- 3 files changed, 4 insertions(+), 85 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-host-isolation-exceptions.md 
diff --git a/raw-migrated-files/docs-content/serverless/security-host-isolation-exceptions.md b/raw-migrated-files/docs-content/serverless/security-host-isolation-exceptions.md deleted file mode 100644 index d6661fbec6..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-host-isolation-exceptions.md +++ /dev/null 
@@ -1,73 +0,0 @@ -# Host isolation exceptions [security-host-isolation-exceptions] - -You can configure host isolation exceptions for specific IP addresses that [isolated hosts](../../../solutions/security/endpoint-response-actions/isolate-host.md) are still allowed to communicate with, even when blocked from the rest of your network. Isolated hosts can still send data to {{elastic-sec}}, so you don’t need to set up host isolation exceptions for them. - -Host isolation exceptions support IPv4 addresses, with optional classless inter-domain routing (CIDR) notation. - -::::{admonition} Requirements -:class: note - -You must have the appropriate user role to use this feature. - -:::: - - -::::{important} -* Each host isolation exception IP address should be a highly trusted and secure location since you’re allowing it to communicate with hosts that have been isolated to prevent a potential threat from spreading. -* If your hosts depend on VPNs for network communication, you should also set up host isolation exceptions for those VPN servers' IP addresses. - -:::: - - -Host isolation requires the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). By default, a host isolation exception is recognized globally across all hosts running {{elastic-defend}}. You can also assign a host isolation exception to a specific {{elastic-defend}} integration policy, affecting only the hosts assigned to that policy. - -1. Find **Host isolation exceptions** in the navigation menu or use the global search field. -2. Click **Add Host isolation exception**. -3. Fill in these fields in the **Add Host isolation exception** flyout: - - 1. `Name your host isolation exceptions`: Enter a name to identify the host isolation exception. - 2. `Description`: Enter a description to provide more information on the host isolation exception (optional). - 3. 
`Enter IP Address`: Enter the IP address for which you want to allow communication with an isolated host. This must be an IPv4 address, with optional CIDR notation (for example, `0.0.0.0` or `1.0.0.0/24`, respectively). - -4. Select an option in the **Assignment** section to assign the host isolation exception to a specific integration policy: - - * `Global`: Assign the host isolation exception to all integration policies for {{elastic-defend}}. - * `Per Policy`: Assign the host isolation exception to one or more specific {{elastic-defend}} integration policies. Select each policy where you want the host isolation exception to apply. - - ::::{note} - You can also select the `Per Policy` option without immediately assigning a policy to the host isolation exception. For example, you could do this to create and review your host isolation exception configurations before putting them into action with a policy. - - :::: - -5. Click **Add Host isolation exception**. The new exception is added to the **Host isolation exceptions** list. - - -## View and manage host isolation exceptions [manage-host-isolation-exceptions] - -The **Host isolation exceptions** page displays all the host isolation exceptions that have been configured for {{elastic-sec}}. To refine the list, use the search bar to search by name, description, or IP address. - -:::{image} ../../../images/serverless--management-admin-host-isolation-exceptions-ui.png -:alt: List of host isolation exceptions -:class: screenshot -::: - - -### Edit a host isolation exception [edit-host-isolation-exception] - -You can individually modify each host isolation exception and change the policies that a host isolation exception is assigned to. - -To edit a host isolation exception: - -1. Click the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")) for the exception you want to edit, then select **Edit Exception**. -2. Modify details as needed. -3. Click **Save**. 
The newly modified exception appears at the top of the list. - - -### Delete a host isolation exception [delete-host-isolation-exception] - -You can delete a host isolation exception, which removes it entirely from all {{elastic-defend}} integration policies. - -To delete a host isolation exception: - -1. Click the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")) on the exception you want to delete, then select **Delete Exception**. -2. On the dialog that opens, verify that you are removing the correct host isolation exception, then click **Delete**. A confirmation message is displayed. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 449e211769..4364d9355e 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -220,7 +220,6 @@ toc: - file: docs-content/serverless/security-detections-requirements.md - file: docs-content/serverless/security-environment-variable-capture.md - file: docs-content/serverless/security-get-started-with-kspm.md - - file: docs-content/serverless/security-host-isolation-exceptions.md - file: docs-content/serverless/security-interactive-investigation-guides.md - file: docs-content/serverless/security-isolate-host.md - file: docs-content/serverless/security-kspm.md diff --git a/solutions/security/manage-elastic-defend/host-isolation-exceptions.md b/solutions/security/manage-elastic-defend/host-isolation-exceptions.md index bf6b9d4e8e..938eeefab6 100644 --- a/solutions/security/manage-elastic-defend/host-isolation-exceptions.md +++ b/solutions/security/manage-elastic-defend/host-isolation-exceptions.md 
@@ -6,20 +6,14 @@ mapped_urls: # Host isolation exceptions -% What needs to be done: Align serverless/stateful -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/host-isolation-exceptions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-host-isolation-exceptions.md - -You can configure host isolation exceptions for specific IP addresses that [isolated hosts](/solutions/security/endpoint-response-actions/isolate-host.md) are still allowed to communicate with, even when blocked from the rest of your network. Isolated hosts can still send data to {{es}} and {{kib}}, so you don’t need to set up host isolation exceptions for them. +You can configure host isolation exceptions for specific IP addresses that [isolated hosts](/solutions/security/endpoint-response-actions/isolate-host.md) are still allowed to communicate with, even when blocked from the rest of your network. Isolated hosts can still send data to {{elastic-sec}}, so you don’t need to set up host isolation exceptions for them. Host isolation exceptions support IPv4 addresses, with optional classless inter-domain routing (CIDR) notation. ::::{admonition} Requirements -You must have the **Host Isolation Exceptions** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) to access this feature. - +* You must have the **Host Isolation Exceptions** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role to access this feature. +* Host isolation requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. :::: 
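Review bot: the new Requirements bullet replaces a named tier with an indirection: the deleted serverless text said "Host isolation requires the Endpoint Protection Complete project feature", whereas the added line says only "the appropriate subscription in {{stack}} or project feature in {{serverless-short}}" and leaves the reader to follow two links to find out which. Name the feature and the subscription level inline and keep the links. Separately, the rewritten first paragraph says isolated hosts "can still send data to {{elastic-sec}}" where the deleted line listed "{{es}} and {{kib}}"; an administrator deciding whether management-plane addresses need an exception wants the concrete destinations, so prefer the explicit list.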
@@ -29,8 +23,7 @@ You must have the **Host Isolation Exceptions** [privilege](/solutions/security/ :::: - -Host isolation is a [Platinum or Enterprise subscription](https://www.elastic.co/pricing) feature. By default, a host isolation exception is recognized globally across all hosts running {{elastic-defend}}. You can also assign a host isolation exception to a specific {{elastic-defend}} integration policy, affecting only the hosts assigned to that policy. +By default, a host isolation exception is recognized globally across all hosts running {{elastic-defend}}. You can also assign a host isolation exception to a specific {{elastic-defend}} integration policy, affecting only the hosts assigned to that policy. 1. Find **Host isolation exceptions** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Click **Add Host isolation exception**. From 17fcf08f404b0dffa4246b9a8e031c2bd260e7f1 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 3 Mar 2025 12:11:29 +0000 Subject: [PATCH 6/6] blocklist --- .../serverless/security-blocklist.md | 93 ------------------- raw-migrated-files/toc.yml | 1 - .../manage-elastic-defend/blocklist.md | 17 +--- 3 files changed, 5 insertions(+), 106 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-blocklist.md diff --git a/raw-migrated-files/docs-content/serverless/security-blocklist.md b/raw-migrated-files/docs-content/serverless/security-blocklist.md deleted file mode 100644 index 9a830d85d9..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-blocklist.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Blocklist [security-blocklist] - -The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. This helps ensure that known malicious processes aren’t accidentally executed by end users. - -The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to [Optimize {{elastic-defend}}](../../../solutions/security/manage-elastic-defend/optimize-elastic-defend.md). - -::::{admonition} Requirements -:class: note - -* In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {{elastic-defend}} integration policy in the [Malware protection settings](../../../solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#malware-protection). This setting is enabled by default. -* You must have the appropriate user role to use this feature. - -:::: - - -By default, a blocklist entry is recognized globally across all hosts running {{elastic-defend}}. You can also assign a blocklist entry to specific {{elastic-defend}} integration policies, which blocks the process only on hosts assigned to that policy. - -1. Find **Blocklist** in the navigation menu or use the global search field. -2. Click **Add blocklist entry**. The **Add blocklist** flyout appears. -3. Fill in these fields in the **Details** section: - - 1. `Name`: Enter a name to identify the application in the blocklist. - 2. `Description`: Enter a description to provide more information on the blocklist entry (optional). - -4. In the **Conditions** section, enter the following information about the application you want to block: - - 1. `Select operating system`: Select the appropriate operating system from the drop-down. - 2. 
`Field`: Select a field to identify the application being blocked: - - * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application’s executable. - * `Path`: The full file path of the application’s executable. - * `Signature`: (Windows only) The name of the application’s digital signer. - - ::::{tip} - To find the signer’s name for an application, go to **Discover** and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`). - - :::: - - 3. `Operator`: For hash and path conditions, the operator is `is one of` and can’t be modified. For signature conditions, choose `is one of` to enter multiple values or `is` for one value. - 4. `Value`: Enter the hash value, file path, or signer name. To enter multiple values (such as a list of known malicious hash values), you can enter each value individually or paste a comma-delimited list, then press **Return**. - - ::::{note} - Hash values must be valid to add them to the blocklist. - - :::: - -5. Select an option in the **Assignment** section to assign the blocklist entry to a specific integration policy: - - * `Global`: Assign the blocklist entry to all {{elastic-defend}} integration policies. - * `Per Policy`: Assign the blocklist entry to one or more specific {{elastic-defend}} integration policies. Select each policy where you want the blocklist entry to apply. - - ::::{note} - You can also select the `Per Policy` option without immediately assigning a policy to the blocklist entry. For example, you could do this to create and review your blocklist configurations before putting them into action with a policy. - - :::: - -6. Click **Add blocklist**. The new entry is added to the **Blocklist** page. -7. 
When you’re done adding entries to the blocklist, ensure that the blocklist is enabled for the {{elastic-defend}} integration policies that you just assigned: - - 1. Go to the **Policies** page, then click on an integration policy. - 2. On the **Policy settings** tab, ensure that the **Malware protections** and **Blocklist** toggles are switched on. Both settings are enabled by default. - - - -## View and manage the blocklist [manage-blocklist] - -The **Blocklist** page displays all the blocklist entries that have been added to the {{security-app}}. To refine the list, use the search bar to search by name, description, or field value. - -:::{image} ../../../images/serverless--management-admin-blocklist.png -:alt: management admin blocklist -:class: screenshot -::: - - -### Edit a blocklist entry [edit-blocklist-entry] - -You can individually modify each blocklist entry. You can also change the policies that a blocklist entry is assigned to. - -To edit a blocklist entry: - -1. Click the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")) for the blocklist entry you want to edit, then select **Edit blocklist**. -2. Modify details as needed. -3. Click **Save**. - - -### Delete a blocklist entry [delete-blocklist-entry] - -You can delete a blocklist entry, which removes it entirely from all {{elastic-defend}} policies. This allows end users to access the application that was previously blocked. - -To delete a blocklist entry: - -1. Click the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")) for the blocklist entry you want to delete, then select **Delete blocklist**. -2. On the dialog that opens, verify that you are removing the correct blocklist entry, then click **Delete**. A confirmation message displays. diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 4364d9355e..c68fc6560f 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
@@ -195,7 +195,6 @@ toc: - file: docs-content/serverless/security-automatic-import.md - file: docs-content/serverless/security-benchmark-rules-kspm.md - file: docs-content/serverless/security-benchmark-rules.md - - file: docs-content/serverless/security-blocklist.md - file: docs-content/serverless/security-building-block-rules.md - file: docs-content/serverless/security-cloud-native-security-overview.md - file: docs-content/serverless/security-cloud-posture-dashboard-dash-cspm.md diff --git a/solutions/security/manage-elastic-defend/blocklist.md b/solutions/security/manage-elastic-defend/blocklist.md index 0d5728a669..3e97c65596 100644 --- a/solutions/security/manage-elastic-defend/blocklist.md +++ b/solutions/security/manage-elastic-defend/blocklist.md 
@@ -6,25 +6,18 @@ mapped_urls: # Blocklist -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/blocklist.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-blocklist.md The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. This helps ensure that known malicious processes aren’t accidentally executed by end users. -The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to [*Optimize {{elastic-defend}}*](/solutions/security/manage-elastic-defend/optimize-elastic-defend.md). +The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to [](/solutions/security/manage-elastic-defend/optimize-elastic-defend.md). ::::{admonition} Requirements * In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {{elastic-defend}} integration policy in the [Malware protection settings](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#malware-protection). This setting is enabled by default. -* You must have the **Blocklist** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) to access this feature. - +* You must have the **Blocklist** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role to access this feature. :::: -By default, a blocklist entry is recognized globally across all hosts running {{elastic-defend}}. 
If you have a [Platinum or Enterprise subscription](https://www.elastic.co/pricing), you can also assign a blocklist entry to specific {{elastic-defend}} integration policies, which blocks the process only on hosts assigned to that policy. +By default, a blocklist entry is recognized globally across all hosts running {{elastic-defend}}. You can also assign a blocklist entry to specific {{elastic-defend}} integration policies, which blocks the process only on hosts assigned to that policy. 1. Find **Blocklist** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Click **Add blocklist entry**. The **Add blocklist** flyout appears. @@ -43,7 +36,7 @@ By default, a blocklist entry is recognized globally across all hosts running {{ * `Signature`: (Windows only) The name of the application’s digital signer. ::::{tip} - To find the signer’s name for an application, go to **Kibana** → **Discover** and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`). + To find the signer’s name for an application, go to **Discover** and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`). :::: 3. `Operator`: For hash and path conditions, the operator is `is one of` and can’t be modified. For signature conditions, choose `is one of` to enter multiple values or `is` for one value. 
@@ -82,7 +75,7 @@ The **Blocklist** page displays all the blocklist entries that have been added t ### Edit a blocklist entry [edit-blocklist-entry] -You can individually modify each blocklist entry. With a Platinum or Enterprise subscription, you can also change the policies that a blocklist entry is assigned to. +You can individually modify each blocklist entry. You can also change the policies that a blocklist entry is assigned to. To edit a blocklist entry:
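Review bot: the deleted serverless page (`security-blocklist.md`) carried two pieces of content that the visible `blocklist.md` hunks do not re-add: the final step telling the reader to open **Policies** → **Policy settings** and confirm the **Malware protections** and **Blocklist** toggles are on, and the note that `Per Policy` can be selected without assigning a policy yet ("create and review your blocklist configurations before putting them into action"). The stateful page's Requirements admonition only states that the setting is enabled by default, so please confirm the merged page still has the toggle check and the `Per Policy` note, or add them in this PR rather than losing them with the file deletion.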
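Review bot: removing `docs-content/serverless/security-blocklist.md` from `toc.yml` is the right companion to the file deletion, but the old serverless URL also needs a landing spot. `blocklist.md` has a `mapped_urls:` front-matter block (visible in the `@@ -6,25 +6,18 @@ mapped_urls:` context), and none of the hunks add the serverless page's URL to it; please check that the serverless URL is listed there so existing links to the deleted page redirect instead of 404ing.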
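Review bot: the first `blocklist.md` hunk drops the "If you have a [Platinum or Enterprise subscription]" qualifier and leaves "You can also assign a blocklist entry to specific {{elastic-defend}} integration policies" unconditional, and the `Edit a blocklist entry` hunk drops the same qualifier from "you can also change the policies that a blocklist entry is assigned to". If per-policy assignment is still licence-gated on stateful deployments, the merged page now overstates what a Basic/Gold reader can do; keep the sentence and scope it to the deployments it applies to instead of deleting it. Two smaller points in the same hunk: the new requirements bullet "**Blocklist** privilege or the appropriate user role" is vaguer than either original (the privilege applies to stateful, the role to serverless), so say which applies where rather than "or"; and the link text `[*Optimize {{elastic-defend}}*](...)` was replaced with an empty `[](...)`, which only renders correctly if the doc build auto-fills titles for empty links, so please confirm that before merging.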