Nav changes for "Manage Elastic Defend" and "Endpoint response actions" sections (#6073)

* Update "Trusted applications"

* Update "Event filters"

* Update "Host isolation exceptions"

* Update "Blocklist"

* Update "Isolate a host"

* Update "Response actions history"

* Update "Configure third-party response actions"

* Fix "Configure third-party response actions"

* Apply suggestions from Nastasha's review

Co-authored-by: Nastasha Solomon <[email protected]>

* Revise to "navigation menu"

---------

Co-authored-by: Nastasha Solomon <[email protected]>
(cherry picked from commit 5f71cc1)

# Conflicts:
#	docs/serverless/edr-manage/blocklist.asciidoc
#	docs/serverless/edr-manage/event-filters.asciidoc
#	docs/serverless/edr-manage/host-isolation-exceptions.asciidoc
#	docs/serverless/edr-manage/trusted-apps-ov.asciidoc
#	docs/serverless/endpoint-response-actions/host-isolation-ov.asciidoc
#	docs/serverless/endpoint-response-actions/response-actions-config.asciidoc
#	docs/serverless/endpoint-response-actions/response-actions-history.asciidoc

Author: joepeeples

docs/management/admin/blocklist.asciidoc

@@ -16,7 +16,7 @@ The blocklist is not intended to broadly block benign applications for non-secur
 
 By default, a blocklist entry is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a blocklist entry to specific {elastic-defend} integration policies, which blocks the process only on hosts assigned to that policy.
 
-. Go to **Manage** -> **Blocklist**.
+. Find **Blocklist** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 
 . Click **Add blocklist entry**. The **Add blocklist** flyout appears.
 
@@ -49,7 +49,7 @@ NOTE: You can also select the `Per Policy` option without immediately assigning
 . Click **Add blocklist**. The new entry is added to the **Blocklist** page.
 
 . When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the {elastic-defend} integration policies that you just assigned:
-.. Go to **Manage** -> **Policies**, then click on an integration policy.
+.. Go to the **Policies** page, then click on an integration policy.
 .. On the **Policy settings** tab, ensure that the **Malware protections** and **Blocklist** toggles are switched on. Both settings are enabled by default.
 
 [discrete]

docs/management/admin/event-filters.asciidoc

@@ -22,7 +22,6 @@ Create event filters from the Hosts page or the Event filters page.
 +
 --
 * To create an event filter from the Hosts page:
-.. Go to *Explore* -> *Hosts*.
 .. Select the *Events* tab to view the Events table.
 +
 .. Find the event to filter, click the *More actions* menu (*...*), then select *Add Endpoint event filter*.
@@ -31,8 +30,7 @@ TIP: Since you can only create filters for endpoint events, be sure to filter th
 For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`.
 
 * To create an event filter from the Event filters page:
-.. Go to *Manage* -> *Event filters*.
-.. Click *Add event filter*. The *Add event filter* flyout opens.
+.. Cick *Add event filter*, which opens a flyout.
 --
 +
 [role="screenshot"]

docs/management/admin/host-isolation-exceptions.asciidoc

@@ -21,7 +21,7 @@ You must have the *Host Isolation Exceptions* <<endpoint-management-req,privileg
 
 Host isolation is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. By default, a host isolation exception is recognized globally across all hosts running {elastic-defend}. You can also assign a host isolation exception to a specific {elastic-defend} integration policy, affecting only the hosts assigned to that policy.
 
-. Go to **Manage** -> **Host isolation exceptions**.
+. Find **Host isolation exceptions** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 . Click **Add Host isolation exception**.
 . Fill in these fields in the **Add Host isolation exception** flyout:
 .. `Name your host isolation exceptions`: Enter a name to identify the host isolation exception.

docs/management/admin/host-isolation-ov.asciidoc

@@ -55,7 +55,7 @@ All actions executed on a host are tracked in the host’s response actions hist
 .Isolate a host from an endpoint
 [%collapsible]
 ====
-. Go to *Manage -> Endpoints*, then either:
+. Find **Endpoints** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then either:
     * Select the appropriate endpoint in the *Endpoint* column, and click *Take action -> Isolate host* in the endpoint details flyout.
     * Click the *Actions* menu (*...*) on the appropriate endpoint, then select *Isolate host*.
 . Enter a comment describing why you’re isolating the host (optional).
@@ -112,7 +112,7 @@ image::images/host-isolated-notif.png[Host isolated notification message,350]
 .Release a host from an endpoint
 [%collapsible]
 ====
-. Go to *Manage -> Endpoints*, then either:
+. Find **Endpoints** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then either:
     * Select the appropriate endpoint in the *Endpoint* column, and click *Take action -> Release host* in the endpoint details flyout.
     * Click the *Actions* menu (*...*) on the appropriate endpoint, then select *Release host*.
 . Enter a comment describing why you're releasing the host (optional).
@@ -142,7 +142,7 @@ image::images/host-released-notif.png[Host released notification message,350]
 
 To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host.
 
-Go to *Manage* -> *Endpoints*, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <<response-actions-history>> for more details.
+Go to the *Endpoints* page, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <<response-actions-history>> for more details.
 
 [role="screenshot"]
 image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%]

docs/management/admin/response-actions-config.asciidoc

@@ -43,7 +43,7 @@ Expand a section below for your endpoint security system:
 . **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration]
  collects and ingests logs into {elastic-sec}.
 +
-.. Go to **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**.
+.. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for and select **CrowdStrike**, then select **Add CrowdStrike**.
 .. Configure the integration with an **Integration name** and optional **Description**.
 .. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**:
    - **Client ID**: Client ID for the API client used to read CrowdStrike data.
@@ -58,7 +58,7 @@ Expand a section below for your endpoint security system:
 +
 IMPORTANT: Do not create more than one CrowdStrike connector.
 +
-.. Go to **Stack Management** → **Connectors**, then select **Create connector**.
+.. Find **Connectors** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **Create connector**.
 .. Select the CrowdStrike connector.
 .. Enter the configuration information:
    - **Connector name**: A name to identify the connector.
@@ -92,7 +92,7 @@ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or S
 
 . **Install the SentinelOne integration and {agent}.** Elastic's {integrations-docs}/sentinel_one[SentinelOne integration] collects and ingests logs into {elastic-sec}.
 +
-.. Go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**.
+.. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for and select **SentinelOne**, then select **Add SentinelOne**.
 .. Configure the integration with an **Integration name** and optional **Description**.
 .. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**:
    - **URL**: The SentinelOne console URL.
@@ -105,7 +105,7 @@ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or S
 +
 IMPORTANT: Do not create more than one SentinelOne connector.
 
-.. Go to **Stack Management** → **Connectors**, then select **Create connector**.
+.. Find **Connectors** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **Create connector**.
 .. Select the **SentinelOne** connector.
 .. Enter the configuration information:
    - **Connector name**: A name to identify the connector.

docs/management/admin/response-actions-history.asciidoc

@@ -14,7 +14,7 @@
 You must have the *Response Actions History* <<endpoint-management-req,privilege>> to access this feature.
 --
 
-To access the response actions history for all endpoints, go to *Manage* -> *Response actions history*. You can also access the response actions history for an individual endpoint from these areas:
+To access the response actions history for all endpoints, find **Response actions history** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. You can also access the response actions history for an individual endpoint from these areas:
 
 * *Endpoints* page: Click an endpoint's name to open the details flyout, then click the *Response actions history* tab.
 * *Response console* page: Click the *Response actions history* button.

docs/management/admin/trusted-apps.asciidoc

@@ -22,7 +22,7 @@ By default, a trusted application is recognized globally across all hosts runnin
 
 To add a trusted application:
 
-. Go to *Manage* -> *Trusted applications*.
+. Find **Trusted applications** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 
 . Click *Add trusted application*.
 

docs/serverless/edr-manage/blocklist.asciidoc

@@ -0,0 +1,96 @@
+[[security-blocklist]]
+= Blocklist
+
+// :keywords: serverless, security, how-to
+
+preview:[]
+
+The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. This helps ensure that known malicious processes aren't accidentally executed by end users.
+
+The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to <<security-optimize-edr>>.
+
+.Requirements
+[NOTE]
+====
+* In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {elastic-defend} integration policy in the <<malware-protection,Malware protection settings>>. This setting is enabled by default.
+* You must have the appropriate user role to use this feature.
+
+// Placeholder statement until we know which specific roles are required. Classic statement below for reference.
+
+// * You must have the **Blocklist** <DocLink slug="/serverless/security/endpoint-management-req">privilege</DocLink> to access this feature.
+====
+
+By default, a blocklist entry is recognized globally across all hosts running {elastic-defend}. You can also assign a blocklist entry to specific {elastic-defend} integration policies, which blocks the process only on hosts assigned to that policy.
+
+. Find **Blocklist** in the navigation menu or use the global search field.
+. Click **Add blocklist entry**. The **Add blocklist** flyout appears.
+. Fill in these fields in the **Details** section:
++
+.. `Name`: Enter a name to identify the application in the blocklist.
+.. `Description`: Enter a description to provide more information on the blocklist entry (optional).
+. In the **Conditions** section, enter the following information about the application you want to block:
++
+.. `Select operating system`: Select the appropriate operating system from the drop-down.
+.. `Field`: Select a field to identify the application being blocked:
++
+*** `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable.
+*** `Path`: The full file path of the application's executable.
+*** `Signature`: (Windows only) The name of the application's digital signer.
++
+[TIP]
+====
+To find the signer's name for an application, go to **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).
+====
+.. `Operator`: For hash and path conditions, the operator is `is one of` and can't be modified. For signature conditions, choose `is one of` to enter multiple values or `is` for one value.
+.. `Value`: Enter the hash value, file path, or signer name. To enter multiple values (such as a list of known malicious hash values), you can enter each value individually or paste a comma-delimited list, then press **Return**.
++
+[NOTE]
+====
+Hash values must be valid to add them to the blocklist.
+====
+. Select an option in the **Assignment** section to assign the blocklist entry to a specific integration policy:
++
+** `Global`: Assign the blocklist entry to all {elastic-defend} integration policies.
+** `Per Policy`: Assign the blocklist entry to one or more specific {elastic-defend} integration policies. Select each policy where you want the blocklist entry to apply.
++
+[NOTE]
+====
+You can also select the `Per Policy` option without immediately assigning a policy to the blocklist entry. For example, you could do this to create and review your blocklist configurations before putting them into action with a policy.
+====
+. Click **Add blocklist**. The new entry is added to the **Blocklist** page.
+. When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the {elastic-defend} integration policies that you just assigned:
++
+.. Go to the **Policies** page, then click on an integration policy.
+.. On the **Policy settings** tab, ensure that the **Malware protections** and **Blocklist** toggles are switched on. Both settings are enabled by default.
+
+[discrete]
+[[manage-blocklist]]
+== View and manage the blocklist
+
+The **Blocklist** page displays all the blocklist entries that have been added to the {security-app}. To refine the list, use the search bar to search by name, description, or field value.
+
+[role="screenshot"]
+image::images/blocklist/-management-admin-blocklist.png[]
+
+[discrete]
+[[edit-blocklist-entry]]
+=== Edit a blocklist entry
+
+You can individually modify each blocklist entry. You can also change the policies that a blocklist entry is assigned to.
+
+To edit a blocklist entry:
+
+. Click the actions menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) for the blocklist entry you want to edit, then select **Edit blocklist**.
+. Modify details as needed.
+. Click **Save**.
+
+[discrete]
+[[delete-blocklist-entry]]
+=== Delete a blocklist entry
+
+You can delete a blocklist entry, which removes it entirely from all {elastic-defend} policies. This allows end users to access the application that was previously blocked.
+
+To delete a blocklist entry:
+
+. Click the actions menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) for the blocklist entry you want to delete, then select **Delete blocklist**.
+. On the dialog that opens, verify that you are removing the correct blocklist entry, then click **Delete**. A confirmation message displays.