From 4a640dc59c18199eb246c8a99547ba73689d5cc1 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Fri, 2 Aug 2024 14:42:01 +0100 Subject: [PATCH 1/4] Adds Allowlist Elastic Endpoint in third-party antivirus apps page to serverless docs (#5639) * Adds Allowlist Elastic Endpoint in third-party antivirus apps page to serverless docs * Adds page description * Apply suggestions from code review Co-authored-by: Joe Peeples * Removes div id * Adds note to allowlist pages --------- Co-authored-by: Joe Peeples (cherry picked from commit f8e7ca6e32243193bcc4519304530e4cf8377d94) # Conflicts: # docs/management/admin/trusted-apps.asciidoc # docs/serverless/edr-manage/trusted-apps-ov.mdx # docs/serverless/serverless-security.docnav.json
---
 .../allowlist-endpoint-3rd-party-av.asciidoc | 2 + docs/management/admin/trusted-apps.asciidoc | 6 + .../allowlist-endpoint-3rd-party-av.mdx | 69 ++ .../serverless/edr-manage/trusted-apps-ov.mdx | 105 +++ .../serverless-security.docnav.json | 684 ++++++++++++++++++ 5 files changed, 866 insertions(+) create mode 100644 docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx create mode 100644 docs/serverless/edr-manage/trusted-apps-ov.mdx create mode 100644 docs/serverless/serverless-security.docnav.json
diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
index 3a53338b53..2dc920c781 100644
--- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
+++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
@@ -1,6 +1,8 @@
 [[allowlist-endpoint-3rd-party-av-apps]]
 = Allowlist Elastic Endpoint in third-party antivirus apps
+NOTE: If you use other antivirus (AV) software along with {elastic-defend}, you may need to add the other system as a trusted application in the {security-app}. Refer to <> for more information.
+
 Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
 NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc
index ecd73bcd1c..a663b82418 100644
--- a/docs/management/admin/trusted-apps.asciidoc
+++ b/docs/management/admin/trusted-apps.asciidoc
@@ -2,7 +2,13 @@
 [chapter, role="xpack"]
 = Trusted applications
+<<<<<<< HEAD
 You can add Windows, macOS, and Linux applications that should be trusted. By adding these trusted applications, you can use {elastic-sec} without compatibility or performance issues with other installed applications on your system. Trusted applications are applied only to hosts running {endpoint-sec}.
+=======
+NOTE: If you use {elastic-defend} along with other antivirus (AV) software, you might need to configure the other system to trust {elastic-endpoint}. Refer to <> for more information.
+
+You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {elastic-defend} integration.
+>>>>>>> f8e7ca6e (Adds Allowlist Elastic Endpoint in third-party antivirus apps page to serverless docs (#5639))
 NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users].
diff --git a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx
new file mode 100644
index 0000000000..992d8ac5d7
--- /dev/null
+++ b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx
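Review bot: Unresolved merge-conflict markers are committed into trusted-apps.asciidoc in this hunk — the added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> f8e7ca6e (…)` — and the commit message's "# Conflicts:" list confirms the cherry-pick stopped on this file, so the published page would render both intro paragraphs plus the markers. Resolve by keeping the cherry-picked side (the new NOTE, its blank line, and the paragraph that mentions other antivirus or endpoint security applications) and deleting the HEAD paragraph together with the three marker lines. The same "# Conflicts:" list names trusted-apps-ov.mdx and serverless-security.docnav.json, which this patch adds wholesale and PATCH 2/4 then deletes, so the serverless side of the backport looks like it still needs a deliberate resolution rather than an add-then-remove. The NOTE's cross-reference appears here as `<>`, which may be an extraction artifact of the angle-bracket xref; confirm it points at the `allowlist-endpoint-3rd-party-av-apps` anchor defined in the previous hunk.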
@@ -0,0 +1,69 @@ +--- +slug: /serverless/security/allowlist-endpoint +title: Allowlist ((elastic-endpoint)) in third-party antivirus apps +description: Add ((elastic-endpoint)) as a trusted application in third-party antivirus (AV) software. +tags: [ 'serverless', 'security', 'overview' ] +status: in review +--- + + + + +If you use other antivirus (AV) software along with ((elastic-defend)), you may need to add the other system as a trusted application in the ((security-app)). Refer to for more information. + + +Third-party antivirus (AV) applications may identify the expected behavior of ((elastic-endpoint)) as a potential threat. Add ((elastic-endpoint))'s digital signatures and file paths to your AV software's allowlist to ensure ((elastic-endpoint)) continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. + + +Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes. + + +## Allowlist ((elastic-endpoint)) on Windows + +File paths: + +* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys` +* Driver: `c:\Windows\system32\drivers\ElasticElam.sys` +* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` + + + The executable runs as `elastic-endpoint.exe`. + + +Digital signatures: + +* `Elasticsearch, Inc.` +* `Elasticsearch B.V.` + +For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software). 
+ +## Allowlist ((elastic-endpoint)) on macOS + +File paths: + +* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/` + + + The system extension runs as `co.elastic.systemextension`. + + +* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint` + + + The executable runs as `elastic-endpoint`. + + +Digital signatures: + +* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)` +* Team ID: `2BT3HPN62Z` + +## Allowlist ((elastic-endpoint)) on Linux + +File path: + +* Executable: `/opt/Elastic/Endpoint/elastic-endpoint` + + + The executable runs as `elastic-endpoint`. + \ No newline at end of file diff --git a/docs/serverless/edr-manage/trusted-apps-ov.mdx b/docs/serverless/edr-manage/trusted-apps-ov.mdx new file mode 100644 index 0000000000..2576a17d41 --- /dev/null +++ b/docs/serverless/edr-manage/trusted-apps-ov.mdx @@ -0,0 +1,105 @@ +--- +slug: /serverless/security/trusted-applications +title: Trusted applications +# description: Description to be written +tags: [ 'serverless', 'security', 'how-to' ] +status: in review +--- + + +
+ + +If you use ((elastic-defend)) along with other antivirus (AV) software, you might need to configure the other system to trust ((elastic-endpoint)). Refer to for more information. + + +On the **Trusted applications** page (**Assets** → **Trusted applications**), you can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the ((elastic-defend)) integration. + + + +You must have the appropriate user role to use this feature. +{/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} +{/* You must have the **Trusted Applications** privilege to access this feature. */} + + + +Trusted applications create blindspots for ((elastic-defend)), because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application's process. + +Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an Endpoint alert exception, which prevents ((elastic-defend)) from generating alerts. To compare trusted applications with other endpoint artifacts, refer to . + +Additionally, trusted applications still generate process events for visualizations and other internal use by the ((stack)). 
To prevent process events from being written to ((es)), use an event filter to filter out the specific events that you don't want stored in ((es)), but be aware that features that depend on these process events may not function correctly. + +By default, a trusted application is recognized globally across all hosts running ((elastic-defend)). You can also assign a trusted application to a specific ((elastic-defend)) integration policy, enabling the application to be trusted by only the hosts assigned to that policy. + +To add a trusted application: + +1. Go to **Manage** → **Trusted applications**. + +1. Click **Add trusted application**. + +1. Fill in the following fields in the **Add trusted application** flyout: + + * `Name your trusted application`: Enter a name for the trusted application. + + * `Description`(Optional): Enter a description for the trusted application. + + * `Select operating system`: Select the appropriate operating system from the drop-down. + + * `Field`: Select a field to identify the trusted application: + * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable. + * `Path`: The full file path of the application's executable. + * `Signature`: (Windows only) The name of the application's digital signer. + + + To find the signer's name for an application, go to **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`). + + + * `Operator`: Select an operator to define the condition: + * `is`: Must be _exactly_ equal to `Value`; wildcards are not supported. This operation is required for the `Hash` and `Signature` field types. + * `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This operator is only available for the `Path` field type. 
Available wildcards are `?` (match one character) and `*` (match zero or more characters). + + * `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**. + + + You can only add a single field type value per trusted application. For example, if you try to add two `Path` values, you'll get an error message. Also, an application's hash value must be valid to add it as a trusted application. In addition, to minimize visibility gaps in the ((security-app)), be as specific as possible in your entries. For example, combine `Signature` information with a known `Path`. + + +1. Select an option in the **Assignment** section to assign the trusted application to a specific integration policy: + * `Global`: Assign the trusted application to all integration policies for ((elastic-defend)). + * `Per Policy`: Assign the trusted application to one or more specific ((elastic-defend)) integration policies. Select each policy in which you want the application to be trusted. + + + You can also select the `Per Policy` option without immediately assigning a policy to the trusted application. For example, you could do this to create and review your trusted application configurations before putting them into action with a policy. + + +1. Click **Add trusted application**. The application is added to the **Trusted applications** list. + +
+ +## View and manage trusted applications + +The **Trusted applications** page (**Assets** → **Trusted applications**) displays all the trusted applications that have been added to the ((security-app)). To refine the list, use the search bar to search by name, description, or field value. + +![](../images/trusted-apps-ov/-management-admin-trusted-apps-list.png) + +
+ +### Edit a trusted application +You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to. + +To edit a trusted application: + +1. Click the actions menu (*...*) on the trusted application you want to edit, then select **Edit trusted application**. +1. Modify details as needed. +1. Click **Save**. + +
+ +### Delete a trusted application +You can delete a trusted application, which removes it entirely from all ((elastic-defend)) integration policies. + +To delete a trusted application: + +1. Click the actions menu (*...*) on the trusted application you want to delete, then select **Delete trusted application**. +1. On the dialog that opens, verify that you are removing the correct application, then click **Delete**. A confirmation message is displayed. + diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json new file mode 100644 index 0000000000..d9ad8925bb --- /dev/null +++ b/docs/serverless/serverless-security.docnav.json 
@@ -0,0 +1,684 @@ +{ + "mission": "Elastic Security", + "id": "serverless-security", + "landingPageSlug": "/serverless/security/what-is-security-serverless", + "icon": "logoSecurity", + "description": "Description to be written", + "items": [ + { + "slug": "/serverless/security/overview", + "classic-sources": [ "enSecurityEsOverview" ] + }, + { + "slug": "/serverless/security/security-billing" + }, + { + "slug": "/serverless/security/create-project" + }, + { + "slug": "/serverless/security/security-ui", + "classic-sources": [ "enSecurityEsUiOverview" ] + }, + { + "label": "AI for security", + "slug": "/serverless/security/ai-for-security", + "items": [ + { + "slug": "/serverless/security/ai-assistant" + }, + { + "slug": "/serverless/security/attack-discovery" + }, + { + "slug": "/serverless/security/llm-connector-guides", + "items": [ + { + "slug": "/serverless/security/connect-to-azure-openai" + }, + { + "slug": "/serverless/security/connect-to-bedrock" + }, + { + "slug": "/serverless/security/connect-to-openai" + }, + { + "slug": "/serverless/security/connect-to-google-vertex" + }, + { + "slug": "/serverless/security/connect-to-byo-llm" + } + ] + }, + { + "slug": "/serverless/security/ai-use-cases", + "items": [ + { + "slug": "/serverless/security/ai-usecase-incident-reporting" + }, + { + "slug": "/serverless/security/triage-alerts-with-elastic-ai-assistant" + }, + { + "slug": "/serverless/security/ai-assistant-esql-queries" + } + ] + }, + { + "slug": "/serverless/security/llm-performance-matrix" + } + ] + }, + { + "label": "Ingest data", + "slug": "/serverless/security/ingest-data", + "classic-sources": [ "enSecurityIngestData" ], + "items": [ + { + "slug": "/serverless/security/threat-intelligence", + "classic-sources": [ "enSecurityEsThreatIntelIntegrations" ] + } + ] + }, + { + "label": "Secure your endpoints", + "slug": "/serverless/security/install-edr", + "classic-sources": [ "enSecurityInstallEndpoint" ], + "items": [ + { + "label": "Prevent Agent 
uninstallation", + "slug": "/serverless/security/agent-tamper-protection" + }, + { + "label": "Configure an integration policy", + "slug": "/serverless/security/configure-endpoint-integration-policy", + "classic-sources": [ "enSecurityConfigureEndpointIntegrationPolicy" ], + "items": [ + { + "label": "Configure protection updates", + "slug": "/serverless/security/protection-artifact-control" + }, + { + "slug": "/serverless/security/endpoint-diagnostic-data", + "classic-sources": [ "enSecurityEndpointDiagnosticData" ] + }, + { + "label": "Self-healing rollback (Windows)", + "slug": "/serverless/security/self-healing-rollback", + "classic-sources": [ "enSecuritySelfHealingRollback" ] + }, + { + "label": "File system monitoring (Linux)", + "slug": "/serverless/security/linux-file-monitoring", + "classic-sources": [ "enSecurityLinuxFileMonitoring" ] + } + ] + }, + { + "slug": "/serverless/security/elastic-endpoint-deploy-reqs", + "classic-sources": [ "enSecurityElasticEndpointDeployReqs" ], + "items": [ + { + "label": "macOS Catalina through Monterey", + "slug": "/serverless/security/install-endpoint-manually", + "classic-sources": [ "enSecurityDeployElasticEndpoint" ] + }, + { + "label": "macOS Ventura and higher", + "slug": "/serverless/security/deploy-elastic-endpoint-ven", + "classic-sources": [ "enSecurityDeployElasticEndpointVen" ] + }, + { + "label": "Enable the Endgame sensor (Optional)", + "slug": "/serverless/security/endgame-sensor-full-disk-access", + "classic-sources": [ "enSecurityEndgameSensorFullDiskAccess" ] + } + ] + }, + { + "slug": "/serverless/security/uninstall-agent" + }, + { + "label": "Uninstall Elastic Endpoint", + "slug": "/serverless/security/uninstall-endpoint", + "classic-sources": [ "enSecurityUninstallEndpoint" ] + } + ] + }, + { + "slug": "/serverless/security/cloud-native-security-overview", + "classic-sources": [ "enSecurityCloudNativeSecurityOverview" ], + "items": [ + { + "slug": "/serverless/security/security-posture-management", + 
"classic-sources": [ "enSecuritySecurityPostureManagement" ] + }, + { + "slug": "/serverless/security/enable-cloudsec" + }, + { + "slug": "/serverless/security/cspm", + "classic-sources": [ "enSecurityCspm" ], + "items": [ + { + "slug": "/serverless/security/cspm-get-started", + "classic-sources": [ "enSecurityCspmGetStarted" ] + }, + { + "slug": "/serverless/security/cspm-get-started-gcp", + "classic-sources": [ "enSecurityCspmGetStartedGcp" ] + }, + { + "slug": "/serverless/security/cspm-get-started-azure", + "classic-sources": [ "enSecurityCspmGetStartedAzure" ] + }, + { + "slug": "/serverless/security/cspm-findings-page", + "classic-sources": [ "enSecurityCspmFindingsPage" ] + }, + { + "slug": "/serverless/security/benchmark-rules", + "classic-sources": [ "enSecurityCspmBenchmarkRules" ] + }, + { + "slug": "/serverless/security/cloud-posture-dashboard-dash", + "classic-sources": [ "enSecurityCloudPostureDashboard" ] + }, + { + "slug": "/serverless/security/cspm-security-posture-faq", + "classic-sources": [ "enSecurityCspmSecurityPostureFaq" ] + } + ] + }, + { + "slug": "/serverless/security/kspm", + "classic-sources": [ "enSecurityKspm" ], + "items": [ + { + "slug": "/serverless/security/get-started-with-kspm", + "classic-sources": [ "enSecurityGetStartedWithKspm" ] + }, + { + "slug": "/serverless/security/cspm-findings-page", + "classic-sources": [ "enSecurityCspmFindingsPage" ] + }, + { + "slug": "/serverless/security/benchmark-rules", + "classic-sources": [ "enSecurityBenchmarkRules" ] + }, + { + "slug": "/serverless/security/cloud-posture-dashboard-dash", + "classic-sources": [ "enSecurityCloudPostureDashboard" ] + }, + { + "slug": "/serverless/security/security-posture-faq", + "classic-sources": [ "enSecuritySecurityPostureFaq" ] + } + ] + }, + { + "slug": "/serverless/security/vuln-management-overview", + "classic-sources": [ "enSecurityVulnManagementOverview" ], + "items": [ + { + "slug": "/serverless/security/vuln-management-get-started", + 
"classic-sources": [ "enSecurityVulnManagementGetStarted" ] + }, + { + "slug": "/serverless/security/vuln-management-findings", + "classic-sources": [ "enSecurityVulnManagementFindings" ] + }, + { + "slug": "/serverless/security/vuln-management-dashboard-dash", + "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] + }, + { + "slug": "/serverless/security/vuln-management-faq", + "classic-sources": [ "enSecurityVulnManagementFaq" ] + } + ] + }, + { + "slug": "/serverless/security/d4c-overview", + "classic-sources": [ "enSecurityD4cOverview" ], + "items": [ + { + "slug": "/serverless/security/d4c-get-started", + "classic-sources": [ "enSecurityD4cGetStarted" ] + }, + { + "slug": "/serverless/security/d4c-policy-guide", + "classic-sources": [ "enSecurityD4cPolicyGuide" ] + }, + { + "slug": "/serverless/security/kubernetes-dashboard-dash", + "classic-sources": [ "enSecurityKubernetesDashboard" ] + } + ] + }, + { + "slug": "/serverless/security/cloud-workload-protection", + "classic-sources": [ "enSecurityCloudWorkloadProtection" ], + "items": [ + { + "slug": "/serverless/security/session-view", + "classic-sources": [ "enSecuritySessionView" ] + }, + { + "slug": "/serverless/security/environment-variable-capture", + "classic-sources": [ "enSecurityEnvironmentVariableCapture" ] + } + ] + } + ] + }, + { + "slug": "/serverless/security/explore-your-data", + "classic-sources": [ "enSecurityExploreYourData" ], + "items": [ + { + "slug": "/serverless/security/hosts-overview", + "classic-sources": [ "enSecurityHostsOverview" ] + }, + { + "slug": "/serverless/security/network-page-overview", + "classic-sources": [ "enSecurityNetworkPageOverview" ] + }, + { + "slug": "/serverless/security/users-page", + "classic-sources": [ "enSecurityUsersPage" ] + }, + { + "slug": "/serverless/security/data-views-in-sec", + "classic-sources": [ "enSecurityDataViewsInSec" ] + }, + { + "label": "Create runtime fields", + "slug": "/serverless/security/runtime-fields", + 
"classic-sources": [ "enSecurityRuntimeFields" ] + }, + { + "slug": "/serverless/security/siem-field-reference", + "classic-sources": [ "enSecuritySiemFieldReference" ] + } + ] + }, + { + "slug": "/serverless/security/dashboards-overview", + "classic-sources": [ "enSecurityDashboardsOverview" ], + "items": [ + { + "label": "Overview", + "slug": "/serverless/security/overview-dashboard", + "classic-sources": [ "enSecurityOverviewDashboard" ] + }, + { + "label": "Detection & Response", + "slug": "/serverless/security/detection-response-dashboard", + "classic-sources": [ "enSecurityDetectionResponseDashboard" ] + }, + { + "label": "Kubernetes", + "slug": "/serverless/security/kubernetes-dashboard-dash", + "classic-sources": [ "enSecurityKubernetesDashboard" ] + }, + { + "label": "Cloud Security Posture", + "slug": "/serverless/security/cloud-posture-dashboard-dash", + "classic-sources": [ "enSecurityCloudPostureDashboard" ] + }, + { + "label": "Entity Analytics", + "slug": "/serverless/security/detection-entity-dashboard", + "classic-sources": [ "enSecurityDetectionEntityDashboard" ] + }, + { + "label": "Data Quality", + "slug": "/serverless/security/data-quality-dash" + }, + { + "label": "Cloud Native Vulnerability Management", + "slug": "/serverless/security/vuln-management-dashboard-dash", + "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] + }, + { + "label": "Detection rule monitoring", + "slug": "/serverless/security/rule-monitoring-dashboard", + "classic-sources": [ "enSecurityRuleMonitoringDashboard" ] + } ] + }, + { + "slug": "/serverless/security/detection-engine-overview", + "classic-sources": [ "enSecurityDetectionEngineOverview" ] + }, + { + "label": "Rules", + "slug": "/serverless/security/about-rules", + "classic-sources": [ "enSecurityAboutRules" ], + "items": [ + { + "slug": "/serverless/security/rules-create", + "classic-sources": [ "enSecurityRulesUiCreate" ], + "items": [ + { + "slug": 
"/serverless/security/interactive-investigation-guides", + "classic-sources": [ "enSecurityInteractiveInvestigationGuides" ] + }, + { + "slug": "/serverless/security/building-block-rules", + "classic-sources": [ "enSecurityBuildingBlockRule" ] + } + ] + }, + { + "label": "Use Elastic prebuilt rules", + "slug": "/serverless/security/prebuilt-rules-management", + "classic-sources": [ "enSecurityPrebuiltRulesManagement" ] + }, + { + "slug": "/serverless/security/rules-ui-management", + "classic-sources": [ "enSecurityRulesUiManagement" ] + }, + { + "slug": "/serverless/security/alerts-ui-monitor", + "classic-sources": [ "enSecurityAlertsUiMonitor" ] + }, + { + "slug": "/serverless/security/rule-exceptions", + "classic-sources": [ "enSecurityDetectionsUiExceptions" ], + "items": [ + { + "slug": "/serverless/security/value-lists-exceptions", + "classic-sources": [ "enSecurityValueListsExceptions" ] + }, + { + "slug": "/serverless/security/add-exceptions", + "classic-sources": [ "enSecurityAddExceptions" ] + }, + { + "slug": "/serverless/security/shared-exception-lists", + "classic-sources": [ "enSecuritySharedExceptionLists" ] + } + ] + }, + { + "slug": "/serverless/security/rules-coverage", + "classic-sources": [ "enSecurityRulesCoverage" ] + }, + { + "slug": "/serverless/security/tune-detection-signals", + "classic-sources": [ "enSecurityTuningDetectionSignals" ] + }, + { + "slug": "/serverless/security/ts-detection-rules", + "classic-sources": [ "enSecurityTsDetectionRules" ] + }, + { + "slug": "/serverless/security/prebuilt-rules", + "classic-sources": [ "enSecurityPrebuiltRules" ], + "classic-skip": true + } + ] + }, + { + "label": "Alerts", + "slug": "/serverless/security/alerts-manage", + "classic-sources": [ "enSecurityAlertsUiManage" ], + "items": [ + { + "label": "Visualize alerts", + "slug": "/serverless/security/visualize-alerts", + "classic-sources": [ "enSecurityVisualizeAlerts" ] + }, + { + "label": "View alert details", + "slug": 
"/serverless/security/view-alert-details", + "classic-sources": [ "enSecurityViewAlertDetails" ] + }, + { + "label": "Add alerts to cases", + "slug": "/serverless/security/signals-to-cases", + "classic-sources": [ "enSecuritySignalsToCases" ] + }, + { + "label": "Suppress alerts", + "slug": "/serverless/security/alert-suppression", + "classic-sources": [ "enSecurityAlertSuppression" ] + }, + { + "slug": "/serverless/security/reduce-notifications-alerts", + "classic-sources": [ "enSecurityReduceNotificationsAlerts" ] + }, + { + "slug": "/serverless/security/visual-event-analyzer", + "classic-sources": [ "enSecurityVisualEventAnalyzer" ] + }, + { + "slug": "/serverless/security/query-alert-indices", + "classic-sources": [ "enSecurityQueryAlertIndices" ] + }, + { + "slug": "/serverless/security/alert-schema", + "classic-sources": [ "enSecurityAlertSchema" ] + } + ] + }, + { + "label": "Advanced Entity Analytics", + "slug": "/serverless/security/advanced-entity-analytics", + "items": [ + { + "label": "Entity risk scoring", + "slug": "/serverless/security/entity-risk-scoring", + "items": [ + { + "label": "Asset criticality", + "slug": "/serverless/security/asset-criticality" + }, + { + "label": "Turn on risk scoring", + "slug": "/serverless/security/turn-on-risk-engine" + }, + { + "label": "View risk score data", + "slug": "/serverless/security/analyze-risk-score-data" + } + ] + }, + { + "label": "Advanced behavioral detections", + "slug": "/serverless/security/advanced-behavioral-detections", + "items": [ + { + "slug": "/serverless/security/machine-learning", + "classic-sources": [ "enSecurityMachineLearning" ] + }, + { + "slug": "/serverless/security/tuning-anomaly-results", + "classic-sources": [ "enSecurityTuningAnomalyResults" ] + }, + { + "slug": "/serverless/security/behavioral-detection-use-cases" + }, + { + "slug": "/serverless/security/prebuilt-ml-jobs", + "classic-sources": [ "enSecurityPrebuiltMlJobs" ] + } + ] + } + ] + }, + { + "slug": 
"/serverless/security/investigate-events", + "classic-sources": [ "enSecurityInvestigateEvents" ], + "items": [ + { + "slug": "/serverless/security/timelines-ui", + "classic-sources": [ "enSecurityTimelinesUi" ], + "items": [ + { + "slug": "/serverless/security/timeline-templates-ui", + "classic-sources": [ "enSecurityTimelineTemplatesUi" ] + }, + { + "slug": "/serverless/security/timeline-object-schema", + "classic-sources": [ "enSecurityTimelineObjectSchema" ] + } + ] + }, + { + "slug": "/serverless/security/cases-overview", + "classic-sources": [ "enSecurityCasesOverview" ], + "items": [ + { + "slug": "/serverless/security/cases-open-manage", + "classic-sources": [ "enSecurityCasesOpenManage" ] + }, + { + "slug": "/serverless/security/cases-settings" + } + ] + }, + { + "slug": "/serverless/security/indicators-of-compromise", + "classic-sources": [ "enSecurityIndicatorsOfCompromise" ] + } + ] + }, + { + "slug": "/serverless/security/query-operating-systems", + "classic-sources": [ "enSecurityUseOsquery" ], + "items": [ + { + "slug": "/serverless/security/osquery-response-action", + "classic-sources": [ "enSecurityOsqueryResponseAction" ] + }, + { + "slug": "/serverless/security/invest-guide-run-osquery", + "classic-sources": [ "enSecurityInvestGuideRunOsquery" ] + }, + { + "slug": "/serverless/security/alerts-run-osquery", + "classic-sources": [ "enSecurityAlertsRunOsquery" ] + }, + { + "slug": "/serverless/security/examine-osquery-results", + "classic-sources": [ "enSecurityViewOsqueryResults" ] + }, + { + "slug": "/serverless/security/osquery-placeholder-fields", + "classic-sources": [ "enSecurityOsqueryPlaceholderFields" ] + } + ] + }, + { + "slug": "/serverless/security/response-actions", + "classic-sources": [ "enSecurityResponseActions" ], + "items": [ + { + "slug": "/serverless/security/automated-response-actions" + }, + { + "slug": "/serverless/security/isolate-host", + "classic-sources": [ "enSecurityHostIsolationOv" ] + }, + { + "slug": 
"/serverless/security/response-actions-history", + "classic-sources": [ "enSecurityResponseActionsHistory" ] + }, + { + "slug": "/serverless/security/third-party-actions" + }, + { + "slug": "/serverless/security/response-actions-config" + } + ] + }, + { + "slug": "/serverless/security/manage-endpoint-protection", + "classic-sources": [ "enSecuritySecManageIntro" ], + "items": [ + { + "slug": "/serverless/security/endpoints-page", + "classic-sources": [ "enSecurityAdminPageOv" ] + }, + { + "slug": "/serverless/security/policies-page", + "classic-sources": [ "enSecurityPoliciesPageOv" ] + }, + { + "slug": "/serverless/security/trusted-applications", + "classic-sources": [ "enSecurityTrustedAppsOv" ] + }, + { + "slug": "/serverless/security/event-filters", + "classic-sources": [ "enSecurityEventFilters" ] + }, + { + "slug": "/serverless/security/host-isolation-exceptions", + "classic-sources": [ "enSecurityHostIsolationExceptions" ] + }, + { + "slug": "/serverless/security/blocklist", + "classic-sources": [ "enSecurityBlocklist" ] + }, + { + "slug": "/serverless/security/endpoint-event-capture" + }, + { + "slug": "/serverless/security/optimize-edr", + "classic-sources": [ "enSecurityEndpointArtifacts" ] + }, + { + "slug": "/serverless/security/allowlist-endpoint" + }, + { + "slug": "/serverless/security/troubleshoot-endpoints", + "classic-sources": [ "enSecurityTsManagement" ] + } + ] + }, + { + "slug": "/serverless/security/asset-management" + }, + { + "slug": "/serverless/security/manage-settings", + "items": [ + { + "slug": "/serverless/security/project-settings" + }, + { + "slug": "/serverless/security/advanced-settings", + "classic-sources": [ "enSecurityAdvancedSettings" ] + }, + { + "slug": "/serverless/security/requirements-overview", + "classic-sources": [ "enSecuritySecRequirements" ], + "items": [ + { + "slug": "/serverless/security/detections-requirements", + "classic-sources": [ "enSecurityDetectionsPermissionsSection" ] + }, + { + "slug": 
"/serverless/security/cases-requirements", + "classic-sources": [ "enSecurityCasePermissions" ] + }, + { + "slug": "/serverless/security/ers-requirements" + }, + { + "slug": "/serverless/security/ml-requirements", + "classic-sources": [ "enSecurityMlRequirements" ] + }, + { + "slug": "/serverless/security/conf-map-ui", + "classic-sources": [ "enSecurityConfMapUi" ] + } + ] + } + ] + }, + { + "slug": "/serverless/security/security-technical-preview-limitations" + } + ] +} From 6a406c62628e10fbb92617a0c0ade843da28a4c8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 2 Aug 2024 13:48:29 +0000 Subject: [PATCH 2/4] Delete docs/serverless directory and its contents --- .../allowlist-endpoint-3rd-party-av.mdx | 69 -- .../serverless/edr-manage/trusted-apps-ov.mdx | 105 --- .../serverless-security.docnav.json | 684 ------------------ 3 files changed, 858 deletions(-) delete mode 100644 docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx delete mode 100644 docs/serverless/edr-manage/trusted-apps-ov.mdx delete mode 100644 docs/serverless/serverless-security.docnav.json diff --git a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx deleted file mode 100644 index 992d8ac5d7..0000000000 --- a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -slug: /serverless/security/allowlist-endpoint -title: Allowlist ((elastic-endpoint)) in third-party antivirus apps -description: Add ((elastic-endpoint)) as a trusted application in third-party antivirus (AV) software. -tags: [ 'serverless', 'security', 'overview' ] -status: in review ---- - - - - -If you use other antivirus (AV) software along with ((elastic-defend)), you may need to add the other system as a trusted application in the ((security-app)). Refer to for more information. - - -Third-party antivirus (AV) applications may identify the expected behavior of ((elastic-endpoint)) as a potential threat. Add ((elastic-endpoint))'s digital signatures and file paths to your AV software's allowlist to ensure ((elastic-endpoint)) continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable. - - -Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes. - - -## Allowlist ((elastic-endpoint)) on Windows - -File paths: - -* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys` -* Driver: `c:\Windows\system32\drivers\ElasticElam.sys` -* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe` - - - The executable runs as `elastic-endpoint.exe`. - - -Digital signatures: - -* `Elasticsearch, Inc.` -* `Elasticsearch B.V.` - -For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software). 
- -## Allowlist ((elastic-endpoint)) on macOS - -File paths: - -* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/` - - - The system extension runs as `co.elastic.systemextension`. - - -* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint` - - - The executable runs as `elastic-endpoint`. - - -Digital signatures: - -* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)` -* Team ID: `2BT3HPN62Z` - -## Allowlist ((elastic-endpoint)) on Linux - -File path: - -* Executable: `/opt/Elastic/Endpoint/elastic-endpoint` - - - The executable runs as `elastic-endpoint`. - \ No newline at end of file diff --git a/docs/serverless/edr-manage/trusted-apps-ov.mdx b/docs/serverless/edr-manage/trusted-apps-ov.mdx deleted file mode 100644 index 2576a17d41..0000000000 --- a/docs/serverless/edr-manage/trusted-apps-ov.mdx +++ /dev/null @@ -1,105 +0,0 @@ ---- -slug: /serverless/security/trusted-applications -title: Trusted applications -# description: Description to be written -tags: [ 'serverless', 'security', 'how-to' ] -status: in review ---- - - -
- - -If you use ((elastic-defend)) along with other antivirus (AV) software, you might need to configure the other system to trust ((elastic-endpoint)). Refer to for more information. - - -On the **Trusted applications** page (**Assets** → **Trusted applications**), you can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the ((elastic-defend)) integration. - - - -You must have the appropriate user role to use this feature. -{/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */} -{/* You must have the **Trusted Applications** privilege to access this feature. */} - - - -Trusted applications create blindspots for ((elastic-defend)), because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application's process. - -Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an Endpoint alert exception, which prevents ((elastic-defend)) from generating alerts. To compare trusted applications with other endpoint artifacts, refer to . - -Additionally, trusted applications still generate process events for visualizations and other internal use by the ((stack)). 
To prevent process events from being written to ((es)), use an event filter to filter out the specific events that you don't want stored in ((es)), but be aware that features that depend on these process events may not function correctly. - -By default, a trusted application is recognized globally across all hosts running ((elastic-defend)). You can also assign a trusted application to a specific ((elastic-defend)) integration policy, enabling the application to be trusted by only the hosts assigned to that policy. - -To add a trusted application: - -1. Go to **Manage** → **Trusted applications**. - -1. Click **Add trusted application**. - -1. Fill in the following fields in the **Add trusted application** flyout: - - * `Name your trusted application`: Enter a name for the trusted application. - - * `Description`(Optional): Enter a description for the trusted application. - - * `Select operating system`: Select the appropriate operating system from the drop-down. - - * `Field`: Select a field to identify the trusted application: - * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable. - * `Path`: The full file path of the application's executable. - * `Signature`: (Windows only) The name of the application's digital signer. - - - To find the signer's name for an application, go to **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`). - - - * `Operator`: Select an operator to define the condition: - * `is`: Must be _exactly_ equal to `Value`; wildcards are not supported. This operation is required for the `Hash` and `Signature` field types. - * `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This operator is only available for the `Path` field type. 
Available wildcards are `?` (match one character) and `*` (match zero or more characters). - - * `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**. - - - You can only add a single field type value per trusted application. For example, if you try to add two `Path` values, you'll get an error message. Also, an application's hash value must be valid to add it as a trusted application. In addition, to minimize visibility gaps in the ((security-app)), be as specific as possible in your entries. For example, combine `Signature` information with a known `Path`. - - -1. Select an option in the **Assignment** section to assign the trusted application to a specific integration policy: - * `Global`: Assign the trusted application to all integration policies for ((elastic-defend)). - * `Per Policy`: Assign the trusted application to one or more specific ((elastic-defend)) integration policies. Select each policy in which you want the application to be trusted. - - - You can also select the `Per Policy` option without immediately assigning a policy to the trusted application. For example, you could do this to create and review your trusted application configurations before putting them into action with a policy. - - -1. Click **Add trusted application**. The application is added to the **Trusted applications** list. - -
- -## View and manage trusted applications - -The **Trusted applications** page (**Assets** → **Trusted applications**) displays all the trusted applications that have been added to the ((security-app)). To refine the list, use the search bar to search by name, description, or field value. - -![](../images/trusted-apps-ov/-management-admin-trusted-apps-list.png) - -
- -### Edit a trusted application -You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to. - -To edit a trusted application: - -1. Click the actions menu (*...*) on the trusted application you want to edit, then select **Edit trusted application**. -1. Modify details as needed. -1. Click **Save**. - -
- -### Delete a trusted application -You can delete a trusted application, which removes it entirely from all ((elastic-defend)) integration policies. - -To delete a trusted application: - -1. Click the actions menu (*...*) on the trusted application you want to delete, then select **Delete trusted application**. -1. On the dialog that opens, verify that you are removing the correct application, then click **Delete**. A confirmation message is displayed. - diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json deleted file mode 100644 index d9ad8925bb..0000000000 --- a/docs/serverless/serverless-security.docnav.json +++ /dev/null 
@@ -1,684 +0,0 @@ -{ - "mission": "Elastic Security", - "id": "serverless-security", - "landingPageSlug": "/serverless/security/what-is-security-serverless", - "icon": "logoSecurity", - "description": "Description to be written", - "items": [ - { - "slug": "/serverless/security/overview", - "classic-sources": [ "enSecurityEsOverview" ] - }, - { - "slug": "/serverless/security/security-billing" - }, - { - "slug": "/serverless/security/create-project" - }, - { - "slug": "/serverless/security/security-ui", - "classic-sources": [ "enSecurityEsUiOverview" ] - }, - { - "label": "AI for security", - "slug": "/serverless/security/ai-for-security", - "items": [ - { - "slug": "/serverless/security/ai-assistant" - }, - { - "slug": "/serverless/security/attack-discovery" - }, - { - "slug": "/serverless/security/llm-connector-guides", - "items": [ - { - "slug": "/serverless/security/connect-to-azure-openai" - }, - { - "slug": "/serverless/security/connect-to-bedrock" - }, - { - "slug": "/serverless/security/connect-to-openai" - }, - { - "slug": "/serverless/security/connect-to-google-vertex" - }, - { - "slug": "/serverless/security/connect-to-byo-llm" - } - ] - }, - { - "slug": "/serverless/security/ai-use-cases", - "items": [ - { - "slug": "/serverless/security/ai-usecase-incident-reporting" - }, - { - "slug": "/serverless/security/triage-alerts-with-elastic-ai-assistant" - }, - { - "slug": "/serverless/security/ai-assistant-esql-queries" - } - ] - }, - { - "slug": "/serverless/security/llm-performance-matrix" - } - ] - }, - { - "label": "Ingest data", - "slug": "/serverless/security/ingest-data", - "classic-sources": [ "enSecurityIngestData" ], - "items": [ - { - "slug": "/serverless/security/threat-intelligence", - "classic-sources": [ "enSecurityEsThreatIntelIntegrations" ] - } - ] - }, - { - "label": "Secure your endpoints", - "slug": "/serverless/security/install-edr", - "classic-sources": [ "enSecurityInstallEndpoint" ], - "items": [ - { - "label": "Prevent Agent 
uninstallation", - "slug": "/serverless/security/agent-tamper-protection" - }, - { - "label": "Configure an integration policy", - "slug": "/serverless/security/configure-endpoint-integration-policy", - "classic-sources": [ "enSecurityConfigureEndpointIntegrationPolicy" ], - "items": [ - { - "label": "Configure protection updates", - "slug": "/serverless/security/protection-artifact-control" - }, - { - "slug": "/serverless/security/endpoint-diagnostic-data", - "classic-sources": [ "enSecurityEndpointDiagnosticData" ] - }, - { - "label": "Self-healing rollback (Windows)", - "slug": "/serverless/security/self-healing-rollback", - "classic-sources": [ "enSecuritySelfHealingRollback" ] - }, - { - "label": "File system monitoring (Linux)", - "slug": "/serverless/security/linux-file-monitoring", - "classic-sources": [ "enSecurityLinuxFileMonitoring" ] - } - ] - }, - { - "slug": "/serverless/security/elastic-endpoint-deploy-reqs", - "classic-sources": [ "enSecurityElasticEndpointDeployReqs" ], - "items": [ - { - "label": "macOS Catalina through Monterey", - "slug": "/serverless/security/install-endpoint-manually", - "classic-sources": [ "enSecurityDeployElasticEndpoint" ] - }, - { - "label": "macOS Ventura and higher", - "slug": "/serverless/security/deploy-elastic-endpoint-ven", - "classic-sources": [ "enSecurityDeployElasticEndpointVen" ] - }, - { - "label": "Enable the Endgame sensor (Optional)", - "slug": "/serverless/security/endgame-sensor-full-disk-access", - "classic-sources": [ "enSecurityEndgameSensorFullDiskAccess" ] - } - ] - }, - { - "slug": "/serverless/security/uninstall-agent" - }, - { - "label": "Uninstall Elastic Endpoint", - "slug": "/serverless/security/uninstall-endpoint", - "classic-sources": [ "enSecurityUninstallEndpoint" ] - } - ] - }, - { - "slug": "/serverless/security/cloud-native-security-overview", - "classic-sources": [ "enSecurityCloudNativeSecurityOverview" ], - "items": [ - { - "slug": "/serverless/security/security-posture-management", - 
"classic-sources": [ "enSecuritySecurityPostureManagement" ] - }, - { - "slug": "/serverless/security/enable-cloudsec" - }, - { - "slug": "/serverless/security/cspm", - "classic-sources": [ "enSecurityCspm" ], - "items": [ - { - "slug": "/serverless/security/cspm-get-started", - "classic-sources": [ "enSecurityCspmGetStarted" ] - }, - { - "slug": "/serverless/security/cspm-get-started-gcp", - "classic-sources": [ "enSecurityCspmGetStartedGcp" ] - }, - { - "slug": "/serverless/security/cspm-get-started-azure", - "classic-sources": [ "enSecurityCspmGetStartedAzure" ] - }, - { - "slug": "/serverless/security/cspm-findings-page", - "classic-sources": [ "enSecurityCspmFindingsPage" ] - }, - { - "slug": "/serverless/security/benchmark-rules", - "classic-sources": [ "enSecurityCspmBenchmarkRules" ] - }, - { - "slug": "/serverless/security/cloud-posture-dashboard-dash", - "classic-sources": [ "enSecurityCloudPostureDashboard" ] - }, - { - "slug": "/serverless/security/cspm-security-posture-faq", - "classic-sources": [ "enSecurityCspmSecurityPostureFaq" ] - } - ] - }, - { - "slug": "/serverless/security/kspm", - "classic-sources": [ "enSecurityKspm" ], - "items": [ - { - "slug": "/serverless/security/get-started-with-kspm", - "classic-sources": [ "enSecurityGetStartedWithKspm" ] - }, - { - "slug": "/serverless/security/cspm-findings-page", - "classic-sources": [ "enSecurityCspmFindingsPage" ] - }, - { - "slug": "/serverless/security/benchmark-rules", - "classic-sources": [ "enSecurityBenchmarkRules" ] - }, - { - "slug": "/serverless/security/cloud-posture-dashboard-dash", - "classic-sources": [ "enSecurityCloudPostureDashboard" ] - }, - { - "slug": "/serverless/security/security-posture-faq", - "classic-sources": [ "enSecuritySecurityPostureFaq" ] - } - ] - }, - { - "slug": "/serverless/security/vuln-management-overview", - "classic-sources": [ "enSecurityVulnManagementOverview" ], - "items": [ - { - "slug": "/serverless/security/vuln-management-get-started", - 
"classic-sources": [ "enSecurityVulnManagementGetStarted" ] - }, - { - "slug": "/serverless/security/vuln-management-findings", - "classic-sources": [ "enSecurityVulnManagementFindings" ] - }, - { - "slug": "/serverless/security/vuln-management-dashboard-dash", - "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] - }, - { - "slug": "/serverless/security/vuln-management-faq", - "classic-sources": [ "enSecurityVulnManagementFaq" ] - } - ] - }, - { - "slug": "/serverless/security/d4c-overview", - "classic-sources": [ "enSecurityD4cOverview" ], - "items": [ - { - "slug": "/serverless/security/d4c-get-started", - "classic-sources": [ "enSecurityD4cGetStarted" ] - }, - { - "slug": "/serverless/security/d4c-policy-guide", - "classic-sources": [ "enSecurityD4cPolicyGuide" ] - }, - { - "slug": "/serverless/security/kubernetes-dashboard-dash", - "classic-sources": [ "enSecurityKubernetesDashboard" ] - } - ] - }, - { - "slug": "/serverless/security/cloud-workload-protection", - "classic-sources": [ "enSecurityCloudWorkloadProtection" ], - "items": [ - { - "slug": "/serverless/security/session-view", - "classic-sources": [ "enSecuritySessionView" ] - }, - { - "slug": "/serverless/security/environment-variable-capture", - "classic-sources": [ "enSecurityEnvironmentVariableCapture" ] - } - ] - } - ] - }, - { - "slug": "/serverless/security/explore-your-data", - "classic-sources": [ "enSecurityExploreYourData" ], - "items": [ - { - "slug": "/serverless/security/hosts-overview", - "classic-sources": [ "enSecurityHostsOverview" ] - }, - { - "slug": "/serverless/security/network-page-overview", - "classic-sources": [ "enSecurityNetworkPageOverview" ] - }, - { - "slug": "/serverless/security/users-page", - "classic-sources": [ "enSecurityUsersPage" ] - }, - { - "slug": "/serverless/security/data-views-in-sec", - "classic-sources": [ "enSecurityDataViewsInSec" ] - }, - { - "label": "Create runtime fields", - "slug": "/serverless/security/runtime-fields", - 
"classic-sources": [ "enSecurityRuntimeFields" ] - }, - { - "slug": "/serverless/security/siem-field-reference", - "classic-sources": [ "enSecuritySiemFieldReference" ] - } - ] - }, - { - "slug": "/serverless/security/dashboards-overview", - "classic-sources": [ "enSecurityDashboardsOverview" ], - "items": [ - { - "label": "Overview", - "slug": "/serverless/security/overview-dashboard", - "classic-sources": [ "enSecurityOverviewDashboard" ] - }, - { - "label": "Detection & Response", - "slug": "/serverless/security/detection-response-dashboard", - "classic-sources": [ "enSecurityDetectionResponseDashboard" ] - }, - { - "label": "Kubernetes", - "slug": "/serverless/security/kubernetes-dashboard-dash", - "classic-sources": [ "enSecurityKubernetesDashboard" ] - }, - { - "label": "Cloud Security Posture", - "slug": "/serverless/security/cloud-posture-dashboard-dash", - "classic-sources": [ "enSecurityCloudPostureDashboard" ] - }, - { - "label": "Entity Analytics", - "slug": "/serverless/security/detection-entity-dashboard", - "classic-sources": [ "enSecurityDetectionEntityDashboard" ] - }, - { - "label": "Data Quality", - "slug": "/serverless/security/data-quality-dash" - }, - { - "label": "Cloud Native Vulnerability Management", - "slug": "/serverless/security/vuln-management-dashboard-dash", - "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] - }, - { - "label": "Detection rule monitoring", - "slug": "/serverless/security/rule-monitoring-dashboard", - "classic-sources": [ "enSecurityRuleMonitoringDashboard" ] - } ] - }, - { - "slug": "/serverless/security/detection-engine-overview", - "classic-sources": [ "enSecurityDetectionEngineOverview" ] - }, - { - "label": "Rules", - "slug": "/serverless/security/about-rules", - "classic-sources": [ "enSecurityAboutRules" ], - "items": [ - { - "slug": "/serverless/security/rules-create", - "classic-sources": [ "enSecurityRulesUiCreate" ], - "items": [ - { - "slug": 
"/serverless/security/interactive-investigation-guides", - "classic-sources": [ "enSecurityInteractiveInvestigationGuides" ] - }, - { - "slug": "/serverless/security/building-block-rules", - "classic-sources": [ "enSecurityBuildingBlockRule" ] - } - ] - }, - { - "label": "Use Elastic prebuilt rules", - "slug": "/serverless/security/prebuilt-rules-management", - "classic-sources": [ "enSecurityPrebuiltRulesManagement" ] - }, - { - "slug": "/serverless/security/rules-ui-management", - "classic-sources": [ "enSecurityRulesUiManagement" ] - }, - { - "slug": "/serverless/security/alerts-ui-monitor", - "classic-sources": [ "enSecurityAlertsUiMonitor" ] - }, - { - "slug": "/serverless/security/rule-exceptions", - "classic-sources": [ "enSecurityDetectionsUiExceptions" ], - "items": [ - { - "slug": "/serverless/security/value-lists-exceptions", - "classic-sources": [ "enSecurityValueListsExceptions" ] - }, - { - "slug": "/serverless/security/add-exceptions", - "classic-sources": [ "enSecurityAddExceptions" ] - }, - { - "slug": "/serverless/security/shared-exception-lists", - "classic-sources": [ "enSecuritySharedExceptionLists" ] - } - ] - }, - { - "slug": "/serverless/security/rules-coverage", - "classic-sources": [ "enSecurityRulesCoverage" ] - }, - { - "slug": "/serverless/security/tune-detection-signals", - "classic-sources": [ "enSecurityTuningDetectionSignals" ] - }, - { - "slug": "/serverless/security/ts-detection-rules", - "classic-sources": [ "enSecurityTsDetectionRules" ] - }, - { - "slug": "/serverless/security/prebuilt-rules", - "classic-sources": [ "enSecurityPrebuiltRules" ], - "classic-skip": true - } - ] - }, - { - "label": "Alerts", - "slug": "/serverless/security/alerts-manage", - "classic-sources": [ "enSecurityAlertsUiManage" ], - "items": [ - { - "label": "Visualize alerts", - "slug": "/serverless/security/visualize-alerts", - "classic-sources": [ "enSecurityVisualizeAlerts" ] - }, - { - "label": "View alert details", - "slug": 
"/serverless/security/view-alert-details", - "classic-sources": [ "enSecurityViewAlertDetails" ] - }, - { - "label": "Add alerts to cases", - "slug": "/serverless/security/signals-to-cases", - "classic-sources": [ "enSecuritySignalsToCases" ] - }, - { - "label": "Suppress alerts", - "slug": "/serverless/security/alert-suppression", - "classic-sources": [ "enSecurityAlertSuppression" ] - }, - { - "slug": "/serverless/security/reduce-notifications-alerts", - "classic-sources": [ "enSecurityReduceNotificationsAlerts" ] - }, - { - "slug": "/serverless/security/visual-event-analyzer", - "classic-sources": [ "enSecurityVisualEventAnalyzer" ] - }, - { - "slug": "/serverless/security/query-alert-indices", - "classic-sources": [ "enSecurityQueryAlertIndices" ] - }, - { - "slug": "/serverless/security/alert-schema", - "classic-sources": [ "enSecurityAlertSchema" ] - } - ] - }, - { - "label": "Advanced Entity Analytics", - "slug": "/serverless/security/advanced-entity-analytics", - "items": [ - { - "label": "Entity risk scoring", - "slug": "/serverless/security/entity-risk-scoring", - "items": [ - { - "label": "Asset criticality", - "slug": "/serverless/security/asset-criticality" - }, - { - "label": "Turn on risk scoring", - "slug": "/serverless/security/turn-on-risk-engine" - }, - { - "label": "View risk score data", - "slug": "/serverless/security/analyze-risk-score-data" - } - ] - }, - { - "label": "Advanced behavioral detections", - "slug": "/serverless/security/advanced-behavioral-detections", - "items": [ - { - "slug": "/serverless/security/machine-learning", - "classic-sources": [ "enSecurityMachineLearning" ] - }, - { - "slug": "/serverless/security/tuning-anomaly-results", - "classic-sources": [ "enSecurityTuningAnomalyResults" ] - }, - { - "slug": "/serverless/security/behavioral-detection-use-cases" - }, - { - "slug": "/serverless/security/prebuilt-ml-jobs", - "classic-sources": [ "enSecurityPrebuiltMlJobs" ] - } - ] - } - ] - }, - { - "slug": 
"/serverless/security/investigate-events", - "classic-sources": [ "enSecurityInvestigateEvents" ], - "items": [ - { - "slug": "/serverless/security/timelines-ui", - "classic-sources": [ "enSecurityTimelinesUi" ], - "items": [ - { - "slug": "/serverless/security/timeline-templates-ui", - "classic-sources": [ "enSecurityTimelineTemplatesUi" ] - }, - { - "slug": "/serverless/security/timeline-object-schema", - "classic-sources": [ "enSecurityTimelineObjectSchema" ] - } - ] - }, - { - "slug": "/serverless/security/cases-overview", - "classic-sources": [ "enSecurityCasesOverview" ], - "items": [ - { - "slug": "/serverless/security/cases-open-manage", - "classic-sources": [ "enSecurityCasesOpenManage" ] - }, - { - "slug": "/serverless/security/cases-settings" - } - ] - }, - { - "slug": "/serverless/security/indicators-of-compromise", - "classic-sources": [ "enSecurityIndicatorsOfCompromise" ] - } - ] - }, - { - "slug": "/serverless/security/query-operating-systems", - "classic-sources": [ "enSecurityUseOsquery" ], - "items": [ - { - "slug": "/serverless/security/osquery-response-action", - "classic-sources": [ "enSecurityOsqueryResponseAction" ] - }, - { - "slug": "/serverless/security/invest-guide-run-osquery", - "classic-sources": [ "enSecurityInvestGuideRunOsquery" ] - }, - { - "slug": "/serverless/security/alerts-run-osquery", - "classic-sources": [ "enSecurityAlertsRunOsquery" ] - }, - { - "slug": "/serverless/security/examine-osquery-results", - "classic-sources": [ "enSecurityViewOsqueryResults" ] - }, - { - "slug": "/serverless/security/osquery-placeholder-fields", - "classic-sources": [ "enSecurityOsqueryPlaceholderFields" ] - } - ] - }, - { - "slug": "/serverless/security/response-actions", - "classic-sources": [ "enSecurityResponseActions" ], - "items": [ - { - "slug": "/serverless/security/automated-response-actions" - }, - { - "slug": "/serverless/security/isolate-host", - "classic-sources": [ "enSecurityHostIsolationOv" ] - }, - { - "slug": 
"/serverless/security/response-actions-history", - "classic-sources": [ "enSecurityResponseActionsHistory" ] - }, - { - "slug": "/serverless/security/third-party-actions" - }, - { - "slug": "/serverless/security/response-actions-config" - } - ] - }, - { - "slug": "/serverless/security/manage-endpoint-protection", - "classic-sources": [ "enSecuritySecManageIntro" ], - "items": [ - { - "slug": "/serverless/security/endpoints-page", - "classic-sources": [ "enSecurityAdminPageOv" ] - }, - { - "slug": "/serverless/security/policies-page", - "classic-sources": [ "enSecurityPoliciesPageOv" ] - }, - { - "slug": "/serverless/security/trusted-applications", - "classic-sources": [ "enSecurityTrustedAppsOv" ] - }, - { - "slug": "/serverless/security/event-filters", - "classic-sources": [ "enSecurityEventFilters" ] - }, - { - "slug": "/serverless/security/host-isolation-exceptions", - "classic-sources": [ "enSecurityHostIsolationExceptions" ] - }, - { - "slug": "/serverless/security/blocklist", - "classic-sources": [ "enSecurityBlocklist" ] - }, - { - "slug": "/serverless/security/endpoint-event-capture" - }, - { - "slug": "/serverless/security/optimize-edr", - "classic-sources": [ "enSecurityEndpointArtifacts" ] - }, - { - "slug": "/serverless/security/allowlist-endpoint" - }, - { - "slug": "/serverless/security/troubleshoot-endpoints", - "classic-sources": [ "enSecurityTsManagement" ] - } - ] - }, - { - "slug": "/serverless/security/asset-management" - }, - { - "slug": "/serverless/security/manage-settings", - "items": [ - { - "slug": "/serverless/security/project-settings" - }, - { - "slug": "/serverless/security/advanced-settings", - "classic-sources": [ "enSecurityAdvancedSettings" ] - }, - { - "slug": "/serverless/security/requirements-overview", - "classic-sources": [ "enSecuritySecRequirements" ], - "items": [ - { - "slug": "/serverless/security/detections-requirements", - "classic-sources": [ "enSecurityDetectionsPermissionsSection" ] - }, - { - "slug": 
"/serverless/security/cases-requirements", - "classic-sources": [ "enSecurityCasePermissions" ] - }, - { - "slug": "/serverless/security/ers-requirements" - }, - { - "slug": "/serverless/security/ml-requirements", - "classic-sources": [ "enSecurityMlRequirements" ] - }, - { - "slug": "/serverless/security/conf-map-ui", - "classic-sources": [ "enSecurityConfMapUi" ] - } - ] - } - ] - }, - { - "slug": "/serverless/security/security-technical-preview-limitations" - } - ] -} From 87d399d71d0684d92480cde9d9769e8a54d42262 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Fri, 2 Aug 2024 15:03:43 +0100 Subject: [PATCH 3/4] Resolves conflict --- docs/management/admin/trusted-apps.asciidoc | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index a663b82418..5a1b17bad6 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc 
@@ -2,13 +2,9 @@
 [chapter, role="xpack"]
 = Trusted applications
-<<<<<<< HEAD
-You can add Windows, macOS, and Linux applications that should be trusted. By adding these trusted applications, you can use {elastic-sec} without compatibility or performance issues with other installed applications on your system. Trusted applications are applied only to hosts running {endpoint-sec}.
-=======
 NOTE: If you use {elastic-defend} along with other antivirus (AV) software, you might need to configure the other system to trust {elastic-endpoint}. Refer to <> for more information.
-You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {elastic-defend} integration.
->>>>>>> f8e7ca6e (Adds Allowlist Elastic Endpoint in third-party antivirus apps page to serverless docs (#5639))
+You can add Windows, macOS, and Linux applications that should be trusted. By adding these trusted applications, you can use {elastic-sec} without compatibility or performance issues with other installed applications on your system. Trusted applications are applied only to hosts running {endpoint-sec}.
 NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users].
From 610acc80e819c68b6ed38bd4059d8e43c87b40a3 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic
Date: Fri, 2 Aug 2024 16:05:20 +0100
Subject: [PATCH 4/4] Renames integration
---
 docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc | 2 +-
 docs/management/admin/trusted-apps.asciidoc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
index 2dc920c781..c0bef411da 100644
--- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
+++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
@@ -1,7 +1,7 @@
 [[allowlist-endpoint-3rd-party-av-apps]]
 = Allowlist Elastic Endpoint in third-party antivirus apps
-NOTE: If you use other antivirus (AV) software along with {elastic-defend}, you may need to add the other system as a trusted application in the {security-app}. Refer to <> for more information.
+NOTE: If you use other antivirus (AV) software along with {endpoint-sec}, you may need to add the other system as a trusted application in the {security-app}. Refer to <> for more information.
 Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc
index 5a1b17bad6..c09bb9d047 100644
--- a/docs/management/admin/trusted-apps.asciidoc
+++ b/docs/management/admin/trusted-apps.asciidoc
@@ -2,7 +2,7 @@
 [chapter, role="xpack"]
 = Trusted applications
-NOTE: If you use {elastic-defend} along with other antivirus (AV) software, you might need to configure the other system to trust {elastic-endpoint}. Refer to <> for more information.
+NOTE: If you use {endpoint-sec} along with other antivirus (AV) software, you might need to configure the other system to trust {elastic-endpoint}. Refer to <> for more information.
 You can add Windows, macOS, and Linux applications that should be trusted. By adding these trusted applications, you can use {elastic-sec} without compatibility or performance issues with other installed applications on your system. Trusted applications are applied only to hosts running {endpoint-sec}.