Skip to content

Commit

Permalink
Protection artifact update control (#4261) (#4302)
Browse files Browse the repository at this point in the history
* Update general policy instructions, add link

* First draft of main page content

* Correction

* Revise expiration info

* Smol edit: arrow special character

(cherry picked from commit 0b02fbb)

Co-authored-by: Joe Peeples <[email protected]>
  • Loading branch information
mergify[bot] and joepeeples authored Nov 20, 2023
1 parent 8aaa3f7 commit 394214d
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 7 deletions.
20 changes: 15 additions & 5 deletions docs/getting-started/artifact-control.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,18 @@
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [secure, manage]

[sidebar]
--
[.text-center]
This page is a placeholder for future documentation.
--
On the **Protection updates** tab of the {elastic-defend} integration policy, you can configure how {elastic-defend} receives updates from Elastic with the latest threat detections, global exceptions, malware models, rule packages, and other protection artifacts. By default, these artifacts are automatically updated regularly, ensuring your environment is up to date with the latest protections.

You can disable automatic updates and freeze your protection artifacts to a specific date, allowing you to control when to receive and install the updates. For example, you might want to temporarily disable updates to ensure resource availability during a high-volume period, test updates in a controlled staging environment before rolling out to production, or roll back to a previous version of protections.

Protection artifacts will expire after 18 months, and you'll no longer be able to select them as a deployed version. If you're already using a specific version when it expires, you'll keep using it until you either select a later non-expired version or re-enable automatic updates.

CAUTION: It is strongly advised to keep automatic updates enabled to ensure the highest level of security for your environment. Proceed with caution if you decide to disable automatic updates.

To configure the protection artifacts version deployed in your environment:

. Go to **Manage** → **Policies**, select an {elastic-defend} integration policy, then select the **Protection updates** tab.
. Turn off the **Enable automatic updates** toggle.
. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment.
. (Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts.
. Select **Save**.
9 changes: 7 additions & 2 deletions docs/getting-started/configure-integration-policy.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ To configure an integration policy:

1. In the {security-app}, go to **Manage** -> **Policies** to view the **Policies** page.
2. Select the integration policy you want to configure. The integration policy configuration page appears.
3. Review the following settings on the **Policy settings** tab and configure them as appropriate:
3. On the **Policy settings** tab, review and configure the following settings as appropriate:
* <<malware-protection>>
* <<ransomware-protection>>
* <<memory-protection>>
Expand All @@ -35,17 +35,22 @@ To configure an integration policy:
4. Click the **Trusted applications**, **Event filters**, **Host isolation exceptions**,
and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy
(for more information, refer to <<trusted-apps-ov>>, <<event-filters>>, <<host-isolation-exceptions>>, and <<blocklist>>). On these tabs, you can:
+
--
* Expand and view an artifact — Click the arrow next to its name.
* View an artifact's details — Click the actions menu (**...**), then select **View full details**.
* Unassign an artifact (Platinum or Enterprise subscription) — Click the actions menu (**...**),
then select **Remove from policy**. This does not delete the artifact; this just unassigns it from the current policy.
* Assign an existing artifact (Platinum or Enterprise subscription) — Click **Assign _x_ to policy**,
then select an item from the flyout. This view lists any existing artifacts that aren't already assigned to the current policy.

--
+
NOTE: You can't create a new endpoint policy artifact while configuring an integration policy.
To create a new artifact, go to its main page in the {security-app} (for example,
to create a new trusted application, go to **Manage** -> **Trusted applications**).

5. Click the *Protection updates* tab to configure how {elastic-defend} receives updates from Elastic with the latest threat detections, malware models, and other protection artifacts. Refer to <<artifact-control>> for more information.

[discrete]
[[malware-protection]]
== Malware protection
Expand Down

0 comments on commit 394214d

Please sign in to comment.