From 394214da489774f554370722b4e1d7bb3c4e5911 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 20 Nov 2023 15:49:20 -0500 Subject: [PATCH] Protection artifact update control (#4261) (#4302) * Update general policy instructions, add link * First draft of main page content * Correction * Revise expiration info * Smol edit: arrow special character (cherry picked from commit 0b02fbb6dc101d4a20f58deb6204598c9d3210f1) Co-authored-by: Joe Peeples --- .../getting-started/artifact-control.asciidoc | 20 ++++++++++++++----- .../configure-integration-policy.asciidoc | 9 +++++++-- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/docs/getting-started/artifact-control.asciidoc b/docs/getting-started/artifact-control.asciidoc index cfb220b8e1..406d850bc2 100644 --- a/docs/getting-started/artifact-control.asciidoc +++ b/docs/getting-started/artifact-control.asciidoc 
@@ -6,8 +6,18 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [secure, manage] -[sidebar] --- -[.text-center] -This page is a placeholder for future documentation. --- +On the **Protection updates** tab of the {elastic-defend} integration policy, you can configure how {elastic-defend} receives updates from Elastic with the latest threat detections, global exceptions, malware models, rule packages, and other protection artifacts. By default, these artifacts are automatically updated regularly, ensuring your environment is up to date with the latest protections. + +You can disable automatic updates and freeze your protection artifacts to a specific date, allowing you to control when to receive and install the updates. For example, you might want to temporarily disable updates to ensure resource availability during a high-volume period, test updates in a controlled staging environment before rolling out to production, or roll back to a previous version of protections. + +Protection artifacts will expire after 18 months, and you'll no longer be able to select them as a deployed version. If you're already using a specific version when it expires, you'll keep using it until you either select a later non-expired version or re-enable automatic updates. + +CAUTION: It is strongly advised to keep automatic updates enabled to ensure the highest level of security for your environment. Proceed with caution if you decide to disable automatic updates. + +To configure the protection artifacts version deployed in your environment: + +. Go to **Manage** → **Policies**, select an {elastic-defend} integration policy, then select the **Protection updates** tab. +. Turn off the **Enable automatic updates** toggle. +. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment. +. (Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts. +. 
Select **Save**. diff --git a/docs/getting-started/configure-integration-policy.asciidoc b/docs/getting-started/configure-integration-policy.asciidoc index 369dad5492..b68f7489a0 100644 --- a/docs/getting-started/configure-integration-policy.asciidoc +++ b/docs/getting-started/configure-integration-policy.asciidoc @@ -21,7 +21,7 @@ To configure an integration policy: 1. In the {security-app}, go to **Manage** -> **Policies** to view the **Policies** page. 2. Select the integration policy you want to configure. The integration policy configuration page appears. -3. Review the following settings on the **Policy settings** tab and configure them as appropriate: +3. On the **Policy settings** tab, review and configure the following settings as appropriate: * <> * <> * <> 
@@ -35,17 +35,22 @@ To configure an integration policy: 4. Click the **Trusted applications**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to <>, <>, <>, and <>). On these tabs, you can: ++ +-- * Expand and view an artifact — Click the arrow next to its name. * View an artifact's details — Click the actions menu (**...**), then select **View full details**. * Unassign an artifact (Platinum or Enterprise subscription) — Click the actions menu (**...**), then select **Remove from policy**. This does not delete the artifact; this just unassigns it from the current policy. * Assign an existing artifact (Platinum or Enterprise subscription) — Click **Assign _x_ to policy**, then select an item from the flyout. This view lists any existing artifacts that aren't already assigned to the current policy. - +-- ++ NOTE: You can't create a new endpoint policy artifact while configuring an integration policy. To create a new artifact, go to its main page in the {security-app} (for example, to create a new trusted application, go to **Manage** -> **Trusted applications**). +5. Click the *Protection updates* tab to configure how {elastic-defend} receives updates from Elastic with the latest threat detections, malware models, and other protection artifacts. Refer to <> for more information. + [discrete] [[malware-protection]] == Malware protection
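Review bot: In docs/getting-started/artifact-control.asciidoc, the expiration paragraph says an expired pinned version stays in use "until you either select a later non-expired version or re-enable automatic updates", but neither that paragraph nor the numbered procedure tells the reader how to find out that the pinned version has expired, and the steps only cover turning updates off. Suggest adding a closing step or sentence on turning the **Enable automatic updates** toggle back on, and stating whether the UI indicates an expired version, so that a temporary freeze does not quietly become a long-term one. The **Note** step records why a version was chosen, so it may be worth recommending it rather than presenting it as purely optional. Minor style point: step 1 uses a literal "→" while configure-integration-policy.asciidoc writes "**Manage** -> **Policies**"; pick one form for both files.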
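Review bot: In the second hunk of docs/getting-started/configure-integration-policy.asciidoc, the new step 5 marks the tab name with single asterisks ("*Protection updates*"), while the other UI labels visible in this diff use double asterisks ("**Trusted applications**", and "**Protection updates**" in artifact-control.asciidoc); change it to "**Protection updates**" so the label renders consistently. Step 5 is also where a reader reaches the setting that can freeze protection artifacts, yet it does not mention that automatic updates are on by default and recommended, as the linked page's CAUTION states; a short clause to that effect would fit here.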