From 614d4d8807c3f72a3d37577a12f2b1368e07c15c Mon Sep 17 00:00:00 2001 
From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com>
Date: Mon, 11 Nov 2024 23:20:27 +0000
Subject: [PATCH] [8.16] Nav changes for "Manage Elastic Defend" and "Endpoint response actions" sections (backport #6073) (#6118)

* Nav changes for "Manage Elastic Defend" and "Endpoint response actions" sections (#6073)

* Update "Trusted applications"

* Update "Event filters"

* Update "Host isolation exceptions"

* Update "Blocklist"

* Update "Isolate a host"

* Update "Response actions history"

* Update "Configure third-party response actions"

* Fix "Configure third-party response actions"

* Apply suggestions from Nastasha's review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Revise to "navigation menu"

---------

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
(cherry picked from commit 5f71cc157e32632ce49a9fc63e23c5dfa3b78734)

# Conflicts:
# docs/serverless/edr-manage/blocklist.asciidoc
# docs/serverless/edr-manage/event-filters.asciidoc
# docs/serverless/edr-manage/host-isolation-exceptions.asciidoc
# docs/serverless/edr-manage/trusted-apps-ov.asciidoc
# docs/serverless/endpoint-response-actions/host-isolation-ov.asciidoc
# docs/serverless/endpoint-response-actions/response-actions-config.asciidoc
# docs/serverless/endpoint-response-actions/response-actions-history.asciidoc

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Joe Peeples
Co-authored-by: github-actions[bot]
---
 docs/management/admin/blocklist.asciidoc                 | 4 ++--
 docs/management/admin/event-filters.asciidoc             | 4 +---
 docs/management/admin/host-isolation-exceptions.asciidoc | 2 +-
 docs/management/admin/host-isolation-ov.asciidoc         | 6 +++---
 docs/management/admin/response-actions-config.asciidoc   | 8 ++++----
 docs/management/admin/response-actions-history.asciidoc  | 2 +-
 docs/management/admin/trusted-apps.asciidoc              | 2 +-
 7 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/docs/management/admin/blocklist.asciidoc b/docs/management/admin/blocklist.asciidoc index be409bbab0..d619e712c2 100644 --- a/docs/management/admin/blocklist.asciidoc +++ b/docs/management/admin/blocklist.asciidoc @@ -16,7 +16,7 @@ The blocklist is not intended to broadly block benign applications for non-secur By default, a blocklist entry is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a blocklist entry to specific {elastic-defend} integration policies, which blocks the process only on hosts assigned to that policy. -. Go to **Manage** -> **Blocklist**. +. Find **Blocklist** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Add blocklist entry**. The **Add blocklist** flyout appears. @@ -49,7 +49,7 @@ NOTE: You can also select the `Per Policy` option without immediately assigning . Click **Add blocklist**. The new entry is added to the **Blocklist** page. . When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the {elastic-defend} integration policies that you just assigned: -.. Go to **Manage** -> **Policies**, then click on an integration policy. +.. Go to the **Policies** page, then click on an integration policy. .. On the **Policy settings** tab, ensure that the **Malware protections** and **Blocklist** toggles are switched on. Both settings are enabled by default. [discrete] diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index f14cf9d388..94a64c0e43 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc 
@@ -22,7 +22,6 @@ Create event filters from the Hosts page or the Event filters page. + -- * To create an event filter from the Hosts page: -.. Go to *Explore* -> *Hosts*. .. Select the *Events* tab to view the Events table. + .. Find the event to filter, click the *More actions* menu (*...*), then select *Add Endpoint event filter*. @@ -31,8 +30,7 @@ TIP: Since you can only create filters for endpoint events, be sure to filter th For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`. * To create an event filter from the Event filters page: -.. Go to *Manage* -> *Event filters*. -.. Click *Add event filter*. The *Add event filter* flyout opens. +.. Cick *Add event filter*, which opens a flyout. -- + [role="screenshot"] diff --git a/docs/management/admin/host-isolation-exceptions.asciidoc b/docs/management/admin/host-isolation-exceptions.asciidoc index 273581e35c..eca44717ac 100644 --- a/docs/management/admin/host-isolation-exceptions.asciidoc +++ b/docs/management/admin/host-isolation-exceptions.asciidoc @@ -21,7 +21,7 @@ You must have the *Host Isolation Exceptions* < **Host isolation exceptions**. +. Find **Host isolation exceptions** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click **Add Host isolation exception**. . Fill in these fields in the **Add Host isolation exception** flyout: .. `Name your host isolation exceptions`: Enter a name to identify the host isolation exception. diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index 7240328094..f199ee7e33 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc 
@@ -55,7 +55,7 @@ All actions executed on a host are tracked in the host’s response actions hist .Isolate a host from an endpoint [%collapsible] ==== -. Go to *Manage -> Endpoints*, then either: +. Find **Endpoints** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then either: * Select the appropriate endpoint in the *Endpoint* column, and click *Take action -> Isolate host* in the endpoint details flyout. * Click the *Actions* menu (*...*) on the appropriate endpoint, then select *Isolate host*. . Enter a comment describing why you’re isolating the host (optional). @@ -112,7 +112,7 @@ image::images/host-isolated-notif.png[Host isolated notification message,350] .Release a host from an endpoint [%collapsible] ==== -. Go to *Manage -> Endpoints*, then either: +. Find **Endpoints** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then either: * Select the appropriate endpoint in the *Endpoint* column, and click *Take action -> Release host* in the endpoint details flyout. * Click the *Actions* menu (*...*) on the appropriate endpoint, then select *Release host*. . Enter a comment describing why you're releasing the host (optional). 
@@ -142,7 +142,7 @@ image::images/host-released-notif.png[Host released notification message,350] To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host. -Go to *Manage* -> *Endpoints*, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <> for more details. +Go to the *Endpoints* page, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <> for more details. [role="screenshot"] image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%] \ No newline at end of file diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index 52a556fb51..3f4f9295f3 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc @@ -51,7 +51,7 @@ Expand a section below for your endpoint security system: . **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] collects and ingests logs into {elastic-sec}. + -.. Go to **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**. +.. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for and select **CrowdStrike**, then select **Add CrowdStrike**. .. Configure the integration with an **Integration name** and optional **Description**. .. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**: - **Client ID**: Client ID for the API client used to read CrowdStrike data. 
@@ -66,7 +66,7 @@ Expand a section below for your endpoint security system: + IMPORTANT: Do not create more than one CrowdStrike connector. + -.. Go to **Stack Management** → **Connectors**, then select **Create connector**. +.. Find **Connectors** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **Create connector**. .. Select the CrowdStrike connector. .. Enter the configuration information: - **Connector name**: A name to identify the connector. @@ -100,7 +100,7 @@ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or S . **Install the SentinelOne integration and {agent}.** Elastic's {integrations-docs}/sentinel_one[SentinelOne integration] collects and ingests logs into {elastic-sec}. + -.. Go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. +.. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for and select **SentinelOne**, then select **Add SentinelOne**. .. Configure the integration with an **Integration name** and optional **Description**. .. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**: - **URL**: The SentinelOne console URL. @@ -113,7 +113,7 @@ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or S + IMPORTANT: Do not create more than one SentinelOne connector. -.. Go to **Stack Management** → **Connectors**, then select **Create connector**. +.. Find **Connectors** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **Create connector**. .. Select the **SentinelOne** connector. .. Enter the configuration information: - **Connector name**: A name to identify the connector. 
diff --git a/docs/management/admin/response-actions-history.asciidoc b/docs/management/admin/response-actions-history.asciidoc index cd71633a28..8b9b4e0b29 100644 --- a/docs/management/admin/response-actions-history.asciidoc +++ b/docs/management/admin/response-actions-history.asciidoc @@ -14,7 +14,7 @@ You must have the *Response Actions History* <> to access this feature. -- -To access the response actions history for all endpoints, go to *Manage* -> *Response actions history*. You can also access the response actions history for an individual endpoint from these areas: +To access the response actions history for all endpoints, find **Response actions history** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. You can also access the response actions history for an individual endpoint from these areas: * *Endpoints* page: Click an endpoint's name to open the details flyout, then click the *Response actions history* tab. * *Response console* page: Click the *Response actions history* button. diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index 57dc0869fc..9a15767810 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc @@ -22,7 +22,7 @@ By default, a trusted application is recognized globally across all hosts runnin To add a trusted application: -. Go to *Manage* -> *Trusted applications*. +. Find **Trusted applications** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. . Click *Add trusted application*.
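Review bot: In event-filters.asciidoc hunk `@@ -22,7 +22,6 @@`, removing `.. Go to *Explore* -> *Hosts*.` leaves the "create an event filter from the Hosts page" procedure starting at `.. Select the *Events* tab to view the Events table.` with no step that actually opens the Hosts page. Every other file in this patch replaces its removed "Go to" step with the new navigation wording rather than deleting it; for consistency, add the same kind of line here, for example `.. Find *Hosts* in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].`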
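Review bot: Typo in event-filters.asciidoc hunk `@@ -31,8 +30,7 @@`: the added line `+.. Cick *Add event filter*, which opens a flyout.` should read "Click". The same hunk also drops `.. Go to *Manage* -> *Event filters*.` without a replacement, so the "from the Event filters page" path is now a single click with nothing telling the reader how to reach that page; consider restoring a navigation step in the form used elsewhere in this patch, `.. Find *Event filters* in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].`, before the click step.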
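Review bot: Mixed emphasis markup in host-isolation-ov.asciidoc hunk `@@ -55,7 +55,7 @@`: the added line uses unconstrained bold, `**Endpoints**`, while the unchanged context lines in the same list use the file's single-asterisk style (`*Endpoint*`, `*Take action -> Isolate host*`, `*Actions*`). Both render as bold in AsciiDoc, but the inconsistency within one list is visible in source and will be copied forward; suggest `*Endpoints*` here and in the matching hunk `@@ -112,7 +112,7 @@`. The same single-versus-double asterisk mix appears in trusted-apps.asciidoc (`**Trusted applications**` beside `*Add trusted application*`) and response-actions-history.asciidoc (`**Response actions history**` beside `*Endpoints* page`).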
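Review bot: host-isolation-ov.asciidoc hunk `@@ -142,7 +142,7 @@` ends with `\ No newline at end of file`; since this region of the file is already being edited, add the trailing newline so the next change to the file does not show a spurious last-line diff.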
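Review bot: In response-actions-config.asciidoc hunks `@@ -66,7 +66,7 @@` and `@@ -113,7 +113,7 @@`, the removed lines located the page as **Stack Management** → **Connectors**, and the replacement `Find **Connectors** in the navigation menu ...` drops that context. A reader browsing the menu rather than using the global search field no longer learns that Connectors sits under Stack Management; consider keeping the parent in the new wording, for example "Find **Connectors** (under **Stack Management**) in the navigation menu or use the ...[global search field]". The `IMPORTANT: Do not create more than one ... connector.` admonitions in the surrounding context are unchanged and still read correctly with the new step.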