From 9459aa9cb3c4546c0baab94965c84ea45c462d8a Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 19 Nov 2024 13:44:12 +0000 Subject: [PATCH] Address feedback --- docs/detections/add-exceptions.asciidoc | 7 +------ .../admin/endpoint-protection-rules.asciidoc | 14 ++++++++------ .../edr-manage/endpoint-protection-rules.asciidoc | 14 ++++++++------ docs/serverless/rules/add-exceptions.asciidoc | 7 +------ 4 files changed, 18 insertions(+), 24 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 9b6836afd4..6ff4f58e95 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -129,12 +129,7 @@ Closes all alerts that match the exception's conditions and were generated only [[endpoint-rule-exceptions]] === Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add {elastic-endpoint} exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: - -* `kibana.alert.original_event.module:endpoint` -* `kibana.alert.original_event.kind:alert` - -You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. +Like detection rule exceptions, you can add {elastic-endpoint} exceptions by adding exceptions to <>. You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts. diff --git a/docs/management/admin/endpoint-protection-rules.asciidoc b/docs/management/admin/endpoint-protection-rules.asciidoc index e6fd4c783a..f2a0d53985 100644 --- a/docs/management/admin/endpoint-protection-rules.asciidoc +++ b/docs/management/admin/endpoint-protection-rules.asciidoc @@ -3,18 +3,20 @@ Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. -IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (see <>). +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). + +When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert [discrete] [[defend-rule]] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: - -** Malware Prevention Alert -** Malware Detection Alert +The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. -NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. +NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default. [discrete] [[feature-protection-rules]] diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc index 16ae976683..747d98da96 100644 --- a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc @@ -3,18 +3,20 @@ Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. -IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (see <>). +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). + +When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert [discrete] [[defend-rule]] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: - -** Malware Prevention Alert -** Malware Detection Alert +The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. -NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. +NOTE: When you install Elastic prebuilt rules, the {elastic-defend} rule that is enabled by default. [discrete] [[feature-protection-rules]] diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index c631c347c3..a90fff4dc2 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc +++ b/docs/serverless/rules/add-exceptions.asciidoc @@ -136,12 +136,7 @@ is only available when adding exceptions from the Alerts table. [[endpoint-rule-exceptions]] == Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add {elastic-endpoint} exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: - -* `kibana.alert.original_event.module:endpoint` -* `kibana.alert.original_event.kind:alert` - -You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. +Like detection rule exceptions, you can add {elastic-endpoint} exceptions by adding exceptions to <>. You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. Endpoint exceptions are added to the endpoint protection rules **and** the {elastic-endpoint} on your hosts.