diff --git a/docs/management/admin/endpoint-artifacts.asciidoc b/docs/management/admin/endpoint-artifacts.asciidoc index efc95e47e7..0ae8432e01 100644 --- a/docs/management/admin/endpoint-artifacts.asciidoc +++ b/docs/management/admin/endpoint-artifacts.asciidoc @@ -16,7 +16,7 @@ a| *_Prevents {elastic-endpoint} from monitoring a process._* Use to avoid confl * Creates intentional blind spots in your security environment — use sparingly! * Doesn't monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc. -* Doesn't generate events for the application except process events for visualizations. +* Doesn't generate events for the application except process events for visualizations and other internal use by the {stack}. * Might improve performance, since {elastic-endpoint} monitors fewer processes. * Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior. To suppress alerts, create <>. diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index 3a738a8dee..7f179921da 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc 
@@ -14,6 +14,8 @@ Trusted applications create blindspots for {elastic-defend}, because the applica Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an <>, which prevents {elastic-defend} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to <>. +Additionally, trusted applications still generate process events for visualizations and other internal use by the {stack}. To prevent process events from being written to {es}, use an <> to filter out the specific events that you don't want stored in {es}, but be aware that features that depend on these process events may not function correctly. + By default, a trusted application is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a trusted application to a specific {elastic-defend} integration policy, enabling the application to be trusted by only the hosts assigned to that policy. To add a trusted application:
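Review bot: In the endpoint-artifacts.asciidoc hunk, the new bullet's phrase "other internal use by the {stack}" is too vague for a reader who is deciding whether to trust an application. It does not say that these process events are still written to {es}, which the trusted-apps.asciidoc change in this same patch does say. Suggest aligning the two, for example by extending the bullet with a pointer to event filters as the way to keep those events out of {es}, so the comparison table and the trusted applications page describe the same behavior.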
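Review bot: In the trusted-apps.asciidoc hunk, the added paragraph warns that "features that depend on these process events may not function correctly" without naming any of those features, so an administrator cannot judge what an event filter would break. Suggest naming at least the visualizations already mentioned in the paragraph's first sentence, and stating whether filtering the events affects the alerting described in the preceding paragraph, which says alerts can still fire when "the application's process events indicate malicious behavior". The second sentence is also long and would read better split at ", but be aware".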