From ef32b762ef29b691c7fefa4b952e921826fc9b0c Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Fri, 8 Mar 2024 12:45:29 -0500 Subject: [PATCH] First (incomplete) draft Create new page for automated response actions --- .../admin/automated-response-actions.asciidoc | 42 +++++++++++++++++++ docs/management/manage-intro.asciidoc | 1 + 2 files changed, 43 insertions(+) create mode 100644 docs/management/admin/automated-response-actions.asciidoc diff --git a/docs/management/admin/automated-response-actions.asciidoc b/docs/management/admin/automated-response-actions.asciidoc new file mode 100644 index 0000000000..dad567d2c7 --- /dev/null +++ b/docs/management/admin/automated-response-actions.asciidoc 
@@ -0,0 +1,42 @@ +[[automated-response-actions]] += Automated response actions + +:frontmatter-description: Automatically respond to events with endpoint response actions triggered by detection rules. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [manage] + +Add {elastic-defend}'s <> to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events. + +.Requirements +[sidebar] +-- +* Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. +* Hosts must have {agent} installed with the {elastic-defend} integration. +* Your user role must have the ability to create detection rules and the <> to perform specific response actions (for example, the **Host Isolation** privilege to isolate hosts). +* You can only add automated response actions to custom query rules. +-- + +You can add automated response actions to a new or existing custom query rule. + +. Do one of the following: +* *New rule*: On the last step of <> creation, go to the **Response Actions** section and select **{elastic-defend}**. +* *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section. + +. Select an option in the **Response action** field: ++ +-- +* **Isolate**: <>, blocking communication with other hosts on the network. +* **Kill process**: Terminate a process on the host. +* **Suspend process**: Temporarily suspend a process on the host. +-- ++ +IMPORTANT: Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. + +. 
For process actions, specify how to identify the process you want to terminate or suspend: +* Turn on the toggle to use the alert's **process.pid** value as the identifier. +* To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**. + +. Enter a comment describing why you’re performing the action on the host (optional). + +. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules). diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index 724352fd44..fb2527fe42 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc @@ -6,6 +6,7 @@ The following section provides an overview of the management tools admins can us include::{security-docs-root}/docs/management/admin/admin-pg-ov.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/response-actions.asciidoc[leveloffset=+2] +include::{security-docs-root}/docs/management/admin/automated-response-actions.asciidoc[leveloffset=+2] include::{security-docs-root}/docs/management/admin/response-actions-history.asciidoc[leveloffset=+2] include::{security-docs-root}/docs/management/admin/host-isolation-ov.asciidoc[leveloffset=+2] include::{security-docs-root}/docs/management/admin/response-actions-config.asciidoc[leveloffset=+2]
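Review bot: the cross-references in the new file are empty in this hunk (`{elastic-defend}'s <>`, `the <> to perform specific response actions`, `<> creation`, and `* **Isolate**: <>, blocking communication`); each needs an `<<anchor-id,link text>>` target before this can build, otherwise readers get a bare link with no destination. Two smaller points in the same file: the IMPORTANT admonition only warns about host isolation, but the **Kill process** and **Suspend process** options carry a comparable risk, since the action is keyed on an alert field such as **process.pid** or a **Custom field name** and can hit the wrong process if that value is stale or reused by the time the rule fires, so consider widening the admonition to cover all three actions; and the bold markup mixes constrained `*Actions*`/`*New rule*` with unconstrained `**Response Actions**`, and `you’re` uses a curly apostrophe where the rest of the page uses straight quotes, so pick one convention.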
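Review bot: the added `include::` line uses `leveloffset=+2` and sits directly after `response-actions.asciidoc`, matching the sibling entries, so placement looks right; but because the commit message calls the new page an incomplete draft with unresolved `<>` cross-references, wiring it into `manage-intro.asciidoc` now will surface those broken links in the built book, so either finish the xrefs in the same change or hold this include line back until the page is complete.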