[BUG] Endpoint Trusted Applications docs need to mention that process events will always be generated (Classic docs) (#4640) (#4672)

* Add explanation to TA page, expand Optimize page

* Apply suggestions from code review

Co-authored-by: Gabriel Landau <[email protected]>

* Apply suggestions from code review

Co-authored-by: Gabriel Landau <[email protected]>

---------

Co-authored-by: Gabriel Landau <[email protected]>
(cherry picked from commit 00e913d)

Co-authored-by: Joe Peeples <[email protected]>
mergify[bot] and joepeeples authored Jan 24, 2024
1 parent efdbe73 commit fdc25a1
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/management/admin/endpoint-artifacts.asciidoc
Expand Up @@ -16,7 +16,7 @@ a| *_Prevents {elastic-endpoint} from monitoring a process._* Use to avoid confl

* Creates intentional blind spots in your security environment — use sparingly!
* Doesn't monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.
* Doesn't generate events for the application except process events for visualizations.
* Doesn't generate events for the application except process events for visualizations and other internal use by the {stack}.
* Might improve performance, since {elastic-endpoint} monitors fewer processes.
* Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior. To suppress alerts, create <<endpoint-rule-exceptions,Endpoint alert exceptions>>.

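Review bot: the rewritten bullet now says process events are still generated for visualizations and other internal {stack} use, but it does not tell the reader how to keep those events out of {es}, while the trusted-apps.asciidoc change in this same commit points to <<event-filters,event filter>> for exactly that; consider adding the same pointer here so both pages give consistent guidance, e.g. `* Doesn't generate events for the application except process events for visualizations and other internal use by the {stack}. To keep those out of {es}, use an <<event-filters,event filter>>.` The unchanged bullet below ("Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior") is a direct consequence of this surviving process-event stream, so a short "because" clause tying the two bullets together would make that relationship explicit.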
2 changes: 2 additions & 0 deletions docs/management/admin/trusted-apps.asciidoc
Expand Up @@ -14,6 +14,8 @@ Trusted applications create blindspots for {elastic-defend}, because the applica

Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an <<endpoint-rule-exceptions,Endpoint alert exception>>, which prevents {elastic-defend} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to <<endpoint-artifacts>>.

Additionally, trusted applications still generate process events for visualizations and other internal use by the {stack}. To prevent process events from being written to {es}, use an <<event-filters,event filter>> to filter out the specific events that you don't want stored in {es}, but be aware that features that depend on these process events may not function correctly.

By default, a trusted application is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a trusted application to a specific {elastic-defend} integration policy, enabling the application to be trusted by only the hosts assigned to that policy.

To add a trusted application:
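Review bot: the closing caveat in the new paragraph ("features that depend on these process events may not function correctly") is vague about which features are affected; the sentence itself names visualizations and internal {stack} use as the consumers, so say so, e.g. "but be aware that visualizations and other {stack} features that depend on these process events may not function correctly." Minor wording: "written to {es}" and "stored in {es}" in the same sentence say the same thing, one of them is enough. Style: the context line above spells "blindspots" as one word while endpoint-artifacts.asciidoc in this commit uses "blind spots"; worth normalizing while the page is open.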
