From fdc25a1cc5e8da567a09f1b0e8df2834e25cd487 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 24 Jan 2024 17:26:37 -0500 Subject: [PATCH] [BUG] Endpoint Trusted Applications docs need to mention that process events will always be generated (Classic docs) (#4640) (#4672) * Add explanation to TA page, expand Optimize page * Apply suggestions from code review Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --------- Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> (cherry picked from commit 00e913d727a4e08654f2fd461992260291bbf5b0) Co-authored-by: Joe Peeples --- docs/management/admin/endpoint-artifacts.asciidoc | 2 +- docs/management/admin/trusted-apps.asciidoc | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/management/admin/endpoint-artifacts.asciidoc b/docs/management/admin/endpoint-artifacts.asciidoc index efc95e47e7..0ae8432e01 100644 --- a/docs/management/admin/endpoint-artifacts.asciidoc +++ b/docs/management/admin/endpoint-artifacts.asciidoc @@ -16,7 +16,7 @@ a| *_Prevents {elastic-endpoint} from monitoring a process._* Use to avoid confl * Creates intentional blind spots in your security environment — use sparingly! * Doesn't monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc. -* Doesn't generate events for the application except process events for visualizations. +* Doesn't generate events for the application except process events for visualizations and other internal use by the {stack}. * Might improve performance, since {elastic-endpoint} monitors fewer processes. * Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior. To suppress alerts, create <>. 
diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index 3a738a8dee..7f179921da 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc @@ -14,6 +14,8 @@ Trusted applications create blindspots for {elastic-defend}, because the applica Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an <>, which prevents {elastic-defend} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to <>. +Additionally, trusted applications still generate process events for visualizations and other internal use by the {stack}. To prevent process events from being written to {es}, use an <> to filter out the specific events that you don't want stored in {es}, but be aware that features that depend on these process events may not function correctly. + By default, a trusted application is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a trusted application to a specific {elastic-defend} integration policy, enabling the application to be trusted by only the hosts assigned to that policy. To add a trusted application:
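Review bot: in the endpoint-artifacts.asciidoc hunk, the reworded bullet now tells the reader that process events for a trusted application are still produced "for visualizations and other internal use by the {stack}", but unlike the matching paragraph added to trusted-apps.asciidoc it does not say what to do about them or what the trade-off is. Since this table is the page readers use to compare artifacts, suggest keeping the two descriptions parallel by appending the same guidance here, for example: "To keep these process events out of {es}, use an event filter, but features that depend on them might not function correctly." Also note that the bullet immediately below ("Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior") already relies on process events existing, so the new wording should make clear that these events are not merely a visualization artifact but the basis for that alerting.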
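Review bot: in the trusted-apps.asciidoc hunk, the closing clause of the added paragraph, "features that depend on these process events may not function correctly", is too vague for a reader deciding whether to add an event filter: the paragraph just above says the application's process events are what can still trigger malicious behavior alerts, so state whether an event filter on those events only affects what is stored in {es} or also affects that alerting, and name at least one concrete dependent feature (the sentence already mentions visualizations). Two smaller points: the rest of both pages uses "might" ("might still generate alerts", "Might improve performance"), so "may not function correctly" should become "might not function correctly" for consistency; and since the opening sentence of this page frames trusted applications as creating blind spots, it is worth saying explicitly that filtering out the remaining process events widens that blind spot, because investigators lose the last record of what the trusted process did.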