New endpoint rules #6100
Conversation
Left some edits that apply to ESS and Serverless docs, and a few questions. Thanks for putting these docs together, @natasha-moore-elastic!
Excellent content, both new and updated! Added some comments in dialogue with @nastasha-solomon's review to tighten up language.
== Feature-specific protection rules

The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
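Review bot: this paragraph should state up front that the feature-specific rules are an alternative to the Endpoint Security rule rather than a supplement to it, because the later review feedback on this PR notes that enabling both produces duplicate alerts. Suggest opening the section with something like "The Endpoint Security rule is enabled automatically when you install {elastic-defend}. If you opt in to the feature-specific rules below, disable the Endpoint Security rule; running both generates duplicate alerts." The paragraph should also give the number of rules (the feedback refers to eight) so readers know the set is complete.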
Do the following rules need to reference prebuilt rule docs?
Probably eventually, though we might be able to publish an MVP of this page without linking to prebuilt rule docs for now. Getting those prebuilt rule docs might be out of scope for this, and something that TRADE team handles?
Let's add the links after the rules are published. The docs creation for prebuilt rules is managed by TRADE and those will be added automatically during the rules release process. I think linking them would be helpful.
LGTM - good job with these docs!
This pull request is now in conflict. Could you fix it @natasha-moore-elastic? 🙏
Thanks @natasha-moore-elastic! I think the new endpoint rules page will be helpful to have. One bit of feedback: I think it could be helpful to indicate/clarify somewhere (at the beginning of the "Feature-specific protection rules" section, maybe?) that they can choose to use the "Endpoint Security rule" OR the feature-specific protection rules instead. Using both will result in duplicate alerts. So perhaps emphasize that the Endpoint Security rule is automatically enabled out of the box with the installation of Elastic Defend and that no other action is required. However, they can opt in to using the 8 granular rules if they desire. If they do this, we recommend using those instead of the Endpoint Security rule (disabling "Endpoint Security"). Also, I believe we held off on changing the name of the main rule from "Endpoint Security" to "Elastic Defend" (so for now it is still "Endpoint Security", cc @approksiu).
Looks good, left a minor comment. This can be merged around the time these rules are shipped to the users - to be coordinated with TRADE team.
Thanks @approksiu! Please do keep us in the loop on the timeline for merging these docs.
This pull request is now in conflict. Could you fix it @natasha-moore-elastic? 🙏
Resolves #5993.