From 03bdfc8d6a501db7faf43b8d7884f74df2f5edf6 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 11 Nov 2024 18:28:18 +0000 Subject: [PATCH 01/12] New endpoint rules --- docs/detections/add-exceptions.asciidoc | 17 ++++----- .../detection-engine-intro.asciidoc | 16 +------- .../prebuilt-rules-management.asciidoc | 2 +- docs/detections/rules-ui-create.asciidoc | 4 +- .../admin/endpoint-protection-rules.asciidoc | 37 +++++++++++++++++++ docs/management/manage-intro.asciidoc | 1 + docs/serverless/rules/add-exceptions.asciidoc | 17 ++++----- .../prebuilt-rules-management.asciidoc | 2 +- .../serverless/rules/rules-ui-create.asciidoc | 4 +- 9 files changed, 62 insertions(+), 38 deletions(-) create mode 100644 docs/management/admin/endpoint-protection-rules.asciidoc diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 80cc93875f..8e84978550 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
@@ -129,22 +129,21 @@ Closes all alerts that match the exception's conditions and were generated only [[endpoint-rule-exceptions]] === Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields: +Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. {elastic-endpoint} alerts have the following fields: -* `kibana.alert.original_event.module determined:endpoint` +* `kibana.alert.original_event.module:endpoint` * `kibana.alert.original_event.kind:alert` You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. -Endpoint exceptions are added to the Endpoint Security rule *and* the {elastic-endpoint} on your hosts. +Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts. [IMPORTANT] ============= -Exceptions added to the Endpoint Security rule affect all alerts sent -from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint -alerts. +Exceptions added to the endpoint protection rules affect all alerts sent +from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint alerts. -Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. 
+Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one Endpoint alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. ============= [IMPORTANT] @@ -158,7 +157,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there * To add an Endpoint exception from the rule details page: .. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -.. In the Rules table, search for and select the Elastic *Endpoint Security* rule. +.. In the Rules table, search for and select one of the <>. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: @@ -170,7 +169,7 @@ alert, click the *More actions* menu (*...*), then select *Add Endpoint exceptio .. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. + -NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. +NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <> option selected. -- + diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index b522d3f4bd..dc68775408 100644 --- a/docs/detections/detection-engine-intro.asciidoc 
+++ b/docs/detections/detection-engine-intro.asciidoc @@ -22,21 +22,9 @@ how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules. -There are two special prebuilt rules you need to know about: +There are several special prebuilt rules you need to know about: -* <>: -Automatically creates an alert from all incoming Elastic Endpoint alerts. To -receive Elastic Endpoint alerts, you must install the Endpoint agent on your -hosts (see <>). -+ -When this rule is enabled, the following Endpoint events are displayed as -detection alerts: -+ -** Malware Prevention Alert -** Malware Detection Alert -+ -NOTE: When you load the prebuilt rules, this is the only rule that is enabled -by default. +* <>: TBA * <>: Automatically creates an alert for all incoming third-party system alerts (for example, Suricata alerts). diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 986738a055..1e65304b50 100644 --- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -16,7 +16,7 @@ Follow these guidelines to start using the {security-app}'s <> and <>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 1638a6664c..6eba6134ea 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -563,12 +563,12 @@ After you create the rule, you can find all custom highlighted fields in the Abo alerts created by the rule. You can also add action buttons to <> or <> using alert data. .. *Author* (optional): The rule's authors. .. *License* (optional): The rule's license. -.. *Elastic endpoint exceptions* (optional): Adds all Elastic Endpoint Security +.. *Elastic endpoint exceptions* (optional): Adds all {elastic-defend} rule exceptions to this rule (refer to <> to learn more about adding endpoint exceptions). + NOTE: If you select this option, you can add <> on the Rule details page. -Additionally, all future exceptions added to the Endpoint Security rule +Additionally, all future exceptions added to the {elastic-defend} rule also affect this rule. + diff --git a/docs/management/admin/endpoint-protection-rules.asciidoc b/docs/management/admin/endpoint-protection-rules.asciidoc new file mode 100644 index 0000000000..e059060d02 --- /dev/null +++ b/docs/management/admin/endpoint-protection-rules.asciidoc 
@@ -0,0 +1,37 @@ +[[endpoint-protection-rules]] += Endpoint protection rules + +Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-defend}. These include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. + +[discrete] +== {elastic-defend} rule + +The {elastic-defend} rule automatically creates an alert from all incoming Elastic Endpoint alerts. To receive Elastic Endpoint alerts, you must install the Endpoint agent on your hosts (see <>). + +When this rule is enabled, the following Endpoint events are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert + +NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. + +[discrete] +== Feature-specific protection rules + +The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected. + +* Behavior - Detected - Elastic Defend +* Behavior - Prevented - Endpoint Defend +* Malicious File - Detected - Elastic Defend +* Malicious File - Prevented - Elastic Defend +* Memory Signature - Detected - Elastic Defend +* Memory Signature - Prevented - Elastic Defend +* Ransomware - Detected - Elastic Defend +* Ransomware - Prevented - Elastic Defend + +To use these rules, you need to manually enable them on the **Rules** page of the {security-app}. Follow the instructions for <>. + +[discrete] +== Exception handling + +All endpoint protection rules share a common exception list called Endpoint Security Exception List. 
This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing exceptions continue to apply. \ No newline at end of file diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index 45e8abcb1c..e284a64348 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc @@ -12,6 +12,7 @@ include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.as include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-event-capture.asciidoc[leveloffset=+1] +include::{security-docs-root}/docs/management/admin/endpoint-protection-rules.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-self-protection.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-command-ref.asciidoc[leveloffset=+1] diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index b3431a9b14..d6834355e1 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc +++ b/docs/serverless/rules/add-exceptions.asciidoc 
@@ -136,22 +136,21 @@ is only available when adding exceptions from the Alerts table. [[endpoint-rule-exceptions]] == Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields: +Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. {elastic-endpoint} alerts have the following fields: -* `kibana.alert.original_event.module determined:endpoint` +* `kibana.alert.original_event.module:endpoint` * `kibana.alert.original_event.kind:alert` You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. -Endpoint exceptions are added to the Endpoint Security rule **and** the {elastic-endpoint} on your hosts. +Endpoint exceptions are added to the endpoint protection rules **and** the {elastic-endpoint} on your hosts. [IMPORTANT] ==== -Exceptions added to the Endpoint Security rule affect all alerts sent -from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint -alerts. +Exceptions added to the endpoint protection rules affect all alerts sent +from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint alerts. -Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. 
+Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one Endpoint alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. ==== [IMPORTANT] @@ -163,7 +162,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there + ** To add an Endpoint exception from the rule details page: + -... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select the Elastic **Endpoint Security** rule. +... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select one of the <>. ... Scroll down the rule details page, select the **Endpoint exceptions** tab, then click **Add endpoint exception**. ** To add an Endpoint exception from the Alerts table: + @@ -177,7 +176,7 @@ alert, click the **More actions** menu (image:images/icons/boxesHorizontal.svg[A + [NOTE] ==== -The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. +The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <> option selected. ==== + The **Add Endpoint Exception** flyout opens. diff --git a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc index 1f7d3cd530..a7430d926c 100644 --- a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc +++ b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc 
@@ -20,7 +20,7 @@ Follow these guidelines to start using the {security-app}'s <> and <>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. ==== diff --git a/docs/serverless/rules/rules-ui-create.asciidoc b/docs/serverless/rules/rules-ui-create.asciidoc index c4ccc245ef..088c13b537 100644 --- a/docs/serverless/rules/rules-ui-create.asciidoc +++ b/docs/serverless/rules/rules-ui-create.asciidoc @@ -598,12 +598,12 @@ After you create the rule, you can find all custom highlighted fields in the Abo alerts created by the rule. You can also add action buttons to <> or <> using alert data. .. **Author** (optional): The rule's authors. .. **License** (optional): The rule's license. -.. **Elastic endpoint exceptions** (optional): Adds all Elastic Endpoint Security +.. **Elastic endpoint exceptions** (optional): Adds all ((elastic-defend)) rule exceptions to this rule (refer to <> to learn more about adding endpoint exceptions). + [NOTE] ==== -If you select this option, you can add <> on the Rule details page. Additionally, all future exceptions added to the Endpoint Security rule also affect this rule. +If you select this option, you can add <> on the Rule details page. Additionally, all future exceptions added to the ((elastic-defend)) rule also affect this rule. ==== .. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. .. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100. From 2063a1ef32608f107c2ce66dcc3fca25edd512ba Mon Sep 17 00:00:00 2001 
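Review bot: The replacement bullet `* <>: TBA` in docs/detections/detection-engine-intro.asciidoc ships a "TBA" placeholder in user-facing text, and the same hunk removes the NOTE that this is the only prebuilt rule enabled by default without putting that fact anywhere else in this file. Suggest filling in a one-line description before merge, for example the sentence the new page already uses ("automatically creates an alert from all incoming Elastic Endpoint alerts"), and either keeping the NOTE here or pointing readers to the new page for it.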
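Review bot: In the rule list of the new docs/management/admin/endpoint-protection-rules.asciidoc, `* Behavior - Prevented - Endpoint Defend` does not match the other seven entries, which all end in `Elastic Defend`; since readers will search for these names on the Rules page, the rule name should be spelled exactly as the product does. Two smaller points in the same file: the `** Malware Prevention Alert` / `** Malware Detection Alert` items were nested under a `*` bullet in the file they were moved from, but here they sit at top level and should use a single `*`; and the file ends with `\ No newline at end of file`.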
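Review bot: `((elastic-defend))` on the two changed lines of docs/serverless/rules/rules-ui-create.asciidoc is not AsciiDoc attribute syntax and will render literally; the ESS counterpart hunk in docs/detections/rules-ui-create.asciidoc uses `{elastic-defend}`, which is what is intended here.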
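Review bot: The IMPORTANT block in both add-exceptions.asciidoc hunks now says exceptions added to "the endpoint protection rules" affect all alerts sent from the Endpoint agent, and the new page says all endpoint protection rules share one Endpoint Security Exception List; it would help to state explicitly here that an exception added from one rule's details page (or from one of its alerts) therefore applies to every endpoint protection rule, not only the rule it was added from, so a reader adding an exception on, for example, a ransomware rule understands it will also suppress matching malware or memory alerts. Suggest one sentence after "Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts." making that scope clear.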
From: natasha-moore-elastic Date: Tue, 12 Nov 2024 11:44:01 +0000 Subject: [PATCH 02/12] Adds new page to serverless --- .../endpoint-protection-rules.asciidoc | 37 +++++++++++++++++++ docs/serverless/index.asciidoc | 1 + .../prebuilt-rules-management.asciidoc | 2 +- .../serverless/rules/rules-ui-create.asciidoc | 4 +- 4 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 docs/serverless/edr-manage/endpoint-protection-rules.asciidoc diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc new file mode 100644 index 0000000000..e059060d02 --- /dev/null +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc 
@@ -0,0 +1,37 @@ +[[endpoint-protection-rules]] += Endpoint protection rules + +Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-defend}. These include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. + +[discrete] +== {elastic-defend} rule + +The {elastic-defend} rule automatically creates an alert from all incoming Elastic Endpoint alerts. To receive Elastic Endpoint alerts, you must install the Endpoint agent on your hosts (see <>). + +When this rule is enabled, the following Endpoint events are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert + +NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. + +[discrete] +== Feature-specific protection rules + +The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected. + +* Behavior - Detected - Elastic Defend +* Behavior - Prevented - Endpoint Defend +* Malicious File - Detected - Elastic Defend +* Malicious File - Prevented - Elastic Defend +* Memory Signature - Detected - Elastic Defend +* Memory Signature - Prevented - Elastic Defend +* Ransomware - Detected - Elastic Defend +* Ransomware - Prevented - Elastic Defend + +To use these rules, you need to manually enable them on the **Rules** page of the {security-app}. Follow the instructions for <>. + +[discrete] +== Exception handling + +All endpoint protection rules share a common exception list called Endpoint Security Exception List. 
This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing exceptions continue to apply. \ No newline at end of file diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc index 26b43198ab..db363424b1 100644 --- a/docs/serverless/index.asciidoc +++ b/docs/serverless/index.asciidoc @@ -69,6 +69,7 @@ include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3] include::./edr-manage/blocklist.asciidoc[leveloffset=+3] include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3] include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-protection-rules.asciidoc[leveloffset=+3] include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3] include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3] include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3] diff --git a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc index a7430d926c..8778e4deef 100644 --- a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc +++ b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc @@ -20,7 +20,7 @@ Follow these guidelines to start using the {security-app}'s <> and <>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. ==== diff --git a/docs/serverless/rules/rules-ui-create.asciidoc b/docs/serverless/rules/rules-ui-create.asciidoc index 088c13b537..7b91410d75 100644 --- a/docs/serverless/rules/rules-ui-create.asciidoc +++ b/docs/serverless/rules/rules-ui-create.asciidoc 
@@ -598,12 +598,12 @@ After you create the rule, you can find all custom highlighted fields in the Abo alerts created by the rule. You can also add action buttons to <> or <> using alert data. .. **Author** (optional): The rule's authors. .. **License** (optional): The rule's license. -.. **Elastic endpoint exceptions** (optional): Adds all ((elastic-defend)) +.. **Elastic endpoint exceptions** (optional): Adds all {elastic-defend} rule exceptions to this rule (refer to <> to learn more about adding endpoint exceptions). + [NOTE] ==== -If you select this option, you can add <> on the Rule details page. Additionally, all future exceptions added to the ((elastic-defend)) rule also affect this rule. +If you select this option, you can add <> on the Rule details page. Additionally, all future exceptions added to the {elastic-defend} rule also affect this rule. ==== .. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. .. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100. From bac7f220aacf30fcfb1ef51e634427ca706a7939 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 12 Nov 2024 11:49:02 +0000 Subject: [PATCH 03/12] updates references in serverless --- docs/serverless/edr-manage/endpoint-protection-rules.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc index e059060d02..a411241ed1 100644 --- a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc 
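Review bot: The new docs/serverless/edr-manage/endpoint-protection-rules.asciidoc is a byte-identical copy of the ESS file (same blob id e059060d02), so it carries over the `Behavior - Prevented - Endpoint Defend` spelling that differs from the other `Elastic Defend` entries, the top-level `**` list markers, and the missing trailing newline; whichever fix lands on the ESS page should be applied to this copy in the same change so the two pages do not drift.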
@@ -1,12 +1,12 @@ [[endpoint-protection-rules]] = Endpoint protection rules -Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-defend}. These include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. +Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-defend}. These include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. [discrete] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming Elastic Endpoint alerts. To receive Elastic Endpoint alerts, you must install the Endpoint agent on your hosts (see <>). +The {elastic-defend} rule automatically creates an alert from all incoming Elastic Endpoint alerts. To receive Elastic Endpoint alerts, you must install the Endpoint agent on your hosts (see <>). When this rule is enabled, the following Endpoint events are displayed as detection alerts: From bc47e7abad95325a2c894ac0ffd2c26568989db6 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 12 Nov 2024 12:11:38 +0000 Subject: [PATCH 04/12] links to new page --- .../rules/detection-engine-overview.asciidoc | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/docs/serverless/rules/detection-engine-overview.asciidoc b/docs/serverless/rules/detection-engine-overview.asciidoc index f5dcb2c385..c8ed14b334 100644 --- a/docs/serverless/rules/detection-engine-overview.asciidoc +++ b/docs/serverless/rules/detection-engine-overview.asciidoc 
@@ -24,26 +24,11 @@ how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules. -There are two special prebuilt rules you need to know about: +There are several special prebuilt rules you need to know about: // Links to prebuilt rule pages temporarily removed for initial serverless docs. -* **Endpoint Security**: -Automatically creates an alert from all incoming Elastic Endpoint alerts. To -receive Elastic Endpoint alerts, you must install the Endpoint agent on your -hosts (see <>). -+ -When this rule is enabled, the following Endpoint events are displayed as -detection alerts: -+ -** Malware Prevention Alert -** Malware Detection Alert -+ -[NOTE] -==== -When you load the prebuilt rules, this is the only rule that is enabled -by default. -==== +* <>: TBA // Links to prebuilt rule pages temporarily removed for initial serverless docs. From 1155e671023d84654ba1f01e7e267c5398543118 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 12 Nov 2024 13:04:08 +0000 Subject: [PATCH 05/12] more updates --- docs/detections/add-exceptions.asciidoc | 2 +- docs/detections/detection-engine-intro.asciidoc | 2 +- .../admin/endpoint-protection-rules.asciidoc | 10 +++++----- .../edr-manage/endpoint-protection-rules.asciidoc | 8 +++++--- docs/serverless/rules/add-exceptions.asciidoc | 2 +- .../rules/detection-engine-overview.asciidoc | 2 +- 6 files changed, 14 insertions(+), 12 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 8e84978550..dac93b26be 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc 
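Review bot: The new bullet `* <>: TBA` in docs/serverless/rules/detection-engine-overview.asciidoc is placed directly under the comment `// Links to prebuilt rule pages temporarily removed for initial serverless docs.`, which now contradicts the cross-reference the bullet adds; either drop or reword that comment in this hunk. The "TBA" text is also user-facing and should be replaced with a description before merge, as on the ESS overview page.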
@@ -129,7 +129,7 @@ Closes all alerts that match the exception's conditions and were generated only [[endpoint-rule-exceptions]] === Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. {elastic-endpoint} alerts have the following fields: +Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: * `kibana.alert.original_event.module:endpoint` * `kibana.alert.original_event.kind:alert` diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index dc68775408..50afd05dca 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -24,7 +24,7 @@ modifying your own rules. There are several special prebuilt rules you need to know about: -* <>: TBA +* <>: Automatically create alerts for incoming {elastic-endpoint} alerts. * <>: Automatically creates an alert for all incoming third-party system alerts (for example, Suricata alerts). diff --git a/docs/management/admin/endpoint-protection-rules.asciidoc b/docs/management/admin/endpoint-protection-rules.asciidoc index e059060d02..9c7993ed09 100644 --- a/docs/management/admin/endpoint-protection-rules.asciidoc +++ b/docs/management/admin/endpoint-protection-rules.asciidoc 
@@ -1,14 +1,14 @@ [[endpoint-protection-rules]] = Endpoint protection rules -Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-defend}. These include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. +Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. + +NOTE: To receive {elastic-endpoint} alerts, you must install the Endpoint agent on your hosts (see <>). [discrete] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming Elastic Endpoint alerts. To receive Elastic Endpoint alerts, you must install the Endpoint agent on your hosts (see <>). - -When this rule is enabled, the following Endpoint events are displayed as detection alerts: +The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: ** Malware Prevention Alert ** Malware Detection Alert 
@@ -34,4 +34,4 @@ To use these rules, you need to manually enable them on the **Rules** page of th [discrete] == Exception handling -All endpoint protection rules share a common exception list called Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing exceptions continue to apply. \ No newline at end of file +All endpoint protection rules share a common exception list called Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc index a411241ed1..7560aa6645 100644 --- a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc 
@@ -1,12 +1,14 @@ [[endpoint-protection-rules]] = Endpoint protection rules -Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-defend}. These include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. +Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. + +NOTE: To receive {elastic-endpoint} alerts, you must install the Endpoint agent on your hosts (see <>). [discrete] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming Elastic Endpoint alerts. To receive Elastic Endpoint alerts, you must install the Endpoint agent on your hosts (see <>). +The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: @@ -34,4 +36,4 @@ To use these rules, you need to manually enable them on the **Rules** page of th [discrete] == Exception handling -All endpoint protection rules share a common exception list called Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing exceptions continue to apply. \ No newline at end of file +All endpoint protection rules share a common exception list called Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file 
diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index d6834355e1..83baae4fea 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc +++ b/docs/serverless/rules/add-exceptions.asciidoc @@ -136,7 +136,7 @@ is only available when adding exceptions from the Alerts table. [[endpoint-rule-exceptions]] == Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. {elastic-endpoint} alerts have the following fields: +Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: * `kibana.alert.original_event.module:endpoint` * `kibana.alert.original_event.kind:alert` diff --git a/docs/serverless/rules/detection-engine-overview.asciidoc b/docs/serverless/rules/detection-engine-overview.asciidoc index c8ed14b334..e0482fa60f 100644 --- a/docs/serverless/rules/detection-engine-overview.asciidoc +++ b/docs/serverless/rules/detection-engine-overview.asciidoc @@ -28,7 +28,7 @@ There are several special prebuilt rules you need to know about: // Links to prebuilt rule pages temporarily removed for initial serverless docs. -* <>: TBA +* <>: Automatically create alerts for incoming {elastic-endpoint} alerts. // Links to prebuilt rule pages temporarily removed for initial serverless docs. From ba4373ade5959cc6fe4df10f484ed18c91add028 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Wed, 13 Nov 2024 09:47:26 +0000 Subject: [PATCH 06/12] Address feedback --- docs/detections/add-exceptions.asciidoc | 6 +++--- docs/detections/detection-engine-intro.asciidoc | 2 +- .../admin/endpoint-protection-rules.asciidoc | 12 +++++++----- .../endpoint-protection-rules.asciidoc | 16 ++++++++-------- docs/serverless/rules/add-exceptions.asciidoc | 6 +++--- .../rules/detection-engine-overview.asciidoc | 2 +- 6 files changed, 23 insertions(+), 21 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index dac93b26be..9b6836afd4 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -129,7 +129,7 @@ Closes all alerts that match the exception's conditions and were generated only [[endpoint-rule-exceptions]] === Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: +Like detection rule exceptions, you can add {elastic-endpoint} exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: * `kibana.alert.original_event.module:endpoint` * `kibana.alert.original_event.kind:alert` 
@@ -141,9 +141,9 @@ Endpoint exceptions are added to the endpoint protection rules *and* the {elasti [IMPORTANT] ============= Exceptions added to the endpoint protection rules affect all alerts sent -from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint alerts. +from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts. -Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one Endpoint alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. +Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. ============= [IMPORTANT] diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index 50afd05dca..34e1914975 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -24,7 +24,7 @@ modifying your own rules. There are several special prebuilt rules you need to know about: -* <>: Automatically create alerts for incoming {elastic-endpoint} alerts. +* <>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention. * <>: Automatically creates an alert for all incoming third-party system alerts (for example, Suricata alerts). 
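Review bot: the add-exceptions IMPORTANT hunk (@@ -141,9) replaces "the Endpoint agent" with `{elastic-endpoint}` in the first sentence but leaves the older wording in the same block: "useful Endpoint alerts" and "an Endpoint exception to an endpoint protection rule". Since the rest of this patch standardizes on the `{elastic-endpoint}` attribute, change those two to `useful {elastic-endpoint} alerts` and `an {elastic-endpoint} exception` so the block does not mix three names for the same component.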
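Review bot: in the detection-engine-intro hunk (@@ -24,7), the new list item `* <>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention.` disagrees in number with the sibling item on the next context line, `Automatically creates an alert for all incoming third-party system alerts`. Use the same form for both, for example `Automatically creates alerts based on {elastic-defend}'s threat monitoring and prevention.`, and apply the same wording to the serverless copy of this list in detection-engine-overview.asciidoc.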
diff --git a/docs/management/admin/endpoint-protection-rules.asciidoc b/docs/management/admin/endpoint-protection-rules.asciidoc index 9c7993ed09..e6fd4c783a 100644 --- a/docs/management/admin/endpoint-protection-rules.asciidoc +++ b/docs/management/admin/endpoint-protection-rules.asciidoc @@ -1,11 +1,12 @@ [[endpoint-protection-rules]] = Endpoint protection rules -Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. +Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. -NOTE: To receive {elastic-endpoint} alerts, you must install the Endpoint agent on your hosts (see <>). +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (see <>). [discrete] +[[defend-rule]] == {elastic-defend} rule The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: 
@@ -16,6 +17,7 @@ The {elastic-defend} rule automatically creates an alert from all incoming {elas NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. [discrete] +[[feature-protection-rules]] == Feature-specific protection rules The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected. @@ -29,9 +31,9 @@ The following endpoint protection rules give you more granular control over how * Ransomware - Detected - Elastic Defend * Ransomware - Prevented - Elastic Defend -To use these rules, you need to manually enable them on the **Rules** page of the {security-app}. Follow the instructions for <>. +To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <>. [discrete] -== Exception handling +== Endpoint security exception handling -All endpoint protection rules share a common exception list called Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file +All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc index 7560aa6645..16ae976683 100644 
--- a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc @@ -1,16 +1,15 @@ [[endpoint-protection-rules]] = Endpoint protection rules -Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. +Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. -NOTE: To receive {elastic-endpoint} alerts, you must install the Endpoint agent on your hosts (see <>). +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (see <>). [discrete] +[[defend-rule]] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. - -When this rule is enabled, the following Endpoint events are displayed as detection alerts: +The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: ** Malware Prevention Alert ** Malware Detection Alert 
@@ -18,6 +17,7 @@ When this rule is enabled, the following Endpoint events are displayed as detect NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. [discrete] +[[feature-protection-rules]] == Feature-specific protection rules The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected. @@ -31,9 +31,9 @@ The following endpoint protection rules give you more granular control over how * Ransomware - Detected - Elastic Defend * Ransomware - Prevented - Elastic Defend -To use these rules, you need to manually enable them on the **Rules** page of the {security-app}. Follow the instructions for <>. +To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <>. [discrete] -== Exception handling +== Endpoint security exception handling -All endpoint protection rules share a common exception list called Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file +All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index 83baae4fea..c631c347c3 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc 
+++ b/docs/serverless/rules/add-exceptions.asciidoc @@ -136,7 +136,7 @@ is only available when adding exceptions from the Alerts table. [[endpoint-rule-exceptions]] == Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: +Like detection rule exceptions, you can add {elastic-endpoint} exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: * `kibana.alert.original_event.module:endpoint` * `kibana.alert.original_event.kind:alert` @@ -148,9 +148,9 @@ Endpoint exceptions are added to the endpoint protection rules **and** the {elas [IMPORTANT] ==== Exceptions added to the endpoint protection rules affect all alerts sent -from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint alerts. +from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts. -Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one Endpoint alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. +Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. ==== [IMPORTANT] 
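Review bot: the serverless add-exceptions IMPORTANT hunk (@@ -148,9) changes "the Endpoint agent" to `{elastic-endpoint}` in the first sentence only; "useful Endpoint alerts" and "an Endpoint exception to an endpoint protection rule" in the same block still use the old name. Switch them to `{elastic-endpoint}` as well so the ESS and serverless versions of this block stay identical and the terminology is consistent within the admonition.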
diff --git a/docs/serverless/rules/detection-engine-overview.asciidoc b/docs/serverless/rules/detection-engine-overview.asciidoc index e0482fa60f..6058afcba7 100644 --- a/docs/serverless/rules/detection-engine-overview.asciidoc +++ b/docs/serverless/rules/detection-engine-overview.asciidoc @@ -28,7 +28,7 @@ There are several special prebuilt rules you need to know about: // Links to prebuilt rule pages temporarily removed for initial serverless docs. -* <>: Automatically create alerts for incoming {elastic-endpoint} alerts. +* <>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention. // Links to prebuilt rule pages temporarily removed for initial serverless docs. From 067e4f26f54466c65df0bbe95699b6b453ec6447 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 13 Nov 2024 10:30:39 +0000 Subject: [PATCH 07/12] Address feedback --- docs/detections/rules-ui-create.asciidoc | 8 +++----- docs/serverless/rules/rules-ui-create.asciidoc | 5 ++--- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 6eba6134ea..fd3904979b 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc 
@@ -563,13 +563,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo alerts created by the rule. You can also add action buttons to <> or <> using alert data. .. *Author* (optional): The rule's authors. .. *License* (optional): The rule's license. -.. *Elastic endpoint exceptions* (optional): Adds all {elastic-defend} -rule exceptions to this rule (refer to <> to learn more about adding endpoint exceptions). +.. *Elastic endpoint exceptions* (optional): Adds all <> to this rule. + NOTE: If you select this option, you can add -<> on the Rule details page. -Additionally, all future exceptions added to the {elastic-defend} rule -also affect this rule. +{elastic-endpoint} exceptions on the Rule details page. +Additionally, all future exceptions added to endpoint protection rules will also affect this rule. + .. *Building block* (optional): Select to create a building-block rule. By diff --git a/docs/serverless/rules/rules-ui-create.asciidoc b/docs/serverless/rules/rules-ui-create.asciidoc index 7b91410d75..29be82de61 100644 --- a/docs/serverless/rules/rules-ui-create.asciidoc +++ b/docs/serverless/rules/rules-ui-create.asciidoc 
@@ -598,12 +598,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo alerts created by the rule. You can also add action buttons to <> or <> using alert data. .. **Author** (optional): The rule's authors. .. **License** (optional): The rule's license. -.. **Elastic endpoint exceptions** (optional): Adds all {elastic-defend} -rule exceptions to this rule (refer to <> to learn more about adding endpoint exceptions). +.. **Elastic endpoint exceptions** (optional): Adds all <> to this rule. + [NOTE] ==== -If you select this option, you can add <> on the Rule details page. Additionally, all future exceptions added to the {elastic-defend} rule also affect this rule. +If you select this option, you can add {elastic-endpoint} exceptions on the Rule details page. Additionally, all future exceptions added to endpoint protection rules will also affect this rule. ==== .. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. .. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100. From 55483ea3c6270defea904d29c6e940c5c6ad09ed Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 13 Nov 2024 10:33:09 +0000 Subject: [PATCH 08/12] Adds links --- docs/detections/rules-ui-create.asciidoc | 2 +- docs/serverless/rules/rules-ui-create.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index fd3904979b..cf20dd03be 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -567,7 +567,7 @@ alerts created by the rule. You can also add action buttons to <> will also affect this rule. + .. *Building block* (optional): Select to create a building-block rule. By 
diff --git a/docs/serverless/rules/rules-ui-create.asciidoc b/docs/serverless/rules/rules-ui-create.asciidoc index 29be82de61..626764e7cf 100644 --- a/docs/serverless/rules/rules-ui-create.asciidoc +++ b/docs/serverless/rules/rules-ui-create.asciidoc @@ -602,7 +602,7 @@ alerts created by the rule. You can also add action buttons to <> will also affect this rule. ==== .. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. .. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100. From 537e0606341e49d8e027b1170ede1bc1119baa96 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 14 Nov 2024 09:09:44 +0000 Subject: [PATCH 09/12] Uncomment endpoint rules in release highlights --- docs/whats-new.asciidoc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 0b6a37ccb4..30f9811e84 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc @@ -142,9 +142,6 @@ Additional third-party response actions are available using Elastic's {security- You can now configure any detection rule type to perform {elastic-defend}'s {security-guide}/automated-response-actions.html[automated response actions]. -//// -Commenting out until docs are ready - [float] === New rules for {elastic-defend}'s endpoint protection features @@ -152,7 +149,6 @@ New prebuilt rules tailored for each of {elastic-defend}'s endpoint protection f [role="screenshot"] image::whats-new/images/8.16/endpoint-protection-rules.png[Endpoint protection rules] -//// [float] == Cloud Security enhancements From 9459aa9cb3c4546c0baab94965c84ea45c462d8a Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Tue, 19 Nov 2024 13:44:12 +0000 Subject: [PATCH 10/12] Address feedback --- docs/detections/add-exceptions.asciidoc | 7 +------ .../admin/endpoint-protection-rules.asciidoc | 14 ++++++++------ .../edr-manage/endpoint-protection-rules.asciidoc | 14 ++++++++------ docs/serverless/rules/add-exceptions.asciidoc | 7 +------ 4 files changed, 18 insertions(+), 24 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 9b6836afd4..6ff4f58e95 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -129,12 +129,7 @@ Closes all alerts that match the exception's conditions and were generated only [[endpoint-rule-exceptions]] === Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add {elastic-endpoint} exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: - -* `kibana.alert.original_event.module:endpoint` -* `kibana.alert.original_event.kind:alert` - -You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. +Like detection rule exceptions, you can add {elastic-endpoint} exceptions by adding exceptions to <>. You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts. diff --git a/docs/management/admin/endpoint-protection-rules.asciidoc b/docs/management/admin/endpoint-protection-rules.asciidoc index e6fd4c783a..f2a0d53985 100644 --- a/docs/management/admin/endpoint-protection-rules.asciidoc 
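Review bot: the add-exceptions hunk (@@ -129,12) deletes the two field values that identify an {elastic-endpoint} alert, `kibana.alert.original_event.module:endpoint` and `kibana.alert.original_event.kind:alert`, and nothing in this patch moves them to another page. Those are the values a reader needs to filter the Alerts table or to confirm an exception is scoped to endpoint alerts rather than to all detection alerts, so either keep the two bullets in this section or carry them over to the endpoint protection rules page with the new "displayed as detection alerts" paragraph.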
+++ b/docs/management/admin/endpoint-protection-rules.asciidoc @@ -3,18 +3,20 @@ Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. -IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (see <>). +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). + +When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert [discrete] [[defend-rule]] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: - -** Malware Prevention Alert -** Malware Detection Alert +The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. -NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. +NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default. [discrete] [[feature-protection-rules]] diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc index 16ae976683..747d98da96 100644 
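Review bot: the rewritten NOTE at the end of the endpoint-protection-rules hunk (@@ -3,18), `+NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default.`, is missing the word "rule" after `{elastic-defend}`, and it also drops "only" from the line it replaces (`this is the only rule that is enabled by default`), which weakens the statement; if the feature-specific rules are still disabled by default, keep that fact, for example `NOTE: When you install Elastic prebuilt rules, the {elastic-defend} rule is the only endpoint protection rule that is enabled by default.` Separately, the two items moved into the new paragraph (`** Malware Prevention Alert`, `** Malware Detection Alert`) are second-level list markers with no parent `*` item; a single-level `*` list renders more predictably here.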
--- a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc @@ -3,18 +3,20 @@ Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. -IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (see <>). +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). + +When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert [discrete] [[defend-rule]] == {elastic-defend} rule -The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. When this rule is enabled, the following Endpoint events are displayed as detection alerts: - -** Malware Prevention Alert -** Malware Detection Alert +The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. -NOTE: When you load the prebuilt rules, this is the only rule that is enabled by default. +NOTE: When you install Elastic prebuilt rules, the {elastic-defend} rule that is enabled by default. [discrete] [[feature-protection-rules]] 
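Review bot: the serverless NOTE in this hunk (@@ -3,18), `+NOTE: When you install Elastic prebuilt rules, the {elastic-defend} rule that is enabled by default.`, has a stray "that" and is not a complete sentence; it should read `the {elastic-defend} rule is enabled by default` (or, to keep the meaning of the replaced line, `is the only endpoint protection rule that is enabled by default`). The ESS version of this same NOTE in the previous file drops the word "rule" instead, so the two copies now differ; align them on one sentence.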
diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index c631c347c3..a90fff4dc2 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc +++ b/docs/serverless/rules/add-exceptions.asciidoc @@ -136,12 +136,7 @@ is only available when adding exceptions from the Alerts table. [[endpoint-rule-exceptions]] == Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add {elastic-endpoint} exceptions either by editing the <> or by adding exceptions as actions on alerts generated by endpoint protection rules. These alerts, known as {elastic-endpoint} alerts, have the following fields: - -* `kibana.alert.original_event.module:endpoint` -* `kibana.alert.original_event.kind:alert` - -You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. +Like detection rule exceptions, you can add {elastic-endpoint} exceptions by adding exceptions to <>. You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. Endpoint exceptions are added to the endpoint protection rules **and** the {elastic-endpoint} on your hosts. From 29e9b3d2bbb25297b2d14911a1ef964338d9667d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 20 Nov 2024 10:30:09 +0000 Subject: [PATCH 11/12] Address feedback --- docs/detections/prebuilt-rules-management.asciidoc | 2 +- .../admin/endpoint-protection-rules.asciidoc | 14 ++++++++------ .../edr-manage/endpoint-protection-rules.asciidoc | 14 ++++++++------ .../prebuilt-rules-management.asciidoc | 2 +- 4 files changed, 18 insertions(+), 14 deletions(-) diff --git a/docs/detections/prebuilt-rules-management.asciidoc b/docs/detections/prebuilt-rules-management.asciidoc index 1e65304b50..986738a055 100644 
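Review bot: the serverless add-exceptions hunk (@@ -136,12) removes the bullets `kibana.alert.original_event.module:endpoint` and `kibana.alert.original_event.kind:alert` without relocating them. These are the only documented field values that distinguish {elastic-endpoint} alerts from other detection alerts, so keep them on this page or move them to the endpoint protection rules page rather than dropping them.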
--- a/docs/detections/prebuilt-rules-management.asciidoc +++ b/docs/detections/prebuilt-rules-management.asciidoc @@ -16,7 +16,7 @@ Follow these guidelines to start using the {security-app}'s <> and <>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. diff --git a/docs/management/admin/endpoint-protection-rules.asciidoc b/docs/management/admin/endpoint-protection-rules.asciidoc index f2a0d53985..c79c57e663 100644 --- a/docs/management/admin/endpoint-protection-rules.asciidoc +++ b/docs/management/admin/endpoint-protection-rules.asciidoc @@ -1,7 +1,7 @@ [[endpoint-protection-rules]] = Endpoint protection rules -Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. +Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). 
@@ -11,12 +11,12 @@ When endpoint protection rules are triggered, {elastic-endpoint} alerts are disp ** Malware Detection Alert [discrete] -[[defend-rule]] -== {elastic-defend} rule +[[endpoint-sec-rule]] +== Endpoint Security rule -The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. +The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts. -NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default. +NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default. [discrete] [[feature-protection-rules]] @@ -33,9 +33,11 @@ The following endpoint protection rules give you more granular control over how * Ransomware - Detected - Elastic Defend * Ransomware - Prevented - Elastic Defend +NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts. + To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <>. [discrete] == Endpoint security exception handling -All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file +All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc index 747d98da96..f71d61c72f 100644 
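Review bot: in the endpoint-protection-rules hunk (@@ -11,12) the heading and the first sentence are renamed to "Endpoint Security rule", but the NOTE directly below is unchanged apart from whitespace (`-NOTE: ... the {elastic-defend} is enabled by default.` against an identical `+NOTE:` line), so it still names `{elastic-defend}` and still lacks the word "rule". Update it to match the new heading, for example `NOTE: When you install Elastic prebuilt rules, the Endpoint Security rule is enabled by default.` Also, the anchor changes from `[[defend-rule]]` to `[[endpoint-sec-rule]]`; every `<<defend-rule>>` cross-reference added by earlier patches in this series (add-exceptions.asciidoc, rules-ui-create.asciidoc, detection-engine-intro.asciidoc) must be updated in the same commit, since the build will fail on a dangling xref and only the intro paragraph of this file is touched by the @@ -1,7 hunk.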
--- a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc @@ -1,7 +1,7 @@ [[endpoint-protection-rules]] = Endpoint protection rules -Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the {elastic-defend} rule as well as additional detection and prevention rules for different {elastic-defend} protection features. +Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {elastic-defend} protection features. IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). @@ -11,12 +11,12 @@ When endpoint protection rules are triggered, {elastic-endpoint} alerts are disp ** Malware Detection Alert [discrete] -[[defend-rule]] -== {elastic-defend} rule +[[endpoint-sec-rule]] +== Endpoint Security rule -The {elastic-defend} rule automatically creates an alert from all incoming {elastic-endpoint} alerts. +The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts. -NOTE: When you install Elastic prebuilt rules, the {elastic-defend} rule that is enabled by default. +NOTE: When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default. [discrete] [[feature-protection-rules]] 
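Review bot: the serverless NOTE in the @@ -11,12 hunk, `+NOTE: When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default.`, carries over the stray "that" from the previous patch and is still not a complete sentence. Change it to `the Endpoint Security rule is enabled by default` and use the same wording in the ESS copy of this file, which in this patch still says `the {elastic-defend} is enabled by default`. The anchor rename `[[defend-rule]]` to `[[endpoint-sec-rule]]` also needs every serverless cross-reference to the old anchor updated in this commit.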
@@ -33,9 +33,11 @@ The following endpoint protection rules give you more granular control over how * Ransomware - Detected - Elastic Defend * Ransomware - Prevented - Elastic Defend +NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts. + To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <>. [discrete] == Endpoint security exception handling -All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the {elastic-defend} rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file +All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file diff --git a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc index 8778e4deef..1f7d3cd530 100644 --- a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc +++ b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc @@ -20,7 +20,7 @@ Follow these guidelines to start using the {security-app}'s <> and <>. If you want to modify other settings on a prebuilt rule, you must first duplicate it, then make your changes to the duplicated rule. However, your customized rule is entirely separate from the original prebuilt rule, and will not get updates from Elastic if the prebuilt rule is updated. ==== From 82fe2372293918726f2c7ad8afe8a29d192f2de9 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Thu, 21 Nov 2024 14:51:11 +0000 Subject: [PATCH 12/12] Address feedback --- docs/detections/add-exceptions.asciidoc | 2 +- docs/serverless/rules/add-exceptions.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 6ff4f58e95..55d1eece63 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -129,7 +129,7 @@ Closes all alerts that match the exception's conditions and were generated only [[endpoint-rule-exceptions]] === Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add {elastic-endpoint} exceptions by adding exceptions to <>. You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. +You can add {elastic-endpoint} exceptions to <> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts. diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index a90fff4dc2..7bee5592c1 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc +++ b/docs/serverless/rules/add-exceptions.asciidoc 
@@ -136,7 +136,7 @@ is only available when adding exceptions from the Alerts table. [[endpoint-rule-exceptions]] == Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add {elastic-endpoint} exceptions by adding exceptions to <>. You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. +You can add {elastic-endpoint} exceptions to <> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. Endpoint exceptions are added to the endpoint protection rules **and** the {elastic-endpoint} on your hosts.
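Review bot: In the two patch 12 hunks the rewritten sentence reads well, but the unchanged context line that follows it bolds the conjunction differently in the two files, `*and*` in docs/detections/add-exceptions.asciidoc versus `**and**` in docs/serverless/rules/add-exceptions.asciidoc. Both render as bold in AsciiDoc, but since these two pages are meant to stay in sync, pick one form (constrained `*and*` is the conventional choice for a single word) and apply it to both while this section is being touched.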