New endpoint rules #6100

Status: Open. Wants to merge 13 commits into base: main.
20 changes: 7 additions & 13 deletions docs/detections/add-exceptions.asciidoc
Expand Up @@ -129,22 +129,16 @@ Closes all alerts that match the exception's conditions and were generated only
[[endpoint-rule-exceptions]]
=== Add {elastic-endpoint} exceptions

Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields:
You can add {elastic-endpoint} exceptions to <<endpoint-protection-rules, endpoint protection rules>> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.

* `kibana.alert.original_event.module determined:endpoint`
* `kibana.alert.original_event.kind:alert`

You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.

Endpoint exceptions are added to the Endpoint Security rule *and* the {elastic-endpoint} on your hosts.
Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts.

[IMPORTANT]
=============
Exceptions added to the Endpoint Security rule affect all alerts sent
from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint
alerts.
Exceptions added to the endpoint protection rules affect all alerts sent
from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts.

Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
=============

[IMPORTANT]
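Review bot: the rewritten opening paragraph drops the only place in this section that told readers how to recognise an {elastic-endpoint} alert: the two removed fields `kibana.alert.original_event.module determined:endpoint` and `kibana.alert.original_event.kind:alert`. The first of those had a stray word in the field name, which may be why they went, but a corrected pair (presumably `kibana.alert.original_event.module:endpoint` and `kibana.alert.original_event.kind:alert`) is still useful for finding the alerts in the Alerts table or a KQL query before adding an exception. Separately, the IMPORTANT block says exceptions "affect all alerts sent from {elastic-endpoint}" but not why: the new endpoint-protection-rules page states that every endpoint protection rule shares the Endpoint Security Exception List, so an exception added through any one rule silences the matching alerts for all of them and on the agent. Saying that here, where the exception is actually added, is the caveat most likely to stop someone from accidentally blinding the feature-specific rules.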
Expand All @@ -158,7 +152,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there

* To add an Endpoint exception from the rule details page:
.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. In the Rules table, search for and select the Elastic *Endpoint Security* rule.
.. In the Rules table, search for and select one of the <<endpoint-protection-rules, endpoint protection rules>>.
.. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*.

* To add an Endpoint exception from the Alerts table:
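Review bot: "search for and select one of the <<endpoint-protection-rules, endpoint protection rules>>" leaves the reader to guess whether the choice matters. Since all of those rules share the Endpoint Security Exception List (per the new page), say that any of them can be used and that the exception applies to every endpoint protection rule; otherwise a reader may add the same exception several times, once per rule.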
Expand All @@ -170,7 +164,7 @@ alert, click the *More actions* menu (*...*), then select *Add Endpoint exceptio
.. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
.. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*.
+
NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option selected.
NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option selected.

--
+
16 changes: 2 additions & 14 deletions docs/detections/detection-engine-intro.asciidoc
Expand Up @@ -22,21 +22,9 @@ how to modify the rules to reduce false positives and get a better set of
actionable alerts. You can also use exceptions and value lists when creating or
modifying your own rules.

There are two special prebuilt rules you need to know about:
There are several special prebuilt rules you need to know about:

* <<endpoint-security, *Endpoint Security*>>:
Automatically creates an alert from all incoming Elastic Endpoint alerts. To
receive Elastic Endpoint alerts, you must install the Endpoint agent on your
hosts (see <<install-endpoint>>).
+
When this rule is enabled, the following Endpoint events are displayed as
detection alerts:
+
** Malware Prevention Alert
** Malware Detection Alert
+
NOTE: When you load the prebuilt rules, this is the only rule that is enabled
by default.
* <<endpoint-protection-rules, *Endpoint protection rules*>>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention.

* <<external-alerts, *External Alerts*>>: Automatically creates an alert for
all incoming third-party system alerts (for example, Suricata alerts).
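Review bot: the removed bullet carried two facts the one-line replacement does not: that {agent} with {elastic-defend} must be installed on hosts before any endpoint alerts arrive, and that the Endpoint Security rule is the only prebuilt rule enabled by default. Both now exist only on the new endpoint-protection-rules page, so the `<<endpoint-protection-rules>>` cross-reference is load-bearing; either keep the one-sentence install prerequisite here or confirm the new page is included in this build (the manage-intro.asciidoc hunk in this PR adds it, so the ESS side is covered).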
8 changes: 3 additions & 5 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -563,13 +563,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo
alerts created by the rule. You can also add action buttons to <<invest-guide-run-osquery, run Osquery>> or <<interactive-investigation-guides, launch Timeline investigations>> using alert data.
.. *Author* (optional): The rule's authors.
.. *License* (optional): The rule's license.
.. *Elastic endpoint exceptions* (optional): Adds all Elastic Endpoint Security
rule exceptions to this rule (refer to <<endpoint-rule-exceptions>> to learn more about adding endpoint exceptions).
.. *Elastic endpoint exceptions* (optional): Adds all <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> to this rule.
+
NOTE: If you select this option, you can add
<<endpoint-rule-exceptions, Endpoint exceptions>> on the Rule details page.
Additionally, all future exceptions added to the Endpoint Security rule
also affect this rule.
{elastic-endpoint} exceptions on the Rule details page.
Additionally, all future exceptions added to <<endpoint-protection-rules, endpoint protection rules>> will also affect this rule.
+

.. *Building block* (optional): Select to create a building-block rule. By
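Review bot: the NOTE buries the behavioural caveat. "all future exceptions added to <<endpoint-protection-rules, endpoint protection rules>> will also affect this rule" is the sentence a rule author needs before ticking the box, because it means someone adding an endpoint exception elsewhere can later suppress this rule's alerts without ever opening it; consider leading the NOTE with that sentence and putting the Rule details page remark second. Also, the option label is rendered literally as *Elastic endpoint exceptions* while the link text on the same line uses the {elastic-endpoint} attribute; check that the attribute expands to the same wording so the two do not disagree within one item.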
43 changes: 43 additions & 0 deletions docs/management/admin/endpoint-protection-rules.asciidoc
@@ -0,0 +1,43 @@
[[endpoint-protection-rules]]
= Endpoint protection rules

Endpoint protection rules are <<prebuilt-rules-management, prebuilt rules>> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <<endpoint-security>> rule as well as additional detection and prevention rules for different {elastic-defend} protection features.

IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <<install-endpoint>>).

When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts:

** Malware Prevention Alert
** Malware Detection Alert

[discrete]
[[endpoint-sec-rule]]
== Endpoint Security rule

The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts.

NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default.

[discrete]
[[feature-protection-rules]]
== Feature-specific protection rules

The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.

Contributor: Do the following rules need to reference prebuilt rule docs, similar to how we provide a link to the Elastic Defend rule docs? (Same question for this section in the Serverless docs.)

Contributor:
> Do the following rules need to reference prebuilt rule docs?

Probably eventually, though we might be able to publish an MVP of this page without linking to prebuilt rule docs for now. Getting those prebuilt rule docs might be out of scope for this, and something that the TRADE team handles?

Contributor: Let's add the links after the rules are published. The docs creation for prebuilt rules is managed by TRADE and those will be added automatically during the rules release process. I think linking them would be helpful.

Contributor Author: 👍 Created an enhancement request to add those links once the prebuilt rule docs are published.

* Behavior - Detected - Elastic Defend
* Behavior - Prevented - Endpoint Defend
* Malicious File - Detected - Elastic Defend
* Malicious File - Prevented - Elastic Defend
* Memory Signature - Detected - Elastic Defend
* Memory Signature - Prevented - Elastic Defend
* Ransomware - Detected - Elastic Defend
* Ransomware - Prevented - Elastic Defend

NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.

To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <<load-prebuilt-rules,installing and enabling Elastic prebuilt rules>>.

[discrete]
== Endpoint security exception handling

All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> continue to apply.
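Review bot: the NOTE under "Endpoint Security rule" is wrong as written: "When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default" should say the Endpoint Security rule is enabled by default, which is the fact the old detection-engine-intro text stated and which the serverless copy of this page (garbled differently) also intends. Three smaller things in the same hunk: "Behavior - Prevented - Endpoint Defend" should be "Elastic Defend" like the other seven rule names; the two "Malware Prevention Alert" / "Malware Detection Alert" items use `**` (second-level) bullets with no enclosing `*` item, so they will render as an orphaned nested list; and "Endpoint security exception handling" is the only section on the page without an `[[id]]` anchor, although the add-exceptions hunks in this PR talk about exactly that behaviour and would benefit from linking to it. Finally, since the page recommends disabling the Endpoint Security rule when the feature-specific rules are used, it is worth stating next to that NOTE, not only in the last section, that existing exceptions survive the switch because the list is shared.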
1 change: 1 addition & 0 deletions docs/management/manage-intro.asciidoc
Expand Up @@ -12,6 +12,7 @@ include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.as
include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/endpoint-event-capture.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/endpoint-protection-rules.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/endpoint-self-protection.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/endpoint-command-ref.asciidoc[leveloffset=+1]
43 changes: 43 additions & 0 deletions docs/serverless/edr-manage/endpoint-protection-rules.asciidoc
@@ -0,0 +1,43 @@
[[endpoint-protection-rules]]
= Endpoint protection rules

Endpoint protection rules are <<security-prebuilt-rules-management, prebuilt rules>> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {elastic-defend} protection features.

IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <<security-install-edr>>).

When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts:

** Malware Prevention Alert
** Malware Detection Alert

[discrete]
[[endpoint-sec-rule]]
== Endpoint Security rule

The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts.

NOTE: When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default.

[discrete]
[[feature-protection-rules]]
== Feature-specific protection rules

The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.

* Behavior - Detected - Elastic Defend
* Behavior - Prevented - Endpoint Defend
* Malicious File - Detected - Elastic Defend
* Malicious File - Prevented - Elastic Defend
* Memory Signature - Detected - Elastic Defend
* Memory Signature - Prevented - Elastic Defend
* Ransomware - Detected - Elastic Defend
* Ransomware - Prevented - Elastic Defend

NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.

To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <<load-prebuilt-rules,installing and enabling Elastic prebuilt rules>>.

[discrete]
== Endpoint security exception handling

All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> continue to apply.
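Review bot: `<<load-prebuilt-rules,installing and enabling Elastic prebuilt rules>>` is the one cross-reference on this serverless page without the `security-` prefix that the others use (`<<security-prebuilt-rules-management, ...>>`, `<<security-install-edr>>`); if the serverless anchor is `security-load-prebuilt-rules`, this link will not resolve in the serverless build, so please verify it. Same fixes as the ESS copy also apply here: "the Endpoint Security rule that is enabled by default" has a stray "that"; "Behavior - Prevented - Endpoint Defend" should read "Elastic Defend"; the two `**` malware alert bullets have no parent `*` item; and the exception-handling section has no `[[id]]` anchor. Dropping the `<<endpoint-security>>` link in the first paragraph matches the "links to prebuilt rule pages temporarily removed" comment elsewhere in the serverless docs, so that difference from the ESS copy looks intentional.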
1 change: 1 addition & 0 deletions docs/serverless/index.asciidoc
Expand Up @@ -69,6 +69,7 @@ include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3]
include::./edr-manage/blocklist.asciidoc[leveloffset=+3]
include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3]
include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3]
include::./edr-manage/endpoint-protection-rules.asciidoc[leveloffset=+3]
include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3]
include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3]
include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3]
20 changes: 7 additions & 13 deletions docs/serverless/rules/add-exceptions.asciidoc
Expand Up @@ -136,22 +136,16 @@ is only available when adding exceptions from the Alerts table.
[[endpoint-rule-exceptions]]
== Add {elastic-endpoint} exceptions

Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields:
You can add {elastic-endpoint} exceptions to <<endpoint-protection-rules, endpoint protection rules>> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option.

* `kibana.alert.original_event.module determined:endpoint`
* `kibana.alert.original_event.kind:alert`

You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option.

Endpoint exceptions are added to the Endpoint Security rule **and** the {elastic-endpoint} on your hosts.
Endpoint exceptions are added to the endpoint protection rules **and** the {elastic-endpoint} on your hosts.

[IMPORTANT]
====
Exceptions added to the Endpoint Security rule affect all alerts sent
from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint
alerts.
Exceptions added to the endpoint protection rules affect all alerts sent
from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts.

Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
====

[IMPORTANT]
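Review bot: as in the ESS copy of this section, the two alert fields that identified {elastic-endpoint} alerts (`kibana.alert.original_event.module determined:endpoint`, with its stray word, and `kibana.alert.original_event.kind:alert`) are removed rather than corrected, leaving no field-level way to find these alerts in this section. The IMPORTANT block would also be clearer if it said why exceptions "affect all alerts sent from {elastic-endpoint}": the endpoint protection rules share one Endpoint Security Exception List, so an exception added via any one of them applies to all of them and to the agent.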
Expand All @@ -163,7 +157,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there
+
** To add an Endpoint exception from the rule details page:
+
... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select the Elastic **Endpoint Security** rule.
... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select one of the <<endpoint-protection-rules, endpoint protection rules>>.
... Scroll down the rule details page, select the **Endpoint exceptions** tab, then click **Add endpoint exception**.
** To add an Endpoint exception from the Alerts table:
+
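Review bot: "select one of the <<endpoint-protection-rules, endpoint protection rules>>" should say the choice does not matter, because the exception lands in the shared Endpoint Security Exception List and applies to every endpoint protection rule; without that, readers may repeat the step per rule.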
Expand All @@ -177,7 +171,7 @@ alert, click the **More actions** menu (image:images/icons/boxesHorizontal.svg[A
+
[NOTE]
====
The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option selected.
The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option selected.
====
+
The **Add Endpoint Exception** flyout opens.
19 changes: 2 additions & 17 deletions docs/serverless/rules/detection-engine-overview.asciidoc
Expand Up @@ -24,26 +24,11 @@ how to modify the rules to reduce false positives and get a better set of
actionable alerts. You can also use exceptions and value lists when creating or
modifying your own rules.

There are two special prebuilt rules you need to know about:
There are several special prebuilt rules you need to know about:

// Links to prebuilt rule pages temporarily removed for initial serverless docs.

* **Endpoint Security**:
Automatically creates an alert from all incoming Elastic Endpoint alerts. To
receive Elastic Endpoint alerts, you must install the Endpoint agent on your
hosts (see <<security-install-edr,Install and configure the {elastic-defend} integration>>).
+
When this rule is enabled, the following Endpoint events are displayed as
detection alerts:
+
** Malware Prevention Alert
** Malware Detection Alert
+
[NOTE]
====
When you load the prebuilt rules, this is the only rule that is enabled
by default.
====
* <<endpoint-protection-rules, *Endpoint protection rules*>>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention.

// Links to prebuilt rule pages temporarily removed for initial serverless docs.
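Review bot: the new bullet is now bracketed by two copies of "// Links to prebuilt rule pages temporarily removed for initial serverless docs.", and the bullet itself contains a cross-reference, which makes the comment read as contradicted. The `<<endpoint-protection-rules, ...>>` link points at an internal management page rather than a prebuilt rule page, so the comment is still accurate, but the copy above the bullet (left over from the removed Endpoint Security bullet) can go, keeping only the one that precedes the External Alerts bullet. Also, `*Endpoint protection rules*` uses single-asterisk bold while this serverless file uses `**...**` elsewhere; pick one.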

5 changes: 2 additions & 3 deletions docs/serverless/rules/rules-ui-create.asciidoc
Expand Up @@ -598,12 +598,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo
alerts created by the rule. You can also add action buttons to <<security-invest-guide-run-osquery,run Osquery>> or <<security-interactive-investigation-guides,launch Timeline investigations>> using alert data.
.. **Author** (optional): The rule's authors.
.. **License** (optional): The rule's license.
.. **Elastic endpoint exceptions** (optional): Adds all Elastic Endpoint Security
rule exceptions to this rule (refer to <<endpoint-rule-exceptions,Add {elastic-endpoint} exceptions>> to learn more about adding endpoint exceptions).
.. **Elastic endpoint exceptions** (optional): Adds all <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> to this rule.
+
[NOTE]
====
If you select this option, you can add <<endpoint-rule-exceptions,Endpoint exceptions>> on the Rule details page. Additionally, all future exceptions added to the Endpoint Security rule also affect this rule.
If you select this option, you can add {elastic-endpoint} exceptions on the Rule details page. Additionally, all future exceptions added to <<endpoint-protection-rules, endpoint protection rules>> will also affect this rule.
====
.. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <<security-building-block-rules,Use building block rules>> for more information.
.. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100.
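Review bot: same ordering point as the ESS rules-ui-create hunk: "all future exceptions added to <<endpoint-protection-rules, endpoint protection rules>> will also affect this rule" is the consequence a rule author must understand before enabling the option, since an exception added on another rule can later suppress this rule's alerts; lead the NOTE with it. The literal label **Elastic endpoint exceptions** and the {elastic-endpoint} attribute in the link text on the same line should also be checked for matching wording.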