[DOCS] Endpoint artifact docs clarification (#2516)
* First draft
  - Create new page
  - Add new page to the "Endpoint management" TOC
* Rename file/URL
* Enhance individual artifact descriptions
* Add xrefs from individual pages
* Revise tip about endpoint network events
* Initial suggestions from Ben's review
  Co-authored-by: Benjamin Ironside Goldstein <[email protected]>
* Singular/plural agreement
  Co-authored-by: Benjamin Ironside Goldstein <[email protected]>
* Apply suggestions from code review
* Apply suggestions from Janeen's review
  Co-authored-by: Janeen Mikell-Straughn <[email protected]>
* Additional edits, fixes
* Explain preventions
* may --> might
* Update trusted apps screenshot

Co-authored-by: Benjamin Ironside Goldstein <[email protected]>
Co-authored-by: Janeen Mikell-Straughn <[email protected]>
(cherry picked from commit 59c53a0)
1 parent a599118, commit a2c872d. Showing 5 changed files with 46 additions and 6 deletions.
@@ -1,4 +1,38 @@ | ||
[[endpoint-artifacts]] | ||
[chapter] | ||
= Optimize {elastic-defend} | ||
|
||
This page is a placeholder for future documentation. | ||
If you encounter problems like incompatibilities with other antivirus software, too many false positive alerts, or excessive storage or CPU usage, you can optimize {elastic-defend} to mitigate these issues. | ||
|
||
Endpoint artifacts — such as trusted applications and event filters — and Endpoint exceptions let you modify the behavior and performance of _{elastic-endpoint}_, the component installed on each host that performs {elastic-defend}'s threat monitoring, prevention, and response actions. | ||
|
||
The following table explains the differences between several Endpoint artifacts and exceptions, and how to use them: | ||
|
||
[cols="2"] | ||
|=== | ||
|
||
| <<trusted-apps-ov,Trusted application>> | ||
a| *_Prevents {elastic-endpoint} from monitoring a process._* Use to avoid conflicts with other software, usually other antivirus or endpoint security applications. | ||
|
||
* Creates intentional blind spots in your security environment — use sparingly! | ||
* Doesn't monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc. | ||
* Doesn't generate events for the application except process events for visualizations. | ||
* Might improve performance, since {elastic-endpoint} monitors fewer processes. | ||
* Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior. To suppress alerts, create <<endpoint-rule-exceptions,Endpoint alert exceptions>>. | ||
|
||
| <<event-filters,Event filter>> | ||
a| *_Prevents event documents from being written to {es}._* Use to reduce storage usage in {es}. | ||
|
||
Does NOT lower CPU usage for {elastic-endpoint}. It still monitors event data for possible threats, but without writing event data to {es}. | ||
|
||
| <<blocklist,Blocklist>> | ||
a| *_Prevents known malware from running._* Use to extend {elastic-defend}'s protection against malicious processes. | ||
|
||
NOT intended to broadly block benign applications for non-security reasons. | ||
|
||
| <<endpoint-rule-exceptions,Endpoint alert exception>> | ||
a| *_Prevents {elastic-endpoint} from generating alerts or stopping processes._* Use to reduce false positive alerts, and to keep {elastic-endpoint} from preventing processes you want to allow. | ||
|
||
Might also improve performance: {elastic-endpoint} checks for exceptions _before_ most other processing, and stops monitoring a process if an exception allows it. | ||
|
||
|=== |
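Review bot: In the Trusted application row, the second bullet ("Doesn't monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.") contradicts the fifth bullet ("Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior"), so a reader cannot tell whether a trusted application can ever produce an alert. Suggest qualifying the second bullet to name which alert types a trusted application suppresses and leaving the fifth bullet as the explicit exception, so the two read as rule and exception rather than as a contradiction. Related: the same row warns "Creates intentional blind spots in your security environment — use sparingly!", while the Endpoint alert exception row states that {elastic-endpoint} "stops monitoring a process if an exception allows it" with no equivalent caution; if that description is accurate, the blind-spot warning belongs in that row as well.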