
[DOCS] Guided Onboarding for Elastic Defend #2457

Closed
qcorporation opened this issue Sep 14, 2022 · 3 comments · Fixed by #2569
Assignees
Labels
Feature: Elastic Defend Feature: Onboarding Any issues related to onboarding our customers Team: Docs v8.5.0

Comments

@qcorporation
Contributor

qcorporation commented Sep 14, 2022

For the 8.5 Release, we will release Guided onboarding for Elastic Defend
https://github.com/elastic/security-team/issues/3981
[after reading the ticket]

Description

This new feature will differentiate guided onboarding for Elastic Security for the EDR and Cloud Security use case. It will also apply different default settings for the use cases to enable security visibility between the different personas.

What's needed

Document the new expected onboarding workflow for the EDR and Cloud Security use cases.
Outline the default configurations for the two workflows.

Workflows:

  • Integrations -> Elastic Defend -> Add -> Endpoint - NGAV (process events)
  • Integrations -> Elastic Defend -> Add -> Endpoint - EDR Essential (file, network, process events)
  • Integrations -> Elastic Defend -> Add -> Endpoint - EDR Complete (all events, no session data)
  • Integrations -> Elastic Defend -> Add -> Cloud Security - Interactive Only (all events + session data + Event Filter for process.entry_leader.interactive:false attached to policy, memory threat and ransomware disabled)
  • Integrations -> Elastic Defend -> Add -> Cloud Security - All Events (all events + session data, no event filter, memory threat and ransomware disabled)
  • Integrations -> Elastic Defend -> Add -> Cloud Security - Prevent Malware (enable malware)
  • Integrations -> Elastic Defend -> Add -> Cloud Security - Prevent Malicious Behavior (enable Malicious Behavior, only shows when the license is platinum or enterprise)

Refer to elastic/kibana#139230 for details on which settings are enabled by each option for endpoints.

@qcorporation qcorporation self-assigned this Sep 14, 2022
@qcorporation qcorporation added Team:AWP Team: Docs v8.5.0 Feature: Onboarding Any issues related to onboarding our customers labels Sep 14, 2022
@qcorporation
Contributor Author

cc.ing Working Group:
@bradenlpreston @learhy @gavinwye @dimadavid @codearos @kevinlog @snehsach19 @opauloh @animehart @crowens

@joepeeples
Contributor

joepeeples commented Sep 29, 2022

Per our discussion today, @benironside will revise the instructions and update screenshots on https://www.elastic.co/guide/en/security/current/install-endpoint.html, and I'll review the first draft.

Stuff to consider:

  • For final screenshots, might need to wait until BC3 (Oct 6) or get a recent deployment from dev, since UI text is still being revised.
  • We talked about renaming files and anchors (such as install-endpoint.asciidoc and [[install-endpoint]]), which would be a good thing to do. We'd also need to request redirects from Marketing for any renamed URLs.

@opauloh

opauloh commented Sep 29, 2022

  • For final screenshots, might need to wait until BC3 (Oct 6) or get a recent deployment from dev, since UI text is still being revised.

That's true, we have 2 PRs addressing some changes, so the final version will be in BC 3. If that helps I can provide a recent deployment with the latest/final version.
