[DOCS] Endpoint artifact docs clarification #2516
Conversation
- Create new page - Add new page to the "Endpoint management" TOC
joepeeples
added
Team: Docs
Team: EDR Workflows
|
Documentation previews: |
…security-docs into 2111-endpoint-artifacts
This comment was marked as resolved.
This comment was marked as resolved.
joepeeples
requested review from
kevinlog,
roxana-gheorghe,
caitlinbetz and
ferullo
Co-authored-by: Benjamin Ironside Goldstein <[email protected]>
| The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. This is especially useful for ensuring that known malicious processes aren't accidentally executed by end users. | ||
| The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. This helps ensure that known malicious processes aren't accidentally executed by end users. | ||
|
|
||
| The blocklist is not intended to generically block applications assumed to be benign. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>. |
There was a problem hiding this comment.
What if you approached this from a different angle, for ex:
| The blocklist is not intended to generically block applications assumed to be benign. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>. | |
| The blocklist fulfills the specific goal of blocking potentially harmful applications. Do not use it to broadly block non-permitted applications. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>. |
This is a lil wordy, but maybe that's needed to fully explain how users should and should not be using the blocklist.
| NOT intended to generically block applications assumed to be benign. | ||
|
|
||
| | <<endpoint-rule-exceptions,Endpoint alert exception>> | ||
| a| *_Prevents {elastic-endpoint} from generating alerts or stopping processes._* Use to reduce false positive alerts or preventions. |
There was a problem hiding this comment.
Ignorant question here: what do you mean by "preventions"? If this is a common security term, ignore me. I've just never seen/heard the word used as a noun in this way. I've mainly seen it used a verb -- e.g., this feature prevents attacks.
There was a problem hiding this comment.
@nastasha-solomon Here it's being used to refer to specific features of Elastic Defend, when the admin selects the "Prevent" option to have Elastic Defend/Endpoint stop certain processes. But I can see how that's not super clear; I'll tinker with this to be more specific.
There was a problem hiding this comment.
Ah ok, I didn't know we were referring to this feature as "preventions". Thanks for the clarification!
| * Does not monitor the application for threats, and does not create alerts for the application, even if it behaves like malware, ransomware, etc. | ||
| * Does not generate events for the application except process events for visualizations. | ||
| * May improve performance, since {elastic-endpoint} monitors fewer processes. | ||
| * May still generate malicious behavior alerts, if the application's process events indicate malicious behavior. |
There was a problem hiding this comment.
Do you think explaining what generates malicious behavior alerts and then contrasting that with what triggers other Elastic defend protection features (malware, ransomware, or memory threat protections, etc.) would help? Maybe something like:
| * May still generate malicious behavior alerts, if the application's process events indicate malicious behavior. | |
| * May still generate malicious behavior alerts, which are produced certain data patterns are noticed. The conditions the produce these alerts are different from those that other Elastic defend protection features (malware, ransomware, or memory threat protections, etc.) follow. <Brief explanation> |
Co-authored-by: Janeen Mikell-Straughn <[email protected]>
|
Hi @joepeeples, We have tested this PR for the reference docs attached in comparison to the latest 8.5.0 BC build received and below our observations for the same: Issue reported: We will test this PR once again after the related bug is closed. Thank you!! |
Excellent point, thanks! I think I often naturally go with "may" too, but I like the preciseness of this distinction. Just revised the "mays" to "mights" here |
|
@muskangulati-qasource: Screenshot fixed in 452c187, thank you! |
* First draft - Create new page - Add new page to the "Endpoint management" TOC * Rename file/URL * Enhance individual artifact descriptions * Add xrefs from individual pages * Revise tip about endpoint network events * Initial suggestions from Ben's review Co-authored-by: Benjamin Ironside Goldstein <[email protected]> * Singular/plural agreement Co-authored-by: Benjamin Ironside Goldstein <[email protected]> * Apply suggestions from code review * Apply suggestions from Janeen's review Co-authored-by: Janeen Mikell-Straughn <[email protected]> * Additional edits, fixes * Explain preventions * may --> might * Update trusted apps screenshot Co-authored-by: Benjamin Ironside Goldstein <[email protected]> Co-authored-by: Janeen Mikell-Straughn <[email protected]> (cherry picked from commit 59c53a0)
* First draft - Create new page - Add new page to the "Endpoint management" TOC * Rename file/URL * Enhance individual artifact descriptions * Add xrefs from individual pages * Revise tip about endpoint network events * Initial suggestions from Ben's review Co-authored-by: Benjamin Ironside Goldstein <[email protected]> * Singular/plural agreement Co-authored-by: Benjamin Ironside Goldstein <[email protected]> * Apply suggestions from code review * Apply suggestions from Janeen's review Co-authored-by: Janeen Mikell-Straughn <[email protected]> * Additional edits, fixes * Explain preventions * may --> might * Update trusted apps screenshot Co-authored-by: Benjamin Ironside Goldstein <[email protected]> Co-authored-by: Janeen Mikell-Straughn <[email protected]> (cherry picked from commit 59c53a0) Co-authored-by: Joe Peeples <[email protected]>
Resolves #2111: "Expand the existing Trusted Apps/Exceptions/Blocklist etc pages to add more specifics on their use cases and how they differ."
Note that the new page "Optimize Elastic Defend" also serves as the landing page for docs links in the UI, such as elastic/kibana#142467.
Previews: