elastic · joepeeples · Oct 18, 2022 · Sep 28, 2022 · Sep 28, 2022 · Sep 29, 2022
@@ -2,7 +2,9 @@
 [chapter]
 = Blocklist
 
-The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. This is especially useful for ensuring that known malicious processes aren't accidentally executed by end users. 
+The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. This helps ensure that known malicious processes aren't accidentally executed by end users. 
+
+The blocklist is not intended to generically block applications assumed to be benign. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
-The blocklist is not intended to generically block applications assumed to be benign. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
+The blocklist fulfills the specific goal of blocking potentially harmful applications. Do not use it to broadly block non-permitted applications. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
-The blocklist is not intended to generically block applications assumed to be benign. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
+The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
-The blocklist is not intended to generically block applications assumed to be benign. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
+The blocklist fulfills the specific goal of blocking potentially harmful applications. Do not use it to broadly block non-permitted applications. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
-The blocklist is not intended to generically block applications assumed to be benign. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
+The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to <<endpoint-artifacts>>.
 
 [NOTE] 
 =====

@@ -1,4 +1,38 @@
 [[endpoint-artifacts]]
+[chapter]
 = Optimize {elastic-defend}
 
-This page is a placeholder for future documentation.
+If you encounter problems like incompatibilities with other antivirus software, too many false positive alerts, or excessive storage or CPU usage, you can optimize {elastic-defend} to mitigate these issues.
+
+Endpoint artifacts — such as trusted applications and event filters — and Endpoint exceptions let you modify the behavior and performance of _{elastic-endpoint}_, the component installed on each host that performs {elastic-defend}'s threat monitoring, prevention, and response actions.
+
+The following table explains the differences between several Endpoint artifacts and exceptions, and how to use them for specific purposes:
+
+[cols="2"]
+|===
+
+| <<trusted-apps-ov,Trusted applications>>
+a| *_Prevents {elastic-endpoint} from monitoring a process._* Use to avoid conflicts with other software, usually other antivirus or endpoint security applications.
+
+* Creates intentional blind spots in your security environment — use sparingly!
+* Does not monitor the application for threats, and does not create alerts for the application, even if it behaves like malware, ransomware, etc.
+* Does not generate events for the application except process events for visualizations.
-* Does not generate events for the application except process events for visualizations.
+* Prevents the collection of events from the application, except process events for visualizations.
-* Does not generate events for the application except process events for visualizations.
+* Prevents the collection of events from the application, except process events for visualizations.
+* May improve performance, since {elastic-endpoint} monitors fewer processes.
+* May still generate malicious behavior alerts, if the application's process events indicate malicious behavior.
-* May still generate malicious behavior alerts, if the application's process events indicate malicious behavior.
+* May not prevent malicious behavior alerts for applications whose process events indicate malicious behavior.
-* May still generate malicious behavior alerts, if the application's process events indicate malicious behavior.
+* May still generate malicious behavior alerts, which are produced certain data patterns are noticed. The conditions the produce these alerts are different from those that other Elastic defend protection features (malware, ransomware, or memory threat protections, etc.) follow. <Brief explanation>
-* May still generate malicious behavior alerts, if the application's process events indicate malicious behavior.
+* May not prevent malicious behavior alerts for applications whose process events indicate malicious behavior.
-* May still generate malicious behavior alerts, if the application's process events indicate malicious behavior.
+* May still generate malicious behavior alerts, which are produced certain data patterns are noticed. The conditions the produce these alerts are different from those that other Elastic defend protection features (malware, ransomware, or memory threat protections, etc.) follow. <Brief explanation>
+
+| <<event-filters,Event filters>>
+a| *_Prevents event documents from being written to {es}._* Use to reduce storage usage in {es}.
+
+Does NOT lower CPU usage for {elastic-endpoint}. It still monitors event data for possible threats, but the event data just isn't being written to {es}.
+
+| <<blocklist,Blocklist>>
+a| *_Prevents known malware from running._* Use to extend {elastic-defend}'s protection against malicious processes.
+
+NOT intended to generically block applications assumed to be benign.
+
+| <<endpoint-rule-exceptions,Endpoint alert exceptions>>
+a| *_Prevents {elastic-endpoint} from generating alerts or stopping processes._* Use to reduce false positive alerts or preventions.
+
+May also improve performance: {elastic-endpoint} checks for exceptions _before_ most other processing, and stops monitoring a process if an exception allows it.
+
+|===
@@ -4,6 +4,8 @@
 
 Event filters allow you to filter endpoint events that you do not need or want stored in {es} -- for example, high-volume events. By creating event filters, you can optimize your storage in {es}. All endpoint events have the `endpoint.events.network` field.
 
+Event filters do not lower CPU usage on hosts; {elastic-endpoint} still monitors event data to detect and prevent possible threats, but the event data just isn't being written to {es}. To compare event filters with other endpoint artifacts, refer to <<endpoint-artifacts>>.
+
 NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users].
 
 IMPORTANT: Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters.
-IMPORTANT: Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters.
+IMPORTANT: Since an event filter blocks events from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and therefore not trigger the corresponding alert for that rule. This is the expected behavior of event filters.
-IMPORTANT: Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters.
+IMPORTANT: Since an event filter blocks events from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and therefore not trigger the corresponding alert for that rule. This is the expected behavior of event filters.

@@ -2,11 +2,13 @@
 [chapter, role="xpack"]
 = Trusted applications
 
-You can add Windows, macOS, and Linux applications that should be trusted. By adding these trusted applications, you can use {elastic-sec} without compatibility or performance issues with other installed applications on your system. Trusted applications apply only to hosts running {elastic-defend}.
+You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {elastic-defend} integration.
 
 NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users].
 
-Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software. However, they create blindspots for {elastic-sec}. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors -- such as antivirus software -- to execute their malicious DLLs. Such activity appears to originate from the trusted vendor's process.
+Trusted applications create blindspots for {elastic-defend}, because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors -- such as antivirus software -- to execute their malicious DLLs. Such activity appears to originate from the trusted vendor's process.
+
+Trusted applications may still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an <<endpoint-rule-exceptions,Endpoint alert exception>>, which prevents {elastic-defend} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to <<endpoint-artifacts>>.
 
 By default, a trusted application is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a trusted application to a specific {elastic-defend} integration policy, enabling the application to be trusted by only the hosts assigned to that policy.