Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DOCS] Endpoint artifact docs clarification #2516
[DOCS] Endpoint artifact docs clarification #2516
Changes from 10 commits
e0d93dd
cf85d76
2301afe
6ebfdaa
23be388
5490a74
128bf8a
f65eb1c
3c0a7b1
94eae31
38f4a7a
d64b7fc
07aa8f4
0059a2e
cdf31e4
731b90f
9b22c41
f7939ea
10d338f
ed8d661
e8c774b
452c187
46ff3e7
c87a9a5
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm confused by the first sentence here. It seems like, of course a block list shouldn't block applications known to be benign — why would someone add a known benign application to the block list? So I'm not sure what info this is adding. Am I missing something here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is responding specifically to some misconfigurations where admins might have tried to use the blocklist to block an app that isn't a security threat per se, but just something that admins didn't want end users to run. But other readers may have the same confusion you had; maybe there's a clearer way to say this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if you approached this from a different angle, for ex:
This is a lil wordy, but maybe that's needed to fully explain how users should and should not be using the blocklist.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nastasha-solomon I'm trying out a twist on your suggestion. I'd like this paragraph to start with "the blocklist does NOT do this" as a contrast to the previous para, which is "the blocklist DOES do this," but otherwise I agree with y'all, a little more explanation is needed here.
(Is "broadly block benign" too much of a tongue twister? 🤪)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can agree with this approach.
Sidenote: If this were a Letterkenny episode, I'd applaud your admirable application of alliteration. 🥇
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you said "process" in the first part of this description, maybe it makes sense to continue with "process" instead of "application"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I understand correctly, it's more that Trusted application artifacts prevent event collection for the specified apps, not that they don't generate events. They prevent endpoint from collecting, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Someone on the dev side might answer this better (@kevinlog @ferullo ?), but I think a trusted app is about preventing event generation, not event collection. That's why it's such a blindspot: the event data just doesn't exist, because it's not getting created.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joepeeples your comment is also my understanding, so I think we should leave it as is, unless @ferullo thinks otherwise.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is confusing to me since you said above "* Does not generate events for the application except process events for visualizations." Is this in reference to those process events for visualizations? I guess I thought that "for visualizations" would mean not for generating alerts. Also under what circumstances would that "May" come into play? If it only "May" generate alerts, I think we need to be specific about that "May", or else, if possible just remove this bullet entirely .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the minimal process events that still get created could possibly trigger the malicious behavior protection feature, probably because it's looking more at behavior patterns in the data, regardless of the application/process doing the behavior. Malicious behavior protection is separate from other Elastic Defend features that presumably would NOT trigger for a trusted application (such as malware, ransomware, or memory threat protections, etc.), since they wouldn't be looking at process events in the same way.
The "for visualizations" detail might be unnecessary and distracting here; maybe we could just say "for internal use" or similar.
@caitlinbetz @kevinlog @ferullo Any additional details on what might trigger these malicious behavior alerts? I get the sense that we're mentioning this because it's happened to customers when they weren't expecting alerts, but any other info that would help?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you think explaining what generates malicious behavior alerts and then contrasting that with what triggers other Elastic defend protection features (malware, ransomware, or memory threat protections, etc.) would help? Maybe something like:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joepeeples
It is true that we can still trigger alerts, although a particular process has been made into a trusted app. Think the important thing to add here is that if they want to suppress the alerts that still come through, they should create Endpoint Alert Exceptions.
Maybe something like the below works.
I know you already mention Endpoint Alert Exceptions earlier in this section, but maybe it's a good place to reiterate?
If we still want anything more specific, I would need @ferullo or someone else on Endpoint to chime in
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kevinlog Thanks for the extra context! I'll add a cross-reference to Endpoint alert exceptions as you suggest.
@nastasha-solomon I think this will resolve the point of confusion that customers may be having; it sounds like they might not need the additional explanation of how the alerts are still being created, just how they can stop them (create an exception).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Still confused by this. Why would someone think the blocklist was intended for blocking benign applications? I think maybe the word "generically" is doing some heavy lifting here that is going over my head?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My response above: https://github.com/elastic/security-docs/pull/2516/files#r992703486
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignorant question here: what do you mean by "preventions"? If this is a common security term, ignore me. I've just never seen/heard the word used as a noun in this way. I've mainly seen it used a verb -- e.g., this feature prevents attacks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nastasha-solomon Here it's being used to refer to specific features of Elastic Defend, when the admin selects the "Prevent" option to have Elastic Defend/Endpoint stop certain processes. But I can see how that's not super clear; I'll tinker with this to be more specific.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah ok, I didn't know we were referring to this feature as "preventions". Thanks for the clarification!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.