diff --git a/redirects.yml b/redirects.yml
index db8d5f5b4c..0148559007 100644
--- a/redirects.yml
+++ b/redirects.yml
@@ -6,4 +6,21 @@ redirects: anchors: 'anonymous-authentication': 'basic-authentication': - 'http-authentication': \ No newline at end of file + 'http-authentication': + 'reference/security/elastic-defend/index.md': 'solutions/security/configure-elastic-defend.md' + 'reference/security/elastic-defend/elastic-endpoint-deploy-reqs.md': 'solutions/security/configure-elastic-defend/elastic-defend-requirements.md' + 'reference/security/elastic-defend/install-endpoint.md': 'solutions/security/configure-elastic-defend/install-elastic-defend.md' + 'reference/security/elastic-defend/deploy-elastic-endpoint.md': 'solutions/security/configure-elastic-defend/enable-access-for-macos-monterey.md' + 'reference/security/elastic-defend/deploy-elastic-endpoint-ven.md': 'solutions/security/configure-elastic-defend/enable-access-for-macos-ventura-higher.md' + 'reference/security/elastic-defend/deploy-with-mdm.md': 'solutions/security/configure-elastic-defend/deploy-on-macos-with-mdm.md' + 'reference/security/elastic-defend/agent-tamper-protection.md': 'solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md' + 'reference/security/elastic-defend/endpoint-management-req.md': 'solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md' + 'reference/security/elastic-defend/configure-endpoint-integration-policy.md': 'solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md' + 'reference/security/elastic-defend/artifact-control.md': 'solutions/security/configure-elastic-defend/configure-updates-for-protection-artifacts.md' + 'reference/security/elastic-defend/endpoint-diagnostic-data.md': 'solutions/security/configure-elastic-defend/turn-off-diagnostic-data-for-elastic-defend.md' + 'reference/security/elastic-defend/self-healing-rollback.md': 'solutions/security/configure-elastic-defend/configure-self-healing-rollback-for-windows-endpoints.md' + 
'reference/security/elastic-defend/linux-file-monitoring.md': 'solutions/security/configure-elastic-defend/configure-linux-file-system-monitoring.md' + 'reference/security/elastic-defend/endpoint-data-volume.md': 'solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint.md' + 'reference/security/elastic-defend/create-defend-policy-api.md': 'solutions/security/configure-elastic-defend/create-an-elastic-defend-policy-using-api.md' + 'reference/security/elastic-defend/offline-endpoint.md': 'solutions/security/configure-elastic-defend/configure-offline-endpoints-air-gapped-environments.md' + 'reference/security/elastic-defend/uninstall-agent.md': 'solutions/security/configure-elastic-defend/uninstall-elastic-agent.md' \ No newline at end of file diff --git a/reference/ingestion-tools/fleet/agent-command-reference.md b/reference/ingestion-tools/fleet/agent-command-reference.md index d6cd2ed315..1f4f124cec 100644 --- a/reference/ingestion-tools/fleet/agent-command-reference.md +++ b/reference/ingestion-tools/fleet/agent-command-reference.md @@ -575,7 +575,7 @@ For more information about custom certificates, refer to [Configure SSL/TLS for `--base-path ` : Install {{agent}} in a location other than the [default](/reference/ingestion-tools/fleet/installation-layout.md). Specify the custom base path for the install. - The `--base-path` option is not currently supported with [{{elastic-defend}}](/reference/security/elastic-defend/install-endpoint.md). + The `--base-path` option is not currently supported with [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md). `--ca-sha256 ` diff --git a/reference/ingestion-tools/fleet/air-gapped.md b/reference/ingestion-tools/fleet/air-gapped.md index 06c10eb98a..521928c133 100644 --- a/reference/ingestion-tools/fleet/air-gapped.md +++ b/reference/ingestion-tools/fleet/air-gapped.md 
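Review bot: The last added line (`'reference/security/elastic-defend/uninstall-agent.md': 'solutions/security/configure-elastic-defend/uninstall-elastic-agent.md'`) still carries `\ No newline at end of file`, so the rewritten file keeps ending without a trailing newline; adding one satisfies the usual yamllint `new-line-at-end-of-file` check and avoids a spurious change on this line the next time a redirect is appended. Indentation is not recoverable in this rendering, so please confirm the new `'reference/security/elastic-defend/...'` keys are indented as siblings of the existing top-level redirect entries rather than one level deeper under the `anchors:` mapping shown as context, since a YAML parser accepts either nesting without complaint. The `redirects:` mapping begins before this hunk, so the surrounding entries are not visible here.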
@@ -15,7 +15,7 @@ The {{package-registry}} must therefore be accessible from {{kib}} via an HTTP P The {{artifact-registry}} must therefore be accessible from {{kib}} via an HTTP Proxy and/or self-hosted. ::::{tip} -See the {{elastic-sec}} Solution documentation for air-gapped [offline endpoints](/reference/security/elastic-defend/offline-endpoint.md). +See the {{elastic-sec}} Solution documentation for air-gapped [offline endpoints](/solutions/security/configure-elastic-defend/configure-offline-endpoints-air-gapped-environments.md). :::: diff --git a/reference/ingestion-tools/fleet/fleet-api-docs.md b/reference/ingestion-tools/fleet/fleet-api-docs.md index 373efcb1e1..4c94b6cc69 100644 --- a/reference/ingestion-tools/fleet/fleet-api-docs.md +++ b/reference/ingestion-tools/fleet/fleet-api-docs.md @@ -99,7 +99,7 @@ Example response: To create an integration policy (also known as a package policy) and add it to an existing agent policy, call `POST /api/fleet/package_policies`. ::::{tip} -You can use the {{fleet}} API to [Create and customize an {{elastic-defend}} policy](/reference/security/elastic-defend/create-defend-policy-api.md). +You can use the {{fleet}} API to [Create and customize an {{elastic-defend}} policy](/solutions/security/configure-elastic-defend/create-an-elastic-defend-policy-using-api.md). :::: diff --git a/reference/ingestion-tools/fleet/manage-elastic-agents-in-fleet.md b/reference/ingestion-tools/fleet/manage-elastic-agents-in-fleet.md index 9cae9976be..1a1fcb0b92 100644 --- a/reference/ingestion-tools/fleet/manage-elastic-agents-in-fleet.md +++ b/reference/ingestion-tools/fleet/manage-elastic-agents-in-fleet.md 
@@ -34,7 +34,7 @@ To use {{fleet}} go to **Management > {{fleet}}** in {{kib}}. The following tabl | [{{agent}}s](/reference/ingestion-tools/fleet/manage-agents.md) | Enroll, unenroll, upgrade, add tags, and view {{agent}} status and logs. | | [Policies](/reference/ingestion-tools/fleet/agent-policy.md) | Create and edit agent policies and add integrations to them. | | [{{fleet}} enrollment tokens](/reference/ingestion-tools/fleet/fleet-enrollment-tokens.md) | Create and revoke enrollment tokens. | -| [Uninstall tokens](/reference/security/elastic-defend/agent-tamper-protection.md) | ({{elastic-defend}} integration only) Access tokens to allow uninstalling {{agent}} from endpoints with Agent tamper protection enabled. | +| [Uninstall tokens](/solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md) | ({{elastic-defend}} integration only) Access tokens to allow uninstalling {{agent}} from endpoints with Agent tamper protection enabled. | | [Data streams](/reference/ingestion-tools/fleet/data-streams.md) | View data streams and navigate to dashboards to analyze your data. | diff --git a/reference/ingestion-tools/fleet/migrate-auditbeat-to-agent.md b/reference/ingestion-tools/fleet/migrate-auditbeat-to-agent.md index f5d16f9ff1..f1d0af92ca 100644 --- a/reference/ingestion-tools/fleet/migrate-auditbeat-to-agent.md +++ b/reference/ingestion-tools/fleet/migrate-auditbeat-to-agent.md 
@@ -23,18 +23,18 @@ The following table describes the integrations you can use instead of {{auditbea | --- | --- | --- | | [Auditd](asciidocalypse://docs/reference/auditbeat/auditbeat-module-auditd.md) module | [Auditd Manager](asciidocalypse://docs/reference/auditd_manager.md) integration | This integration is a direct replacement of the module. You can port rules andconfiguration to this integration. Starting in {{stack}} 8.4, you can also set the`immutable` flag in the audit configuration. | | [Auditd Logs](asciidocalypse://docs/reference/auditd.md) integration | Use this integration if you don’t need to manage rules. It only parses logs fromthe audit daemon `auditd`. Please note that the events created by this integrationare different than the ones created by[Auditd Manager](asciidocalypse://docs/reference/auditd_manager.md), since the latter merges allrelated messages in a single event while [Auditd Logs](asciidocalypse://docs/reference/auditd.md)creates one event per message. | -| [File Integrity](asciidocalypse://docs/reference/auditbeat/auditbeat-module-file_integrity.md) module | [File Integrity Monitoring](asciidocalypse://docs/reference/fim.md) integration | This integration is a direct replacement of the module. It reports real-timeevents, but cannot report who made the changes. If you need to track thisinformation, use [{{elastic-defend}}](/reference/security/elastic-defend/install-endpoint.md)instead. | +| [File Integrity](asciidocalypse://docs/reference/auditbeat/auditbeat-module-file_integrity.md) module | [File Integrity Monitoring](asciidocalypse://docs/reference/fim.md) integration | This integration is a direct replacement of the module. It reports real-timeevents, but cannot report who made the changes. If you need to track thisinformation, use [{{elastic-defend}}](/solutions/security/configure-elastic-defend/install-elastic-defend.md) instead. 
| | [System](asciidocalypse://docs/reference/auditbeat/auditbeat-module-system.md) module | It depends…​ | There is not a single integration that collects all this information. | | [System.host](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-host.md) dataset | [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Schedule collection of information like:

* [system_info](https://www.osquery.io/schema/5.1.0/#system_info) for hostname, unique ID, and architecture
* [os_version](https://www.osquery.io/schema/5.1.0/#os_version)
* [interface_addresses](https://www.osquery.io/schema/5.1.0/#interface_addresses) for IPs and MACs
| -| [System.login](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-login.md) dataset | [Endpoint](/reference/security/elastic-defend/install-endpoint.md) | Report login events. | +| [System.login](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-login.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Report login events. | | [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Use the [last](https://www.osquery.io/schema/5.1.0/#last) table for Linux and macOS. | | {{fleet}} [system](asciidocalypse://docs/reference/system.md) integration | Collect login events for Windows through the [Security event log](asciidocalypse://docs/reference/system.md#system-security). | | [System.package](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-package.md) dataset | [System Audit](asciidocalypse://docs/reference/system_audit.md) integration | This integration is a direct replacement of the System Package dataset. Starting in {{stack}} 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as:

* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)
* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)
* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)
| | [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Schedule collection of information like:

* [rpm_packages](https://www.osquery.io/schema/5.1.0/#rpm_packages)
* [deb_packages](https://www.osquery.io/schema/5.1.0/#deb_packages)
* [homebrew_packages](https://www.osquery.io/schema/5.1.0/#homebrew_packages)
* [apps](https://www.osquery.io/schema/5.1.0/#apps) (MacOS)
* [programs](https://www.osquery.io/schema/5.1.0/#programs) (Windows)
* [npm_packages](https://www.osquery.io/schema/5.1.0/#npm_packages)
* [atom_packages](https://www.osquery.io/schema/5.1.0/#atom_packages)
* [chocolatey_packages](https://www.osquery.io/schema/5.1.0/#chocolatey_packages)
* [portage_packages](https://www.osquery.io/schema/5.1.0/#portage_packages)
* [python_packages](https://www.osquery.io/schema/5.1.0/#python_packages)
| -| [System.process](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/reference/security/elastic-defend/install-endpoint.md) | Best replacement because out of the box it reports events forevery process in [ECS](asciidocalypse://docs/reference/index.md) format and has excellentintegration in [Kibana](/get-started/the-stack.md). | +| [System.process](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-process.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because out of the box it reports events forevery process in [ECS](asciidocalypse://docs/reference/index.md) format and has excellentintegration in [Kibana](/get-started/the-stack.md). | | [Custom Windows event log](asciidocalypse://docs/reference/winlog.md) and{{integrations-docs}}/windows#sysmonoperational[Sysmon] integrations | Provide process data. | | [Osquery](asciidocalypse://docs/reference/osquery.md) or[Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Collect data from the [process](https://www.osquery.io/schema/5.1.0/#process) table on some OSeswithout polling. | -| [System.socket](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/reference/security/elastic-defend/install-endpoint.md) | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). | +| [System.socket](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-socket.md) dataset | [Endpoint](/solutions/security/configure-elastic-defend/install-elastic-defend.md) | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. 
Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). | | [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Monitor socket events via the [socket_events](https://www.osquery.io/schema/5.1.0/#socket_events) tablefor Linux and MacOS. | | [System.user](asciidocalypse://docs/reference/auditbeat/auditbeat-dataset-system-user.md) dataset | [Osquery](asciidocalypse://docs/reference/osquery.md) or [Osquery Manager](asciidocalypse://docs/reference/osquery_manager.md) integration | Monitor local users via the [user](https://www.osquery.io/schema/5.1.0/#user) table for Linux, Windows, and MacOS. | diff --git a/reference/ingestion-tools/fleet/uninstall-elastic-agent.md b/reference/ingestion-tools/fleet/uninstall-elastic-agent.md index f147cb2411..4752f19a7a 100644 --- a/reference/ingestion-tools/fleet/uninstall-elastic-agent.md +++ b/reference/ingestion-tools/fleet/uninstall-elastic-agent.md @@ -64,7 +64,7 @@ If you run into problems, refer to [Troubleshoot common problems](/troubleshoot/ If you are using DEB or RPM, you can use the package manager to remove the installed package. ::::{note} -For hosts enrolled in the {{elastic-defend}} integration with Agent tamper protection enabled, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. Refer to the [Agent tamper protection docs](/reference/security/elastic-defend/agent-tamper-protection.md) for more information. +For hosts enrolled in the {{elastic-defend}} integration with Agent tamper protection enabled, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. For more information, refer to [](/solutions/security/configure-elastic-defend/prevent-elastic-agent-uninstallation.md). :::: 
diff --git a/reference/security/elastic-defend/agent-tamper-protection.md b/reference/security/elastic-defend/agent-tamper-protection.md
deleted file mode 100644
index 3d669607df..0000000000
--- a/reference/security/elastic-defend/agent-tamper-protection.md
+++ /dev/null
@@ -1,60 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/agent-tamper-protection.html ---- - -# Prevent Elastic Agent uninstallation [agent-tamper-protection] - -For hosts enrolled in {{elastic-defend}}, you can prevent unauthorized attempts to uninstall {{agent}} and {{elastic-endpoint}} by enabling **Agent tamper protection** on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling {{elastic-defend}}'s endpoint protections. - -When enabled, {{agent}} and {{elastic-endpoint}} can only be uninstalled on the host by including an uninstall token in the uninstall CLI command. One unique uninstall token is generated per Agent policy, and you can retrieve uninstall tokens in an Agent policy’s settings or in the {{fleet}} UI. - -::::{admonition} Requirements -* Agent tamper protection requires a [Platinum or higher subscription](https://www.elastic.co/pricing). -* Hosts must be enrolled in the {{elastic-defend}} integration. -* {{agent}}s must be version 8.11.0 or later. -* This feature is supported for all operating systems. - -:::: - - -:::{image} ../../../images/security-agent-tamper-protection.png -:alt: Agent tamper protection setting highlighted on Agent policy settings page -:class: screenshot -::: - - -## Enable Agent tamper protection [enable-agent-tamper-protection] - -You can enable Agent tamper protection by configuring the {{agent}} policy. - -1. Find **{{fleet}}** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search). -2. Select **Agent policies**, then select the Agent policy you want to configure. -3. Select the **Settings** tab on the policy details page. -4. In the **Agent tamper protection** section, turn on the **Prevent agent tampering** setting. 
- - This makes the **Get uninstall command** link available, which you can follow to get the uninstall token and CLI command if you need to [uninstall an Agent](/reference/security/elastic-defend/uninstall-agent.md) on this policy. - - ::::{tip} - You can also access an Agent policy’s uninstall tokens on the **Uninstall tokens** tab on the **{{fleet}}** page. Refer to [Access uninstall tokens](#fleet-uninstall-tokens) for more information. - :::: - -5. Select **Save changes**. - - -## Access uninstall tokens [fleet-uninstall-tokens] - -If you need the uninstall token to remove {{agent}} from an endpoint, you can find it in several ways: - -* **On the Agent policy** — Go to the Agent policy’s **Settings** tab, then click the **Get uninstall command** link. The **Uninstall agent** flyout opens, containing the full uninstall command with the token. -* **On the {{fleet}} page** — Select **Uninstall tokens** for a list of the uninstall tokens generated for your Agent policies. You can: - - * Click the **Show token** icon in the **Token** column to reveal a specific token. - * Click the **View uninstall command** icon in the **Actions** column to open the **Uninstall agent** flyout, containing the full uninstall command with the token. - - -::::{tip} -If you have many tamper-protected {{agent}} policies, you may want to [Provide multiple uninstall tokens](/reference/security/elastic-defend/uninstall-agent.md#multiple-uninstall-tokens) in a single command. -:::: - - diff --git a/reference/security/elastic-defend/artifact-control.md b/reference/security/elastic-defend/artifact-control.md deleted file mode 100644 index e1ea775116..0000000000 --- a/reference/security/elastic-defend/artifact-control.md +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/artifact-control.html ---- - -# Configure updates for protection artifacts [artifact-control] - -On the **Protection updates** tab of the {{elastic-defend}} integration policy, you can configure how {{elastic-defend}} receives updates from Elastic with the latest threat detections, global exceptions, malware models, rule packages, and other protection artifacts. By default, these artifacts are automatically updated regularly, ensuring your environment is up to date with the latest protections. - -You can disable automatic updates and freeze your protection artifacts to a specific date, allowing you to control when to receive and install the updates. For example, you might want to temporarily disable updates to ensure resource availability during a high-volume period, test updates in a controlled staging environment before rolling out to production, or roll back to a previous version of protections. - -Protection artifacts will expire after 18 months, and you’ll no longer be able to select them as a deployed version. If you’re already using a specific version when it expires, you’ll keep using it until you either select a later non-expired version or re-enable automatic updates. - -::::{warning} -It is strongly advised to keep automatic updates enabled to ensure the highest level of security for your environment. Proceed with caution if you decide to disable automatic updates. -:::: - - -To configure the protection artifacts version deployed in your environment: - -1. Find **Policies** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search). -2. Select an {{elastic-defend}} integration policy, then select the **Protection updates** tab. -3. Turn off the **Enable automatic updates** toggle. -4. Use the **Version to deploy** date picker to select the date of the protection artifacts you want to use in your environment. -5. 
(Optional) Enter a **Note** to explain the reason for selecting a particular version of protection artifacts. -6. Select **Save**. diff --git a/reference/security/elastic-defend/configure-endpoint-integration-policy.md b/reference/security/elastic-defend/configure-endpoint-integration-policy.md deleted file mode 100644 index 2abfab8376..0000000000 --- a/reference/security/elastic-defend/configure-endpoint-integration-policy.md +++ /dev/null 
@@ -1,244 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html ---- - -# Configure an integration policy for Elastic Defend [configure-endpoint-integration-policy] - -After the {{agent}} is installed with the {{elastic-defend}} integration, several protections features — including preventions against malware, ransomware, memory threats, and malicious behavior — are automatically enabled on protected hosts (some features require a Platinum or Enterprise license). If needed, you can update the integration policy to configure protection settings, event collection, antivirus settings, trusted applications, event filters, host isolation exceptions, and blocked applications to meet your organization’s security needs. - -You can also create multiple {{elastic-defend}} integration policies to maintain unique configuration profiles. To create an additional {{elastic-defend}} integration policy, find **Integrations** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search), then follow the steps for [adding the {{elastic-defend}} integration](/reference/security/elastic-defend/install-endpoint.md#add-security-integration). - -::::{admonition} Requirements -You must have the **{{elastic-defend}} Policy Management : All** [privilege](/reference/security/elastic-defend/endpoint-management-req.md) to configure an integration policy. - -:::: - - -::::{tip} -In addition to configuring an {{elastic-defend}} policy through the {{elastic-sec}} UI, you can create and customize an {{elastic-defend}} policy [through the API](/reference/security/elastic-defend/create-defend-policy-api.md). -:::: - - -To configure an integration policy: - -1. Find **Policies** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search). -2. Select the integration policy you want to configure. 
The integration policy configuration page appears. -3. On the **Policy settings** tab, review and configure the following settings as appropriate: - - * [Malware protection](#malware-protection) - * [Ransomware protection](#ransomware-protection) - * [Memory threat protection](#memory-protection) - * [Malicious behavior protection](#behavior-protection) - * [Attack surface reduction](#attack-surface-reduction) - * [Event collection](#event-collection) - * [Register {{elastic-sec}} as antivirus (optional)](#register-as-antivirus) - * [Advanced policy settings (optional)](#adv-policy-settings) - * [Save the general policy settings](#save-policy) - -4. Click the **Trusted applications**, **Event filters***, ***Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to [*Trusted applications*](/solutions/security/manage-elastic-defend/trusted-applications.md), [*Event filters*](/solutions/security/manage-elastic-defend/event-filters.md), [*Host isolation exceptions*](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md), and [*Blocklist*](/solutions/security/manage-elastic-defend/blocklist.md)). On these tabs, you can: - - * Expand and view an artifact — Click the arrow next to its name. - * View an artifact’s details — Click the actions menu (**…​**), then select **View full details**. - * Unassign an artifact (Platinum or Enterprise subscription) — Click the actions menu (**…​**), then select **Remove from policy**. This does not delete the artifact; this just unassigns it from the current policy. - * Assign an existing artifact (Platinum or Enterprise subscription) — Click **Assign *x* to policy**, then select an item from the flyout. This view lists any existing artifacts that aren’t already assigned to the current policy. - - ::::{note} - You can’t create a new endpoint policy artifact while configuring an integration policy. 
To create a new artifact, go to its main page in the {{security-app}} (for example, to create a new trusted application, find **Trusted applications** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search)). - :::: - -5. Click the **Protection updates** tab to configure how {{elastic-defend}} receives updates from Elastic with the latest threat detections, malware models, and other protection artifacts. Refer to [Configure updates for protection artifacts](/reference/security/elastic-defend/artifact-control.md) for more information. - - -## Malware protection [malware-protection] - -{{elastic-defend}} malware prevention detects and stops malicious attacks by using a [machine learning model](/solutions/security/detect-and-alert.md#machine-learning-model) that looks for static attributes to determine if a file is malicious or benign. - -By default, malware protection is enabled on Windows, macOS, and Linux hosts. To disable malware protection, turn off the **Malware protections** toggle. - -Malware protection levels are: - -* **Detect**: Detects malware on the host and generates an alert. The agent will **not** block malware. You must pay attention to and analyze any malware alerts that are generated. -* **Prevent** (Default): Detects malware on the host, blocks it from executing, and generates an alert. - -These additional options are available for malware protection: - -* **Blocklist**: Enable or disable the [blocklist](/solutions/security/manage-elastic-defend/blocklist.md) for all hosts associated with this {{elastic-defend}} policy. The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. 
-* **Scan files upon modification**: By default, {{elastic-defend}} scans files every time they’re modified, which can be resource-intensive on hosts where files are frequently modified, such as servers and developer machines. Turn off this option to only scan files when they’re executed. {{elastic-defend}} will continue to identify malware as it attempts to run, providing a robust level of protection while improving endpoint performance. - -Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. Notifications are enabled by default for the **Prevent** option. - -::::{tip} -Platinum and Enterprise customers can customize these notifications using the `Elastic Security {{action}} {(unknown)}` syntax. -:::: - - -:::{image} ../../../images/security-malware-protection.png -:alt: Detail of malware protection section. -:class: screenshot -::: - - -### Manage quarantined files [manage-quarantined-files] - -When **Prevent** is enabled for malware protection, {{elastic-defend}} will quarantine any malicious file it finds (this includes files defined in the [*Blocklist*](/solutions/security/manage-elastic-defend/blocklist.md)). Specifically {{elastic-defend}} will remove the file from its current location, encrypt it with the encryption key `ELASTIC`, move it to a different folder, and rename it as a GUID string, such as `318e70c2-af9b-4c3a-939d-11410b9a112c`. - -The quarantine folder location varies by operating system: - -* macOS: `/System/Volumes/Data/.equarantine` -* Linux: `.equarantine` at the root of the mount point of the file being quarantined -* Windows - {{elastic-defend}} versions 8.5 and later: `[DriveLetter:]\.equarantine`, unless the files are from the `C:` drive. These files are moved to `C:\Program Files\Elastic\Endpoint\state\.equarantine`. 
-* Windows - {{elastic-defend}} versions 8.4 and earlier: `[DriveLetter:]\.equarantine`, for any drive - -To restore a quarantined file to its original state and location, [add an exception](/solutions/security/detect-and-alert/add-manage-exceptions.md) to the rule that identified the file as malicious. If the exception would’ve stopped the rule from identifying the file as malicious, {{elastic-defend}} restores the file. - -You can access a quarantined file by using the `get-file` [response action command](/solutions/security/endpoint-response-actions.md#response-action-commands) in the response console. To do this, copy the path from the alert’s **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. This action doesn’t restore the file to its original location, so you will need to do this manually. - -::::{note} -Response actions and the response console UI are [Enterprise subscription](https://www.elastic.co/pricing) features. -:::: - - - -## Ransomware protection [ransomware-protection] - -Behavioral ransomware prevention detects and stops ransomware attacks on Windows systems by analyzing data from low-level system processes. It is effective across an array of widespread ransomware families — including those targeting the system’s master boot record. - -Ransomware protection is a paid feature and is enabled by default if you have a [Platinum or Enterprise license](https://www.elastic.co/pricing). If you upgrade to a Platinum or Enterprise license from Basic or Gold, ransomware protection will be disabled by default. - -Ransomware protection levels are: - -* **Detect**: Detects ransomware on the host and generates an alert. {{elastic-defend}} will **not** block ransomware. You must pay attention to and analyze any ransomware alerts that are generated. 
-* **Prevent** (Default): Detects ransomware on the host, blocks it from executing, and generates an alert. - -When ransomware protection is enabled, canary files placed in targeted locations on your hosts provide an early warning system for potential ransomware activity. When a canary file is modified, Elastic Defend immediately generates a ransomware alert. If **prevent** ransomware is active, {{elastic-defend}} terminates the process that modified the file. - -Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. Notifications are enabled by default for the **Prevent** option. - -::::{tip} -Platinum and Enterprise customers can customize these notifications using the `Elastic Security {{action}} {(unknown)}` syntax. -:::: - - -:::{image} ../../../images/security-ransomware-protection.png -:alt: Detail of ransomware protection section. -:class: screenshot -::: - - -## Memory threat protection [memory-protection] - -Memory threat protection detects and stops in-memory threats, such as shellcode injection, which are used to evade traditional file-based detection techniques. - -Memory threat protection is a paid feature and is enabled by default if you have a [Platinum or Enterprise license](https://www.elastic.co/pricing). If you upgrade to a Platinum or Enterprise license from Basic or Gold, memory threat protection will be disabled by default. - -Memory threat protection levels are: - -* **Detect**: Detects memory threat activity on the host and generates an alert. {{elastic-defend}} will **not** block the in-memory activity. You must pay attention to and analyze any alerts that are generated. -* **Prevent** (Default): Detects memory threat activity on the host, forces the process or thread to stop, and generates an alert. - -Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. 
Notifications are enabled by default for the **Prevent** option. - -::::{tip} -Platinum and Enterprise customers can customize these notifications using the `Elastic Security {{action}} {{rule}}` syntax. -:::: - - -:::{image} ../../../images/security-memory-protection.png -:alt: Detail of memory protection section. -:class: screenshot -::: - - -## Malicious behavior protection [behavior-protection] - -Malicious behavior protection detects and stops threats by monitoring the behavior of system processes for suspicious activity. Behavioral signals are much more difficult for adversaries to evade than traditional file-based detection techniques. - -Malicious behavior protection is a paid feature and is enabled by default if you have a [Platinum or Enterprise license](https://www.elastic.co/pricing). If you upgrade to a Platinum or Enterprise license from Basic or Gold, malicious behavior protection will be disabled by default. - -Malicious behavior protection levels are: - -* **Detect**: Detects malicious behavior on the host and generates an alert. {{elastic-defend}} will **not** block the malicious behavior. You must pay attention to and analyze any alerts that are generated. -* **Prevent** (Default): Detects malicious behavior on the host, forces the process to stop, and generates an alert. - -Select whether you want to use **Reputation service** for additional protection. Elastic’s reputation service leverages our extensive threat intelligence knowledge to make high confidence real-time prevention decisions. For example, reputation service can detect suspicious downloads of binaries with low or malicious reputation. Endpoints communicate with the reputation service directly at [https://cloud.security.elastic.co](https://cloud.security.elastic.co). - -::::{note} -Reputation service requires an active [Platinum or Enterprise subscription](https://www.elastic.co/pricing) and is available on cloud deployments only. 
-:::: - - -Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. Notifications are enabled by default for the **Prevent** option. - -::::{tip} -Platinum and Enterprise customers can customize these notifications using the `Elastic Security {{action}} {{rule}}` syntax. -:::: - - -:::{image} ../../../images/security-behavior-protection.png -:alt: Detail of behavior protection section. -:class: screenshot -::: - - -## Attack surface reduction [attack-surface-reduction] - -This section helps you reduce vulnerabilities that attackers can target on Windows endpoints. - -* **Credential hardening**: Prevents attackers from stealing credentials stored in Windows system process memory. Turn on the toggle to remove any overly permissive access rights that aren’t required for standard interaction with the Local Security Authority Subsystem Service (LSASS). This feature enforces the principle of least privilege without interfering with benign system activity that is related to LSASS. - -:::{image} ../../../images/security-attack-surface-reduction.png -:alt: Detail of attack surface reduction section. -:class: screenshot -::: - - -## Event collection [event-collection] - -In the **Settings** section, select which categories of events to collect on each operating system. Most categories are collected by default, as seen below. - -:::{image} ../../../images/security-event-collection.png -:alt: Detail of event collection section. -:class: screenshot -::: - - -## Register {{elastic-sec}} as antivirus (optional) [register-as-antivirus] - -You can register {{elastic-sec}} as your hosts' antivirus software by enabling **Register as antivirus**. - -::::{note} -Windows Server versions are not supported. Antivirus registration requires Windows Security Center, which is not included in Windows Server operating systems. 
-:::: - - -By default, the **Sync with malware protection level** is selected to automatically set antivirus registration to match how you’ve configured {{elastic-defend}}'s [malware protection](#malware-protection). If malware protection is turned on *and* set to **Prevent**, antivirus registration will also be enabled; in any other case, antivirus registration will be disabled. - -If you don’t want to sync antivirus registration, you can set it manually with **Enabled** or **Disabled**. - -:::{image} ../../../images/security-register-as-antivirus.png -:alt: Detail of Register as antivirus option. -:class: screenshot -::: - - -## Advanced policy settings (optional) [adv-policy-settings] - -Users with unique configuration and security requirements can select **Show advanced settings** while configuring an {{elastic-defend}} integration policy to support advanced use cases. Hover over each setting to view its description. - -::::{note} -Advanced settings are not recommended for most users. -:::: - - -This section includes: - -* [Turn off diagnostic data for {{elastic-defend}}](/reference/security/elastic-defend/endpoint-diagnostic-data.md) -* [Configure self-healing rollback for Windows endpoints](/reference/security/elastic-defend/self-healing-rollback.md) -* [Configure Linux file system monitoring](/reference/security/elastic-defend/linux-file-monitoring.md) -* [Configure data volume](/reference/security/elastic-defend/endpoint-data-volume.md) - - -## Save the general policy settings [save-policy] - -After you have configured the general settings on the **Policy settings** tab, click **Save**. A confirmation message appears. diff --git a/reference/security/elastic-defend/create-defend-policy-api.md b/reference/security/elastic-defend/create-defend-policy-api.md deleted file mode 100644 index 0891e71e42..0000000000 --- a/reference/security/elastic-defend/create-defend-policy-api.md +++ /dev/null 
@@ -1,817 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/security/current/create-defend-policy-api.html ---- - -# Create an {{elastic-defend}} policy using API [create-defend-policy-api] - -In addition to [configuring an {{elastic-defend}} policy](configure-endpoint-integration-policy.md) through the {{elastic-sec}} UI, you can create and customize an {{elastic-defend}} policy through the API. This is a three-step process involving the [{{fleet}} API](/reference/ingestion-tools/fleet/fleet-api-docs.md). You can repeat steps 2 and 3 to make more modifications to the {{elastic-defend}} policy. - -::::{admonition} Requirements -You must have the **{{elastic-defend}} Policy Management: All** [privilege](endpoint-management-req.md) to configure an integration policy. - -:::: - - - -## Step 1: Create an agent policy [create-agent-policy] - -Make the following API call to create a new agent policy where you will add your {{elastic-defend}} integration. Replace `` with your version of {{kib}}. - -```console -curl --user : --request POST \ - --url 'https://:5601/api/fleet/agent_policies' \ - -H 'Accept: */*' \ - -H 'Accept-Language: en-US,en;q=0.9' \ - -H 'Connection: keep-alive' \ - -H 'Content-Type: application/json' \ - -H 'Sec-Fetch-Dest: empty' \ - -H 'Sec-Fetch-Mode: cors' \ - -H 'Sec-Fetch-Site: same-origin' \ - -H 'kbn-version: ' \ <1> - -d \ -' -{ - "name": "My Policy Name", - "description": "", - "namespace": "default", - "inactivity_timeout": 1209600 -}' -``` - -1. `` to be replaced - - -Make a note of the `` you receive in the response. You will use this in step 2 to add {{elastic-defend}}. 
- -::::{dropdown} Click to display example response -```json -{ - "item": { - "id": "", <1> - "name": "My Policy Name", - "description": "", - "namespace": "default", - "inactivity_timeout": 1209600, - "is_protected": false, - "status": "active", - "is_managed": false, - "revision": 1, - "updated_at": "2023-07-24T18:35:00.233Z", - "updated_by": "elastic", - "schema_version": "1.1.1" - } -} -``` - -1. `` needed in step 2 - - -:::: - - - -## Step 2: Add the {{elastic-defend}} integration [add-defend-integration] - -Next, make the following call to add the {{elastic-defend}} integration to the policy that you created in step 1. - -Replace these values: - -1. `` with your version of {{kib}}. -2. `` with the agent policy ID you received in step 1. -3. `` with the latest {{elastic-defend}} package version (for example, `8.9.1`). To find it, navigate to **Integrations** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search), and select **{{elastic-defend}}**. - -This adds the {{elastic-defend}} integration to your agent policy with the default settings. - -```console -curl --user : --request POST \ - --url 'https://:5601/api/fleet/package_policies' \ - -H 'Accept: */*' \ - -H 'Accept-Language: en-US,en;q=0.9' \ - -H 'Connection: keep-alive' \ - -H 'Content-Type: application/json' \ - -H 'Sec-Fetch-Dest: empty' \ - -H 'Sec-Fetch-Mode: cors' \ - -H 'Sec-Fetch-Site: same-origin' \ - -H 'kbn-version: ' \ <1> - -d \ -' -{ - "name": "Protect", - "description": "", - "namespace": "default", - "policy_id": "", <2> - "enabled": true, - "inputs": [ - { - "enabled": true, - "streams": [], - "type": "ENDPOINT_INTEGRATION_CONFIG", - "config": { - "_config": { - "value": { - "type": "endpoint", - "endpointConfig": { - "preset": "EDRComplete" - } - } - } - } - } - ], - "package": { - "name": "endpoint", - "title": "Elastic Defend", - "version": "" <3> - } -}' -``` - -1. `` to be replaced -2. `` to be replaced -3. 
`` to be replaced - - -Make a note of the `` you receive in the response. This refers to the {{elastic-defend}} policy and you will use it in step 3. - -::::{dropdown} Click to display example response -```json -{ - "item": { - "id": "", <1> - "version": "WzMwOTcsMV0=", - "name": "Protect", - "namespace": "default", - "description": "", - "package": { - "name": "endpoint", - "title": "Elastic Defend", - "version": "8.5.0" - }, - "enabled": true, - "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a", - "inputs": [ - { - "type": "endpoint", - "enabled": true, - "streams": [], - "config": { - "integration_config": { - "value": { - "type": "endpoint", - "endpointConfig": { - "preset": "EDRComplete" - } - } - }, - "artifact_manifest": { - "value": { - "manifest_version": "1.0.2", - "schema_version": "v1", - "artifacts": { - "endpoint-exceptionlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-exceptionlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-exceptionlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": 
"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-trustlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-trustlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-trustlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-eventfilterlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": 
"/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-eventfilterlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-eventfilterlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-hostisolationexceptionlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-hostisolationexceptionlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": 
"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-hostisolationexceptionlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-blocklist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-blocklist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-blocklist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": 
"/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - } - } - } - }, - "policy": { - "value": { - "windows": { - "events": { - "dll_and_driver_load": true, - "dns": true, - "file": true, - "network": true, - "process": true, - "registry": true, - "security": true - }, - "malware": { - "mode": "prevent", - "blocklist": true - }, - "ransomware": { - "mode": "prevent", - "supported": true - }, - "memory_protection": { - "mode": "prevent", - "supported": true - }, - "behavior_protection": { - "mode": "prevent", - "supported": true - }, - "popup": { - "malware": { - "message": "", - "enabled": true - }, - "ransomware": { - "message": "", - "enabled": true - }, - "memory_protection": { - "message": "", - "enabled": true - }, - "behavior_protection": { - "message": "", - "enabled": true - } - }, - "logging": { - "file": "info" - }, - "antivirus_registration": { - "enabled": false - }, - "attack_surface_reduction": { - "credential_hardening": { - "enabled": true - } - } - }, - "mac": { - "events": { - "process": true, - "file": true, - "network": true - }, - "malware": { - "mode": "prevent", - "blocklist": true - }, - "behavior_protection": { - "mode": "prevent", - "supported": true - }, - "memory_protection": { - "mode": "prevent", - "supported": true - }, - "popup": { - "malware": { - "message": "", - "enabled": true - }, - "behavior_protection": { - "message": "", - "enabled": true - }, - "memory_protection": { - "message": "", - "enabled": true - } - }, - "logging": { - "file": "info" - } - }, - "linux": { - "events": { - "process": true, - "file": true, - "network": true, - "session_data": false, - "tty_io": false - }, - "malware": { - "mode": "prevent", - "blocklist": true - }, - "behavior_protection": { - "mode": "prevent", - "supported": true - }, - "memory_protection": { - "mode": "prevent", - "supported": true - }, - "popup": { - "malware": { - "message": "", - 
"enabled": true - }, - "behavior_protection": { - "message": "", - "enabled": true - }, - "memory_protection": { - "message": "", - "enabled": true - } - }, - "logging": { - "file": "info" - } - } - } - } - } - } - ], - "revision": 1, - "created_at": "2023-04-06T15:53:14.020Z", - "created_by": "elastic", - "updated_at": "2023-04-06T15:53:14.020Z", - "updated_by": "elastic" - } -} -``` - -1. `` needed in step 3 - - -:::: - - - -## Step 3: Customize and save the {{elastic-defend}} policy settings [customize-policy-settings] - -The response you received in step 2 represents the default configuration of your new {{elastic-defend}} integration. You’ll need to modify the default configuration, then make another API call to save your customized policy settings. - - -### Modify the configuration [modify-configuration] - -1. From the response you received in step 2, copy the content within the top level `item` object. -2. From that content, remove the following fields: - - ```json - "id": "", - "revision": 1, - "created_at": "2023-04-06T15:53:14.020Z", - "created_by": "elastic", - "updated_at": "2023-04-06T15:53:14.020Z", - "updated_by": "elastic" - ``` - -3. Make any changes to the `policy` object to customize the {{elastic-defend}} configuration. - - -### Save your customized policy settings [save-customized-policy] - -Include the resulting JSON object in the following call to save your customized {{elastic-defend}} policy. Replace these values: - -1. `` with the {{elastic-defend}} policy ID you received in step 2. -2. `` with your version of {{kib}}. -3. `` with the latest {{elastic-defend}} package version (for example, `8.9.1`). To find it, navigate to **Integrations** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search), and select **{{elastic-defend}}**. 
- -```console -curl --user : --request PUT \ - --url 'https://:5601/api/fleet/package_policies/' \ <1> - -H 'Accept: */*' \ - -H 'Accept-Language: en-US,en;q=0.9' \ - -H 'Connection: keep-alive' \ - -H 'Content-Type: application/json' \ - -H 'Sec-Fetch-Dest: empty' \ - -H 'Sec-Fetch-Mode: cors' \ - -H 'Sec-Fetch-Site: same-origin' \ - -H 'kbn-version: ' \ <2> - -d \ -' -{ - "version": "WzMwOTcsMV0=", - "name": "Protect", - "namespace": "default", - "description": "", - "package": { - "name": "endpoint", - "title": "Elastic Defend", - "version": "" <3> - }, - "enabled": true, - "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a", - "inputs": [ - { - "type": "endpoint", - "enabled": true, - "streams": [], - "config": { - "integration_config": { - "value": { - "type": "endpoint", - "endpointConfig": { - "preset": "EDRComplete" - } - } - }, - "artifact_manifest": { - "value": { - "manifest_version": "1.0.2", - "schema_version": "v1", - "artifacts": { - "endpoint-exceptionlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-exceptionlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-exceptionlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": 
"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-trustlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-trustlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-trustlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-eventfilterlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": 
"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-eventfilterlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-eventfilterlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-hostisolationexceptionlist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-hostisolationexceptionlist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": 
"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-hostisolationexceptionlist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-blocklist-macos-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-blocklist-windows-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, - "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - }, - "endpoint-blocklist-linux-v1": { - "encryption_algorithm": "none", - "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "decoded_size": 14, - "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", - "encoded_size": 22, 
- "relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", - "compression_algorithm": "zlib" - } - } - } - }, - "policy": { - "value": { - "windows": { - "events": { - "dll_and_driver_load": true, - "dns": true, - "file": true, - "network": true, - "process": true, - "registry": true, - "security": true - }, - "malware": { - "mode": "prevent", - "blocklist": true - }, - "ransomware": { - "mode": "prevent", - "supported": true - }, - "memory_protection": { - "mode": "prevent", - "supported": true - }, - "behavior_protection": { - "mode": "prevent", - "supported": true - }, - "popup": { - "malware": { - "message": "", - "enabled": true - }, - "ransomware": { - "message": "", - "enabled": true - }, - "memory_protection": { - "message": "", - "enabled": true - }, - "behavior_protection": { - "message": "", - "enabled": true - } - }, - "logging": { - "file": "info" - }, - "antivirus_registration": { - "enabled": false - }, - "attack_surface_reduction": { - "credential_hardening": { - "enabled": true - } - } - }, - "mac": { - "events": { - "process": true, - "file": true, - "network": true - }, - "malware": { - "mode": "prevent", - "blocklist": true - }, - "behavior_protection": { - "mode": "prevent", - "supported": true - }, - "memory_protection": { - "mode": "prevent", - "supported": true - }, - "popup": { - "malware": { - "message": "", - "enabled": true - }, - "behavior_protection": { - "message": "", - "enabled": true - }, - "memory_protection": { - "message": "", - "enabled": true - } - }, - "logging": { - "file": "info" - } - }, - "linux": { - "events": { - "process": true, - "file": true, - "network": true, - "session_data": false, - "tty_io": false - }, - "malware": { - "mode": "prevent", - "blocklist": true - }, - "behavior_protection": { - "mode": "prevent", - "supported": true - }, - "memory_protection": { - "mode": "prevent", - "supported": true - }, - "popup": { - "malware": { - 
"message": "", - "enabled": true - }, - "behavior_protection": { - "message": "", - "enabled": true - }, - "memory_protection": { - "message": "", - "enabled": true - } - }, - "logging": { - "file": "info" - } - } - } - } - } - } - ] -}' -``` - -1. `` to be replaced -2. `` to be replaced -3. `` to be replaced diff --git a/reference/security/elastic-defend/deploy-elastic-endpoint-ven.md b/reference/security/elastic-defend/deploy-elastic-endpoint-ven.md deleted file mode 100644 index 5e0e9d340e..0000000000 --- a/reference/security/elastic-defend/deploy-elastic-endpoint-ven.md +++ /dev/null 
@@ -1,125 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/deploy-elastic-endpoint-ven.html
----
-
-# Enable access for macOS Ventura and higher [deploy-elastic-endpoint-ven]
-
-To properly install and configure {{elastic-defend}} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional:
-
-* [Approve the system extension](#system-extension-endpoint-ven)
-* [Approve network content filtering](#allow-filter-content-ven)
-* [Enable Full Disk Access](#enable-fda-endpoint-ven)
-
-::::{note}
-The following permissions that need to be enabled are required after you [configure and install the {{elastic-defend}} integration](/reference/security/elastic-defend/install-endpoint.md), which includes [enrolling the {{agent}}](/reference/security/elastic-defend/install-endpoint.md#enroll-security-agent).
-::::
-
-
-
-## Approve the system extension for {{elastic-endpoint}} [system-extension-endpoint-ven]
-
-For macOS Ventura (13.0) and later, {{elastic-endpoint}} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.
-
-The following message appears during installation:
-
-:::{image} ../../../images/security-system_extension_blocked_warning_ven.png
-:alt: system extension blocked warning ven
-:class: screenshot
-:::
-
-1. Click **Open System Settings**.
-2. In the left pane, click **Privacy & Security**.
-
- :::{image} ../../../images/security-privacy_security_ven.png
- :alt: privacy security ven
- :class: screenshot
- :::
-
-3. On the right pane, scroll down to the Security section. Click **Allow** to allow the ElasticEndpoint system extension to load.
-
- :::{image} ../../../images/security-allow_system_extension_ven.png
- :alt: allow system extension ven
- :class: screenshot
- :::
-
-4. Enter your username and password and click **Modify Settings** to save your changes.
-
- :::{image} ../../../images/security-enter_login_details_to_confirm_ven.png
- :alt: enter login details to confirm ven
- :class: screenshot
- :::
-
-
-
-## Approve network content filtering for {{elastic-endpoint}} [allow-filter-content-ven]
-
-After successfully loading the ElasticEndpoint system extension, an additional message appears, asking to allow {{elastic-endpoint}} to filter network content.
-
-:::{image} ../../../images/security-allow_network_filter_ven.png
-:alt: allow network filter ven
-:class: screenshot
-:::
-
-Click **Allow** to enable content filtering for the ElasticEndpoint system extension. Without this approval, {{elastic-endpoint}} cannot receive network events and, therefore, cannot enable network-related features such as [host isolation](/solutions/security/endpoint-response-actions/isolate-host.md).
-
-
-## Enable Full Disk Access for {{elastic-endpoint}} [enable-fda-endpoint-ven]
-
-{{elastic-endpoint}} requires Full Disk Access to subscribe to system events via the {{elastic-defend}} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data.
-
-If you have not granted Full Disk Access, the following notification prompt will appear.
-
-:::{image} ../../../images/security-allow_full_disk_access_notification_ven.png
-:alt: allow full disk access notification ven
-:class: screenshot
-:::
-
-To enable Full Disk Access, you must manually approve {{elastic-endpoint}}.
-
-::::{note}
-The following instructions apply only to {{elastic-endpoint}} version 8.0.0 and later. 
To see Full Disk Access requirements for the Endgame sensor, refer to Endgame’s documentation.
-::::
-
-
-1. Open the **System Settings** application.
-2. In the left pane, select **Privacy & Security**.
-
- :::{image} ../../../images/security-privacy_security_ven.png
- :alt: privacy security ven
- :class: screenshot
- :::
-
-3. From the right pane, select **Full Disk Access**.
-
- :::{image} ../../../images/security-select_fda_ven.png
- :alt: Select Full Disk Access
- :class: screenshot
- :::
-
-4. Enable `ElasticEndpoint` and `co.elastic` to properly enable Full Disk Access.
-
- :::{image} ../../../images/security-allow_fda_ven.png
- :alt: allow fda ven
- :class: screenshot
- :::
-
-
-If the endpoint is running {{elastic-endpoint}} version 7.17.0 or earlier:
-
-1. Click the **+** button to view **Finder**.
-2. The system may prompt you to enter your username and password if you haven’t already.
-
- :::{image} ../../../images/security-enter_login_details_to_confirm_ven.png
- :alt: enter login details to confirm ven
- :class: screenshot
- :::
-
-3. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file.
-4. Click **Open**.
-5. In the **Privacy** tab, confirm that `ElasticEndpoint` and `co.elastic.systemextension` are selected to properly enable Full Disk Access.
-
- :::{image} ../../../images/security-verify_fed_granted_ven.png
- :alt: Select Full Disk Access
- :class: screenshot
- :::
diff --git a/reference/security/elastic-defend/deploy-elastic-endpoint.md b/reference/security/elastic-defend/deploy-elastic-endpoint.md
deleted file mode 100644
index b6e56ab36d..0000000000
--- a/reference/security/elastic-defend/deploy-elastic-endpoint.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/deploy-elastic-endpoint.html
----
-
-# Enable access for macOS Monterey [deploy-elastic-endpoint]
-
-To properly install and configure {{elastic-defend}} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional:
-
-* [Approve the system extension](#system-extension-endpoint)
-* [Approve network content filtering](#allow-filter-content)
-* [Enable Full Disk Access](#enable-fda-endpoint)
-
-::::{note}
-The following permissions that need to be enabled are required after you [configure and install the {{elastic-defend}} integration](/reference/security/elastic-defend/install-endpoint.md), which includes [enrolling the {{agent}}](/reference/security/elastic-defend/install-endpoint.md#enroll-security-agent).
-::::
-
-
-
-## Approve the system extension for {{elastic-endpoint}} [system-extension-endpoint]
-
-For macOS Monterey (12.x), {{elastic-endpoint}} will attempt to load a system extension during installation. This system extension must be loaded in order to provide insight into system events such as process events, file system events, and network events.
-
-The following message appears during installation:
-
-:::{image} ../../../images/security-system-ext-blocked.png
-:alt: system ext blocked
-:::
-
-1. Click **Open Security Preferences**.
-2. In the lower-left corner of the **Security & Privacy** pane, click the **Lock button**, then enter your credentials to authenticate.
-
- :::{image} ../../../images/security-lock-button.png
- :alt: lock button
- :::
-
-3. Click **Allow** to allow the {{elastic-endpoint}} system extension to load.
-
- :::{image} ../../../images/security-allow-system-ext.png
- :alt: allow system ext
- :::
-
-
- #### Approve network content filtering for {{elastic-endpoint}} [allow-filter-content]
-
- After successfully loading the {{elastic-endpoint}} system extension, an additional message appears, asking to allow {{elastic-endpoint}} to filter network content.
-
- :::{image} ../../../images/security-filter-network-content.png
- :alt: filter network content
- :::
-
-
-* Click **Allow** to enable content filtering for the {{elastic-endpoint}} system extension. Without this approval, {{elastic-endpoint}} cannot receive network events and, therefore, cannot enable network-related features such as [host isolation](/solutions/security/endpoint-response-actions/isolate-host.md).
-
-
-## Enable Full Disk Access for {{elastic-endpoint}} [enable-fda-endpoint]
-
-{{elastic-endpoint}} requires Full Disk Access to subscribe to system events via the {{elastic-defend}} framework and to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS Catalina (10.15) and later, you must manually approve {{elastic-endpoint}}.
-
-::::{note}
-The following instructions apply only to {{elastic-endpoint}} running version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame’s documentation.
-::::
-
-
-1. Open the **System Preferences** application.
-2. Select **Security and Privacy**.
-
- :::{image} ../../../images/security-sec-privacy-pane.png
- :alt: sec privacy pane
- :class: screenshot
- :::
-
-3. On the **Security and Privacy** pane, select the **Privacy** tab.
-4. From the left pane, select **Full Disk Access**.
-
- :::{image} ../../../images/security-select-fda.png
- :alt: Select Full Disk Access
- :class: screenshot
- :::
-
-5. In the lower-left corner of the pane, click the **Lock button**, then enter your credentials to authenticate.
-6. 
In the **Privacy** tab, confirm that `ElasticEndpoint` AND `co.elastic.systemextension` are selected to properly enable Full Disk Access.
-
- :::{image} ../../../images/security-select-endpoint-ext.png
- :alt: role+"screenshot"
- :::
-
-
-If the endpoint is running {{elastic-endpoint}} version 7.17.0 or earlier:
-
-1. In the lower-left corner of the pane, click the **Lock button**, then enter your credentials to authenticate.
-2. Click the **+** button to view **Finder**.
-3. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file.
-4. Click **Open**.
-5. In the **Privacy** tab, confirm that `elastic-endpoint` AND `co.elastic.systemextension` are selected to properly enable Full Disk Access.
-
-:::{image} ../../../images/security-fda-7-16.png
-:alt: fda 7 16
-:::
-
diff --git a/reference/security/elastic-defend/deploy-with-mdm.md b/reference/security/elastic-defend/deploy-with-mdm.md
deleted file mode 100644
index 0c423b2bf4..0000000000
--- a/reference/security/elastic-defend/deploy-with-mdm.md
+++ /dev/null
@@ -1,144 +0,0 @@
----
-navigation_title: "Deploy on macOS with MDM"
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/deploy-with-mdm.html
----
-
-# Deploy {{elastic-defend}} on macOS with mobile device management [deploy-with-mdm]
-
-
-To silently install and deploy {{elastic-defend}}, you need to configure a mobile device management (MDM) profile for {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention. This allows you to pre-approve the {{elastic-endpoint}} system extension and grant Full Disk Access to all the necessary components.
-
-This page explains how to deploy {{elastic-defend}} silently using Jamf.
-
-
-## Configure a Jamf MDM profile [configure-jamf-profile]
-
-In Jamf, create a configuration profile for {{elastic-endpoint}}. Follow these steps to configure the profile:
-
-1. [Approve the system extension.](#system-extension-jamf)
-2. [Approve network content filtering.](#content-filtering-jamf)
-3. [Enable notifications.](#notifications-jamf)
-4. [Enable Full Disk Access.](#fda-jamf)
-
-
-### Approve the system extension [system-extension-jamf]
-
-1. Select the **System Extensions** option to configure the system extension policy for the {{elastic-endpoint}} configuration profile.
-2. Make sure that **Allow users to approve system extensions** is selected.
-3. In the **Allowed Team IDs and System Extensions** section, add the {{elastic-endpoint}} system extension:
-
- 1. (Optional) Enter a **Display Name** for the {{elastic-endpoint}} system extension.
- 2. From the **System Extension Types** dropdown, select **Allowed System Extensions**.
- 3. Under **Team Identifier**, enter `2BT3HPN62Z`.
- 4. Under **Allowed System Extensions**, enter `co.elastic.systemextension`.
-
-4. Save the configuration.
-
-:::{image} ../../../images/security-system-extension-jamf.png
-:alt: system extension jamf
-:class: screenshot
-:::
-
-
-### Approve network content filtering [content-filtering-jamf]
-
-1. Select the **Content Filter** option to configure the Network Extension policy for the {{elastic-endpoint}} configuration profile.
-2. Under **Filter Name**, enter `ElasticEndpoint`.
-3. Under **Identifier**, enter `co.elastic.endpoint`.
-4. In the **Socket Filter** section, fill in these fields:
-
- 1. **Socket Filter Bundle Identifier**: Enter `co.elastic.systemextension`
- 2. **Socket Filter Designated Requirement**: Enter the following:
-
- ```shell
- identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
- ```
-
-5. In the **Network Filter** section, fill in these fields:
-
- 1. **Network Filter Bundle Identifier**: Enter `co.elastic.systemextension`
- 2. **Network Filter Designated Requirement**: Enter the following:
-
- ```shell
- identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
- ```
-
-6. Save the configuration.
-
-:::{image} ../../../images/security-content-filtering-jamf.png
-:alt: content filtering jamf
-:class: screenshot
-:::
-
-
-### Enable notifications [notifications-jamf]
-
-1. Select the **Notifications** option to configure the Notification Center policy for the {{elastic-endpoint}} configuration profile.
-2. Under **App Name**, enter `Elastic Security.app`.
-3. Under **Bundle ID**, enter `co.elastic.alert`.
-4. In the **Settings** section, include these options with the following settings:
-
- 1. **Critical Alerts**: Enable
- 2. **Notifications**: Enable
- 3. 
**Banner alert type**: Persistent
- 4. **Notifications on Lock Screen**: Display
- 5. **Notifications in Notification Center**: Display
- 6. **Badge app icon**: Display
- 7. **Play sound for notifications**: Enable
-
-5. Save the configuration.
-
-:::{image} ../../../images/security-notifications-jamf.png
-:alt: notifications jamf
-:class: screenshot
-:::
-
-
-### Enable Full Disk Access [fda-jamf]
-
-1. Select the **Privacy Preferences Policy Control** option to configure the Full Disk Access policy for the {{elastic-endpoint}} configuration profile.
-2. Add a new entry with the following details:
-
- 1. Under **Identifier**, enter `co.elastic.systemextension`.
- 2. From the **Identifier Type** dropdown, select **Bundle ID**.
- 3. Under **Code Requirement**, enter the following:
-
- ```shell
- identifier "co.elastic.systemextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
- ```
-
- 4. Make sure that **Validate the Static Code Requirement** is selected.
-
-3. Add a second entry with the following details:
-
- 1. Under **Identifier**, enter `co.elastic.endpoint`.
- 2. From the **Identifier Type** dropdown, select **Bundle ID**.
- 3. Under **Code Requirement**, enter the following:
-
- ```shell
- identifier "co.elastic.endpoint" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
- ```
-
- 4. Make sure that **Validate the Static Code Requirement** is selected.
-
-4. Add a third entry with the following details:
-
- 1. Under **Identifier**, enter `co.elastic.elastic-agent`.
- 2. From the **Identifier Type** dropdown, select **Bundle ID**.
- 3. 
Under **Code Requirement**, enter the following:
-
- ```shell
- identifier "co.elastic.elastic-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BT3HPN62Z"
- ```
-
- 4. Make sure that **Validate the Static Code Requirement** is selected.
-
-5. Save the configuration.
-
-:::{image} ../../../images/security-fda-jamf.png
-:alt: fda jamf
-:class: screenshot
-:::
-
-After you complete these steps, generate the mobile configuration profile and install it onto the macOS machines. Once the profile is installed, {{elastic-defend}} can be deployed without the need for user interaction.
diff --git a/reference/security/elastic-defend/elastic-endpoint-deploy-reqs.md b/reference/security/elastic-defend/elastic-endpoint-deploy-reqs.md
deleted file mode 100644
index 6532969433..0000000000
--- a/reference/security/elastic-defend/elastic-endpoint-deploy-reqs.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/elastic-endpoint-deploy-reqs.html
----
-
-# Elastic Defend requirements [elastic-endpoint-deploy-reqs]
-
-To properly deploy {{elastic-defend}} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the host before {{elastic-endpoint}}—the installed component that performs {{elastic-defend}}'s threat monitoring and prevention—is fully functional. For more information, refer to the instructions for your macOS version:
-
-* [Enable access for macOS Monterey](/reference/security/elastic-defend/deploy-elastic-endpoint.md)
-* [Enable access for macOS Ventura and higher](/reference/security/elastic-defend/deploy-elastic-endpoint-ven.md)
-
-
-## Minimum system requirements [_minimum_system_requirements]
-
-| Requirement | Value |
-| --- | --- |
-| **CPU** | Under 2% |
-| **Disk space** | 1 GB |
-| **Resident set size (RSS) memory** | 500 MB |
diff --git a/reference/security/elastic-defend/endpoint-data-volume.md b/reference/security/elastic-defend/endpoint-data-volume.md
deleted file mode 100644
index 5d11d52ea9..0000000000
--- a/reference/security/elastic-defend/endpoint-data-volume.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-navigation_title: "Configure data volume"
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/endpoint-data-volume.html
----
-
-# Configure data volume for {{elastic-endpoint}} [endpoint-data-volume]
-
-
-{{elastic-endpoint}}, the installed component that performs {{elastic-defend}}'s threat monitoring and prevention, is optimized to reduce data volume and CPU usage. You can disable or modify some of these optimizations by reconfiguring the following [advanced settings](/reference/security/elastic-defend/configure-endpoint-integration-policy.md#adv-policy-settings) in the {{elastic-defend}} integration policy.
-
-::::{important}
-Modifying these advanced settings from their defaults will increase the volume of data that {{elastic-endpoint}} processes and ingests, and increase {{elastic-endpoint}}'s CPU usage. Make sure you’re aware of how these changes will affect your storage capabilities and performance.
-::::
-
-
-Each setting has several OS-specific variants, represented by `[linux|mac|windows]` in the names listed below. Use the variant relevant to your hosts' operating system (for example, `windows.advanced.events.deduplicate_network_events` to configure network event deduplication for Windows hosts).
-
-
-## Network event deduplication [network-event-deduplication]
-
-[8.15] When repeated network connections are detected from the same process, {{elastic-endpoint}} will not produce network events for subsequent connections. To disable or reduce deduplication of network events, use these advanced settings:
-
-`[linux|mac|windows].advanced.events.deduplicate_network_events`
-: Enter `false` to completely disable network event deduplication. Default: `true`
-
-`[linux|mac|windows].advanced.events.deduplicate_network_events_below_bytes`
-: Enter a transfer size threshold (in bytes) for events you want to deduplicate. Connections below the threshold are deduplicated, and connections above it are not deduplicated. 
This allows you to suppress repeated connections for smaller data transfers but always generate events for larger transfers. Default: `1048576` (1MB)
-
-
-## Data in `host.*` fields [host-fields]
-
-[8.18] {{elastic-endpoint}} includes only a small subset of the data in the `host.*` fieldset in event documents. Full `host.*` information is still included in documents written to the `metrics-*` index pattern and in {{elastic-endpoint}} alerts. To override this behavior and include all `host.*` data for events, use this advanced setting:
-
-`[linux|mac|windows].advanced.set_extended_host_information`
-: Enter `true` to include all `host.*` event data. Default: `false`
-
-::::{note}
-Users should take note of how a lack of some `host.*` information may affect their [event filters](/solutions/security/manage-elastic-defend/event-filters.md) or [Endpoint alert exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions).
-::::
-
-
-
-## Merged process and network events [merged-process-network]
-
-[8.18] {{elastic-endpoint}} merges process `create`/`terminate` events (Windows) and `fork`/`exec`/`end` events (macOS/Linux) when possible. This means short-lived processes only generate a single event containing the details from when the process terminated. {{elastic-endpoint}} also merges network `connection/termination` events (Windows/macOS/Linux) when possible for short-lived connections. To disable this behavior, use these advanced settings:
-
-`[linux|mac|windows].advanced.events.aggregate_process`
-: Enter `false` to disable merging of process events. Default: `true`
-
-`[linux|mac|windows].advanced.events.aggregate_network`
-: Enter `false` to disable merging of network events. Default: `true`
-
-::::{note}
-Merged events can affect the results of [event filters](/solutions/security/manage-elastic-defend/event-filters.md). 
Notably, for merged events, `event.action` is an array containing all actions merged into the single event, such as `event.action=[fork, exec, end]`. In that example, if your event filter omits all fork events (`event.action : fork`), it will also filter out all merged events that include a `fork` action. To prevent such issues, you’ll need to modify your event filters accordingly, or set the `[linux|mac|windows].advanced.events.aggregate_process` and `[linux|mac|windows].advanced.events.aggregate_network` advanced settings to `false` to prevent {{elastic-endpoint}} from merging events.
-::::
-
-
-
-## MD5 and SHA-1 hashes [md5-sha1-hashes]
-
-[8.18] {{elastic-endpoint}} does not report MD5 and SHA-1 hashes in event data by default. These will still be reported if any [trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md), [blocklist entries](/solutions/security/manage-elastic-defend/blocklist.md), [event filters](/solutions/security/manage-elastic-defend/event-filters.md), or [Endpoint exceptions](/solutions/security/detect-and-alert/add-manage-exceptions.md#endpoint-rule-exceptions) require them. To include these hashes in all event data, use these advanced settings:
-
-`[linux|mac|windows].advanced.events.hash.md5`
-: Enter `true` to compute and include MD5 hashes for processes and libraries in events. Default: `false`
-
-`[linux|mac|windows].advanced.events.hash.sha1`
-: Enter `true` to compute and include SHA-1 hashes for processes and libraries in events. Default: `false`
-
-`[linux|mac|windows].advanced.alerts.hash.md5`
-: Enter `true` to compute and include MD5 hashes for processes and libraries in alerts. Default: `false`
-
-`[linux|mac|windows].advanced.alerts.hash.sha1`
-: Enter `true` to compute and include SHA-1 hashes for processes and libraries in alerts. Default: `false`
-
diff --git a/reference/security/elastic-defend/endpoint-diagnostic-data.md b/reference/security/elastic-defend/endpoint-diagnostic-data.md
deleted file mode 100644
index d6f96a8169..0000000000
--- a/reference/security/elastic-defend/endpoint-diagnostic-data.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/endpoint-diagnostic-data.html
----
-
-# Turn off diagnostic data for Elastic Defend [endpoint-diagnostic-data]
-
-By default, {{elastic-defend}} streams diagnostic data to your cluster, which Elastic uses to tune protection features. You can stop producing this diagnostic data by configuring the advanced settings in the {{elastic-defend}} integration policy.
-
-::::{note}
-{{kib}} also collects usage telemetry, which includes {{elastic-defend}} diagnostic data. You can modify telemetry preferences in [Advanced Settings](asciidocalypse://docs/reference/configuration-reference/telemetry-settings.md).
-::::
-
-
-1. To view the Endpoints list, find **Endpoints** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search).
-2. Locate the endpoint for which you want to disable diagnostic data, then click the integration policy in the **Policy** column.
-3. Scroll down to the bottom of the policy and click **Show advanced settings**.
-4. Enter `false` for these settings:
-
- * `windows.advanced.diagnostic.enabled`
- * `linux.advanced.diagnostic.enabled`
- * `mac.advanced.diagnostic.enabled`
-
-5. Click **Save**.
diff --git a/reference/security/elastic-defend/endpoint-management-req.md b/reference/security/elastic-defend/endpoint-management-req.md
deleted file mode 100644
index a89736e1fe..0000000000
--- a/reference/security/elastic-defend/endpoint-management-req.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/endpoint-management-req.html
----
-
-# Elastic Defend feature privileges [endpoint-management-req]
-
-You can create user roles and define privileges to manage feature access in {{elastic-sec}}. This allows you to use the principle of least privilege while managing access to {{elastic-defend}}'s features.
-
-To configure roles and privileges, find **Roles** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search). For more details on using this UI, refer to [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#adding_kibana_privileges).
-
-::::{note}
-{{elastic-defend}}'s feature privileges must be assigned to **All Spaces**. You can’t assign them to an individual space.
-::::
-
-
-To grant access, select **All** for the **Security** feature in the **Assign role to space** configuration UI, then turn on the **Customize sub-feature privileges** switch.
-
-::::{important}
-Selecting **All** for the overall **Security** feature does NOT enable any sub-features. You must also enable the **Customize sub-feature privileges** switch, and then enable each sub-feature privilege individually.
-::::
-
-
-For each of the following sub-feature privileges, select the type of access you want to allow:
-
-* **All**: Users have full access to the feature, which includes performing all available actions and managing configuration.
-* **Read**: Users can view the feature, but can’t perform any actions or manage configuration (some features don’t have this privilege).
-* **None**: Users can’t access or view the feature.
-
-| | |
-| --- | --- |
-| **Endpoint List** | Access the [Endpoints](/solutions/security/manage-elastic-defend/endpoints.md) page, which lists all hosts running {{elastic-defend}}, and associated integration details. 
 |
-| **Trusted Applications** | Access the [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md) page to remediate conflicts with other software, such as antivirus or endpoint security applications. |
-| **Host Isolation Exceptions** | Access the [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md) page to add specific IP addresses that isolated hosts can still communicate with. |
-| **Blocklist** | Access the [Blocklist](/solutions/security/manage-elastic-defend/blocklist.md) page to prevent specified applications from running on hosts, extending the list of processes that {{elastic-defend}} considers malicious. |
-| **Event Filters** | Access the [Event Filters](/solutions/security/manage-elastic-defend/event-filters.md) page to filter out endpoint events that you don’t want stored in {{es}}. |
-| **{{elastic-defend}} Policy Management** | Access the [Policies](/solutions/security/manage-elastic-defend/policies.md) page and {{elastic-defend}} integration policies to configure protections, event collection, and advanced policy features. |
-| **Response Actions History** | Access the [response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md) for endpoints. |
-| **Host Isolation** | Allow users to [isolate and release hosts](/solutions/security/endpoint-response-actions/isolate-host.md). |
-| **Process Operations** | Perform host process-related [response actions](/solutions/security/endpoint-response-actions.md), including `processes`, `kill-process`, and `suspend-process`. |
-| **File Operations** | Perform file-related [response actions](/solutions/security/endpoint-response-actions.md) in the response console. |
-| **Execute Operations** | Perform shell commands and script-related [response actions](/solutions/security/endpoint-response-actions.md) in the response console.

::::{warning}
The commands are run on the host using the same user account running the {{elastic-defend}} integration, which normally has full control over the system. Only grant this feature privilege to {{elastic-sec}} users who require this level of access.
::::

 |
-| **Scan Operations** | Perform folder scan [response actions](/solutions/security/endpoint-response-actions.md) in the response console. |
-
-
-## Upgrade considerations [_upgrade_considerations]
-
-After upgrading from {{elastic-sec}} 8.6 or earlier, existing user roles will be assigned **None** by default for any new endpoint management feature privileges, and you’ll need to explicitly assign them. However, many features previously required the built-in `superuser` role, and users who previously had this role will still have it after upgrading.
-
-You’ll probably want to replace the broadly permissive `superuser` role with more focused feature-based privileges to ensure that users have access to only the specific features that they need. Refer to [{{kib}} role management](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md) for more details on assigning roles and privileges.
diff --git a/reference/security/elastic-defend/index.md b/reference/security/elastic-defend/index.md
deleted file mode 100644
index f317bcbebc..0000000000
--- a/reference/security/elastic-defend/index.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/endpoint-protection-intro.html
----
-
-# Elastic Defend [endpoint-protection-intro]
-
-This section contains information on installing and configuring {{elastic-defend}} for endpoint protection.
diff --git a/reference/security/elastic-defend/install-endpoint.md b/reference/security/elastic-defend/install-endpoint.md
deleted file mode 100644
index e80af36890..0000000000
--- a/reference/security/elastic-defend/install-endpoint.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-navigation_title: "Install {{elastic-defend}}"
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/install-endpoint.html
----
-
-# Install the {{elastic-defend}} integration [install-endpoint]
-
-
-Like other Elastic integrations, {{elastic-defend}} is integrated into the {{agent}} using [{{fleet}}](/reference/ingestion-tools/fleet/index.md). Upon configuration, the integration allows the {{agent}} to monitor events on your host and send data to the {{security-app}}.
-
-::::{admonition} Requirements
-* {{fleet}} is required for {{elastic-defend}}.
-* To configure the {{elastic-defend}} integration on the {{agent}}, you must have permission to use {{fleet}} in {{kib}}.
-* You must have the **{{elastic-defend}} Policy Management : All** [privilege](/reference/security/elastic-defend/endpoint-management-req.md) to configure an integration policy, and the **Endpoint List** [privilege](/reference/security/elastic-defend/endpoint-management-req.md) to access the **Endpoints** page.
-
-::::
-
-
-
-## Before you begin [security-before-you-begin]
-
-If you’re using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to [*{{elastic-defend}} requirements*](/reference/security/elastic-defend/elastic-endpoint-deploy-reqs.md) for more information.
-
-::::{note}
-{{elastic-defend}} does not support deployment within an {{agent}} DaemonSet in Kubernetes.
-::::
-
-
-
-## Add the {{elastic-defend}} integration [add-security-integration]
-
-1. Find **Integrations** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search).
-
- :::{image} ../../../images/security-endpoint-cloud-sec-integrations-page.png
- :alt: Search result for "{{elastic-defend}}" on the Integrations page.
- :class: screenshot
- :::
-
-2. Search for and select **{{elastic-defend}}**, then select **Add {{elastic-defend}}**. 
The integration configuration page appears.
-
- ::::{note}
- If this is the first integration you’ve installed and the **Ready to add your first integration?** page appears instead, select **Add integration only (skip agent installation)** to proceed. You can [install {{agent}}](#enroll-agent) after setting up the {{elastic-defend}} integration.
- ::::
-
-
- :::{image} ../../../images/security-endpoint-cloud-security-configuration.png
- :alt: Add {{elastic-defend}} integration page
- :class: screenshot
- :::
-
-3. Configure the {{elastic-defend}} integration with an **Integration name** and optional **Description**.
-4. Select the type of environment you want to protect, either **Traditional Endpoints** or **Cloud Workloads**.
-5. Select a configuration preset. Each preset comes with different default settings for {{agent}} — you can further customize these later by [configuring the {{elastic-defend}} integration policy](/reference/security/elastic-defend/configure-endpoint-integration-policy.md).
-
- | | |
- | --- | --- |
- | **Traditional Endpoint presets** | All traditional endpoint presets *except **Data Collection*** have these preventions enabled by default: malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events:

* **Data Collection:** All events; no preventions
* **Next-Generation Antivirus (NGAV):** Process events; all preventions
* **Essential EDR (Endpoint Detection & Response):** Process, Network, File events; all preventions
* **Complete EDR (Endpoint Detection & Response):** All events; all preventions
|
- | **Cloud Workloads presets** | Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, [session data](/solutions/security/investigate/session-view.md) collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events.

* **All events:** Includes data from automated sessions.
* **Interactive only:** Filters out data from non-interactive sessions by creating an [event filter](/solutions/security/manage-elastic-defend/event-filters.md).
|
-
-6. Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {{agent}} configuration settings, refer to [{{agent}} policies](/reference/ingestion-tools/fleet/agent-policy.md).
-7. When you’re ready, click **Save and continue**.
-8. To complete the integration, select **Add {{agent}} to your hosts** and continue to the next section to install the {{agent}} on your hosts.
-
-
-## Configure and enroll the {{agent}} [enroll-security-agent]
-
-To enable the {{elastic-defend}} integration, you must enroll agents in the relevant policy using {{fleet}}.
-
-::::{important}
-Before you add an {{agent}}, a {{fleet-server}} must be running. Refer to [Add a {{fleet-server}}](/reference/ingestion-tools/fleet/deployment-models.md).
-
-{{elastic-defend}} cannot be integrated with an {{agent}} in standalone mode.
-
-::::
-
-
-
-### Important information about {{fleet-server}} [fleet-server-upgrade]
-
-::::{note}
-If you are running an {{stack}} version earlier than 7.13.0, you can skip this section.
-::::
-
-
-If you have upgraded to an {{stack}} version that includes {{fleet-server}} 7.13.0 or newer, you will need to redeploy your agents. Review the following scenarios to ensure you take the appropriate steps.
-
-* If you redeploy the {{agent}} to the same machine through the {{fleet}} application after you upgrade, a new agent will appear.
-* If you want to remove the {{agent}} entirely without transitioning to the {{fleet-server}}, then you will need to manually uninstall the {{agent}} on the machine. This will also uninstall the endpoint. Refer to [Uninstall Elastic Agent](/reference/ingestion-tools/fleet/uninstall-elastic-agent.md).
-* In the rare event that the {{agent}} fails to uninstall, you might need to manually uninstall the endpoint. 
Refer to [Uninstall an endpoint](/reference/security/elastic-defend/uninstall-agent.md#uninstall-endpoint) at the end of this topic.
-
-
-### Add the {{agent}} [enroll-agent]
-
-1. If you’re in the process of installing an {{agent}} integration (such as {{elastic-defend}}), the **Add agent** UI opens automatically. Otherwise, find **{{fleet}}*** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search), and select ***Agents** → **Add agent**.
-
- :::{image} ../../../images/security-endpoint-cloud-sec-add-agent.png
- :alt: Add agent flyout on the Fleet page.
- :class: screenshot
- :::
-
-2. Select an agent policy for the {{agent}}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {{agent}} configuration settings, refer to [{{agent}} policies](/reference/ingestion-tools/fleet/agent-policy.md).
-
- The selected agent policy should include the integration you want to install on the hosts covered by the agent policy (in this example, {{elastic-defend}}).
-
- :::{image} ../../../images/security-endpoint-cloud-sec-add-agent-detail.png
- :alt: Add agent flyout with {{elastic-defend}} integration highlighted.
- :class: screenshot
- :::
-
-3. Ensure that the **Enroll in {{fleet}}** option is selected. {{elastic-defend}} cannot be integrated with {{agent}} in standalone mode.
-4. Select the appropriate platform or operating system for the host, then copy the provided commands.
-5. On the host, open a command-line interface and navigate to the directory where you want to install {{agent}}. Paste and run the commands from {{fleet}} to download, extract, enroll, and start {{agent}}.
-6. (Optional) Return to the **Add agent** flyout in {{fleet}}, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {{es}}.
-7. 
After you have enrolled the {{agent}} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {{fleet}}. Otherwise, select **Close**.
-
- The host will now appear on the **Endpoints** page in the {{security-app}}. It may take another minute or two for endpoint data to appear in {{elastic-sec}}.
-
-8. For macOS, continue with [these instructions](/reference/security/elastic-defend/deploy-elastic-endpoint.md) to grant {{elastic-endpoint}} the required permissions.
diff --git a/reference/security/elastic-defend/linux-file-monitoring.md b/reference/security/elastic-defend/linux-file-monitoring.md
deleted file mode 100644
index 9c259825c7..0000000000
--- a/reference/security/elastic-defend/linux-file-monitoring.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/linux-file-monitoring.html
----
-
-# Configure Linux file system monitoring [linux-file-monitoring]
-
-By default, {{elastic-defend}} monitors specific Linux file system types that Elastic has tested for compatibility. If your network includes nonstandard, proprietary, or otherwise unrecognized Linux file systems, you can configure the integration policy to extend monitoring and protections to those additional file systems. You can also have {{elastic-defend}} ignore unrecognized file system types if they don’t require monitoring or cause unexpected problems.
-
-::::{warning}
-Ignoring file systems can create gaps in your security coverage. Use additional security layers for any file systems ignored by {{elastic-defend}}.
-::::
-
-
-To monitor or ignore additional file systems, configure the following advanced settings related to **fanotify**, a Linux feature that monitors file system events. Find **Policies** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search), click a policy’s name, then scroll down and select **Show advanced settings**.
-
-::::{note}
-Even when configured to monitor all file systems (`ignore_unknown_filesystems` is `false`), {{elastic-defend}} will still ignore specific file systems that Elastic has internally identified as incompatible. The following settings apply to any *other* file systems.
-::::
-
-
-$$$ignore-unknown-filesystems$$$
-
-`linux.advanced.fanotify.ignore_unknown_filesystems`
-: Determines whether to ignore unrecognized file systems. Enter one of the following:
-
- * `true`: (Default) Monitor only Elastic-tested file systems, and ignore all others. You can still monitor or ignore specific file systems with `monitored_filesystems` and `ignored_filesystems`, respectively.
- * `false`: Monitor all file systems. You can still ignore specific file systems with `ignored_filesystems`. 
-
- ::::{note}
- If you’ve upgraded from 8.3 or earlier, this value will be `false` for backwards compatibility. If you don’t need to monitor additional file systems, it’s recommended to change `ignore_unknown_filesystems` to `true` after upgrading.
- ::::
-
-
-$$$monitored-filesystems$$$
-
-`linux.advanced.fanotify.monitored_filesystems`
-: Specifies additional file systems to monitor. Enter a comma-separated list of [file system names](#find-file-system-names) as they appear in `/proc/filesystems` (for example: `jfs,ufs,ramfs`).
-
- ::::{note}
- It’s recommended to avoid monitoring network-backed file systems.
- ::::
-
-
- This setting isn’t recognized if `ignore_unknown_filesystems` is `false`, since that would mean you’re already monitoring *all* file systems.
-
- Entries in this setting are overridden by entries in `ignored_filesystems`.
-
-
-$$$ignored-filesystems$$$
-
-`linux.advanced.fanotify.ignored_filesystems`
-: Specifies additional file systems to ignore. Enter a comma-separated list of [file system names](#find-file-system-names) as they appear in `/proc/filesystems` (for example: `ext4,tmpfs`).
-
- Entries in this setting override entries in `monitored_filesystems`.
-
-
-## Find file system names [find-file-system-names]
-
-This section provides a few ways to determine the file system names needed for `linux.advanced.fanotify.monitored_filesystems` and `linux.advanced.fanotify.ignored_filesystems`.
-
-In a typical setup, when you install {{agent}}, {{filebeat}} is installed alongside {{elastic-endpoint}} and will automatically ship {{elastic-endpoint}} logs to {{es}}. {{elastic-endpoint}} will generate a log message about the file that was scanned when an event occurs.
-
-To find the system file name:
-
-1. Find **Hosts** in the navigation menu, or search for `Security/Explore/Hosts` by using the [global search field](/get-started/the-stack.md#kibana-navigation-search).
-2. 
From the Hosts page, search for `message: "Current sync path"` to reveal the file path.
-3. If you have access to the endpoint, run `findmnt -o FSTYPE -T ` to return the file system. For example:
-
- ```shell
- > findmnt -o FSTYPE -T /etc/passwd
- FSTYPE
- ext4
- ```
-
- This returns the file system name as `ext4`.
-
-
-Alternatively, you can also find the file system name by correlating data from two other log messages:
-
-1. Search the logs for `message: "Current fdinfo"` to reveal the `mnt_id` value of the file path. In this example, the `mnt_id` value is `29`:
-
- ```shell
- pos: 12288
- flags: 02500002
- mnt_id: 29
- ino: 2367737
- ```
-
-2. Search the logs for `message: "Current mountinfo"` to reveal the file system that corresponds to the `mnt_id` value you found in the previous step:
-
- ```shell
-
- 29 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw,errors=remount-ro
-
- ```
-
- The first number, `29`, is the `mnt_id`, and the first field after the hyphen (`-`) is the file system name, `ext4`.
diff --git a/reference/security/elastic-defend/offline-endpoint.md b/reference/security/elastic-defend/offline-endpoint.md
deleted file mode 100644
index 430885f057..0000000000
--- a/reference/security/elastic-defend/offline-endpoint.md
+++ /dev/null
@@ -1,211 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/offline-endpoint.html
----
-
-# Configure offline endpoints and air-gapped environments [offline-endpoint]
-
-By default, {{elastic-endpoint}} continuously defends against the latest threats by automatically downloading global artifact updates from [https://artifacts.security.elastic.co](https://artifacts.security.elastic.co). When running {{elastic-endpoint}} in a restricted network, you can set up a local mirror server to proxy updates to endpoints that cannot access `elastic.co` URLs directly.
-
-* If your endpoints cannot access the internet directly, set up a local HTTP mirror server. Refer to [Host an {{elastic-endpoint}} artifact mirror](offline-endpoint.md#artifact-mirror).
-* If your endpoints are running in an air-gapped environment, set up a local HTTP server and manually copy global artifact updates. Refer to [Host an air-gapped {{elastic-endpoint}} artifact server](offline-endpoint.md#air-gapped-artifact-server).
-
-
-## Host an {{elastic-endpoint}} artifact mirror [artifact-mirror]
-
-You can deploy your own {{elastic-endpoint}} global artifact mirror to enable endpoints to update their global artifacts automatically through another server acting as a proxy. This allows endpoints to get updates even when they can’t directly access the internet.
-
-Complete these steps:
-
-1. Deploy an HTTP reverse proxy server.
-2. Configure {{elastic-endpoint}} to read from the proxy server.
-
-
-### Step 1: Deploy an HTTP reverse proxy server [_step_1_deploy_an_http_reverse_proxy_server]
-
-Set up and configure an HTTP reverse proxy to forward requests to [https://artifacts.security.elastic.co](https://artifacts.security.elastic.co) and include response headers from the elastic.co server when proxying.
-
-::::{important}
-The entity tag (`Etag`) header is a mandatory HTTP response header that you *must* set in your server configuration file. 
{{elastic-endpoint}} uses the `Etag` header to determine whether your global artifacts have been updated since they were last downloaded. If your server configuration file does not contain an `ETag` header, {{elastic-endpoint}} won’t download new artifacts when they’re available.
-::::
-
-
-:::::{dropdown} *Example: Nginx*
-This example script starts an Nginx Docker image and configures it to proxy artifacts:
-
-```sh
-cat > nginx.conf << EOF
-server {
- location / {
- proxy_pass https://artifacts.security.elastic.co;
- }
-}
-EOF
-docker run -v "$PWD"/nginx.conf:/etc/nginx/conf.d/default.conf:ro -p 80:80 nginx
-```
-
-::::{important}
-This example script is not appropriate for production environments. We recommend configuring the Nginx server to use [TLS](http://nginx.org/en/docs/http/configuring_https_servers.md) according to your IT policies. Refer to [Nginx documentation](https://docs.nginx.com/nginx/admin-guide/installing-nginx/) for more information on downloading and configuring Nginx.
-::::
-
-
-:::::
-
-
-:::::{dropdown} *Example: Apache HTTPD*
-This example script starts an Apache httpd Docker image and configures it to proxy artifacts:
-
-```sh
-docker run --rm httpd cat /usr/local/apache2/conf/httpd.conf > httpd.conf
-cat >> httpd.conf << EOF
-LoadModule proxy_module modules/mod_proxy.so
-LoadModule proxy_http_module modules/mod_proxy_http.so
-LoadModule ssl_module modules/mod_ssl.so
-
-SSLProxyEngine on
-ServerName localhost
-ProxyPass / https://artifacts.security.elastic.co/
-ProxyPassReverse / https://artifacts.security.elastic.co/
-EOF
-docker run -p 80:80 -v "$PWD"/httpd.conf:/usr/local/apache2/conf/httpd.conf httpd
-```
-
-::::{important}
-This example script is not appropriate for production environments. We recommend configuring httpd to use [TLS](https://httpd.apache.org/docs/trunk/ssl/ssl_howto.md) according to your IT policies. 
Refer to [Apache documentation](https://httpd.apache.org) for more information on downloading and configuring Apache httpd.
-::::
-
-
-:::::
-
-
-
-### Step 2: Configure {{elastic-endpoint}} [_step_2_configure_elastic_endpoint]
-
-Set the `advanced.artifacts.global.base_url` advanced setting for each [{{elastic-defend}} integration policy](configure-endpoint-integration-policy.md) that needs to use the mirror. Note that there’s a separate setting for each operating system:
-
-* `linux.advanced.artifacts.global.base_url`
-* `mac.advanced.artifacts.global.base_url`
-* `windows.advanced.artifacts.global.base_url`
-
-:::{image} ../../../images/security-offline-adv-settings.png
-:alt: Integration policy advanced settings
-:class: screenshot
-:::
-
-
-## Host an air-gapped {{elastic-endpoint}} artifact server [air-gapped-artifact-server]
-
-If {{elastic-endpoint}} needs to operate completely offline in a closed network, you can set up a mirror server and manually update it with new artifact updates regularly.
-
-Complete these steps:
-
-1. Deploy an HTTP file server.
-2. Configure {{elastic-endpoint}} to read from the file server.
-3. Manually copy artifact updates to the file server.
-
-
-### Step 1: Deploy an HTTP file server [_step_1_deploy_an_http_file_server]
-
-Deploy an HTTP file server to serve files from a local directory, which will be filled with artifact update files in a later step.
-
-::::{important}
-The entity tag (`Etag`) header is a mandatory HTTP response header that you *must* set in your server configuration file. {{elastic-endpoint}} uses the `Etag` header to determine whether your global artifacts have been updated since they were last downloaded. If your server configuration file does not contain an `ETag` header, {{elastic-endpoint}} won’t download new artifacts when they’re available. 
-::::
-
-
-:::::{dropdown} *Example: Nginx*
-This example script starts an Nginx Docker image and configures it as a file server:
-
-```sh
-cat > nginx.conf << 'EOF'
-# set compatible etag format
-map $sent_http_etag $elastic_etag {
- "~(.*)-(.*)" "$1$2";
-}
-server {
- root /app/static;
- location / {
- add_header ETag "$elastic_etag";
- }
-}
-EOF
-docker run -v "$PWD"/nginx.conf:/etc/nginx/conf.d/default.conf:ro -v "$PWD"/static:/app/static:ro -p 80:80 nginx
-```
-
-::::{important}
-This example script is not appropriate for production environments. We recommend configuring the Nginx server to use [TLS](http://nginx.org/en/docs/http/configuring_https_servers.md) according to your IT policies. Refer to [Nginx documentation](https://docs.nginx.com/nginx/admin-guide/installing-nginx/) for more information on downloading and configuring Nginx.
-::::
-
-
-:::::
-
-
-:::::{dropdown} *Example: Apache HTTPD*
-This example script starts an Apache httpd Docker image and configures it as a file server:
-
-```sh
-docker run --rm httpd cat /usr/local/apache2/conf/httpd.conf > my-httpd.conf
-cat >> my-httpd.conf << 'EOF'
-# set compatible etag format
-FileETag MTime
-EOF
-docker run -p 80:80 -v "$PWD/static":/usr/local/apache2/htdocs/ -v "$PWD"/my-httpd.conf:/usr/local/apache2/conf/httpd.conf:ro httpd
-```
-
-::::{important}
-This example script is not appropriate for production environments. We recommend configuring httpd to use [TLS](https://httpd.apache.org/docs/trunk/ssl/ssl_howto.md) according to your IT policies. Refer to [Apache documentation](https://httpd.apache.org) for more information on downloading and configuring Apache httpd.
-::::
-
-
-:::::
-
-
-
-### Step 2: Configure {{elastic-endpoint}} [_step_2_configure_elastic_endpoint_2]
-
-Set the `advanced.artifacts.global.base_url` advanced setting for each [{{elastic-defend}} integration policy](configure-endpoint-integration-policy.md) that needs to use the mirror. 
Note that there’s a separate setting for each operating system:
-
-* `linux.advanced.artifacts.global.base_url`
-* `mac.advanced.artifacts.global.base_url`
-* `windows.advanced.artifacts.global.base_url`
-
-:::{image} ../../../images/security-offline-adv-settings.png
-:alt: Integration policy advanced settings
-:class: screenshot
-:::
-
-
-### Step 3: Manually copy artifact updates [_step_3_manually_copy_artifact_updates]
-
-Download the most recent artifact files from the Elastic global artifact server, then copy those files to the server instance you created in step 1.
-
-Below is an example script that downloads all the global artifact updates. There are different artifact files for each version of {{elastic-endpoint}}. Change the value of the `ENDPOINT_VERSION` variable in the example script to match the deployed version of {{elastic-endpoint}}.
-
-```sh
-export ENDPOINT_VERSION=9.0.0-beta1 && wget -P downloads/endpoint/manifest https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-$ENDPOINT_VERSION.zip && zcat -q downloads/endpoint/manifest/artifacts-$ENDPOINT_VERSION.zip | jq -r '.artifacts | to_entries[] | .value.relative_url' | xargs -I@ curl "https://artifacts.security.elastic.co@" --create-dirs -o ".@"
-```
-
-This command will download files and directory structure that should be directly copied to the file server.
-
-Elastic releases updates continuously as detection engines are improved. Therefore, we recommend updating air-gapped environments at least monthly to stay current with artifact updates.
-
-
-## Validate your self-hosted artifact server [validate-artifact-server]
-
-Each new global artifact update release increments a version identifier that you can check to ensure that {{elastic-endpoint}} has received and installed the latest version.
-
-To confirm the latest version of the artifacts for a given {{elastic-endpoint}} version, check the published version. 
This example script checks the version:
-
-```sh
-curl -s https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-9.0.0-beta1.zip | zcat -q | jq -r .manifest_version
-```
-
-Replace `https://artifacts.security.elastic.co` in the command above with your local mirror server to validate that the artifacts are served correctly.
-
-After updating the {{elastic-endpoint}} configuration to read from the mirror server, use {{kib}}'s [Discover view](/explore-analyze/discover.md) to search the `metrics-*` data view for `endpoint.policy` response documents, then check the installed version (`Endpoint.policy.applied.artifacts.global.version`) and compare with the output from the command above:
-
-:::{image} ../../../images/security-offline-endpoint-version-discover.png
-:alt: Searching for `endpoint.policy` in Discover
-:class: screenshot
-:::
-
diff --git a/reference/security/elastic-defend/self-healing-rollback.md b/reference/security/elastic-defend/self-healing-rollback.md
deleted file mode 100644
index aa5fa9289c..0000000000
--- a/reference/security/elastic-defend/self-healing-rollback.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/self-healing-rollback.html
----
-
-# Configure self-healing rollback for Windows endpoints [self-healing-rollback]
-
-{{elastic-defend}}'s self-healing feature rolls back file changes on Windows endpoints when a prevention alert is generated by enabled protection features. File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert).
-
-This can help contain the impact of malicious activity, as {{elastic-defend}} not only stops the activity but also erases any attack artifacts deployed prior to detection.
-
-Self-healing rollback is a [Platinum or Enterprise subscription](https://www.elastic.co/pricing) feature and is only supported for Windows endpoints.
-
-::::{warning}
-This feature can cause permanent data loss since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but may also include incidental actions that aren’t directly related to the threat.
-
-Also, rollback is triggered by *every* {{elastic-defend}} prevention alert, so you should tune your system to eliminate false positives before enabling this feature.
-
-::::
-
-
-1. Find **Policies** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search), then select the integration policy you want to configure.
-2. Scroll down to the bottom of the policy and click **Show advanced settings**.
-3. Enter `true` for the setting `windows.advanced.alerts.rollback.self_healing.enabled`.
-4. Click **Save**.
diff --git a/reference/security/elastic-defend/uninstall-agent.md b/reference/security/elastic-defend/uninstall-agent.md
deleted file mode 100644
index 0b6f318206..0000000000
--- a/reference/security/elastic-defend/uninstall-agent.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-mapped_pages:
- - https://www.elastic.co/guide/en/security/current/uninstall-agent.html
----
-
-# Uninstall Elastic Agent [uninstall-agent]
-
-To uninstall {{agent}} from a host, run the `uninstall` command from the directory where it’s running. Refer to the [{{fleet}} and {{agent}} documentation](/reference/ingestion-tools/fleet/uninstall-elastic-agent.md) for more information.
-
-If [Agent tamper protection](/reference/security/elastic-defend/agent-tamper-protection.md) is enabled on the Agent policy for the host, you’ll need to include the uninstall token in the command, using the `--uninstall-token` flag. You can [find the uninstall token](/reference/security/elastic-defend/agent-tamper-protection.md#fleet-uninstall-tokens) on the Agent policy. Alternatively, find **{{fleet}}** in the navigation menu or by using the [global search field](/get-started/the-stack.md#kibana-navigation-search), and select **Uninstall tokens**.
-
-For example, to uninstall {{agent}} on a macOS or Linux host:
-
-```shell
-sudo elastic-agent uninstall --uninstall-token 12345678901234567890123456789012
-```
-
-
-## Provide multiple uninstall tokens [multiple-uninstall-tokens]
-
-If you have multiple tamper-protected {{agent}} policies, you may want to provide multiple uninstall tokens in a single command. There are two ways to do this:
-
-* The `--uninstall-token` command can receive multiple uninstall tokens separated by a comma, without spaces.
-
- ```shell
- sudo elastic-agent uninstall -f --uninstall-token 7b3d364db8e0deb1cda696ae85e42644,a7336b71e243e7c92d9504b04a774266
- ```
-
-* `--uninstall-token`'s argument can also be a path to a text file with one uninstall token per line.
-
- ::::{note}
- You must use the full file path, otherwise the file may not be found. 
- ::::
-
-
- ```shell
- sudo elastic-agent uninstall -f --uninstall-token /tmp/tokens.txt
- ```
-
- In this example, `tokens.txt` would contain:
-
- ```txt
- 7b3d364db8e0deb1cda696ae85e42644
- a7336b71e243e7c92d9504b04a774266
- ```
-
-
-
-## Uninstall {{elastic-endpoint}} [uninstall-endpoint]
-
-Use these commands to uninstall {{elastic-endpoint}} from a host **ONLY** if [uninstalling an {{agent}}](/reference/ingestion-tools/fleet/uninstall-elastic-agent.md) is unsuccessful.
-
-Windows
-
-```shell
-cd %TEMP%
-copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe
-.\elastic-endpoint.exe uninstall
-del .\elastic-endpoint.exe
-```
-
-macOS
-
-```shell
-cd /tmp
-cp /Library/Elastic/Endpoint/elastic-endpoint elastic-endpoint
-sudo ./elastic-endpoint uninstall
-rm elastic-endpoint
-```
-
-Linux
-
-```shell
-cd /tmp
-cp /opt/Elastic/Endpoint/elastic-endpoint elastic-endpoint
-sudo ./elastic-endpoint uninstall
-rm elastic-endpoint
-```
diff --git a/reference/security/index.md b/reference/security/index.md
index acf046b6dc..b05a5099b9 100644
--- a/reference/security/index.md
+++ b/reference/security/index.md
@@ -1,15 +1,13 @@
# Security
-% TO-DO: Add links to "What is Elastic Security?"%
-
-This section of the documentation contains reference information for Elastic Security features, including:
+This section of the documentation contains reference information for [{{elastic-sec}}](/solutions/security.md) features, including:
* Prebuilt rules
* Downloadable rule updates
* Prebuilt jobs
* Fields and object schemas
-You can use these APIs to interface with Elastic Security features:
+You can use these APIs to interface with {{elastic-sec}} features:
* [Detections API](https://www.elastic.co/docs/api/doc/kibana/v8/group/endpoint-security-detections-api): Manage detection rules and alerts
* [Exceptions API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-exceptions-api): Create and manage rule exceptions
@@ -17,4 +15,4 @@ You can use these APIs to interface with Elastic Security features:
* [Timeline API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-timeline-api): Import and export timelines
* [Cases API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-cases): Open and manage cases
* [Elastic AI Assistant API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-ai-assistant-api): Interact with and manage Elastic AI Assistant
-* [Asset criticality API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-entity-analytics-api): Create and manage asset criticality records
\ No newline at end of file
+* [Asset criticality API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-security-entity-analytics-api): Create and manage asset criticality records
diff --git a/reference/toc.yml b/reference/toc.yml
index 6707433f61..abc2669f1e 100644
--- a/reference/toc.yml
+++ b/reference/toc.yml
@@ -2,26 +2,6 @@ toc: - file: index.md - file: security/index.md children: - - file: security/elastic-defend/index.md - children: - - file: security/elastic-defend/elastic-endpoint-deploy-reqs.md - - file: security/elastic-defend/install-endpoint.md - children: - - file: security/elastic-defend/deploy-elastic-endpoint.md - - file: security/elastic-defend/deploy-elastic-endpoint-ven.md - - file: security/elastic-defend/deploy-with-mdm.md - - file: security/elastic-defend/agent-tamper-protection.md - - file: security/elastic-defend/endpoint-management-req.md - - file: security/elastic-defend/configure-endpoint-integration-policy.md - children: - - file: security/elastic-defend/artifact-control.md - - file: security/elastic-defend/endpoint-diagnostic-data.md - - file: security/elastic-defend/self-healing-rollback.md - - file: security/elastic-defend/linux-file-monitoring.md - - file: security/elastic-defend/endpoint-data-volume.md - - file: security/elastic-defend/create-defend-policy-api.md - - file: security/elastic-defend/offline-endpoint.md - - file: security/elastic-defend/uninstall-agent.md - file: security/fields-and-object-schemas/index.md children: - file: security/fields-and-object-schemas/runtime-fields.md