Closed
Labels: Feature: Elastic Defend, Feature: Onboarding, Team: Docs, v8.5.0
Description
For the 8.5 Release, we will release Guided onboarding for Elastic Defend
https://github.com/elastic/security-team/issues/3981
[after reading the ticket]
Description
This new feature will differentiate guided onboarding for Elastic Security for the EDR and Cloud Security use case. It will also apply different default settings for the use cases to enable security visibility between the different personas.
What's needed
Document the new expected onboarding workflow for the EDR and Cloud Security use case.
Outline the default configurations for the two workflows.
Workflows:
- Integrations -> Elastic Defend -> Add -> Endpoint - NGAV (process events)
- Integrations -> Elastic Defend -> Add -> Endpoint - EDR Essential (file, network, process events)
- Integrations -> Elastic Defend -> Add -> Endpoint - EDR Complete (all events, no session data)
- Integrations -> Elastic Defend -> Add -> Cloud Security - Interactive Only (all events + session data + Event Filter for process.entry_leader.interactive:false attached to policy, memory threat and ransomware disabled)
- Integrations -> Elastic Defend -> Add -> Cloud Security - All Events (all events + session data, no event filter, memory threat and ransomware disabled)
- Integrations -> Elastic Defend -> Add -> Cloud Security - Prevent Malware (enable malware)
- Integrations -> Elastic Defend -> Add -> Cloud Security - Prevent Malicious Behavior (enable Malicious Behavior, only shows when the license is platinum or enterprise)
Refer to elastic/kibana#139230 for details on which settings are enabled by each option for endpoints.
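To make the "Interactive Only" preset concrete, here is an added illustration (not Elastic's code, and not part of this ticket) of how the attached event filter `process.entry_leader.interactive:false` narrows what is written: an Elastic Defend event filter excludes events that match it, so only events whose session entry leader was interactive survive. The sample events and the `apply_event_filter` helper are constructed for this example.

```python
"""Model of the 'Cloud Security - Interactive Only' preset from the ticket.
An Elastic Defend event filter DROPS events that match it; attaching
process.entry_leader.interactive:false therefore keeps interactive sessions
and discards daemon/cron style activity. Added illustration, not Elastic's code."""
from typing import Any

# Constructed sample events in a flat ECS-style shape (not real captures).
# The last one has no session data, so the field is absent.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"event.category": "process", "process.name": "bash",
     "process.entry_leader.interactive": True},
    {"event.category": "process", "process.name": "cron",
     "process.entry_leader.interactive": False},
    {"event.category": "file", "process.name": "vim",
     "process.entry_leader.interactive": True},
    {"event.category": "network", "process.name": "systemd-timer",
     "process.entry_leader.interactive": False},
    {"event.category": "network", "process.name": "unknown"},
]


def matches_filter(event: dict[str, Any], field: str, value: Any) -> bool:
    """True when the event carries `field` with exactly `value`, mirroring a
    single-term KQL event filter. A missing field never matches."""
    return field in event and event[field] == value


def apply_event_filter(events: list[dict[str, Any]], field: str,
                       value: Any) -> list[dict[str, Any]]:
    """Return the events that survive the filter: matches are excluded."""
    return [e for e in events if not matches_filter(e, field, value)]


def interactive_only(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """The preset's filter: drop events from non-interactive entry leaders."""
    return apply_event_filter(events, "process.entry_leader.interactive", False)


if __name__ == "__main__":
    for e in interactive_only(SAMPLE_EVENTS):
        print(e["event.category"], e["process.name"])
```

Note the caveat the last sample shows: an event without the field is not matched and is therefore kept, which is why this preset pairs the filter with session data enabled.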