[DOCS] Endpoint self-healing rollback #2267
Conversation
ferullo
left a comment
@joe-desimone @nfritts do you have thoughts on this doc?
nastasha-solomon
left a comment
Left one suggestion. LGTM overall!
Add more nuance about how rollback targets files, etc.
jmikell821
left a comment
I had a few questions and just some slight suggestions. Curious to find out the answers -- thanks!
[[self-healing-rollback]]
= Configure self-healing rollback for Windows endpoints

{endpoint-cloud-sec}'s self-healing feature rolls back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features. All activity on the host reverts to its state five minutes before the prevention alert.
Question about terminology: is this an Endpoint Security feature, an Endpoint and Cloud Security feature (which is basically the integration, right?) or a policy configuration? I want to make sure we aren't confusing the terms, so just checking for clarification, thanks! cc: @ferullo @joe-desimone
I think "Endpoint and Cloud Security feature" is appropriate here, because it's part of that integration and this sentence is talking about what the feature is and does, not how it's configured. After the rename of the integration, there isn't really anything called "Endpoint Security" anymore. @ferullo @joe-desimone thoughts?
I think Endpoint and Cloud Security is appropriate here.
This can help contain the impact of malicious activity, as {endpoint-cloud-sec} not only stops the activity but also erases any attack artifacts deployed prior to detection.
Same question about terminology. Isn't Elastic Endpoint doing the stopping of malicious activity? 🤔
"Elastic Endpoint" seems to me more like an internal piece of technology than something a customer directly experiences. I was using the integration name here to more generally say that the product or the integration stops and rolls back the attack. But @ferullo @joe-desimone etc please let us know what you think.
the integration name seems correct here.
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
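As an added illustration of the five-minute window described in the doc text above (example code written for this page, not part of the Elastic documentation or product): given the time of a prevention alert and a constructed list of ECS-style file events, the function below partitions the file paths into those that fall inside the rollback window and those written earlier, which an analyst would still need to remove by hand. The event field names, the sample paths, and the treatment of the window as "every event at or after alert time minus five minutes" are assumptions made for the example; the real implementation is not shown on this page.

```python
from datetime import datetime, timedelta

# Rollback window as stated in the doc text: the host reverts to its state
# five minutes before the prevention alert.
ROLLBACK_WINDOW = timedelta(minutes=5)

# Constructed ECS-style file events for illustration only (not real endpoint
# telemetry). Each record carries the event time, the action and the path.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-03-01T12:00:10+00:00", "event.action": "creation",
     "file.path": r"C:\Users\Public\stage\loader.dll"},      # 9m50s before alert
    {"@timestamp": "2023-03-01T12:06:30+00:00", "event.action": "creation",
     "file.path": r"C:\Users\Public\stage\payload.exe"},     # 3m30s before alert
    {"@timestamp": "2023-03-01T12:08:45+00:00", "event.action": "modification",
     "file.path": r"C:\ProgramData\svc\config.ini"},         # 1m15s before alert
    {"@timestamp": "2023-03-01T12:10:00+00:00", "event.action": "creation",
     "file.path": r"C:\Windows\Temp\dropper.exe"},           # the blocked action
]
ALERT_TIME = "2023-03-01T12:10:00+00:00"  # constructed prevention alert time


def _parse(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries an explicit UTC offset."""
    return datetime.fromisoformat(ts)


def partition_by_rollback_window(events, alert_time, window=ROLLBACK_WINDOW):
    """Split file events into those inside the rollback window and those before it.

    Assumption (not from the doc): any event at or after alert_time - window is
    treated as reverted by self-healing; anything earlier is treated as
    persisting on disk and therefore needs manual triage.
    """
    start = _parse(alert_time) - window
    reverted, persisting = [], []
    for ev in events:
        bucket = reverted if _parse(ev["@timestamp"]) >= start else persisting
        bucket.append(ev["file.path"])
    return {"reverted": reverted, "persisting": persisting}


def persisting_artifacts(events, alert_time, window=ROLLBACK_WINDOW):
    """Only the paths an analyst still has to clean up after the rollback."""
    return partition_by_rollback_window(events, alert_time, window)["persisting"]


if __name__ == "__main__":
    result = partition_by_rollback_window(SAMPLE_EVENTS, ALERT_TIME)
    print("Inside the five-minute window (expected to be reverted):")
    for path in result["reverted"]:
        print("  ", path)
    print("Before the window (persists; manual cleanup required):")
    for path in result["persisting"]:
        print("  ", path)
```

The point of the check is the boundary: an artifact staged more than five minutes before the prevention alert, such as `loader.dll` in the constructed data, is outside the window and is not reverted, so the analyst cannot assume the host is clean after self-healing runs.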
Hi @joepeeples, We have validated the Kibana documentation with reference to this PR and found that the docs are correct. Hence, we are marking this PR as QA:Approved. Thank you!
* First draft
* Edits
* Apply suggestions from review
  Add more nuance about how rollback targets files, etc.
* Apply suggestions from code review
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
* Update docs/getting-started/self-healing-rollback.asciidoc
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
(cherry picked from commit 946f6aa)

* First draft
* Edits
* Apply suggestions from review
  Add more nuance about how rollback targets files, etc.
* Apply suggestions from code review
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
* Update docs/getting-started/self-healing-rollback.asciidoc
  Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
(cherry picked from commit 946f6aa)
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Resolves #2233.
Previews:
Questions for reviewers: