From 9361f364595b107b5c2b6735637e7f33d7dd5ac7 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 8 Aug 2022 08:53:19 -0400 Subject: [PATCH 1/5] First draft --- .../configure-integration-policy.asciidoc | 9 ++++++--- docs/getting-started/index.asciidoc | 1 + .../self-healing-rollback.asciidoc | 20 +++++++++++++++++++ docs/management/admin/admin-pg-ov.asciidoc | 2 +- 4 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 docs/getting-started/self-healing-rollback.asciidoc diff --git a/docs/getting-started/configure-integration-policy.asciidoc b/docs/getting-started/configure-integration-policy.asciidoc index a5ba19c1a0..5a01b64b04 100644 --- a/docs/getting-started/configure-integration-policy.asciidoc +++ b/docs/getting-started/configure-integration-policy.asciidoc @@ -166,13 +166,16 @@ image::images/register-as-antivirus.png[Detail of Register as antivirus option.] [[adv-policy-settings]] == Advanced policy settings (optional) -Users with unique configuration and security requirements can select **Show Advanced Settings** +Users with unique configuration and security requirements can select **Show advanced settings** to configure the policy to support advanced use cases. Hover over each setting to view its description. -In this section, you can <>. - NOTE: Advanced settings are not recommended for most users. +This section includes: + +* <> +* <> + [discrete] [[save-policy]] == Save the general policy settings diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 10385621d3..8115ae2133 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc 
@@ -19,6 +19,7 @@ include::install-endpoint.asciidoc[leveloffset=+1] include::install-elastic-endpoint.asciidoc[leveloffset=+1] include::configure-integration-policy.asciidoc[leveloffset=+1] include::endpoint-diagnostic-data.asciidoc[leveloffset=+2] +include::self-healing-rollback.asciidoc[leveloffset=+2] include::threat-intel-integrations.asciidoc[leveloffset=+1] include::advanced-setting.asciidoc[leveloffset=+1] include::uninstall-endpoint.asciidoc[leveloffset=+1] diff --git a/docs/getting-started/self-healing-rollback.asciidoc b/docs/getting-started/self-healing-rollback.asciidoc new file mode 100644 index 0000000000..df3b51a544 --- /dev/null +++ b/docs/getting-started/self-healing-rollback.asciidoc 
@@ -0,0 +1,20 @@ +[[self-healing-rollback]] += Configure self-healing rollback for Windows endpoints + +{endpoint-cloud-sec}'s self-healing feature rolls back file changes and processes on Windows endpoints when enabled protection features generate a prevention alert. All activity on the host reverts to its state five minutes before the prevention alert. + +This can help contain the impact of an attack, as {endpoint-cloud-sec} not only stops suspicious activity, but also erases changes and artifacts that the attacker made prior to detection. + +Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature, and it's only supported for Windows endpoints. + +[CAUTION] +==== +This feature can cause data loss, since it reverts _all_ recent changes on the host, not just changes directly related to a threat. + +Also, rollback is triggered by _every_ {endpoint-cloud-sec} prevention alert, so you should tune your system to limit false positives before enabling this feature. +==== + +. In the {security-app}, go to *Manage* -> *Policies*, then select the integration policy you want to configure. +. Scroll down to the bottom of the policy and click *Show advanced settings*. +. Enter `true` for the setting `windows.advanced.alerts.rollback.self_healing.enabled`. +. Click *Save*. diff --git a/docs/management/admin/admin-pg-ov.asciidoc b/docs/management/admin/admin-pg-ov.asciidoc index 9bfca21204..1681af37cc 100644 --- a/docs/management/admin/admin-pg-ov.asciidoc +++ b/docs/management/admin/admin-pg-ov.asciidoc 
@@ -79,7 +79,7 @@ NOTE: Users must have permission to read/write to {fleet} APIs to make changes t [role="screenshot"] image::images/integration-pg.png[Integration page] -Users who have unique configuration and security requirements can select **Show Advanced Settings** to configure the policy to support advanced use cases. Hover over each setting to view its description. +Users who have unique configuration and security requirements can select **Show advanced settings** to configure the policy to support advanced use cases. Hover over each setting to view its description. NOTE: Advanced settings are not recommended for most users. From 6786c9df43a0449d150d43ae4d69b76750e2a487 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 8 Aug 2022 09:13:10 -0400 Subject: [PATCH 2/5] Edits --- docs/getting-started/self-healing-rollback.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/getting-started/self-healing-rollback.asciidoc b/docs/getting-started/self-healing-rollback.asciidoc index df3b51a544..d18bca29ce 100644 --- a/docs/getting-started/self-healing-rollback.asciidoc +++ b/docs/getting-started/self-healing-rollback.asciidoc 
@@ -1,9 +1,9 @@ [[self-healing-rollback]] = Configure self-healing rollback for Windows endpoints -{endpoint-cloud-sec}'s self-healing feature rolls back file changes and processes on Windows endpoints when enabled protection features generate a prevention alert. All activity on the host reverts to its state five minutes before the prevention alert. +{endpoint-cloud-sec}'s self-healing feature rolls back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features. All activity on the host reverts to its state five minutes before the prevention alert. -This can help contain the impact of an attack, as {endpoint-cloud-sec} not only stops suspicious activity, but also erases changes and artifacts that the attacker made prior to detection. +This can help contain the impact of malicious activity, as {endpoint-cloud-sec} not only stops the activity but also erases any attack artifacts deployed prior to detection. Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature, and it's only supported for Windows endpoints. @@ -11,7 +11,7 @@ Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise ==== This feature can cause data loss, since it reverts _all_ recent changes on the host, not just changes directly related to a threat. -Also, rollback is triggered by _every_ {endpoint-cloud-sec} prevention alert, so you should tune your system to limit false positives before enabling this feature. +Also, rollback is triggered by _every_ {endpoint-cloud-sec} prevention alert, so you should tune your system to eliminate false positives before enabling this feature. ==== . In the {security-app}, go to *Manage* -> *Policies*, then select the integration policy you want to configure. From 9a4689090e27dc1ad8e148d71f5ca7fc8c656b67 Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Tue, 16 Aug 2022 15:14:58 -0400 Subject: [PATCH 3/5] Apply suggestions from review Add more nuance about how rollback targets files, etc. --- docs/getting-started/self-healing-rollback.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/self-healing-rollback.asciidoc b/docs/getting-started/self-healing-rollback.asciidoc index d18bca29ce..150a0bd395 100644 --- a/docs/getting-started/self-healing-rollback.asciidoc +++ b/docs/getting-started/self-healing-rollback.asciidoc @@ -9,7 +9,7 @@ Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise [CAUTION] ==== -This feature can cause data loss, since it reverts _all_ recent changes on the host, not just changes directly related to a threat. +This feature can cause permanent data loss, since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but it may also include incidental actions that aren't directly related to the threat. Also, rollback is triggered by _every_ {endpoint-cloud-sec} prevention alert, so you should tune your system to eliminate false positives before enabling this feature. ==== From 3d1a08f30f3cab6bf06b282dba506d2da7386bdc Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Sat, 20 Aug 2022 17:09:42 -0400 Subject: [PATCH 4/5] Apply suggestions from code review Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com> --- docs/getting-started/self-healing-rollback.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/getting-started/self-healing-rollback.asciidoc b/docs/getting-started/self-healing-rollback.asciidoc index 150a0bd395..14df6f8292 100644 --- a/docs/getting-started/self-healing-rollback.asciidoc +++ b/docs/getting-started/self-healing-rollback.asciidoc 
@@ -5,11 +5,11 @@ This can help contain the impact of malicious activity, as {endpoint-cloud-sec} not only stops the activity but also erases any attack artifacts deployed prior to detection. -Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature, and it's only supported for Windows endpoints. +Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature and is only supported for Windows endpoints. [CAUTION] ==== -This feature can cause permanent data loss, since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but it may also include incidental actions that aren't directly related to the threat. +This feature can cause permanent data loss since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but may also include incidental actions that aren't directly related to the threat. Also, rollback is triggered by _every_ {endpoint-cloud-sec} prevention alert, so you should tune your system to eliminate false positives before enabling this feature. ==== From 3376e6ef4c820f35b9dbcc6eca47fe43b2ffb83f Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 23 Aug 2022 16:43:34 -0400 Subject: [PATCH 5/5] Update docs/getting-started/self-healing-rollback.asciidoc --- docs/getting-started/self-healing-rollback.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/self-healing-rollback.asciidoc b/docs/getting-started/self-healing-rollback.asciidoc index 14df6f8292..eac96ae7a9 100644 --- a/docs/getting-started/self-healing-rollback.asciidoc +++ b/docs/getting-started/self-healing-rollback.asciidoc 
@@ -1,7 +1,7 @@ [[self-healing-rollback]] = Configure self-healing rollback for Windows endpoints -{endpoint-cloud-sec}'s self-healing feature rolls back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features. All activity on the host reverts to its state five minutes before the prevention alert. +{endpoint-cloud-sec}'s self-healing feature rolls back file changes on Windows endpoints when a prevention alert is generated by enabled protection features. File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert). This can help contain the impact of malicious activity, as {endpoint-cloud-sec} not only stops the activity but also erases any attack artifacts deployed prior to detection.
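Review bot: in the PATCH 1/5 hunk for docs/getting-started/configure-integration-policy.asciidoc, the two `<>` cross-references in the new "This section includes:" list show no target in this view; before merging, confirm each xref resolves (one of them should point at the `[[self-healing-rollback]]` anchor created in the same patch), because an unresolved AsciiDoc xref renders as a broken link in the built docs.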
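Review bot: in the PATCH 1/5 hunk that creates docs/getting-started/self-healing-rollback.asciidoc, the procedure only shows how to turn the feature on (`true` for `windows.advanced.alerts.rollback.self_healing.enabled`); given the CAUTION about data loss, the page should also state the default value and how to turn rollback off again (presumably the same setting with `false`). The opening paragraph is also internally inconsistent: it first says the feature "rolls back file changes and processes" and then that "All activity on the host reverts", which is a much broader claim; pick one scope.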
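Review bot: in the PATCH 2/5 hunk, changing "limit false positives" to "eliminate false positives" sets a bar no amount of tuning reaches. Since the same sentence says that every prevention alert triggers a rollback, the actionable advice is to review the prevention alerts a policy has actually been producing and to enable rollback on one integration policy at a time rather than across the fleet; suggest "minimize false positives" or keeping "limit".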
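Review bot: in the PATCH 3/5 hunk, the reworded CAUTION ("targets the changes related to a detected threat, but it may also include incidental actions") now contradicts the unchanged opening paragraph, which at this point in the series still says "All activity on the host reverts to its state five minutes before the prevention alert"; the opening paragraph should be narrowed in the same change so the two statements agree (PATCH 5/5 does this later).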
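Review bot: in the PATCH 5/5 hunk, the parenthetical "(which may be up to two hours before the alert)" is ambiguous: it is unclear whether two hours is the oldest file state that can be restored, a retention window for recorded changes, or something else. Spell out what bounds the window, for example "files are restored to the last state recorded before the change, which can date back up to two hours" if that is the intended meaning, and say explicitly that changes older than that cannot be reverted. Also drop "will" ("revert to their previous state") to match the present tense used in the rest of the page.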