diff --git a/docs/getting-started/configure-integration-policy.asciidoc b/docs/getting-started/configure-integration-policy.asciidoc index b700cc9542..f831ea99b0 100644 --- a/docs/getting-started/configure-integration-policy.asciidoc +++ b/docs/getting-started/configure-integration-policy.asciidoc @@ -178,13 +178,16 @@ image::images/register-as-antivirus.png[Detail of Register as antivirus option.] [[adv-policy-settings]] == Advanced policy settings (optional) -Users with unique configuration and security requirements can select **Show Advanced Settings** +Users with unique configuration and security requirements can select **Show advanced settings** to configure the policy to support advanced use cases. Hover over each setting to view its description. -In this section, you can <>. - NOTE: Advanced settings are not recommended for most users. +This section includes: + +* <> +* <> + [discrete] [[save-policy]] == Save the general policy settings diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 10385621d3..8115ae2133 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc @@ -19,6 +19,7 @@ include::install-endpoint.asciidoc[leveloffset=+1] include::install-elastic-endpoint.asciidoc[leveloffset=+1] include::configure-integration-policy.asciidoc[leveloffset=+1] include::endpoint-diagnostic-data.asciidoc[leveloffset=+2] +include::self-healing-rollback.asciidoc[leveloffset=+2] include::threat-intel-integrations.asciidoc[leveloffset=+1] include::advanced-setting.asciidoc[leveloffset=+1] include::uninstall-endpoint.asciidoc[leveloffset=+1] diff --git a/docs/getting-started/self-healing-rollback.asciidoc b/docs/getting-started/self-healing-rollback.asciidoc new file mode 100644 index 0000000000..eac96ae7a9 --- /dev/null +++ b/docs/getting-started/self-healing-rollback.asciidoc 
@@ -0,0 +1,20 @@ +[[self-healing-rollback]] += Configure self-healing rollback for Windows endpoints + +{endpoint-cloud-sec}'s self-healing feature rolls back file changes on Windows endpoints when a prevention alert is generated by enabled protection features. File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert). + +This can help contain the impact of malicious activity, as {endpoint-cloud-sec} not only stops the activity but also erases any attack artifacts deployed prior to detection. + +Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature and is only supported for Windows endpoints. + +[CAUTION] +==== +This feature can cause permanent data loss since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but may also include incidental actions that aren't directly related to the threat. + +Also, rollback is triggered by _every_ {endpoint-cloud-sec} prevention alert, so you should tune your system to eliminate false positives before enabling this feature. +==== + +. In the {security-app}, go to *Manage* -> *Policies*, then select the integration policy you want to configure. +. Scroll down to the bottom of the policy and click *Show advanced settings*. +. Enter `true` for the setting `windows.advanced.alerts.rollback.self_healing.enabled`. +. Click *Save*. diff --git a/docs/management/admin/admin-pg-ov.asciidoc b/docs/management/admin/admin-pg-ov.asciidoc index e1fe9ea597..682e3c6702 100644 --- a/docs/management/admin/admin-pg-ov.asciidoc +++ b/docs/management/admin/admin-pg-ov.asciidoc 
@@ -85,7 +85,7 @@ NOTE: Users must have permission to read/write to {fleet} APIs to make changes t [role="screenshot"] image::images/integration-pg.png[Integration page] -Users who have unique configuration and security requirements can select **Show Advanced Settings** to configure the policy to support advanced use cases. Hover over each setting to view its description. +Users who have unique configuration and security requirements can select **Show advanced settings** to configure the policy to support advanced use cases. Hover over each setting to view its description. NOTE: Advanced settings are not recommended for most users.
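Review bot: In the configure-integration-policy.asciidoc hunk, the two new list items under `This section includes:` show empty cross-reference targets (`* <>`), so the diff does not let a reviewer confirm that they resolve to the `[[self-healing-rollback]]` anchor defined in the new file and to the existing diagnostic-data section; please verify both xref IDs before merge, since a dangling xref renders as a broken link rather than failing the build loudly. Placing the list after the `NOTE: Advanced settings are not recommended for most users.` admonition reads fine.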
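Review bot: The `leveloffset=+2` on the new `include::self-healing-rollback.asciidoc` line in index.asciidoc is consistent with the adjacent `endpoint-diagnostic-data.asciidoc` include, so the new page nests under the integration-policy page as intended and no change is needed there; just confirm that its position (after diagnostic data) matches the order of the two xrefs in the `This section includes:` list in configure-integration-policy.asciidoc so the list and the rendered table of contents agree.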
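Review bot: The procedure in the new self-healing-rollback.asciidoc only documents enabling the feature (step 3: `Enter \`true\` for the setting \`windows.advanced.alerts.rollback.self_healing.enabled\``); given the CAUTION about permanent data loss, add a sentence stating how to turn it back off (set the same setting to `false` and save) so an administrator who sees unwanted rollbacks has a documented reversal path. Two smaller points: the sentence `File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert).` packs two different windows into one parenthetical, and splitting it (changes made in the five minutes before the alert are reverted; the state they are restored to may date from up to two hours before the alert) would stop readers conflating the two numbers. And since the CAUTION stresses that rollback fires on _every_ prevention alert, consider pointing readers to where the policy's prevention settings are configured, so the advice to eliminate false positives first is actionable from this page.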
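Review bot: The capitalization fix to **Show advanced settings** in admin-pg-ov.asciidoc brings it in line with the same sentence in configure-integration-policy.asciidoc, but the two files now carry a verbatim duplicate paragraph plus the identical `NOTE:` admonition; consider moving that text into a shared snippet included from both pages so wording changes like this one only need to be made once. Also check that `images/integration-pg.png`, which sits directly above this sentence, does not still show the old **Show Advanced Settings** label.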