From d6802e8425493b16499b67df5d4a5415141c6979 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 19 Oct 2022 17:00:45 -0400 Subject: [PATCH 1/3] Reformat into sidebars --- docs/management/admin/admin-pg-ov.asciidoc | 11 ++++--- docs/management/admin/blocklist.asciidoc | 11 ++++--- docs/management/admin/event-filters.asciidoc | 6 +++- .../admin/host-isolation-exceptions.asciidoc | 6 +++- .../admin/host-isolation-ov.asciidoc | 31 ++++++++++--------- docs/management/admin/trusted-apps.asciidoc | 6 +++- 6 files changed, 43 insertions(+), 28 deletions(-) diff --git a/docs/management/admin/admin-pg-ov.asciidoc b/docs/management/admin/admin-pg-ov.asciidoc index 3aa98707d9..46b6313fd5 100644 --- a/docs/management/admin/admin-pg-ov.asciidoc +++ b/docs/management/admin/admin-pg-ov.asciidoc @@ -3,12 +3,13 @@ The Endpoints page allows administrators to view and manage endpoints that are running the <>. -[NOTE] -===== -{fleet} must be enabled in a {kib} space for administrative actions to function correctly. +.Requirements +[sidebar] +-- +* {fleet} must be enabled in a {kib} space for administrative actions to function correctly. -You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. -===== +* You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +-- [[endpoints-list-ov]] [discrete] diff --git a/docs/management/admin/blocklist.asciidoc b/docs/management/admin/blocklist.asciidoc index e7dae6733c..b811da0f98 100644 --- a/docs/management/admin/blocklist.asciidoc +++ b/docs/management/admin/blocklist.asciidoc 
@@ -6,12 +6,13 @@ The blocklist allows you to prevent specified applications from running on hosts The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to <>. -[NOTE] -===== -In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {elastic-defend} integration policy in the <>. This setting is enabled by default. +.Requirements +[sidebar] +-- +* In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {elastic-defend} integration policy in the <>. This setting is enabled by default. -You must have the built-in `superuser` role to access the blocklist. For more information, refer to {ref}/built-in-users.html[Built-in users]. -===== +* You must have the built-in `superuser` role to access the blocklist. For more information, refer to {ref}/built-in-users.html[Built-in users]. +-- By default, a blocklist entry is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a blocklist entry to specific {elastic-defend} integration policies, which blocks the process only on hosts assigned to that policy. diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 7ef54dad10..78fc1691ef 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc 
@@ -6,7 +6,11 @@ Event filters allow you to filter endpoint events that you do not need or want s Event filters do not lower CPU usage on hosts; {elastic-endpoint} still monitors events to detect and prevent possible threats, but without writing event data to {es}. To compare event filters with other endpoint artifacts, refer to <>. -NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +.Requirements +[sidebar] +-- +You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +-- IMPORTANT: Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters. diff --git a/docs/management/admin/host-isolation-exceptions.asciidoc b/docs/management/admin/host-isolation-exceptions.asciidoc index c9cc830d34..c3d340c0bf 100644 --- a/docs/management/admin/host-isolation-exceptions.asciidoc +++ b/docs/management/admin/host-isolation-exceptions.asciidoc 
@@ -6,7 +6,11 @@ You can configure host isolation exceptions for specific IP addresses that <> for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. -Host isolation is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. - -[NOTE] -========================= -For {stack} version >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: - -* CentOS/RHEL 8 -* Debian 11 -* Ubuntu 18.04 -* Ubuntu 20.04 -* Ubuntu 22.04 -* AWS Linux 2 - -To isolate and release hosts in any operating system, you must have the built-in `superuser` role. For more information, refer to {ref}/built-in-users.html[Built-in users]. -========================= +.Requirements +[sidebar] +-- +* Host isolation is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. + +* For {stack} version >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: + +** CentOS/RHEL 8 +** Debian 11 +** Ubuntu 18.04 +** Ubuntu 20.04 +** Ubuntu 22.04 +** AWS Linux 2 + +* To isolate and release hosts in any operating system, you must have the built-in `superuser` role. For more information, refer to {ref}/built-in-users.html[Built-in users]. +-- [role="screenshot"] image::images/isolated-host.png[Endpoint page highlighting a host that's been isolated] diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index fb1324f963..aaf362b6d1 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc 
@@ -4,7 +4,11 @@ You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {elastic-defend} integration. -NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +.Requirements +[sidebar] +-- +You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +-- Trusted applications create blindspots for {elastic-defend}, because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors -- such as antivirus software -- to execute their malicious DLLs. Such activity appears to originate from the trusted application's process. From 70e80017407cb12175e7381b392bb020a121b3e8 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Thu, 20 Oct 2022 12:06:39 -0400 Subject: [PATCH 2/3] Revise into a snappier statement --- docs/management/admin/admin-pg-ov.asciidoc | 2 +- docs/management/admin/blocklist.asciidoc | 2 +- docs/management/admin/event-filters.asciidoc | 2 +- docs/management/admin/host-isolation-exceptions.asciidoc | 2 +- docs/management/admin/host-isolation-ov.asciidoc | 2 +- docs/management/admin/response-actions.asciidoc | 2 +- docs/management/admin/trusted-apps.asciidoc | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/management/admin/admin-pg-ov.asciidoc b/docs/management/admin/admin-pg-ov.asciidoc index 46b6313fd5..ffb9789fd7 100644 --- a/docs/management/admin/admin-pg-ov.asciidoc +++ b/docs/management/admin/admin-pg-ov.asciidoc 
@@ -8,7 +8,7 @@ The Endpoints page allows administrators to view and manage endpoints that are r -- * {fleet} must be enabled in a {kib} space for administrative actions to function correctly. -* You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +* You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. -- [[endpoints-list-ov]] diff --git a/docs/management/admin/blocklist.asciidoc b/docs/management/admin/blocklist.asciidoc index b811da0f98..442e4e1199 100644 --- a/docs/management/admin/blocklist.asciidoc +++ b/docs/management/admin/blocklist.asciidoc @@ -11,7 +11,7 @@ The blocklist is not intended to broadly block benign applications for non-secur -- * In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {elastic-defend} integration policy in the <>. This setting is enabled by default. -* You must have the built-in `superuser` role to access the blocklist. For more information, refer to {ref}/built-in-users.html[Built-in users]. +* You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. -- By default, a blocklist entry is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a blocklist entry to specific {elastic-defend} integration policies, which blocks the process only on hosts assigned to that policy. diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 78fc1691ef..9e15a9ce34 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc 
@@ -9,7 +9,7 @@ Event filters do not lower CPU usage on hosts; {elastic-endpoint} still monitors .Requirements [sidebar] -- -You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. -- IMPORTANT: Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters. diff --git a/docs/management/admin/host-isolation-exceptions.asciidoc b/docs/management/admin/host-isolation-exceptions.asciidoc index c3d340c0bf..a9d0da0cff 100644 --- a/docs/management/admin/host-isolation-exceptions.asciidoc +++ b/docs/management/admin/host-isolation-exceptions.asciidoc @@ -9,7 +9,7 @@ Host isolation exceptions support IPv4 addresses, with optional classless inter- .Requirements [sidebar] -- -You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. -- IMPORTANT: Each host isolation exception IP address should be a highly trusted and secure location since you're allowing it to communicate with hosts that have been isolated to prevent a potential threat from spreading. diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index 418532e62d..f6d3a8c502 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc 
@@ -20,7 +20,7 @@ Isolated hosts, however, can still send data to {es} and {kib}. You can also cre ** Ubuntu 22.04 ** AWS Linux 2 -* To isolate and release hosts in any operating system, you must have the built-in `superuser` role. For more information, refer to {ref}/built-in-users.html[Built-in users]. +* To isolate and release hosts in any operating system, you must have the `superuser` {ref}/built-in-roles.html[built-in user role]. -- [role="screenshot"] diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 4295c32bb7..73b8ac5c04 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -12,7 +12,7 @@ Response actions are supported on all endpoint platforms (Linux, macOS, and Wind * Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions. -* You must have the `superuser` {ref}/built-in-users.html[built-in user role] to access the response console. +* You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. -- [role="screenshot"] diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index aaf362b6d1..2c1780716d 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc 
@@ -7,7 +7,7 @@ You can add Windows, macOS, and Linux applications that should be trusted, such .Requirements [sidebar] -- -You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. -- Trusted applications create blindspots for {elastic-defend}, because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors -- such as antivirus software -- to execute their malicious DLLs. Such activity appears to originate from the trusted application's process. From 4f58267255ef9a78ce4500ffbab90ef04e1ef357 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 24 Oct 2022 13:43:21 -0400 Subject: [PATCH 3/3] Apply suggestions from Ben's review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/management/admin/host-isolation-ov.asciidoc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index f6d3a8c502..4d4f596bfc 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc 
@@ -11,13 +11,11 @@ Isolated hosts, however, can still send data to {es} and {kib}. You can also cre -- * Host isolation is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. -* For {stack} version >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: +* For {stack} versions >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: ** CentOS/RHEL 8 ** Debian 11 -** Ubuntu 18.04 -** Ubuntu 20.04 -** Ubuntu 22.04 +** Ubuntu 18.04, 20.04, and 22.04 ** AWS Linux 2 * To isolate and release hosts in any operating system, you must have the `superuser` {ref}/built-in-roles.html[built-in user role].
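Review bot: the body shown under the host-isolation-exceptions.asciidoc header in PATCH 1/3 does not match its `@@ -6,7 +6,11 @@` hunk header: it removes a multi-line `[NOTE]` block containing the subscription statement and the Linux distribution list and ends on the `image::images/isolated-host.png` screenshot, which is the shape the diffstat attributes to host-isolation-ov.asciidoc (`31 ++++++++++---------`), while host-isolation-exceptions.asciidoc is listed at `6 +++-`, the same size as the event-filters and trusted-apps changes, and no `diff --git` header for host-isolation-ov.asciidoc appears anywhere in the series as rendered. Please regenerate the series so each hunk sits under its own file header, and confirm that host-isolation-exceptions.asciidoc receives the single-sentence Requirements sidebar that PATCH 2/3 later edits at `@@ -9,7 +9,7 @@`.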
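Review bot: the new link text `{ref}/built-in-roles.html[built-in user role]`, repeated in every PATCH 2/3 hunk, calls `superuser` a "user role" while the target is the built-in roles page; since `superuser` is a role and not a user, `{ref}/built-in-roles.html[built-in role]` matches the linked page and keeps the sentence accurate. The response-actions.asciidoc hunk also replaces "to access the response console" with "to access this feature", which drops the only wording that named the UI the role gates; consider keeping "the response console" there even though the generic phrasing is fine on the single-feature pages.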
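Review bot: in the PATCH 3/3 hunk, `For {stack} versions >= 7.15.0` leaves a comparison operator in running prose inside a requirements list; "For {stack} 7.15.0 and later" reads more naturally and avoids relying on how AsciiDoc renders `>=` literally. The collapsed `** Ubuntu 18.04, 20.04, and 22.04` item is a good simplification and the hunk's `-11,13 +11,11` line counts are consistent with the three removed and one added list items.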