diff --git a/docs/management/admin/admin-pg-ov.asciidoc b/docs/management/admin/admin-pg-ov.asciidoc index 3aa98707d9..ffb9789fd7 100644 --- a/docs/management/admin/admin-pg-ov.asciidoc +++ b/docs/management/admin/admin-pg-ov.asciidoc @@ -3,12 +3,13 @@ The Endpoints page allows administrators to view and manage endpoints that are running the <>. -[NOTE] -===== -{fleet} must be enabled in a {kib} space for administrative actions to function correctly. +.Requirements +[sidebar] +-- +* {fleet} must be enabled in a {kib} space for administrative actions to function correctly. -You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. -===== +* You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. +-- [[endpoints-list-ov]] [discrete] diff --git a/docs/management/admin/blocklist.asciidoc b/docs/management/admin/blocklist.asciidoc index e7dae6733c..442e4e1199 100644 --- a/docs/management/admin/blocklist.asciidoc +++ b/docs/management/admin/blocklist.asciidoc 
@@ -6,12 +6,13 @@ The blocklist allows you to prevent specified applications from running on hosts The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to <>. -[NOTE] -===== -In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {elastic-defend} integration policy in the <>. This setting is enabled by default. +.Requirements +[sidebar] +-- +* In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {elastic-defend} integration policy in the <>. This setting is enabled by default. -You must have the built-in `superuser` role to access the blocklist. For more information, refer to {ref}/built-in-users.html[Built-in users]. -===== +* You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. +-- By default, a blocklist entry is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a blocklist entry to specific {elastic-defend} integration policies, which blocks the process only on hosts assigned to that policy. diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 7ef54dad10..9e15a9ce34 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc 
@@ -6,7 +6,11 @@ Event filters allow you to filter endpoint events that you do not need or want s Event filters do not lower CPU usage on hosts; {elastic-endpoint} still monitors events to detect and prevent possible threats, but without writing event data to {es}. To compare event filters with other endpoint artifacts, refer to <>. -NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +.Requirements +[sidebar] +-- +You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. +-- IMPORTANT: Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters. diff --git a/docs/management/admin/host-isolation-exceptions.asciidoc b/docs/management/admin/host-isolation-exceptions.asciidoc index c9cc830d34..a9d0da0cff 100644 --- a/docs/management/admin/host-isolation-exceptions.asciidoc +++ b/docs/management/admin/host-isolation-exceptions.asciidoc 
@@ -6,7 +6,11 @@ You can configure host isolation exceptions for specific IP addresses that <> for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. -Host isolation is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. +.Requirements +[sidebar] +-- +* Host isolation is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature. -[NOTE] -========================= -For {stack} version >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: +* For {stack} versions >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: -* CentOS/RHEL 8 -* Debian 11 -* Ubuntu 18.04 -* Ubuntu 20.04 -* Ubuntu 22.04 -* AWS Linux 2 +** CentOS/RHEL 8 +** Debian 11 +** Ubuntu 18.04, 20.04, and 22.04 +** AWS Linux 2 -To isolate and release hosts in any operating system, you must have the built-in `superuser` role. For more information, refer to {ref}/built-in-users.html[Built-in users]. -========================= +* To isolate and release hosts in any operating system, you must have the `superuser` {ref}/built-in-roles.html[built-in user role]. +-- [role="screenshot"] image::images/isolated-host.png[Endpoint page highlighting a host that's been isolated] diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 4295c32bb7..73b8ac5c04 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc 
@@ -12,7 +12,7 @@ Response actions are supported on all endpoint platforms (Linux, macOS, and Wind * Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions. -* You must have the `superuser` {ref}/built-in-users.html[built-in user role] to access the response console. +* You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. -- [role="screenshot"] diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index fb1324f963..2c1780716d 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc @@ -4,7 +4,11 @@ You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {elastic-defend} integration. -NOTE: You must have the built-in `superuser` role to access this feature. For more information, refer to {ref}/built-in-users.html[Built-in users]. +.Requirements +[sidebar] +-- +You must have the `superuser` {ref}/built-in-roles.html[built-in user role] to access this feature. +-- Trusted applications create blindspots for {elastic-defend}, because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors -- such as antivirus software -- to execute their malicious DLLs. Such activity appears to originate from the trusted application's process.
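Review bot: In the admin-pg-ov.asciidoc hunk, the new link text `{ref}/built-in-roles.html[built-in user role]` is slightly misleading, since `superuser` is a role rather than a user; consider "the `superuser` {ref}/built-in-roles.html[built-in role]" so the wording matches the target page (built-in-roles.html). This same phrase is introduced in every hunk of the patch, so the change should be applied consistently across all six files.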
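Review bot: In the event-filters.asciidoc and trusted-apps.asciidoc hunks the new `.Requirements` sidebar holds a single bare sentence, while the other four hunks render their requirements as `*` bullet items; consider making the single-entry sidebars bullets too (`* You must have the ...`) so the sidebars look uniform across the admin pages, or state in the PR description that single-item sidebars are deliberately unbulleted.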
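Review bot: In the host-isolation-exceptions.asciidoc hunk, the former version-conditional line "For {stack} version >= 7.15.0" now lives inside the sidebar as a bullet with a nested `**` list; that is valid AsciiDoc, but please double-check the rendered output, because a nested list inside a `[sidebar]` open block is the one construct here that is not used on the other pages. Collapsing "Ubuntu 18.04 / 20.04 / 22.04" into one item ("Ubuntu 18.04, 20.04, and 22.04") is fine and loses no information.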
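Review bot: In the response-actions.asciidoc hunk, replacing "to access the response console" with "to access this feature" drops a useful specific: the requirement applied to the response console in particular, and "this feature" is ambiguous on a page that covers several response actions. If the goal is consistent wording across pages, consider keeping the noun, e.g. "to access the response console", and likewise "to access the blocklist" in the blocklist.asciidoc hunk, since the link change alone achieves the consistency the patch is after.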