Merged
2 changes: 1 addition & 1 deletion docs/management/admin/endpoint-artifacts.asciidoc
Expand Up @@ -16,7 +16,7 @@ a| *_Prevents {elastic-endpoint} from monitoring a process._* Use to avoid confl

* Creates intentional blind spots in your security environment — use sparingly!
* Doesn't monitor the application for threats, nor does it generate alerts, even if it behaves like malware, ransomware, etc.
* Doesn't generate events for the application except process events for visualizations.
* Doesn't generate events for the application except process events for visualizations and other internal use by the {stack}.
* Might improve performance, since {elastic-endpoint} monitors fewer processes.
* Might still generate malicious behavior alerts, if the application's process events indicate malicious behavior. To suppress alerts, create <<endpoint-rule-exceptions,Endpoint alert exceptions>>.
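
Review bot: In the reworded bullet ("...except process events for visualizations and other internal use by the {stack}"), "other internal use" does not tell the reader what still consumes these events or that they can be kept out of {es}. The companion change in trusted-apps.asciidoc points to <<event-filters,event filter>> for exactly that, so consider adding the same cross-reference to this bullet. This list is where readers compare what each artifact type still records, and the first bullet already warns about intentional blind spots, so the remaining telemetry should be stated as precisely here as on the trusted applications page.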

2 changes: 2 additions & 0 deletions docs/management/admin/trusted-apps.asciidoc
Expand Up @@ -14,6 +14,8 @@ Trusted applications create blindspots for {elastic-defend}, because the applica

Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an <<endpoint-rule-exceptions,Endpoint alert exception>>, which prevents {elastic-defend} from generating alerts. To compare trusted applications with other endpoint artifacts, refer to <<endpoint-artifacts>>.

Additionally, trusted applications still generate process events for visualizations and other internal use by the {stack}. To prevent process events from being written to {es}, use an <<event-filters,event filter>> to filter out the specific events that you don't want stored in {es}, but be aware that features that depend on these process events may not function correctly.

By default, a trusted application is recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a trusted application to a specific {elastic-defend} integration policy, enabling the application to be trusted by only the hosts assigned to that policy.

To add a trusted application:
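
Review bot: The caveat that closes the added paragraph ("features that depend on these process events may not function correctly") names no features, so an administrator cannot judge what stops working before adding the event filter. Name the affected features or link to where they are listed, and consider ending the sentence before "but be aware" so the warning stands on its own. While this file is being touched, the context line in the hunk header writes "blindspots" where endpoint-artifacts.asciidoc uses "blind spots"; aligning the two would keep the wording consistent.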