From 201cedb446cb601018cd308e740daf267f97dad5 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Date: Fri, 2 Aug 2024 14:42:01 +0100
Subject: [PATCH 1/2] Adds Allowlist Elastic Endpoint in third-party antivirus apps page to serverless docs (#5639)
* Adds Allowlist Elastic Endpoint in third-party antivirus apps page to serverless docs
* Adds page description
* Apply suggestions from code review
Co-authored-by: Joe Peeples
* Removes div id
* Adds note to allowlist pages
---------
Co-authored-by: Joe Peeples
(cherry picked from commit f8e7ca6e32243193bcc4519304530e4cf8377d94)
# Conflicts:
# docs/serverless/edr-manage/trusted-apps-ov.mdx
# docs/serverless/serverless-security.docnav.json
---
 .../allowlist-endpoint-3rd-party-av.asciidoc | 2 +
 docs/management/admin/trusted-apps.asciidoc | 2 +
 .../allowlist-endpoint-3rd-party-av.mdx | 69 ++
 .../serverless/edr-manage/trusted-apps-ov.mdx | 105 +++
 .../serverless-security.docnav.json | 684 ++++++++++++++++++
 5 files changed, 862 insertions(+)
 create mode 100644 docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx
 create mode 100644 docs/serverless/edr-manage/trusted-apps-ov.mdx
 create mode 100644 docs/serverless/serverless-security.docnav.json
diff --git a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
index 3a53338b53..2dc920c781 100644
--- a/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
+++ b/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc
@@ -1,6 +1,8 @@
 [[allowlist-endpoint-3rd-party-av-apps]]
 = Allowlist Elastic Endpoint in third-party antivirus apps
+NOTE: If you use other antivirus (AV) software along with {elastic-defend}, you may need to add the other system as a trusted application in the {security-app}. Refer to <> for more information.
+
 Third-party antivirus (AV) applications may identify the expected behavior of {elastic-endpoint} as a potential threat. Add {elastic-endpoint}'s digital signatures and file paths to your AV software's allowlist to ensure {elastic-endpoint} continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
 NOTE: Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc
index 3a738a8dee..9bab1a50b2 100644
--- a/docs/management/admin/trusted-apps.asciidoc
+++ b/docs/management/admin/trusted-apps.asciidoc
@@ -2,6 +2,8 @@
 [chapter, role="xpack"]
 = Trusted applications
+NOTE: If you use {elastic-defend} along with other antivirus (AV) software, you might need to configure the other system to trust {elastic-endpoint}. Refer to <> for more information.
+
 You can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the {elastic-defend} integration.
 .Requirements
diff --git a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx
new file mode 100644
index 0000000000..992d8ac5d7
--- /dev/null
+++ b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx
@@ -0,0 +1,69 @@
+---
+slug: /serverless/security/allowlist-endpoint
+title: Allowlist ((elastic-endpoint)) in third-party antivirus apps
+description: Add ((elastic-endpoint)) as a trusted application in third-party antivirus (AV) software.
+tags: [ 'serverless', 'security', 'overview' ]
+status: in review
+---
+
+
+
+
+If you use other antivirus (AV) software along with ((elastic-defend)), you may need to add the other system as a trusted application in the ((security-app)). Refer to for more information.
+
+
+Third-party antivirus (AV) applications may identify the expected behavior of ((elastic-endpoint)) as a potential threat. Add ((elastic-endpoint))'s digital signatures and file paths to your AV software's allowlist to ensure ((elastic-endpoint)) continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
+
+
+Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
+
+
+## Allowlist ((elastic-endpoint)) on Windows
+
+File paths:
+
+* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys`
+* Driver: `c:\Windows\system32\drivers\ElasticElam.sys`
+* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe`
+
+
+ The executable runs as `elastic-endpoint.exe`.
+
+
+Digital signatures:
+
+* `Elasticsearch, Inc.`
+* `Elasticsearch B.V.`
+
+For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software).
+
+## Allowlist ((elastic-endpoint)) on macOS
+
+File paths:
+
+* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/`
+
+
+ The system extension runs as `co.elastic.systemextension`.
+
+
+* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint`
+
+
+ The executable runs as `elastic-endpoint`.
+
+
+Digital signatures:
+
+* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)`
+* Team ID: `2BT3HPN62Z`
+
+## Allowlist ((elastic-endpoint)) on Linux
+
+File path:
+
+* Executable: `/opt/Elastic/Endpoint/elastic-endpoint`
+
+
+ The executable runs as `elastic-endpoint`.
+
\ No newline at end of file
diff --git a/docs/serverless/edr-manage/trusted-apps-ov.mdx b/docs/serverless/edr-manage/trusted-apps-ov.mdx
new file mode 100644
index 0000000000..2576a17d41
--- /dev/null
+++ b/docs/serverless/edr-manage/trusted-apps-ov.mdx
@@ -0,0 +1,105 @@
+---
+slug: /serverless/security/trusted-applications
+title: Trusted applications
+# description: Description to be written
+tags: [ 'serverless', 'security', 'how-to' ]
+status: in review
+---
+
+
+
+
+If you use ((elastic-defend)) along with other antivirus (AV) software, you might need to configure the other system to trust ((elastic-endpoint)). Refer to for more information.
+
+
+On the **Trusted applications** page (**Assets** → **Trusted applications**), you can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the ((elastic-defend)) integration.
+
+
+
+You must have the appropriate user role to use this feature.
+{/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */}
+{/* You must have the **Trusted Applications** privilege to access this feature. */}
+
+
+
+Trusted applications create blindspots for ((elastic-defend)), because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application's process.
+
+Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an Endpoint alert exception, which prevents ((elastic-defend)) from generating alerts. To compare trusted applications with other endpoint artifacts, refer to .
+
+Additionally, trusted applications still generate process events for visualizations and other internal use by the ((stack)).
To prevent process events from being written to ((es)), use an event filter to filter out the specific events that you don't want stored in ((es)), but be aware that features that depend on these process events may not function correctly.
+
+By default, a trusted application is recognized globally across all hosts running ((elastic-defend)). You can also assign a trusted application to a specific ((elastic-defend)) integration policy, enabling the application to be trusted by only the hosts assigned to that policy.
+
+To add a trusted application:
+
+1. Go to **Manage** → **Trusted applications**.
+
+1. Click **Add trusted application**.
+
+1. Fill in the following fields in the **Add trusted application** flyout:
+
+ * `Name your trusted application`: Enter a name for the trusted application.
+
+ * `Description`(Optional): Enter a description for the trusted application.
+
+ * `Select operating system`: Select the appropriate operating system from the drop-down.
+
+ * `Field`: Select a field to identify the trusted application:
+ * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable.
+ * `Path`: The full file path of the application's executable.
+ * `Signature`: (Windows only) The name of the application's digital signer.
+
+
+ To find the signer's name for an application, go to **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).
+
+
+ * `Operator`: Select an operator to define the condition:
+ * `is`: Must be _exactly_ equal to `Value`; wildcards are not supported. This operation is required for the `Hash` and `Signature` field types.
+ * `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This operator is only available for the `Path` field type.
Available wildcards are `?` (match one character) and `*` (match zero or more characters).
+
+ * `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**.
+
+
+ You can only add a single field type value per trusted application. For example, if you try to add two `Path` values, you'll get an error message. Also, an application's hash value must be valid to add it as a trusted application. In addition, to minimize visibility gaps in the ((security-app)), be as specific as possible in your entries. For example, combine `Signature` information with a known `Path`.
+
+
+1. Select an option in the **Assignment** section to assign the trusted application to a specific integration policy:
+ * `Global`: Assign the trusted application to all integration policies for ((elastic-defend)).
+ * `Per Policy`: Assign the trusted application to one or more specific ((elastic-defend)) integration policies. Select each policy in which you want the application to be trusted.
+
+
+ You can also select the `Per Policy` option without immediately assigning a policy to the trusted application. For example, you could do this to create and review your trusted application configurations before putting them into action with a policy.
+
+
+1. Click **Add trusted application**. The application is added to the **Trusted applications** list.
+
+
+## View and manage trusted applications
+
+The **Trusted applications** page (**Assets** → **Trusted applications**) displays all the trusted applications that have been added to the ((security-app)). To refine the list, use the search bar to search by name, description, or field value.
+
+![](../images/trusted-apps-ov/-management-admin-trusted-apps-list.png)
+
+
+### Edit a trusted application
+You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to.
+
+To edit a trusted application:
+
+1. Click the actions menu (*...*) on the trusted application you want to edit, then select **Edit trusted application**.
+1. Modify details as needed.
+1. Click **Save**.
+
+
+### Delete a trusted application
+You can delete a trusted application, which removes it entirely from all ((elastic-defend)) integration policies.
+
+To delete a trusted application:
+
+1. Click the actions menu (*...*) on the trusted application you want to delete, then select **Delete trusted application**.
+1. On the dialog that opens, verify that you are removing the correct application, then click **Delete**. A confirmation message is displayed.
+
diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json
new file mode 100644
index 0000000000..d9ad8925bb
--- /dev/null
+++ b/docs/serverless/serverless-security.docnav.json
@@ -0,0 +1,684 @@ +{ + "mission": "Elastic Security", + "id": "serverless-security", + "landingPageSlug": "/serverless/security/what-is-security-serverless", + "icon": "logoSecurity", + "description": "Description to be written", + "items": [ + { + "slug": "/serverless/security/overview", + "classic-sources": [ "enSecurityEsOverview" ] + }, + { + "slug": "/serverless/security/security-billing" + }, + { + "slug": "/serverless/security/create-project" + }, + { + "slug": "/serverless/security/security-ui", + "classic-sources": [ "enSecurityEsUiOverview" ] + }, + { + "label": "AI for security", + "slug": "/serverless/security/ai-for-security", + "items": [ + { + "slug": "/serverless/security/ai-assistant" + }, + { + "slug": "/serverless/security/attack-discovery" + }, + { + "slug": "/serverless/security/llm-connector-guides", + "items": [ + { + "slug": "/serverless/security/connect-to-azure-openai" + }, + { + "slug": "/serverless/security/connect-to-bedrock" + }, + { + "slug": "/serverless/security/connect-to-openai" + }, + { + "slug": "/serverless/security/connect-to-google-vertex" + }, + { + "slug": "/serverless/security/connect-to-byo-llm" + } + ] + }, + { + "slug": "/serverless/security/ai-use-cases", + "items": [ + { + "slug": "/serverless/security/ai-usecase-incident-reporting" + }, + { + "slug": "/serverless/security/triage-alerts-with-elastic-ai-assistant" + }, + { + "slug": "/serverless/security/ai-assistant-esql-queries" + } + ] + }, + { + "slug": "/serverless/security/llm-performance-matrix" + } + ] + }, + { + "label": "Ingest data", + "slug": "/serverless/security/ingest-data", + "classic-sources": [ "enSecurityIngestData" ], + "items": [ + { + "slug": "/serverless/security/threat-intelligence", + "classic-sources": [ "enSecurityEsThreatIntelIntegrations" ] + } + ] + }, + { + "label": "Secure your endpoints", + "slug": "/serverless/security/install-edr", + "classic-sources": [ "enSecurityInstallEndpoint" ], + "items": [ + { + "label": "Prevent Agent 
uninstallation", + "slug": "/serverless/security/agent-tamper-protection" + }, + { + "label": "Configure an integration policy", + "slug": "/serverless/security/configure-endpoint-integration-policy", + "classic-sources": [ "enSecurityConfigureEndpointIntegrationPolicy" ], + "items": [ + { + "label": "Configure protection updates", + "slug": "/serverless/security/protection-artifact-control" + }, + { + "slug": "/serverless/security/endpoint-diagnostic-data", + "classic-sources": [ "enSecurityEndpointDiagnosticData" ] + }, + { + "label": "Self-healing rollback (Windows)", + "slug": "/serverless/security/self-healing-rollback", + "classic-sources": [ "enSecuritySelfHealingRollback" ] + }, + { + "label": "File system monitoring (Linux)", + "slug": "/serverless/security/linux-file-monitoring", + "classic-sources": [ "enSecurityLinuxFileMonitoring" ] + } + ] + }, + { + "slug": "/serverless/security/elastic-endpoint-deploy-reqs", + "classic-sources": [ "enSecurityElasticEndpointDeployReqs" ], + "items": [ + { + "label": "macOS Catalina through Monterey", + "slug": "/serverless/security/install-endpoint-manually", + "classic-sources": [ "enSecurityDeployElasticEndpoint" ] + }, + { + "label": "macOS Ventura and higher", + "slug": "/serverless/security/deploy-elastic-endpoint-ven", + "classic-sources": [ "enSecurityDeployElasticEndpointVen" ] + }, + { + "label": "Enable the Endgame sensor (Optional)", + "slug": "/serverless/security/endgame-sensor-full-disk-access", + "classic-sources": [ "enSecurityEndgameSensorFullDiskAccess" ] + } + ] + }, + { + "slug": "/serverless/security/uninstall-agent" + }, + { + "label": "Uninstall Elastic Endpoint", + "slug": "/serverless/security/uninstall-endpoint", + "classic-sources": [ "enSecurityUninstallEndpoint" ] + } + ] + }, + { + "slug": "/serverless/security/cloud-native-security-overview", + "classic-sources": [ "enSecurityCloudNativeSecurityOverview" ], + "items": [ + { + "slug": "/serverless/security/security-posture-management", + 
"classic-sources": [ "enSecuritySecurityPostureManagement" ] + }, + { + "slug": "/serverless/security/enable-cloudsec" + }, + { + "slug": "/serverless/security/cspm", + "classic-sources": [ "enSecurityCspm" ], + "items": [ + { + "slug": "/serverless/security/cspm-get-started", + "classic-sources": [ "enSecurityCspmGetStarted" ] + }, + { + "slug": "/serverless/security/cspm-get-started-gcp", + "classic-sources": [ "enSecurityCspmGetStartedGcp" ] + }, + { + "slug": "/serverless/security/cspm-get-started-azure", + "classic-sources": [ "enSecurityCspmGetStartedAzure" ] + }, + { + "slug": "/serverless/security/cspm-findings-page", + "classic-sources": [ "enSecurityCspmFindingsPage" ] + }, + { + "slug": "/serverless/security/benchmark-rules", + "classic-sources": [ "enSecurityCspmBenchmarkRules" ] + }, + { + "slug": "/serverless/security/cloud-posture-dashboard-dash", + "classic-sources": [ "enSecurityCloudPostureDashboard" ] + }, + { + "slug": "/serverless/security/cspm-security-posture-faq", + "classic-sources": [ "enSecurityCspmSecurityPostureFaq" ] + } + ] + }, + { + "slug": "/serverless/security/kspm", + "classic-sources": [ "enSecurityKspm" ], + "items": [ + { + "slug": "/serverless/security/get-started-with-kspm", + "classic-sources": [ "enSecurityGetStartedWithKspm" ] + }, + { + "slug": "/serverless/security/cspm-findings-page", + "classic-sources": [ "enSecurityCspmFindingsPage" ] + }, + { + "slug": "/serverless/security/benchmark-rules", + "classic-sources": [ "enSecurityBenchmarkRules" ] + }, + { + "slug": "/serverless/security/cloud-posture-dashboard-dash", + "classic-sources": [ "enSecurityCloudPostureDashboard" ] + }, + { + "slug": "/serverless/security/security-posture-faq", + "classic-sources": [ "enSecuritySecurityPostureFaq" ] + } + ] + }, + { + "slug": "/serverless/security/vuln-management-overview", + "classic-sources": [ "enSecurityVulnManagementOverview" ], + "items": [ + { + "slug": "/serverless/security/vuln-management-get-started", + 
"classic-sources": [ "enSecurityVulnManagementGetStarted" ] + }, + { + "slug": "/serverless/security/vuln-management-findings", + "classic-sources": [ "enSecurityVulnManagementFindings" ] + }, + { + "slug": "/serverless/security/vuln-management-dashboard-dash", + "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] + }, + { + "slug": "/serverless/security/vuln-management-faq", + "classic-sources": [ "enSecurityVulnManagementFaq" ] + } + ] + }, + { + "slug": "/serverless/security/d4c-overview", + "classic-sources": [ "enSecurityD4cOverview" ], + "items": [ + { + "slug": "/serverless/security/d4c-get-started", + "classic-sources": [ "enSecurityD4cGetStarted" ] + }, + { + "slug": "/serverless/security/d4c-policy-guide", + "classic-sources": [ "enSecurityD4cPolicyGuide" ] + }, + { + "slug": "/serverless/security/kubernetes-dashboard-dash", + "classic-sources": [ "enSecurityKubernetesDashboard" ] + } + ] + }, + { + "slug": "/serverless/security/cloud-workload-protection", + "classic-sources": [ "enSecurityCloudWorkloadProtection" ], + "items": [ + { + "slug": "/serverless/security/session-view", + "classic-sources": [ "enSecuritySessionView" ] + }, + { + "slug": "/serverless/security/environment-variable-capture", + "classic-sources": [ "enSecurityEnvironmentVariableCapture" ] + } + ] + } + ] + }, + { + "slug": "/serverless/security/explore-your-data", + "classic-sources": [ "enSecurityExploreYourData" ], + "items": [ + { + "slug": "/serverless/security/hosts-overview", + "classic-sources": [ "enSecurityHostsOverview" ] + }, + { + "slug": "/serverless/security/network-page-overview", + "classic-sources": [ "enSecurityNetworkPageOverview" ] + }, + { + "slug": "/serverless/security/users-page", + "classic-sources": [ "enSecurityUsersPage" ] + }, + { + "slug": "/serverless/security/data-views-in-sec", + "classic-sources": [ "enSecurityDataViewsInSec" ] + }, + { + "label": "Create runtime fields", + "slug": "/serverless/security/runtime-fields", + 
"classic-sources": [ "enSecurityRuntimeFields" ] + }, + { + "slug": "/serverless/security/siem-field-reference", + "classic-sources": [ "enSecuritySiemFieldReference" ] + } + ] + }, + { + "slug": "/serverless/security/dashboards-overview", + "classic-sources": [ "enSecurityDashboardsOverview" ], + "items": [ + { + "label": "Overview", + "slug": "/serverless/security/overview-dashboard", + "classic-sources": [ "enSecurityOverviewDashboard" ] + }, + { + "label": "Detection & Response", + "slug": "/serverless/security/detection-response-dashboard", + "classic-sources": [ "enSecurityDetectionResponseDashboard" ] + }, + { + "label": "Kubernetes", + "slug": "/serverless/security/kubernetes-dashboard-dash", + "classic-sources": [ "enSecurityKubernetesDashboard" ] + }, + { + "label": "Cloud Security Posture", + "slug": "/serverless/security/cloud-posture-dashboard-dash", + "classic-sources": [ "enSecurityCloudPostureDashboard" ] + }, + { + "label": "Entity Analytics", + "slug": "/serverless/security/detection-entity-dashboard", + "classic-sources": [ "enSecurityDetectionEntityDashboard" ] + }, + { + "label": "Data Quality", + "slug": "/serverless/security/data-quality-dash" + }, + { + "label": "Cloud Native Vulnerability Management", + "slug": "/serverless/security/vuln-management-dashboard-dash", + "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] + }, + { + "label": "Detection rule monitoring", + "slug": "/serverless/security/rule-monitoring-dashboard", + "classic-sources": [ "enSecurityRuleMonitoringDashboard" ] + } ] + }, + { + "slug": "/serverless/security/detection-engine-overview", + "classic-sources": [ "enSecurityDetectionEngineOverview" ] + }, + { + "label": "Rules", + "slug": "/serverless/security/about-rules", + "classic-sources": [ "enSecurityAboutRules" ], + "items": [ + { + "slug": "/serverless/security/rules-create", + "classic-sources": [ "enSecurityRulesUiCreate" ], + "items": [ + { + "slug": 
"/serverless/security/interactive-investigation-guides", + "classic-sources": [ "enSecurityInteractiveInvestigationGuides" ] + }, + { + "slug": "/serverless/security/building-block-rules", + "classic-sources": [ "enSecurityBuildingBlockRule" ] + } + ] + }, + { + "label": "Use Elastic prebuilt rules", + "slug": "/serverless/security/prebuilt-rules-management", + "classic-sources": [ "enSecurityPrebuiltRulesManagement" ] + }, + { + "slug": "/serverless/security/rules-ui-management", + "classic-sources": [ "enSecurityRulesUiManagement" ] + }, + { + "slug": "/serverless/security/alerts-ui-monitor", + "classic-sources": [ "enSecurityAlertsUiMonitor" ] + }, + { + "slug": "/serverless/security/rule-exceptions", + "classic-sources": [ "enSecurityDetectionsUiExceptions" ], + "items": [ + { + "slug": "/serverless/security/value-lists-exceptions", + "classic-sources": [ "enSecurityValueListsExceptions" ] + }, + { + "slug": "/serverless/security/add-exceptions", + "classic-sources": [ "enSecurityAddExceptions" ] + }, + { + "slug": "/serverless/security/shared-exception-lists", + "classic-sources": [ "enSecuritySharedExceptionLists" ] + } + ] + }, + { + "slug": "/serverless/security/rules-coverage", + "classic-sources": [ "enSecurityRulesCoverage" ] + }, + { + "slug": "/serverless/security/tune-detection-signals", + "classic-sources": [ "enSecurityTuningDetectionSignals" ] + }, + { + "slug": "/serverless/security/ts-detection-rules", + "classic-sources": [ "enSecurityTsDetectionRules" ] + }, + { + "slug": "/serverless/security/prebuilt-rules", + "classic-sources": [ "enSecurityPrebuiltRules" ], + "classic-skip": true + } + ] + }, + { + "label": "Alerts", + "slug": "/serverless/security/alerts-manage", + "classic-sources": [ "enSecurityAlertsUiManage" ], + "items": [ + { + "label": "Visualize alerts", + "slug": "/serverless/security/visualize-alerts", + "classic-sources": [ "enSecurityVisualizeAlerts" ] + }, + { + "label": "View alert details", + "slug": 
"/serverless/security/view-alert-details", + "classic-sources": [ "enSecurityViewAlertDetails" ] + }, + { + "label": "Add alerts to cases", + "slug": "/serverless/security/signals-to-cases", + "classic-sources": [ "enSecuritySignalsToCases" ] + }, + { + "label": "Suppress alerts", + "slug": "/serverless/security/alert-suppression", + "classic-sources": [ "enSecurityAlertSuppression" ] + }, + { + "slug": "/serverless/security/reduce-notifications-alerts", + "classic-sources": [ "enSecurityReduceNotificationsAlerts" ] + }, + { + "slug": "/serverless/security/visual-event-analyzer", + "classic-sources": [ "enSecurityVisualEventAnalyzer" ] + }, + { + "slug": "/serverless/security/query-alert-indices", + "classic-sources": [ "enSecurityQueryAlertIndices" ] + }, + { + "slug": "/serverless/security/alert-schema", + "classic-sources": [ "enSecurityAlertSchema" ] + } + ] + }, + { + "label": "Advanced Entity Analytics", + "slug": "/serverless/security/advanced-entity-analytics", + "items": [ + { + "label": "Entity risk scoring", + "slug": "/serverless/security/entity-risk-scoring", + "items": [ + { + "label": "Asset criticality", + "slug": "/serverless/security/asset-criticality" + }, + { + "label": "Turn on risk scoring", + "slug": "/serverless/security/turn-on-risk-engine" + }, + { + "label": "View risk score data", + "slug": "/serverless/security/analyze-risk-score-data" + } + ] + }, + { + "label": "Advanced behavioral detections", + "slug": "/serverless/security/advanced-behavioral-detections", + "items": [ + { + "slug": "/serverless/security/machine-learning", + "classic-sources": [ "enSecurityMachineLearning" ] + }, + { + "slug": "/serverless/security/tuning-anomaly-results", + "classic-sources": [ "enSecurityTuningAnomalyResults" ] + }, + { + "slug": "/serverless/security/behavioral-detection-use-cases" + }, + { + "slug": "/serverless/security/prebuilt-ml-jobs", + "classic-sources": [ "enSecurityPrebuiltMlJobs" ] + } + ] + } + ] + }, + { + "slug": 
"/serverless/security/investigate-events", + "classic-sources": [ "enSecurityInvestigateEvents" ], + "items": [ + { + "slug": "/serverless/security/timelines-ui", + "classic-sources": [ "enSecurityTimelinesUi" ], + "items": [ + { + "slug": "/serverless/security/timeline-templates-ui", + "classic-sources": [ "enSecurityTimelineTemplatesUi" ] + }, + { + "slug": "/serverless/security/timeline-object-schema", + "classic-sources": [ "enSecurityTimelineObjectSchema" ] + } + ] + }, + { + "slug": "/serverless/security/cases-overview", + "classic-sources": [ "enSecurityCasesOverview" ], + "items": [ + { + "slug": "/serverless/security/cases-open-manage", + "classic-sources": [ "enSecurityCasesOpenManage" ] + }, + { + "slug": "/serverless/security/cases-settings" + } + ] + }, + { + "slug": "/serverless/security/indicators-of-compromise", + "classic-sources": [ "enSecurityIndicatorsOfCompromise" ] + } + ] + }, + { + "slug": "/serverless/security/query-operating-systems", + "classic-sources": [ "enSecurityUseOsquery" ], + "items": [ + { + "slug": "/serverless/security/osquery-response-action", + "classic-sources": [ "enSecurityOsqueryResponseAction" ] + }, + { + "slug": "/serverless/security/invest-guide-run-osquery", + "classic-sources": [ "enSecurityInvestGuideRunOsquery" ] + }, + { + "slug": "/serverless/security/alerts-run-osquery", + "classic-sources": [ "enSecurityAlertsRunOsquery" ] + }, + { + "slug": "/serverless/security/examine-osquery-results", + "classic-sources": [ "enSecurityViewOsqueryResults" ] + }, + { + "slug": "/serverless/security/osquery-placeholder-fields", + "classic-sources": [ "enSecurityOsqueryPlaceholderFields" ] + } + ] + }, + { + "slug": "/serverless/security/response-actions", + "classic-sources": [ "enSecurityResponseActions" ], + "items": [ + { + "slug": "/serverless/security/automated-response-actions" + }, + { + "slug": "/serverless/security/isolate-host", + "classic-sources": [ "enSecurityHostIsolationOv" ] + }, + { + "slug": 
"/serverless/security/response-actions-history", + "classic-sources": [ "enSecurityResponseActionsHistory" ] + }, + { + "slug": "/serverless/security/third-party-actions" + }, + { + "slug": "/serverless/security/response-actions-config" + } + ] + }, + { + "slug": "/serverless/security/manage-endpoint-protection", + "classic-sources": [ "enSecuritySecManageIntro" ], + "items": [ + { + "slug": "/serverless/security/endpoints-page", + "classic-sources": [ "enSecurityAdminPageOv" ] + }, + { + "slug": "/serverless/security/policies-page", + "classic-sources": [ "enSecurityPoliciesPageOv" ] + }, + { + "slug": "/serverless/security/trusted-applications", + "classic-sources": [ "enSecurityTrustedAppsOv" ] + }, + { + "slug": "/serverless/security/event-filters", + "classic-sources": [ "enSecurityEventFilters" ] + }, + { + "slug": "/serverless/security/host-isolation-exceptions", + "classic-sources": [ "enSecurityHostIsolationExceptions" ] + }, + { + "slug": "/serverless/security/blocklist", + "classic-sources": [ "enSecurityBlocklist" ] + }, + { + "slug": "/serverless/security/endpoint-event-capture" + }, + { + "slug": "/serverless/security/optimize-edr", + "classic-sources": [ "enSecurityEndpointArtifacts" ] + }, + { + "slug": "/serverless/security/allowlist-endpoint" + }, + { + "slug": "/serverless/security/troubleshoot-endpoints", + "classic-sources": [ "enSecurityTsManagement" ] + } + ] + }, + { + "slug": "/serverless/security/asset-management" + }, + { + "slug": "/serverless/security/manage-settings", + "items": [ + { + "slug": "/serverless/security/project-settings" + }, + { + "slug": "/serverless/security/advanced-settings", + "classic-sources": [ "enSecurityAdvancedSettings" ] + }, + { + "slug": "/serverless/security/requirements-overview", + "classic-sources": [ "enSecuritySecRequirements" ], + "items": [ + { + "slug": "/serverless/security/detections-requirements", + "classic-sources": [ "enSecurityDetectionsPermissionsSection" ] + }, + { + "slug": 
"/serverless/security/cases-requirements", + "classic-sources": [ "enSecurityCasePermissions" ] + }, + { + "slug": "/serverless/security/ers-requirements" + }, + { + "slug": "/serverless/security/ml-requirements", + "classic-sources": [ "enSecurityMlRequirements" ] + }, + { + "slug": "/serverless/security/conf-map-ui", + "classic-sources": [ "enSecurityConfMapUi" ] + } + ] + } + ] + }, + { + "slug": "/serverless/security/security-technical-preview-limitations" + } + ] +} From 6f170ca16cff4183a5b147e7644e2e60dcf813e9 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 2 Aug 2024 13:46:12 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../allowlist-endpoint-3rd-party-av.mdx | 69 -- .../serverless/edr-manage/trusted-apps-ov.mdx | 105 --- .../serverless-security.docnav.json | 684 ------------------ 3 files changed, 858 deletions(-) delete mode 100644 docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx delete mode 100644 docs/serverless/edr-manage/trusted-apps-ov.mdx delete mode 100644 docs/serverless/serverless-security.docnav.json diff --git a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx deleted file mode 100644 index 992d8ac5d7..0000000000 --- a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.mdx +++ /dev/null 
@@ -1,69 +0,0 @@
----
-slug: /serverless/security/allowlist-endpoint
-title: Allowlist ((elastic-endpoint)) in third-party antivirus apps
-description: Add ((elastic-endpoint)) as a trusted application in third-party antivirus (AV) software.
-tags: [ 'serverless', 'security', 'overview' ]
-status: in review
----
-
-
-
-
-If you use other antivirus (AV) software along with ((elastic-defend)), you may need to add the other system as a trusted application in the ((security-app)). Refer to for more information.
-
-
-Third-party antivirus (AV) applications may identify the expected behavior of ((elastic-endpoint)) as a potential threat. Add ((elastic-endpoint))'s digital signatures and file paths to your AV software's allowlist to ensure ((elastic-endpoint)) continues to function as intended. We recommend you allowlist both the file paths and digital signatures, if applicable.
-
-
-Your AV software may refer to allowlisted processes as process exclusions, ignored processes, or trusted processes. It is important to note that file, folder, and path-based exclusions/exceptions are distinct from trusted applications and will not achieve the same result. This page explains how to ignore actions taken by processes, not how to ignore the files that spawned those processes.
-
-
-## Allowlist ((elastic-endpoint)) on Windows
-
-File paths:
-
-* ELAM driver: `c:\Windows\system32\drivers\elastic-endpoint-driver.sys`
-* Driver: `c:\Windows\system32\drivers\ElasticElam.sys`
-* Executable: `c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe`
-
- The executable runs as `elastic-endpoint.exe`.
-
-
-Digital signatures:
-
-* `Elasticsearch, Inc.`
-* `Elasticsearch B.V.`
-
-For additional information about allowlisting on Windows, refer to [Trusting Elastic Defend in other software](https://github.com/elastic/endpoint/blob/main/PerformanceIssues-Windows.md#trusting-elastic-defend-in-other-software).
-
-## Allowlist ((elastic-endpoint)) on macOS
-
-File paths:
-
-* System extension (recursive directory structure): `/Applications/ElasticEndpoint.app/`
-
-
- The system extension runs as `co.elastic.systemextension`.
-
-
-* Executable: `/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint`
-
-
- The executable runs as `elastic-endpoint`.
-
-
-Digital signatures:
-
-* Authority/Developer ID Application: `Elasticsearch, Inc (2BT3HPN62Z)`
-* Team ID: `2BT3HPN62Z`
-
-## Allowlist ((elastic-endpoint)) on Linux
-
-File path:
-
-* Executable: `/opt/Elastic/Endpoint/elastic-endpoint`
-
-
- The executable runs as `elastic-endpoint`.
-
\ No newline at end of file
diff --git a/docs/serverless/edr-manage/trusted-apps-ov.mdx b/docs/serverless/edr-manage/trusted-apps-ov.mdx
deleted file mode 100644
index 2576a17d41..0000000000
--- a/docs/serverless/edr-manage/trusted-apps-ov.mdx
+++ /dev/null
@@ -1,105 +0,0 @@
----
-slug: /serverless/security/trusted-applications
-title: Trusted applications
-# description: Description to be written
-tags: [ 'serverless', 'security', 'how-to' ]
-status: in review
----
-
-
-
-
-If you use ((elastic-defend)) along with other antivirus (AV) software, you might need to configure the other system to trust ((elastic-endpoint)). Refer to for more information.
-
-
-On the **Trusted applications** page (**Assets** → **Trusted applications**), you can add Windows, macOS, and Linux applications that should be trusted, such as other antivirus or endpoint security applications. Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software installed on your hosts. Trusted applications apply only to hosts running the ((elastic-defend)) integration.
-
-
-
-You must have the appropriate user role to use this feature.
-{/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */}
-{/* You must have the **Trusted Applications** privilege to access this feature. */}
-
-
-
-Trusted applications create blindspots for ((elastic-defend)), because the applications are no longer monitored for threats. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted application's process.
-
-Trusted applications might still generate alerts in some cases, such as if the application's process events indicate malicious behavior. To reduce false positive alerts, add an Endpoint alert exception, which prevents ((elastic-defend)) from generating alerts. To compare trusted applications with other endpoint artifacts, refer to .
-
-Additionally, trusted applications still generate process events for visualizations and other internal use by the ((stack)). 
To prevent process events from being written to ((es)), use an event filter to filter out the specific events that you don't want stored in ((es)), but be aware that features that depend on these process events may not function correctly.
-
-By default, a trusted application is recognized globally across all hosts running ((elastic-defend)). You can also assign a trusted application to a specific ((elastic-defend)) integration policy, enabling the application to be trusted by only the hosts assigned to that policy.
-
-To add a trusted application:
-
-1. Go to **Manage** → **Trusted applications**.
-
-1. Click **Add trusted application**.
-
-1. Fill in the following fields in the **Add trusted application** flyout:
-
- * `Name your trusted application`: Enter a name for the trusted application.
-
- * `Description`(Optional): Enter a description for the trusted application.
-
- * `Select operating system`: Select the appropriate operating system from the drop-down.
-
- * `Field`: Select a field to identify the trusted application:
- * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable.
- * `Path`: The full file path of the application's executable.
- * `Signature`: (Windows only) The name of the application's digital signer.
-
-
- To find the signer's name for an application, go to **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).
-
-
- * `Operator`: Select an operator to define the condition:
- * `is`: Must be _exactly_ equal to `Value`; wildcards are not supported. This operation is required for the `Hash` and `Signature` field types.
- * `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This operator is only available for the `Path` field type. 
Available wildcards are `?` (match one character) and `*` (match zero or more characters).
-
- * `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**.
-
-
- You can only add a single field type value per trusted application. For example, if you try to add two `Path` values, you'll get an error message. Also, an application's hash value must be valid to add it as a trusted application. In addition, to minimize visibility gaps in the ((security-app)), be as specific as possible in your entries. For example, combine `Signature` information with a known `Path`.
-
-
-1. Select an option in the **Assignment** section to assign the trusted application to a specific integration policy:
- * `Global`: Assign the trusted application to all integration policies for ((elastic-defend)).
- * `Per Policy`: Assign the trusted application to one or more specific ((elastic-defend)) integration policies. Select each policy in which you want the application to be trusted.
-
-
- You can also select the `Per Policy` option without immediately assigning a policy to the trusted application. For example, you could do this to create and review your trusted application configurations before putting them into action with a policy.
-
-
-1. Click **Add trusted application**. The application is added to the **Trusted applications** list.
-
-
-## View and manage trusted applications
-
-The **Trusted applications** page (**Assets** → **Trusted applications**) displays all the trusted applications that have been added to the ((security-app)). To refine the list, use the search bar to search by name, description, or field value.
-
-![](../images/trusted-apps-ov/-management-admin-trusted-apps-list.png)
-
-
-### Edit a trusted application
-You can individually modify each trusted application. You can also change the policies that a trusted application is assigned to.
-
-To edit a trusted application:
-
-1. Click the actions menu (*...*) on the trusted application you want to edit, then select **Edit trusted application**.
-1. Modify details as needed.
-1. Click **Save**.
-
-
-### Delete a trusted application
-You can delete a trusted application, which removes it entirely from all ((elastic-defend)) integration policies.
-
-To delete a trusted application:
-
-1. Click the actions menu (*...*) on the trusted application you want to delete, then select **Delete trusted application**.
-1. On the dialog that opens, verify that you are removing the correct application, then click **Delete**. A confirmation message is displayed.
-
diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json
deleted file mode 100644
index d9ad8925bb..0000000000
--- a/docs/serverless/serverless-security.docnav.json
+++ /dev/null
@@ -1,684 +0,0 @@
-{
- "mission": "Elastic Security",
- "id": "serverless-security",
- "landingPageSlug": "/serverless/security/what-is-security-serverless",
- "icon": "logoSecurity",
- "description": "Description to be written",
- "items": [
- {
- "slug": "/serverless/security/overview",
- "classic-sources": [ "enSecurityEsOverview" ]
- },
- {
- "slug": "/serverless/security/security-billing"
- },
- {
- "slug": "/serverless/security/create-project"
- },
- {
- "slug": "/serverless/security/security-ui",
- "classic-sources": [ "enSecurityEsUiOverview" ]
- },
- {
- "label": "AI for security",
- "slug": "/serverless/security/ai-for-security",
- "items": [
- {
- "slug": "/serverless/security/ai-assistant"
- },
- {
- "slug": "/serverless/security/attack-discovery"
- },
- {
- "slug": "/serverless/security/llm-connector-guides",
- "items": [
- {
- "slug": "/serverless/security/connect-to-azure-openai"
- },
- {
- "slug": "/serverless/security/connect-to-bedrock"
- },
- {
- "slug": "/serverless/security/connect-to-openai"
- },
- {
- "slug": "/serverless/security/connect-to-google-vertex"
- },
- {
- "slug": "/serverless/security/connect-to-byo-llm"
- }
- ]
- },
- {
- "slug": "/serverless/security/ai-use-cases",
- "items": [
- {
- "slug": "/serverless/security/ai-usecase-incident-reporting"
- },
- {
- "slug": "/serverless/security/triage-alerts-with-elastic-ai-assistant"
- },
- {
- "slug": "/serverless/security/ai-assistant-esql-queries"
- }
- ]
- },
- {
- "slug": "/serverless/security/llm-performance-matrix"
- }
- ]
- },
- {
- "label": "Ingest data",
- "slug": "/serverless/security/ingest-data",
- "classic-sources": [ "enSecurityIngestData" ],
- "items": [
- {
- "slug": "/serverless/security/threat-intelligence",
- "classic-sources": [ "enSecurityEsThreatIntelIntegrations" ]
- }
- ]
- },
- {
- "label": "Secure your endpoints",
- "slug": "/serverless/security/install-edr",
- "classic-sources": [ "enSecurityInstallEndpoint" ],
- "items": [
- {
- "label": "Prevent Agent 
uninstallation", - "slug": "/serverless/security/agent-tamper-protection" - }, - { - "label": "Configure an integration policy", - "slug": "/serverless/security/configure-endpoint-integration-policy", - "classic-sources": [ "enSecurityConfigureEndpointIntegrationPolicy" ], - "items": [ - { - "label": "Configure protection updates", - "slug": "/serverless/security/protection-artifact-control" - }, - { - "slug": "/serverless/security/endpoint-diagnostic-data", - "classic-sources": [ "enSecurityEndpointDiagnosticData" ] - }, - { - "label": "Self-healing rollback (Windows)", - "slug": "/serverless/security/self-healing-rollback", - "classic-sources": [ "enSecuritySelfHealingRollback" ] - }, - { - "label": "File system monitoring (Linux)", - "slug": "/serverless/security/linux-file-monitoring", - "classic-sources": [ "enSecurityLinuxFileMonitoring" ] - } - ] - }, - { - "slug": "/serverless/security/elastic-endpoint-deploy-reqs", - "classic-sources": [ "enSecurityElasticEndpointDeployReqs" ], - "items": [ - { - "label": "macOS Catalina through Monterey", - "slug": "/serverless/security/install-endpoint-manually", - "classic-sources": [ "enSecurityDeployElasticEndpoint" ] - }, - { - "label": "macOS Ventura and higher", - "slug": "/serverless/security/deploy-elastic-endpoint-ven", - "classic-sources": [ "enSecurityDeployElasticEndpointVen" ] - }, - { - "label": "Enable the Endgame sensor (Optional)", - "slug": "/serverless/security/endgame-sensor-full-disk-access", - "classic-sources": [ "enSecurityEndgameSensorFullDiskAccess" ] - } - ] - }, - { - "slug": "/serverless/security/uninstall-agent" - }, - { - "label": "Uninstall Elastic Endpoint", - "slug": "/serverless/security/uninstall-endpoint", - "classic-sources": [ "enSecurityUninstallEndpoint" ] - } - ] - }, - { - "slug": "/serverless/security/cloud-native-security-overview", - "classic-sources": [ "enSecurityCloudNativeSecurityOverview" ], - "items": [ - { - "slug": "/serverless/security/security-posture-management", - 
"classic-sources": [ "enSecuritySecurityPostureManagement" ] - }, - { - "slug": "/serverless/security/enable-cloudsec" - }, - { - "slug": "/serverless/security/cspm", - "classic-sources": [ "enSecurityCspm" ], - "items": [ - { - "slug": "/serverless/security/cspm-get-started", - "classic-sources": [ "enSecurityCspmGetStarted" ] - }, - { - "slug": "/serverless/security/cspm-get-started-gcp", - "classic-sources": [ "enSecurityCspmGetStartedGcp" ] - }, - { - "slug": "/serverless/security/cspm-get-started-azure", - "classic-sources": [ "enSecurityCspmGetStartedAzure" ] - }, - { - "slug": "/serverless/security/cspm-findings-page", - "classic-sources": [ "enSecurityCspmFindingsPage" ] - }, - { - "slug": "/serverless/security/benchmark-rules", - "classic-sources": [ "enSecurityCspmBenchmarkRules" ] - }, - { - "slug": "/serverless/security/cloud-posture-dashboard-dash", - "classic-sources": [ "enSecurityCloudPostureDashboard" ] - }, - { - "slug": "/serverless/security/cspm-security-posture-faq", - "classic-sources": [ "enSecurityCspmSecurityPostureFaq" ] - } - ] - }, - { - "slug": "/serverless/security/kspm", - "classic-sources": [ "enSecurityKspm" ], - "items": [ - { - "slug": "/serverless/security/get-started-with-kspm", - "classic-sources": [ "enSecurityGetStartedWithKspm" ] - }, - { - "slug": "/serverless/security/cspm-findings-page", - "classic-sources": [ "enSecurityCspmFindingsPage" ] - }, - { - "slug": "/serverless/security/benchmark-rules", - "classic-sources": [ "enSecurityBenchmarkRules" ] - }, - { - "slug": "/serverless/security/cloud-posture-dashboard-dash", - "classic-sources": [ "enSecurityCloudPostureDashboard" ] - }, - { - "slug": "/serverless/security/security-posture-faq", - "classic-sources": [ "enSecuritySecurityPostureFaq" ] - } - ] - }, - { - "slug": "/serverless/security/vuln-management-overview", - "classic-sources": [ "enSecurityVulnManagementOverview" ], - "items": [ - { - "slug": "/serverless/security/vuln-management-get-started", - 
"classic-sources": [ "enSecurityVulnManagementGetStarted" ] - }, - { - "slug": "/serverless/security/vuln-management-findings", - "classic-sources": [ "enSecurityVulnManagementFindings" ] - }, - { - "slug": "/serverless/security/vuln-management-dashboard-dash", - "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] - }, - { - "slug": "/serverless/security/vuln-management-faq", - "classic-sources": [ "enSecurityVulnManagementFaq" ] - } - ] - }, - { - "slug": "/serverless/security/d4c-overview", - "classic-sources": [ "enSecurityD4cOverview" ], - "items": [ - { - "slug": "/serverless/security/d4c-get-started", - "classic-sources": [ "enSecurityD4cGetStarted" ] - }, - { - "slug": "/serverless/security/d4c-policy-guide", - "classic-sources": [ "enSecurityD4cPolicyGuide" ] - }, - { - "slug": "/serverless/security/kubernetes-dashboard-dash", - "classic-sources": [ "enSecurityKubernetesDashboard" ] - } - ] - }, - { - "slug": "/serverless/security/cloud-workload-protection", - "classic-sources": [ "enSecurityCloudWorkloadProtection" ], - "items": [ - { - "slug": "/serverless/security/session-view", - "classic-sources": [ "enSecuritySessionView" ] - }, - { - "slug": "/serverless/security/environment-variable-capture", - "classic-sources": [ "enSecurityEnvironmentVariableCapture" ] - } - ] - } - ] - }, - { - "slug": "/serverless/security/explore-your-data", - "classic-sources": [ "enSecurityExploreYourData" ], - "items": [ - { - "slug": "/serverless/security/hosts-overview", - "classic-sources": [ "enSecurityHostsOverview" ] - }, - { - "slug": "/serverless/security/network-page-overview", - "classic-sources": [ "enSecurityNetworkPageOverview" ] - }, - { - "slug": "/serverless/security/users-page", - "classic-sources": [ "enSecurityUsersPage" ] - }, - { - "slug": "/serverless/security/data-views-in-sec", - "classic-sources": [ "enSecurityDataViewsInSec" ] - }, - { - "label": "Create runtime fields", - "slug": "/serverless/security/runtime-fields", - 
"classic-sources": [ "enSecurityRuntimeFields" ] - }, - { - "slug": "/serverless/security/siem-field-reference", - "classic-sources": [ "enSecuritySiemFieldReference" ] - } - ] - }, - { - "slug": "/serverless/security/dashboards-overview", - "classic-sources": [ "enSecurityDashboardsOverview" ], - "items": [ - { - "label": "Overview", - "slug": "/serverless/security/overview-dashboard", - "classic-sources": [ "enSecurityOverviewDashboard" ] - }, - { - "label": "Detection & Response", - "slug": "/serverless/security/detection-response-dashboard", - "classic-sources": [ "enSecurityDetectionResponseDashboard" ] - }, - { - "label": "Kubernetes", - "slug": "/serverless/security/kubernetes-dashboard-dash", - "classic-sources": [ "enSecurityKubernetesDashboard" ] - }, - { - "label": "Cloud Security Posture", - "slug": "/serverless/security/cloud-posture-dashboard-dash", - "classic-sources": [ "enSecurityCloudPostureDashboard" ] - }, - { - "label": "Entity Analytics", - "slug": "/serverless/security/detection-entity-dashboard", - "classic-sources": [ "enSecurityDetectionEntityDashboard" ] - }, - { - "label": "Data Quality", - "slug": "/serverless/security/data-quality-dash" - }, - { - "label": "Cloud Native Vulnerability Management", - "slug": "/serverless/security/vuln-management-dashboard-dash", - "classic-sources": [ "ensSecurityVulnManagementDashboardDash" ] - }, - { - "label": "Detection rule monitoring", - "slug": "/serverless/security/rule-monitoring-dashboard", - "classic-sources": [ "enSecurityRuleMonitoringDashboard" ] - } ] - }, - { - "slug": "/serverless/security/detection-engine-overview", - "classic-sources": [ "enSecurityDetectionEngineOverview" ] - }, - { - "label": "Rules", - "slug": "/serverless/security/about-rules", - "classic-sources": [ "enSecurityAboutRules" ], - "items": [ - { - "slug": "/serverless/security/rules-create", - "classic-sources": [ "enSecurityRulesUiCreate" ], - "items": [ - { - "slug": 
"/serverless/security/interactive-investigation-guides", - "classic-sources": [ "enSecurityInteractiveInvestigationGuides" ] - }, - { - "slug": "/serverless/security/building-block-rules", - "classic-sources": [ "enSecurityBuildingBlockRule" ] - } - ] - }, - { - "label": "Use Elastic prebuilt rules", - "slug": "/serverless/security/prebuilt-rules-management", - "classic-sources": [ "enSecurityPrebuiltRulesManagement" ] - }, - { - "slug": "/serverless/security/rules-ui-management", - "classic-sources": [ "enSecurityRulesUiManagement" ] - }, - { - "slug": "/serverless/security/alerts-ui-monitor", - "classic-sources": [ "enSecurityAlertsUiMonitor" ] - }, - { - "slug": "/serverless/security/rule-exceptions", - "classic-sources": [ "enSecurityDetectionsUiExceptions" ], - "items": [ - { - "slug": "/serverless/security/value-lists-exceptions", - "classic-sources": [ "enSecurityValueListsExceptions" ] - }, - { - "slug": "/serverless/security/add-exceptions", - "classic-sources": [ "enSecurityAddExceptions" ] - }, - { - "slug": "/serverless/security/shared-exception-lists", - "classic-sources": [ "enSecuritySharedExceptionLists" ] - } - ] - }, - { - "slug": "/serverless/security/rules-coverage", - "classic-sources": [ "enSecurityRulesCoverage" ] - }, - { - "slug": "/serverless/security/tune-detection-signals", - "classic-sources": [ "enSecurityTuningDetectionSignals" ] - }, - { - "slug": "/serverless/security/ts-detection-rules", - "classic-sources": [ "enSecurityTsDetectionRules" ] - }, - { - "slug": "/serverless/security/prebuilt-rules", - "classic-sources": [ "enSecurityPrebuiltRules" ], - "classic-skip": true - } - ] - }, - { - "label": "Alerts", - "slug": "/serverless/security/alerts-manage", - "classic-sources": [ "enSecurityAlertsUiManage" ], - "items": [ - { - "label": "Visualize alerts", - "slug": "/serverless/security/visualize-alerts", - "classic-sources": [ "enSecurityVisualizeAlerts" ] - }, - { - "label": "View alert details", - "slug": 
"/serverless/security/view-alert-details", - "classic-sources": [ "enSecurityViewAlertDetails" ] - }, - { - "label": "Add alerts to cases", - "slug": "/serverless/security/signals-to-cases", - "classic-sources": [ "enSecuritySignalsToCases" ] - }, - { - "label": "Suppress alerts", - "slug": "/serverless/security/alert-suppression", - "classic-sources": [ "enSecurityAlertSuppression" ] - }, - { - "slug": "/serverless/security/reduce-notifications-alerts", - "classic-sources": [ "enSecurityReduceNotificationsAlerts" ] - }, - { - "slug": "/serverless/security/visual-event-analyzer", - "classic-sources": [ "enSecurityVisualEventAnalyzer" ] - }, - { - "slug": "/serverless/security/query-alert-indices", - "classic-sources": [ "enSecurityQueryAlertIndices" ] - }, - { - "slug": "/serverless/security/alert-schema", - "classic-sources": [ "enSecurityAlertSchema" ] - } - ] - }, - { - "label": "Advanced Entity Analytics", - "slug": "/serverless/security/advanced-entity-analytics", - "items": [ - { - "label": "Entity risk scoring", - "slug": "/serverless/security/entity-risk-scoring", - "items": [ - { - "label": "Asset criticality", - "slug": "/serverless/security/asset-criticality" - }, - { - "label": "Turn on risk scoring", - "slug": "/serverless/security/turn-on-risk-engine" - }, - { - "label": "View risk score data", - "slug": "/serverless/security/analyze-risk-score-data" - } - ] - }, - { - "label": "Advanced behavioral detections", - "slug": "/serverless/security/advanced-behavioral-detections", - "items": [ - { - "slug": "/serverless/security/machine-learning", - "classic-sources": [ "enSecurityMachineLearning" ] - }, - { - "slug": "/serverless/security/tuning-anomaly-results", - "classic-sources": [ "enSecurityTuningAnomalyResults" ] - }, - { - "slug": "/serverless/security/behavioral-detection-use-cases" - }, - { - "slug": "/serverless/security/prebuilt-ml-jobs", - "classic-sources": [ "enSecurityPrebuiltMlJobs" ] - } - ] - } - ] - }, - { - "slug": 
"/serverless/security/investigate-events", - "classic-sources": [ "enSecurityInvestigateEvents" ], - "items": [ - { - "slug": "/serverless/security/timelines-ui", - "classic-sources": [ "enSecurityTimelinesUi" ], - "items": [ - { - "slug": "/serverless/security/timeline-templates-ui", - "classic-sources": [ "enSecurityTimelineTemplatesUi" ] - }, - { - "slug": "/serverless/security/timeline-object-schema", - "classic-sources": [ "enSecurityTimelineObjectSchema" ] - } - ] - }, - { - "slug": "/serverless/security/cases-overview", - "classic-sources": [ "enSecurityCasesOverview" ], - "items": [ - { - "slug": "/serverless/security/cases-open-manage", - "classic-sources": [ "enSecurityCasesOpenManage" ] - }, - { - "slug": "/serverless/security/cases-settings" - } - ] - }, - { - "slug": "/serverless/security/indicators-of-compromise", - "classic-sources": [ "enSecurityIndicatorsOfCompromise" ] - } - ] - }, - { - "slug": "/serverless/security/query-operating-systems", - "classic-sources": [ "enSecurityUseOsquery" ], - "items": [ - { - "slug": "/serverless/security/osquery-response-action", - "classic-sources": [ "enSecurityOsqueryResponseAction" ] - }, - { - "slug": "/serverless/security/invest-guide-run-osquery", - "classic-sources": [ "enSecurityInvestGuideRunOsquery" ] - }, - { - "slug": "/serverless/security/alerts-run-osquery", - "classic-sources": [ "enSecurityAlertsRunOsquery" ] - }, - { - "slug": "/serverless/security/examine-osquery-results", - "classic-sources": [ "enSecurityViewOsqueryResults" ] - }, - { - "slug": "/serverless/security/osquery-placeholder-fields", - "classic-sources": [ "enSecurityOsqueryPlaceholderFields" ] - } - ] - }, - { - "slug": "/serverless/security/response-actions", - "classic-sources": [ "enSecurityResponseActions" ], - "items": [ - { - "slug": "/serverless/security/automated-response-actions" - }, - { - "slug": "/serverless/security/isolate-host", - "classic-sources": [ "enSecurityHostIsolationOv" ] - }, - { - "slug": 
"/serverless/security/response-actions-history", - "classic-sources": [ "enSecurityResponseActionsHistory" ] - }, - { - "slug": "/serverless/security/third-party-actions" - }, - { - "slug": "/serverless/security/response-actions-config" - } - ] - }, - { - "slug": "/serverless/security/manage-endpoint-protection", - "classic-sources": [ "enSecuritySecManageIntro" ], - "items": [ - { - "slug": "/serverless/security/endpoints-page", - "classic-sources": [ "enSecurityAdminPageOv" ] - }, - { - "slug": "/serverless/security/policies-page", - "classic-sources": [ "enSecurityPoliciesPageOv" ] - }, - { - "slug": "/serverless/security/trusted-applications", - "classic-sources": [ "enSecurityTrustedAppsOv" ] - }, - { - "slug": "/serverless/security/event-filters", - "classic-sources": [ "enSecurityEventFilters" ] - }, - { - "slug": "/serverless/security/host-isolation-exceptions", - "classic-sources": [ "enSecurityHostIsolationExceptions" ] - }, - { - "slug": "/serverless/security/blocklist", - "classic-sources": [ "enSecurityBlocklist" ] - }, - { - "slug": "/serverless/security/endpoint-event-capture" - }, - { - "slug": "/serverless/security/optimize-edr", - "classic-sources": [ "enSecurityEndpointArtifacts" ] - }, - { - "slug": "/serverless/security/allowlist-endpoint" - }, - { - "slug": "/serverless/security/troubleshoot-endpoints", - "classic-sources": [ "enSecurityTsManagement" ] - } - ] - }, - { - "slug": "/serverless/security/asset-management" - }, - { - "slug": "/serverless/security/manage-settings", - "items": [ - { - "slug": "/serverless/security/project-settings" - }, - { - "slug": "/serverless/security/advanced-settings", - "classic-sources": [ "enSecurityAdvancedSettings" ] - }, - { - "slug": "/serverless/security/requirements-overview", - "classic-sources": [ "enSecuritySecRequirements" ], - "items": [ - { - "slug": "/serverless/security/detections-requirements", - "classic-sources": [ "enSecurityDetectionsPermissionsSection" ] - }, - { - "slug": 
"/serverless/security/cases-requirements", - "classic-sources": [ "enSecurityCasePermissions" ] - }, - { - "slug": "/serverless/security/ers-requirements" - }, - { - "slug": "/serverless/security/ml-requirements", - "classic-sources": [ "enSecurityMlRequirements" ] - }, - { - "slug": "/serverless/security/conf-map-ui", - "classic-sources": [ "enSecurityConfMapUi" ] - } - ] - } - ] - }, - { - "slug": "/serverless/security/security-technical-preview-limitations" - } - ] -}