From 8c8f6d809e45290f40ba326d21d77ccd1a3ba8ea Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 10 Sep 2024 10:45:24 -0400 Subject: [PATCH 1/5] Update serverless procedure --- .../automated-response-actions.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx index 2c91d21d22..6f4f80a6d4 100644 --- a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx +++ b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx @@ -12,17 +12,17 @@ Add ((elastic-defend))'s r -- Automated response actions require an [Enterprise subscription](https://www.elastic.co/pricing). +- Automated response actions require the appropriate project feature. - Hosts must have ((agent)) installed with the ((elastic-defend)) integration. - Your user role must have the ability to create detection rules and to perform specific response actions. -- You can only add automated response actions to custom query rules. +- You can only add automated response actions to custom query, event correlation (EQL), and ((esql)) type rules. -You can add automated response actions to a new or existing custom query rule. +To add automated response actions to a new or existing rule: 1. Do one of the following: - - **New rule**: On the last step of custom query rule creation, go to the **Response Actions** section and select **((elastic-defend))**. + - **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **((elastic-defend))**. - **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **((elastic-defend))** under the **Response Actions** section. 1. Select an option in the **Response action** field: From a677526108455202086c92c4e87594d4bb8dc99d Mon Sep 17 00:00:00 2001 
From: Joe Peeples Date: Tue, 10 Sep 2024 10:45:32 -0400 Subject: [PATCH 2/5] Update ESS procedure --- docs/management/admin/automated-response-actions.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/management/admin/automated-response-actions.asciidoc b/docs/management/admin/automated-response-actions.asciidoc index dad567d2c7..e32480d0bd 100644 --- a/docs/management/admin/automated-response-actions.asciidoc +++ b/docs/management/admin/automated-response-actions.asciidoc @@ -14,13 +14,13 @@ Add {elastic-defend}'s <> to detection rules * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. * Hosts must have {agent} installed with the {elastic-defend} integration. * Your user role must have the ability to create detection rules and the <> to perform specific response actions (for example, the **Host Isolation** privilege to isolate hosts). -* You can only add automated response actions to custom query rules. +* You can only add automated response actions to <>, <>, and <> type rules. -- -You can add automated response actions to a new or existing custom query rule. +To add automated response actions to a new or existing rule: . Do one of the following: -* *New rule*: On the last step of <> creation, go to the **Response Actions** section and select **{elastic-defend}**. +* *New rule*: On the last step of rule creation, go to the **Response Actions** section and select **{elastic-defend}**. * *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section. . Select an option in the **Response action** field: From 718a9024233a64c6785841de02e9338a66af7f2e Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 10 Sep 2024 11:18:09 -0400 Subject: [PATCH 3/5] Fix feature tier requirements --- .../endpoint-response-actions/automated-response-actions.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx index 6f4f80a6d4..840ac89be4 100644 --- a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx +++ b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx @@ -12,7 +12,7 @@ Add ((elastic-defend))'s r -- Automated response actions require the appropriate project feature. +- Automated response actions require the Endpoint Protection Complete project feature. - Hosts must have ((agent)) installed with the ((elastic-defend)) integration. - Your user role must have the ability to create detection rules and to perform specific response actions. - You can only add automated response actions to custom query, event correlation (EQL), and ((esql)) type rules. From 99f7c431aa060d2a912e1e8c8d72b6966a4c3e54 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 23 Sep 2024 09:53:22 -0400 Subject: [PATCH 4/5] Add new terms rule type --- docs/management/admin/automated-response-actions.asciidoc | 2 +- .../endpoint-response-actions/automated-response-actions.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/management/admin/automated-response-actions.asciidoc b/docs/management/admin/automated-response-actions.asciidoc index e32480d0bd..1d195b8c13 100644 --- a/docs/management/admin/automated-response-actions.asciidoc +++ b/docs/management/admin/automated-response-actions.asciidoc 
@@ -14,7 +14,7 @@ Add {elastic-defend}'s <> to detection rules * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. * Hosts must have {agent} installed with the {elastic-defend} integration. * Your user role must have the ability to create detection rules and the <> to perform specific response actions (for example, the **Host Isolation** privilege to isolate hosts). -* You can only add automated response actions to <>, <>, and <> type rules. +* You can only add automated response actions to <>, <>, <>,and <> type rules. -- To add automated response actions to a new or existing rule: diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx index 840ac89be4..afcdc0d0d4 100644 --- a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx +++ b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx @@ -15,7 +15,7 @@ Add ((elastic-defend))'s r - Automated response actions require the Endpoint Protection Complete project feature. - Hosts must have ((agent)) installed with the ((elastic-defend)) integration. - Your user role must have the ability to create detection rules and to perform specific response actions. -- You can only add automated response actions to custom query, event correlation (EQL), and ((esql)) type rules. +- You can only add automated response actions to custom query, event correlation (EQL), new terms, and ((esql)) type rules. From 6ba4d4689f80bda27da968a6acf3d65ca6d35390 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Mon, 23 Sep 2024 16:44:10 -0400 Subject: [PATCH 5/5] Apply suggestions from code review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --- docs/management/admin/automated-response-actions.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/management/admin/automated-response-actions.asciidoc b/docs/management/admin/automated-response-actions.asciidoc index 1d195b8c13..4b379c59d4 100644 --- a/docs/management/admin/automated-response-actions.asciidoc +++ b/docs/management/admin/automated-response-actions.asciidoc @@ -14,7 +14,7 @@ Add {elastic-defend}'s <> to detection rules * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. * Hosts must have {agent} installed with the {elastic-defend} integration. * Your user role must have the ability to create detection rules and the <> to perform specific response actions (for example, the **Host Isolation** privilege to isolate hosts). -* You can only add automated response actions to <>, <>, <>,and <> type rules. +* You can only add automated response actions to <>, <>, <>, and <> type rules. -- To add automated response actions to a new or existing rule:
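Review bot: In the serverless mdx hunk of PATCH 1/5, the replacement bullet "Automated response actions require the appropriate project feature." drops the concrete requirement without naming a substitute, so a reader cannot tell which project tier unlocks the feature; name the tier here (PATCH 3/5 in this same series later rewrites the line to "Endpoint Protection Complete project feature", which is the wording this commit should have carried from the start, so squash that fix into this one).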
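Review bot: The asciidoc hunk in PATCH 2/5 changes the eligible rule types to "<>, <>, and <> type rules" via cross-references while the mdx counterpart in PATCH 1/5 spells the names out ("custom query, event correlation (EQL), and ((esql))"); since both files are edited in lockstep (PATCH 4/5 touches the same list in both), keep the order and naming identical so the two lists can be compared at a glance. Separately, the unchanged context line above it names the **Host Isolation** privilege as the example response action; now that response actions can be attached to EQL and ES|QL rules as well, a single broad rule can isolate every host it alerts on, so consider adding a one-line note in the procedure that the rule's query should be validated before a response action is attached.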
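Review bot: The serverless hunk in PATCH 3/5 states "require the Endpoint Protection Complete project feature." as plain text, whereas the ESS counterpart in the same series links its requirement (`https://www.elastic.co/pricing[Enterprise subscription]`); link the serverless tier to wherever the project feature tiers are documented so the requirement is actionable rather than just named.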
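Review bot: The added asciidoc line in PATCH 4/5, `* You can only add automated response actions to <>, <>, <>,and <> type rules.`, is missing the space after the third comma (`<>,and`); the mdx hunk in the same commit has the spacing right ("new terms, and ((esql))"), so the asciidoc line should read `<>, <>, <>, and <>` to match.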
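Review bot: PATCH 5/5 consists solely of inserting the space that PATCH 4/5 omitted (`<>,and` becomes `<>, and`); rather than landing as a separate commit titled "Apply suggestions from code review", squash it into PATCH 4/5 so no revision of automated-response-actions.asciidoc in the history carries the typo, and the series reads as one change per commit.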