From 7a1c0362f0724777adb0de96fc1ce95a7e10f37a Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 1 Oct 2024 13:09:34 -0400 Subject: [PATCH 1/2] New rule types support automated response actions (#5797) * Update serverless procedure * Update ESS procedure * Fix feature tier requirements * Add new terms rule type * Apply suggestions from code review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> --------- Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> (cherry picked from commit 2279d8a847b839d7de3149424c64ae31e0396b88) # Conflicts: # docs/serverless/endpoint-response-actions/automated-response-actions.mdx --- .../admin/automated-response-actions.asciidoc | 6 +-- .../automated-response-actions.mdx | 43 +++++++++++++++++++ 2 files changed, 46 insertions(+), 3 deletions(-) create mode 100644 docs/serverless/endpoint-response-actions/automated-response-actions.mdx diff --git a/docs/management/admin/automated-response-actions.asciidoc b/docs/management/admin/automated-response-actions.asciidoc index b1ee3c0c48..ec339f1731 100644 --- a/docs/management/admin/automated-response-actions.asciidoc +++ b/docs/management/admin/automated-response-actions.asciidoc 
@@ -14,13 +14,13 @@ Add {elastic-defend}'s <> to detection rules * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. * Hosts must have {agent} installed with the {elastic-defend} integration. * Your user role must have the ability to create detection rules and the privilege to perform <> (for example, the **Host Isolation** privilege to isolate hosts). -* You can only add automated response actions to custom query rules. +* You can only add automated response actions to <>, <>, <>, and <> type rules. -- -You can add automated response actions to a new or existing custom query rule. +To add automated response actions to a new or existing rule: . Do one of the following: -* *New rule*: On the last step of <> creation, go to the **Response Actions** section and select **{elastic-defend}**. +* *New rule*: On the last step of rule creation, go to the **Response Actions** section and select **{elastic-defend}**. * *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section. . Select an option in the **Response action** field: diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx new file mode 100644 index 0000000000..a110dfaaf0 --- /dev/null +++ b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx @@ -0,0 +1,43 @@ +--- +slug: /serverless/security/automated-response-actions +title: Automated response actions +description: Automatically respond to events with endpoint response actions triggered by detection rules. +tags: ["serverless","security","defend","how-to","manage"] +--- + + +
+ +Add ((elastic-defend))'s response actions to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events. + + + +- Automated response actions require the Endpoint Protection Complete project feature. +- Hosts must have ((agent)) installed with the ((elastic-defend)) integration. +- Your user role must have the ability to create detection rules and the privilege to perform specific response actions (for example, custom roles require the **Host Isolation** privilege to isolate hosts). +- You can only add automated response actions to custom query, event correlation (EQL), new terms, and ((esql)) type rules. + + + +To add automated response actions to a new or existing rule: + +1. Do one of the following: + - **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **((elastic-defend))**. + - **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **((elastic-defend))** under the **Response Actions** section. + +1. Select an option in the **Response action** field: + - **Isolate**: Isolate the host, blocking communication with other hosts on the network. + - **Kill process**: Terminate a process on the host. + - **Suspend process**: Temporarily suspend a process on the host. + + + Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. + + +1. For process actions, specify how to identify the process you want to terminate or suspend: + - Turn on the toggle to use the alert's **process.pid** value as the identifier. + - To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**. + +1. Enter a comment describing why you’re performing the action on the host (optional). + +1. 
To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules). From d4f2e5684f8f12c9873f6d7caa91c565220af872 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 1 Oct 2024 17:11:19 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../automated-response-actions.mdx | 43 ------------------- 1 file changed, 43 deletions(-) delete mode 100644 docs/serverless/endpoint-response-actions/automated-response-actions.mdx diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx b/docs/serverless/endpoint-response-actions/automated-response-actions.mdx deleted file mode 100644 index a110dfaaf0..0000000000 --- a/docs/serverless/endpoint-response-actions/automated-response-actions.mdx +++ /dev/null @@ -1,43 +0,0 @@ ---- -slug: /serverless/security/automated-response-actions -title: Automated response actions -description: Automatically respond to events with endpoint response actions triggered by detection rules. -tags: ["serverless","security","defend","how-to","manage"] ---- - - -
- -Add ((elastic-defend))'s response actions to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events. - - - -- Automated response actions require the Endpoint Protection Complete project feature. -- Hosts must have ((agent)) installed with the ((elastic-defend)) integration. -- Your user role must have the ability to create detection rules and the privilege to perform specific response actions (for example, custom roles require the **Host Isolation** privilege to isolate hosts). -- You can only add automated response actions to custom query, event correlation (EQL), new terms, and ((esql)) type rules. - - - -To add automated response actions to a new or existing rule: - -1. Do one of the following: - - **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **((elastic-defend))**. - - **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **((elastic-defend))** under the **Response Actions** section. - -1. Select an option in the **Response action** field: - - **Isolate**: Isolate the host, blocking communication with other hosts on the network. - - **Kill process**: Terminate a process on the host. - - **Suspend process**: Temporarily suspend a process on the host. - - - Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. - - -1. For process actions, specify how to identify the process you want to terminate or suspend: - - Turn on the toggle to use the alert's **process.pid** value as the identifier. - - To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**. - -1. Enter a comment describing why you’re performing the action on the host (optional). - -1. 
To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules).
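Review bot: in the asciidoc hunk the *New rule* bullet drops the cross-reference the removed line carried (`-* *New rule*: On the last step of <> creation` becomes `+* *New rule*: On the last step of rule creation`), so the reader loses the link to the rule-creation procedure at the one point where they are told to go to its last step; keep an xref to the rule-creation page in the new wording, or move it into the new lead-in sentence `To add automated response actions to a new or existing rule:`. The equivalent mdx bullet (`**New rule**: On the last step of rule creation`) has the same gap and should link to the serverless rule-creation page as well.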
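Review bot: now that the prerequisites in the new mdx file list `custom query, event correlation (EQL), new terms, and ((esql)) type rules`, the process-identification step (`Turn on the toggle to use the alert's **process.pid** value as the identifier`) should state what happens when an alert produced by one of the newly supported rule types does not carry `process.pid` (whether the kill/suspend action is skipped, fails, or is reported in the response actions history), and point the reader to the `Custom field name` option as the way to name the field their query does return. Without that sentence the page reads as if every alert from every listed rule type has a PID to act on.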
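Review bot: the second commit deletes `docs/serverless/endpoint-response-actions/automated-response-actions.mdx` right after the first commit created it from scratch (`create mode 100644`, diff against `/dev/null`) to resolve the cherry-pick conflict listed under `# Conflicts:`. The net effect of the series is that the ESS asciidoc page gains the expanded rule-type list while the serverless page, including the `Fix feature tier requirements` change (`Endpoint Protection Complete project feature`), is absent from this branch. Confirm that this backport branch is meant to carry no `docs/serverless` content; if it is, the conflicted file should be resolved against the branch's existing copy rather than recreated and then removed, so the serverless wording stays in sync with the ESS page.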