From bdd498633fb368ce80a9f47940a2a7fc24424d61 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Fri, 8 Nov 2024 16:32:39 -0500 Subject: [PATCH 1/2] Supported rule types for automated response actions (#6050) * Remove statement on rule type limitations * update serverless asciidoc file instead of mdx file --------- Co-authored-by: Colleen McGinnis (cherry picked from commit 6fb01bcaf4aacc318635713e4bf25b6a523a2c39) # Conflicts: # docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc --- .../admin/automated-response-actions.asciidoc | 1 - .../automated-response-actions.asciidoc | 40 +++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc diff --git a/docs/management/admin/automated-response-actions.asciidoc b/docs/management/admin/automated-response-actions.asciidoc index ec339f1731..aade5888d5 100644 --- a/docs/management/admin/automated-response-actions.asciidoc +++ b/docs/management/admin/automated-response-actions.asciidoc @@ -14,7 +14,6 @@ Add {elastic-defend}'s <> to detection rules * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. * Hosts must have {agent} installed with the {elastic-defend} integration. * Your user role must have the ability to create detection rules and the privilege to perform <> (for example, the **Host Isolation** privilege to isolate hosts). -* You can only add automated response actions to <>, <>, <>, and <> type rules. -- To add automated response actions to a new or existing rule: diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc b/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc new file mode 100644 index 0000000000..c3085b9344 --- /dev/null +++ b/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc 
@@ -0,0 +1,40 @@ +[[security-automated-response-actions]] += Automated response actions + +// :description: Automatically respond to events with endpoint response actions triggered by detection rules. +// :keywords: serverless, security, defend, how-to, manage + +preview:[] + +Add {elastic-defend}'s <> to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events. + +.Requirements +[NOTE] +==== +* Automated response actions require the Endpoint Protection Complete <>. +* Hosts must have {agent} installed with the {elastic-defend} integration. +* Your user role must have the ability to create detection rules and the privilege to perform <> (for example, custom roles require the **Host Isolation** privilege to isolate hosts). +==== + +To add automated response actions to a new or existing rule: + +. Do one of the following: ++ +** **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **{elastic-defend}**. +** **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **{elastic-defend}** under the **Response Actions** section. +. Select an option in the **Response action** field: ++ +** **Isolate**: <>, blocking communication with other hosts on the network. +** **Kill process**: Terminate a process on the host. +** **Suspend process**: Temporarily suspend a process on the host. ++ +[IMPORTANT] +==== +Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. +==== +. For process actions, specify how to identify the process you want to terminate or suspend: ++ +** Turn on the toggle to use the alert's **process.pid** value as the identifier. 
+** To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**. +. Enter a comment describing why you’re performing the action on the host (optional). +. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules). From 01a9202b000080d50d7e35403e299f1d3b6a149b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 8 Nov 2024 21:33:57 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../automated-response-actions.asciidoc | 40 ------------------- 1 file changed, 40 deletions(-) delete mode 100644 docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc b/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc deleted file mode 100644 index c3085b9344..0000000000 --- a/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc +++ /dev/null 
@@ -1,40 +0,0 @@ -[[security-automated-response-actions]] -= Automated response actions - -// :description: Automatically respond to events with endpoint response actions triggered by detection rules. -// :keywords: serverless, security, defend, how-to, manage - -preview:[] - -Add {elastic-defend}'s <> to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events. - -.Requirements -[NOTE] -==== -* Automated response actions require the Endpoint Protection Complete <>. -* Hosts must have {agent} installed with the {elastic-defend} integration. -* Your user role must have the ability to create detection rules and the privilege to perform <> (for example, custom roles require the **Host Isolation** privilege to isolate hosts). -==== - -To add automated response actions to a new or existing rule: - -. Do one of the following: -+ -** **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **{elastic-defend}**. -** **Existing rule**: Edit the rule's settings, then go to the **Actions** tab. In the tab, select **{elastic-defend}** under the **Response Actions** section. -. Select an option in the **Response action** field: -+ -** **Isolate**: <>, blocking communication with other hosts on the network. -** **Kill process**: Terminate a process on the host. -** **Suspend process**: Temporarily suspend a process on the host. -+ -[IMPORTANT] -==== -Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. -==== -. For process actions, specify how to identify the process you want to terminate or suspend: -+ -** Turn on the toggle to use the alert's **process.pid** value as the identifier. 
-** To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**. -. Enter a comment describing why you’re performing the action on the host (optional). -. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules).
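Review bot: In the first hunk of docs/management/admin/automated-response-actions.asciidoc, removing the bullet "* You can only add automated response actions to <>, <>, <>, and <> type rules." leaves the Requirements note with no statement at all about which rule types accept response actions, and the commit message ("Remove statement on rule type limitations") does not say whether the restriction was lifted or merely no longer documented. If the restriction no longer applies, replace the bullet with a one-line positive statement to that effect (and a version or release marker if this is version-gated) rather than deleting it silently, so readers coming from older release notes are not left guessing.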
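Review bot: In the new docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc, the `[IMPORTANT]` admonition warns only about unintended consequences of automatic host isolation, while the **Kill process** and **Suspend process** actions keyed on the alert's **process.pid** (or a **Custom field name**) carry a comparable risk of acting on the wrong process, since a PID recorded in an alert is not guaranteed to still belong to the same process when the rule fires; consider extending the admonition to cover the process actions as well. Separately, the lines `// :description: ...` and `// :keywords: ...` are commented out, so neither is applied as a page attribute; either promote them to real AsciiDoc attributes or drop them as leftovers of the mdx-to-asciidoc move mentioned in the commit message.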
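Review bot: The second commit ("Delete docs/serverless directory and its contents") removes, in full, the file that the first commit in this same series creates, so the two-patch series nets out to only the single bullet removal under docs/management, and the commit message gives no reason for the deletion. Since the first commit already records a cherry-pick conflict on exactly this path, it would be cleaner either to leave the serverless file out of the first commit when resolving that conflict, or to state in the second commit's message why the serverless docs are being dropped from this branch, so the history explains why a 40-line file appears and disappears within one backport.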