diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc index 80cc93875f..55d1eece63 100644 --- a/docs/detections/add-exceptions.asciidoc +++ b/docs/detections/add-exceptions.asciidoc @@ -129,22 +129,16 @@ Closes all alerts that match the exception's conditions and were generated only [[endpoint-rule-exceptions]] === Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields: +You can add {elastic-endpoint} exceptions to <> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. -* `kibana.alert.original_event.module determined:endpoint` -* `kibana.alert.original_event.kind:alert` - -You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. - -Endpoint exceptions are added to the Endpoint Security rule *and* the {elastic-endpoint} on your hosts. +Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts. [IMPORTANT] ============= -Exceptions added to the Endpoint Security rule affect all alerts sent -from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint -alerts. +Exceptions added to the endpoint protection rules affect all alerts sent +from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts. -Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. +Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. ============= [IMPORTANT] @@ -158,7 +152,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there * To add an Endpoint exception from the rule details page: .. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. -.. In the Rules table, search for and select the Elastic *Endpoint Security* rule. +.. In the Rules table, search for and select one of the <>. .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*. * To add an Endpoint exception from the Alerts table: @@ -170,7 +164,7 @@ alert, click the *More actions* menu (*...*), then select *Add Endpoint exceptio .. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. + -NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. +NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <> option selected. -- + diff --git a/docs/detections/detection-engine-intro.asciidoc b/docs/detections/detection-engine-intro.asciidoc index 105e2ade3e..f649a98a16 100644 --- a/docs/detections/detection-engine-intro.asciidoc +++ b/docs/detections/detection-engine-intro.asciidoc @@ -22,21 +22,9 @@ how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules. -There are two special prebuilt rules you need to know about: +There are several special prebuilt rules you need to know about: -* <>: -Automatically creates an alert from all incoming Elastic Endpoint alerts. To -receive Elastic Endpoint alerts, you must install the Endpoint agent on your -hosts (see <>). -+ -When this rule is enabled, the following Endpoint events are displayed as -detection alerts: -+ -** Malware Prevention Alert -** Malware Detection Alert -+ -NOTE: When you load the prebuilt rules, this is the only rule that is enabled -by default. +* <>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention. * <>: Automatically creates an alert for all incoming third-party system alerts (for example, Suricata alerts). diff --git a/docs/detections/rules-ui-create.asciidoc b/docs/detections/rules-ui-create.asciidoc index 9491f98c19..2302d127d9 100644 --- a/docs/detections/rules-ui-create.asciidoc +++ b/docs/detections/rules-ui-create.asciidoc @@ -562,13 +562,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo alerts created by the rule. You can also add action buttons to <> or <> using alert data. .. *Author* (optional): The rule's authors. .. *License* (optional): The rule's license. -.. *Elastic endpoint exceptions* (optional): Adds all Elastic Endpoint Security -rule exceptions to this rule (refer to <> to learn more about adding endpoint exceptions). +.. *Elastic endpoint exceptions* (optional): Adds all <> to this rule. + NOTE: If you select this option, you can add -<> on the Rule details page. -Additionally, all future exceptions added to the Endpoint Security rule -also affect this rule. +{elastic-endpoint} exceptions on the Rule details page. +Additionally, all future exceptions added to <> will also affect this rule. + .. *Building block* (optional): Select to create a building-block rule. By diff --git a/docs/management/admin/endpoint-protection-rules.asciidoc b/docs/management/admin/endpoint-protection-rules.asciidoc new file mode 100644 index 0000000000..c79c57e663 --- /dev/null +++ b/docs/management/admin/endpoint-protection-rules.asciidoc @@ -0,0 +1,43 @@ +[[endpoint-protection-rules]] += Endpoint protection rules + +Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <> rule as well as additional detection and prevention rules for different {elastic-defend} protection features. + +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). + +When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert + +[discrete] +[[endpoint-sec-rule]] +== Endpoint Security rule + +The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts. + +NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default. + +[discrete] +[[feature-protection-rules]] +== Feature-specific protection rules + +The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected. + +* Behavior - Detected - Elastic Defend +* Behavior - Prevented - Endpoint Defend +* Malicious File - Detected - Elastic Defend +* Malicious File - Prevented - Elastic Defend +* Memory Signature - Detected - Elastic Defend +* Memory Signature - Prevented - Elastic Defend +* Ransomware - Detected - Elastic Defend +* Ransomware - Prevented - Elastic Defend + +NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts. + +To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <>. + +[discrete] +== Endpoint security exception handling + +All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index 45e8abcb1c..e284a64348 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc @@ -12,6 +12,7 @@ include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.as include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-event-capture.asciidoc[leveloffset=+1] +include::{security-docs-root}/docs/management/admin/endpoint-protection-rules.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-self-protection.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-command-ref.asciidoc[leveloffset=+1] diff --git a/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc new file mode 100644 index 0000000000..f71d61c72f --- /dev/null +++ b/docs/serverless/edr-manage/endpoint-protection-rules.asciidoc @@ -0,0 +1,43 @@ +[[endpoint-protection-rules]] += Endpoint protection rules + +Endpoint protection rules are <> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {elastic-defend} protection features. + +IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <>). + +When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts: + +** Malware Prevention Alert +** Malware Detection Alert + +[discrete] +[[endpoint-sec-rule]] +== Endpoint Security rule + +The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts. + +NOTE: When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default. + +[discrete] +[[feature-protection-rules]] +== Feature-specific protection rules + +The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected. + +* Behavior - Detected - Elastic Defend +* Behavior - Prevented - Endpoint Defend +* Malicious File - Detected - Elastic Defend +* Malicious File - Prevented - Elastic Defend +* Memory Signature - Detected - Elastic Defend +* Memory Signature - Prevented - Elastic Defend +* Ransomware - Detected - Elastic Defend +* Ransomware - Prevented - Elastic Defend + +NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts. + +To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <>. + +[discrete] +== Endpoint security exception handling + +All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <> continue to apply. \ No newline at end of file diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc index 056e164581..83e32bbd4e 100644 --- a/docs/serverless/index.asciidoc +++ b/docs/serverless/index.asciidoc @@ -70,6 +70,7 @@ include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3] include::./edr-manage/blocklist.asciidoc[leveloffset=+3] include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3] include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3] +include::./edr-manage/endpoint-protection-rules.asciidoc[leveloffset=+3] include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3] include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3] include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3] diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index 4269745f2e..5013dc4db8 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc +++ b/docs/serverless/rules/add-exceptions.asciidoc @@ -135,22 +135,16 @@ is only available when adding exceptions from the Alerts table. [[endpoint-rule-exceptions]] == Add {elastic-endpoint} exceptions -Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields: +You can add {elastic-endpoint} exceptions to <> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. -* `kibana.alert.original_event.module determined:endpoint` -* `kibana.alert.original_event.kind:alert` - -You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <> option. - -Endpoint exceptions are added to the Endpoint Security rule **and** the {elastic-endpoint} on your hosts. +Endpoint exceptions are added to the endpoint protection rules **and** the {elastic-endpoint} on your hosts. [IMPORTANT] ==== -Exceptions added to the Endpoint Security rule affect all alerts sent -from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint -alerts. +Exceptions added to the endpoint protection rules affect all alerts sent +from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts. -Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. +Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)]. ==== [IMPORTANT] @@ -162,7 +156,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there + ** To add an Endpoint exception from the rule details page: + -... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select the Elastic **Endpoint Security** rule. +... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select one of the <>. ... Scroll down the rule details page, select the **Endpoint exceptions** tab, then click **Add endpoint exception**. ** To add an Endpoint exception from the Alerts table: + @@ -176,7 +170,7 @@ alert, click the **More actions** menu (image:images/icons/boxesHorizontal.svg[A + [NOTE] ==== -The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <> option selected. +The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <> option selected. ==== + The **Add Endpoint Exception** flyout opens. diff --git a/docs/serverless/rules/detection-engine-overview.asciidoc b/docs/serverless/rules/detection-engine-overview.asciidoc index 605a843dc8..3d89447e5c 100644 --- a/docs/serverless/rules/detection-engine-overview.asciidoc +++ b/docs/serverless/rules/detection-engine-overview.asciidoc @@ -23,26 +23,11 @@ how to modify the rules to reduce false positives and get a better set of actionable alerts. You can also use exceptions and value lists when creating or modifying your own rules. -There are two special prebuilt rules you need to know about: +There are several special prebuilt rules you need to know about: // Links to prebuilt rule pages temporarily removed for initial serverless docs. -* **Endpoint Security**: -Automatically creates an alert from all incoming Elastic Endpoint alerts. To -receive Elastic Endpoint alerts, you must install the Endpoint agent on your -hosts (see <>). -+ -When this rule is enabled, the following Endpoint events are displayed as -detection alerts: -+ -** Malware Prevention Alert -** Malware Detection Alert -+ -[NOTE] -==== -When you load the prebuilt rules, this is the only rule that is enabled -by default. -==== +* <>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention. // Links to prebuilt rule pages temporarily removed for initial serverless docs. diff --git a/docs/serverless/rules/rules-ui-create.asciidoc b/docs/serverless/rules/rules-ui-create.asciidoc index beb1cc8e9f..736ea49017 100644 --- a/docs/serverless/rules/rules-ui-create.asciidoc +++ b/docs/serverless/rules/rules-ui-create.asciidoc @@ -596,12 +596,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo alerts created by the rule. You can also add action buttons to <> or <> using alert data. .. **Author** (optional): The rule's authors. .. **License** (optional): The rule's license. -.. **Elastic endpoint exceptions** (optional): Adds all Elastic Endpoint Security -rule exceptions to this rule (refer to <> to learn more about adding endpoint exceptions). +.. **Elastic endpoint exceptions** (optional): Adds all <> to this rule. + [NOTE] ==== -If you select this option, you can add <> on the Rule details page. Additionally, all future exceptions added to the Endpoint Security rule also affect this rule. +If you select this option, you can add {elastic-endpoint} exceptions on the Rule details page. Additionally, all future exceptions added to <> will also affect this rule. ==== .. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <> for more information. .. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100.