From 6561643a02242be9f5938008db4e37ae568d7df2 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:07:58 +0000 Subject: [PATCH 1/2] Fixes style issue on Event filters page (#6162) (cherry picked from commit 73637d5f25521bd902a44dc05139b5b9b52305f6) # Conflicts: # docs/serverless/edr-manage/event-filters.asciidoc --- docs/management/admin/event-filters.asciidoc | 6 +- .../edr-manage/event-filters.asciidoc | 119 ++++++++++++++++++ 2 files changed, 122 insertions(+), 3 deletions(-) create mode 100644 docs/serverless/edr-manage/event-filters.asciidoc diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 94a64c0e43..99dcf2b3f5 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc @@ -16,12 +16,12 @@ IMPORTANT: Since an event filter blocks an event from streaming to {es}, be cons By default, event filters are recognized globally across all hosts running {elastic-defend}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign an event filter to a specific {elastic-defend} integration policy, which would filter endpoint events from the hosts assigned to that policy. -Create event filters from the Hosts page or the Event filters page. +Create event filters from the **Hosts** page or the **Event filters** page. . Do one of the following: + -- -* To create an event filter from the Hosts page: +* To create an event filter from the **Hosts** page: .. Select the *Events* tab to view the Events table. + .. Find the event to filter, click the *More actions* menu (*...*), then select *Add Endpoint event filter*. 
@@ -29,7 +29,7 @@ Create event filters from the Hosts page or the Event filters page. TIP: Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the {elastic-endpoint}. + For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`. -* To create an event filter from the Event filters page: +* To create an event filter from the **Event filters** page: .. Cick *Add event filter*, which opens a flyout. -- + diff --git a/docs/serverless/edr-manage/event-filters.asciidoc b/docs/serverless/edr-manage/event-filters.asciidoc new file mode 100644 index 0000000000..587411f867 --- /dev/null +++ b/docs/serverless/edr-manage/event-filters.asciidoc 
@@ -0,0 +1,119 @@ +[[security-event-filters]] += Event filters + +// :keywords: serverless, security, how-to + +preview:[] + +Event filters allow you to filter out endpoint events that you don't want stored in {es} — for example, high-volume events. By creating event filters, you can optimize your storage in {es}. + +Event filters do not lower CPU usage on hosts; {elastic-endpoint} still monitors events to detect and prevent possible threats, but without writing event data to {es}. To compare event filters with other endpoint artifacts, refer to <>. + +.Requirements +[NOTE] +==== +You must have the appropriate user role to use this feature. + +// Placeholder statement until we know which specific roles are required. Classic statement below for reference. + +// You must have the **Event Filters** privilege to access this feature. +==== + +[IMPORTANT] +==== +Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters. +==== + +By default, event filters are recognized globally across all hosts running {elastic-defend}. You can also assign an event filter to a specific {elastic-defend} integration policy, which would filter endpoint events from the hosts assigned to that policy. + +Create event filters from the **Hosts** page or the **Event filters** page. + +. Do one of the following: ++ +** To create an event filter from the **Hosts** page: ++ +... Select the **Events** tab to view the Events table. +... Find the event to filter, click the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions menu icon]), then select **Add Endpoint event filter**. 
++ +[TIP] +==== +Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the {elastic-endpoint}. +For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`. +==== +** To create an event filter from the **Event filters** page: ++ +... Click **Add event filter**, which opens a flyout. ++ +[role="screenshot"] +image::images/event-filters/-management-admin-event-filter.png[] +. Fill in these fields in the **Details** section: ++ +.. `Name`: Enter a name for the event filter. +.. `Description`: Enter a filter description (optional). +. In the **Conditions** section, depending which page you're using to create the filter, either modify the pre-populated conditions or add new conditions to define how {elastic-sec} will filter events. Use these settings: ++ +.. `Select operating system`: Select the appropriate operating system. +.. Select which kind of event filter you'd like to create: ++ +*** `Events`: Create a generic event filter that can match any event type. All matching events are excluded. +*** `Process Descendants`: Specify a process, and suppress the activity of its descendant processes. Events from the matched process will be ingested, but events from its descendant processes will be excluded. ++ +This option adds the condition `event.category is process` to narrow the filter to process-type events. You can add more conditions to identify the process whose descendants you want to exclude. +.. `Field`: Select a field to identify the event being filtered. +.. `Operator`: Select an operator to define the condition. Available options are: ++ +*** `is` +*** `is not` +*** `is one of` +*** `is not one of` +*** `matches` | `does not match`: Allows you to use wildcards in `Value`, such as `C:\path*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). 
++ +[IMPORTANT] +==== +Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. +==== +.. `Value`: Enter the value associated with the `Field`. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. +. To define multiple conditions, click the `AND` button and configure a new condition. You can also add nested conditions with the `Add nested condition` button. For example, the event filter pictured above excludes events whose `event.category` field is `network`, and whose `process.executable` field is as specified. +. Select an option in the **Assignment** section to assign the event filter to a specific integration policy: ++ +** `Global`: Assign the event filter to all integration policies for {elastic-defend}. +** `Per Policy`: Assign the event filter to one or more specific {elastic-defend} integration policies. Select each policy in which you want the events to be filtered. ++ +[NOTE] +==== +You can also select the `Per Policy` option without immediately assigning a policy to the event filter. For example, you could do this to create and review your event filter configurations before putting them into action with a policy. +==== +. Add a comment if you want to provide more information about the event filter (optional). +. Click **Add event filter**. The new filter is added to the **Event filters** list. + +[discrete] +[[manage-event-filters]] +== View and manage event filters + +The **Event filters** page (**Assets** → **Event filters**) displays all the event filters that have been added to the {security-app}. To refine the list, use the search bar to search by filter name, description, comments, or field value. 
+ +[role="screenshot"] +image::images/event-filters/-management-admin-event-filters-list.png[] + +[discrete] +[[edit-event-filter]] +=== Edit an event filter + +You can individually modify each event filter. You can also change the policies that an event filter is assigned to. + +To edit an event filter: + +. Click the actions menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) for the event filter you want to edit, then select **Edit event filter**. +. Modify details or conditions as needed. +. Click **Save**. + +[discrete] +[[delete-event-filter]] +=== Delete an event filter + +You can delete an event filter, which removes it entirely from all {elastic-defend} integration policies. + +To delete an event filter: + +. Click the actions menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) on the event filter you want to delete, then select **Delete event filter**. +. On the dialog that opens, verify that you are removing the correct event filter, then click **Delete**. A confirmation message is displayed. From 596594344e28a4823c0928e0519071a711290f1a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 14 Nov 2024 16:09:55 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../edr-manage/event-filters.asciidoc | 119 ------------------ 1 file changed, 119 deletions(-) delete mode 100644 docs/serverless/edr-manage/event-filters.asciidoc diff --git a/docs/serverless/edr-manage/event-filters.asciidoc b/docs/serverless/edr-manage/event-filters.asciidoc deleted file mode 100644 index 587411f867..0000000000 --- a/docs/serverless/edr-manage/event-filters.asciidoc +++ /dev/null 
@@ -1,119 +0,0 @@ -[[security-event-filters]] -= Event filters - -// :keywords: serverless, security, how-to - -preview:[] - -Event filters allow you to filter out endpoint events that you don't want stored in {es} — for example, high-volume events. By creating event filters, you can optimize your storage in {es}. - -Event filters do not lower CPU usage on hosts; {elastic-endpoint} still monitors events to detect and prevent possible threats, but without writing event data to {es}. To compare event filters with other endpoint artifacts, refer to <>. - -.Requirements -[NOTE] -==== -You must have the appropriate user role to use this feature. - -// Placeholder statement until we know which specific roles are required. Classic statement below for reference. - -// You must have the **Event Filters** privilege to access this feature. -==== - -[IMPORTANT] -==== -Since an event filter blocks an event from streaming to {es}, be conscious of event filter conditions you set and any existing rule conditions. If there is too much overlap, the rule may run less frequently than specified and, therefore, will not trigger the corresponding alert for that rule. This is the expected behavior of event filters. -==== - -By default, event filters are recognized globally across all hosts running {elastic-defend}. You can also assign an event filter to a specific {elastic-defend} integration policy, which would filter endpoint events from the hosts assigned to that policy. - -Create event filters from the **Hosts** page or the **Event filters** page. - -. Do one of the following: -+ -** To create an event filter from the **Hosts** page: -+ -... Select the **Events** tab to view the Events table. -... Find the event to filter, click the **More actions** menu (image:images/icons/boxesHorizontal.svg[More actions menu icon]), then select **Add Endpoint event filter**. 
-+ -[TIP] -==== -Since you can only create filters for endpoint events, be sure to filter the Events table to display events generated by the {elastic-endpoint}. -For example, in the KQL search bar, enter the following query to find endpoint network events: `event.dataset : endpoint.events.network`. -==== -** To create an event filter from the **Event filters** page: -+ -... Click **Add event filter**, which opens a flyout. -+ -[role="screenshot"] -image::images/event-filters/-management-admin-event-filter.png[] -. Fill in these fields in the **Details** section: -+ -.. `Name`: Enter a name for the event filter. -.. `Description`: Enter a filter description (optional). -. In the **Conditions** section, depending which page you're using to create the filter, either modify the pre-populated conditions or add new conditions to define how {elastic-sec} will filter events. Use these settings: -+ -.. `Select operating system`: Select the appropriate operating system. -.. Select which kind of event filter you'd like to create: -+ -*** `Events`: Create a generic event filter that can match any event type. All matching events are excluded. -*** `Process Descendants`: Specify a process, and suppress the activity of its descendant processes. Events from the matched process will be ingested, but events from its descendant processes will be excluded. -+ -This option adds the condition `event.category is process` to narrow the filter to process-type events. You can add more conditions to identify the process whose descendants you want to exclude. -.. `Field`: Select a field to identify the event being filtered. -.. `Operator`: Select an operator to define the condition. Available options are: -+ -*** `is` -*** `is not` -*** `is one of` -*** `is not one of` -*** `matches` | `does not match`: Allows you to use wildcards in `Value`, such as `C:\path*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). 
-+ -[IMPORTANT] -==== -Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. -==== -.. `Value`: Enter the value associated with the `Field`. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**. -. To define multiple conditions, click the `AND` button and configure a new condition. You can also add nested conditions with the `Add nested condition` button. For example, the event filter pictured above excludes events whose `event.category` field is `network`, and whose `process.executable` field is as specified. -. Select an option in the **Assignment** section to assign the event filter to a specific integration policy: -+ -** `Global`: Assign the event filter to all integration policies for {elastic-defend}. -** `Per Policy`: Assign the event filter to one or more specific {elastic-defend} integration policies. Select each policy in which you want the events to be filtered. -+ -[NOTE] -==== -You can also select the `Per Policy` option without immediately assigning a policy to the event filter. For example, you could do this to create and review your event filter configurations before putting them into action with a policy. -==== -. Add a comment if you want to provide more information about the event filter (optional). -. Click **Add event filter**. The new filter is added to the **Event filters** list. - -[discrete] -[[manage-event-filters]] -== View and manage event filters - -The **Event filters** page (**Assets** → **Event filters**) displays all the event filters that have been added to the {security-app}. To refine the list, use the search bar to search by filter name, description, comments, or field value. 
- -[role="screenshot"] -image::images/event-filters/-management-admin-event-filters-list.png[] - -[discrete] -[[edit-event-filter]] -=== Edit an event filter - -You can individually modify each event filter. You can also change the policies that an event filter is assigned to. - -To edit an event filter: - -. Click the actions menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) for the event filter you want to edit, then select **Edit event filter**. -. Modify details or conditions as needed. -. Click **Save**. - -[discrete] -[[delete-event-filter]] -=== Delete an event filter - -You can delete an event filter, which removes it entirely from all {elastic-defend} integration policies. - -To delete an event filter: - -. Click the actions menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) on the event filter you want to delete, then select **Delete event filter**. -. On the dialog that opens, verify that you are removing the correct event filter, then click **Delete**. A confirmation message is displayed.
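Review bot: in the first hunk of docs/management/admin/event-filters.asciidoc (`@@ -16,12 +16,12 @@`), the new `**Hosts**` and `**Event filters**` use double-asterisk (unconstrained) bold while every other UI label in the surrounding context lines uses the file's single-asterisk form (`*Events*`, `*More actions*`, `*Add Endpoint event filter*`). Both render, but a style-fix commit should not introduce a second bold convention on the same page; use `*Hosts*` and `*Event filters*` here, or convert the whole page in one pass.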
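Review bot: the second hunk of the same file (`@@ -29,7 +29,7 @@`) leaves the typo in the unchanged context line `.. Cick *Add event filter*, which opens a flyout.` untouched; since this commit is the style fix for this page, correct it to `Click *Add event filter*` in the same change rather than in a follow-up. The same `**Event filters**` versus `*Add event filter*` bold inconsistency noted for the first hunk applies to the added line here.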
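Review bot: the new file docs/serverless/edr-manage/event-filters.asciidoc (`@@ -0,0 +1,119 @@`) ships with an empty cross-reference, `To compare event filters with other endpoint artifacts, refer to <>.`, which has no target and will not link anywhere, and with a Requirements admonition whose own source comment says `Placeholder statement until we know which specific roles are required.` Neither should land in a release branch: supply the anchor for the artifact-comparison page and either name the required role or drop the Requirements block until it is known. The commit message also records a cherry-pick conflict on exactly this path, which is a signal that the file was not meant to be created on this branch at all.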
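Review bot: PATCH 2/2 (`@@ -1,119 +0,0 @@`) deletes the 119-line file that PATCH 1/2 just created, so the net effect of the series on docs/serverless is nothing and the history carries a spurious add-then-remove. Rebase the backport so the serverless file is dropped from the first commit (resolving the noted cherry-pick conflict by not creating it), leaving a single commit containing only the six-line change to docs/management/admin/event-filters.asciidoc.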