Description
We've added an "advanced mode" option for trusted applications. The default behavior will remain the same as it is currently, with the option for users to switch to the "advanced" mode if they wish. The "advanced mode" allows users to create a filter on more than just hash/signer/executable path, providing the ability to define more complex rules (similar to alert exceptions and event filters), such as trusting specific file paths or remote IP addresses. It'll still be the case that Advanced Trusted Apps will prevent Endpoint from monitoring certain system activity (while Endpoint Exceptions will continue to monitor all activity but just not alert on certain things; no changes there).
Resources
Security team issue: https://github.com/elastic/security-team/issues/9267
Which documentation set does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
N/A
What release is this request related to?
9.1
Serverless release
TBD
Collaboration model
The documentation team
Point of contact
Main contact: @caitlinbetz @dasansol92 @ferullo
Stakeholders: