docs/detections/add-exceptions.asciidoc
Lines changed: 7 additions & 13 deletions
@@ -129,22 +129,16 @@ Closes all alerts that match the exception's conditions and were generated only
129
129
[[endpoint-rule-exceptions]]
130
130
=== Add {elastic-endpoint} exceptions
131
131
132
-
Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields:
132
+
You can add {elastic-endpoint} exceptions to <<endpoint-protection-rules, endpoint protection rules>> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.
You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.
138
-
139
-
Endpoint exceptions are added to the Endpoint Security rule *and* the {elastic-endpoint} on your hosts.
134
+
Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts.
140
135
141
136
[IMPORTANT]
142
137
=============
143
-
Exceptions added to the Endpoint Security rule affect all alerts sent
144
-
from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint
145
-
alerts.
138
+
Exceptions added to the endpoint protection rules affect all alerts sent
139
+
from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts.
146
140
147
-
Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
141
+
Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
148
142
=============
149
143
150
144
[IMPORTANT]
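Review bot: the new paragraph at line 132 and the line that follows it state the same thing twice ("...rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the ... option." appears in both); keep one of them, presumably the new line 132, and drop the other. Also, the removed line ended with "{elastic-endpoint} alerts have the following fields:", which introduced a list; confirm the list that followed it was removed in the same change or is re-introduced, otherwise the unchanged lines after this paragraph will start a list with no lead-in.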
@@ -158,7 +152,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there
158
152
159
153
* To add an Endpoint exception from the rule details page:
160
154
.. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
161
-
.. In the Rules table, search for and select the Elastic *Endpoint Security* rule.
155
+
.. In the Rules table, search for and select one of the <<endpoint-protection-rules, endpoint protection rules>>.
162
156
.. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*.
163
157
164
158
* To add an Endpoint exception from the Alerts table:
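Review bot: the step at line 155 now says "select one of the endpoint protection rules" without saying whether the choice matters. Since the exception list is shared across these rules (per the NOTE later in this file), a short clause such as "the exception applies to all endpoint protection rules regardless of which one you select" would stop readers from adding the same exception once per rule.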
@@ -170,7 +164,7 @@ alert, click the *More actions* menu (*...*), then select *Add Endpoint exceptio
170
164
.. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
171
165
.. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*.
172
166
+
173
-
NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option selected.
167
+
NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option selected.
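Review bot: in the NOTE at line 167, "associated with endpoint protection rules" would read more precisely as "associated with all endpoint protection rules", since the point of the sentence is that a single list is shared; the unchanged step at line 165 ("Expand the Endpoint Security Exception List ...") relies on the reader knowing that.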
docs/detections/detection-engine-intro.asciidoc
Lines changed: 2 additions & 14 deletions
@@ -22,21 +22,9 @@ how to modify the rules to reduce false positives and get a better set of
22
22
actionable alerts. You can also use exceptions and value lists when creating or
23
23
modifying your own rules.
24
24
25
-
There are two special prebuilt rules you need to know about:
25
+
There are several special prebuilt rules you need to know about:
26
26
27
-
* <<endpoint-security, *Endpoint Security*>>:
28
-
Automatically creates an alert from all incoming Elastic Endpoint alerts. To
29
-
receive Elastic Endpoint alerts, you must install the Endpoint agent on your
30
-
hosts (see <<install-endpoint>>).
31
-
+
32
-
When this rule is enabled, the following Endpoint events are displayed as
33
-
detection alerts:
34
-
+
35
-
** Malware Prevention Alert
36
-
** Malware Detection Alert
37
-
+
38
-
NOTE: When you load the prebuilt rules, this is the only rule that is enabled
39
-
by default.
27
+
* <<endpoint-protection-rules, *Endpoint protection rules*>>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention.
40
28
41
29
* <<external-alerts, *External Alerts*>>: Automatically creates an alert for
42
30
all incoming third-party system alerts (for example, Suricata alerts).
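Review bot: the replacement at line 27 drops three pieces of information the old bullet carried: the prerequisite that the Endpoint agent must be installed (with its `<<install-endpoint>>` xref), the list of Endpoint events shown as detection alerts, and the NOTE that this is the only rule enabled by default. If those now live on the new endpoint protection rules page, fine, but the bullet should at least keep a pointer to the install step. Also, line 25 now says "several special prebuilt rules" while the list that follows has two bullets; "two" was accurate for two bullets, and if "several" is meant to count the individual protection rules, say that explicitly. Finally, the `<<endpoint-security, ...>>` xref was removed here; confirm the `[[endpoint-security]]` anchor still has a target, since other pages link to it.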
docs/detections/rules-ui-create.asciidoc
Lines changed: 3 additions & 5 deletions
@@ -562,13 +562,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo
562
562
alerts created by the rule. You can also add action buttons to <<invest-guide-run-osquery, run Osquery>> or <<interactive-investigation-guides, launch Timeline investigations>> using alert data.
563
563
.. *Author* (optional): The rule's authors.
564
564
.. *License* (optional): The rule's license.
565
-
.. *Elastic endpoint exceptions* (optional): Adds all Elastic Endpoint Security
566
-
rule exceptions to this rule (refer to <<endpoint-rule-exceptions>> to learn more about adding endpoint exceptions).
565
+
.. *Elastic endpoint exceptions* (optional): Adds all <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> to this rule.
567
566
+
568
567
NOTE: If you select this option, you can add
569
-
<<endpoint-rule-exceptions, Endpoint exceptions>> on the Rule details page.
570
-
Additionally, all future exceptions added to the Endpoint Security rule
571
-
also affect this rule.
568
+
{elastic-endpoint} exceptions on the Rule details page.
569
+
Additionally, all future exceptions added to <<endpoint-protection-rules, endpoint protection rules>> will also affect this rule.
572
570
+
573
571
574
572
.. *Building block* (optional): Select to create a building-block rule. By
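Review bot: line 569 switches to future tense ("will also affect this rule") where the previous wording and the rest of this list use present tense; "also affect this rule" is enough. The NOTE at lines 567-568 has also lost its xref ("{elastic-endpoint} exceptions on the Rule details page." is now plain text), which is acceptable because line 565 now carries the `<<endpoint-rule-exceptions, ...>>` link, but confirm that was intended rather than a side effect of the rewrap.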
Endpoint protection rules are <<prebuilt-rules-management, prebuilt rules>> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <<endpoint-security>> rule as well as additional detection and prevention rules for different {elastic-defend} protection features.
5
+
6
+
IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <<install-endpoint>>).
7
+
8
+
When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts:
9
+
10
+
** Malware Prevention Alert
11
+
** Malware Detection Alert
12
+
13
+
[discrete]
14
+
[[endpoint-sec-rule]]
15
+
== Endpoint Security rule
16
+
17
+
The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts.
18
+
19
+
NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default.
20
+
21
+
[discrete]
22
+
[[feature-protection-rules]]
23
+
== Feature-specific protection rules
24
+
25
+
The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
26
+
27
+
* Behavior - Detected - Elastic Defend
28
+
* Behavior - Prevented - Endpoint Defend
29
+
* Malicious File - Detected - Elastic Defend
30
+
* Malicious File - Prevented - Elastic Defend
31
+
* Memory Signature - Detected - Elastic Defend
32
+
* Memory Signature - Prevented - Elastic Defend
33
+
* Ransomware - Detected - Elastic Defend
34
+
* Ransomware - Prevented - Elastic Defend
35
+
36
+
NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
37
+
38
+
To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <<load-prebuilt-rules,installing and enabling Elastic prebuilt rules>>.
39
+
40
+
[discrete]
41
+
== Endpoint security exception handling
42
+
43
+
All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> continue to apply.
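Review bot: the NOTE at line 19 ("When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default.") has the wrong subject: it is the Endpoint Security rule that is enabled by default, which is what the deleted NOTE in detection-engine-intro.asciidoc said. Suggest "the Endpoint Security rule is enabled by default". Two smaller points in the same file: line 28 reads "Behavior - Prevented - Endpoint Defend" while the other seven rule names end in "Elastic Defend", so it is likely a typo in the rule name; and line 4 links to `<<endpoint-security>>` although the anchor this page defines for that section is `[[endpoint-sec-rule]]` (line 14), so either the xref should point at `<<endpoint-sec-rule>>` or the old anchor needs to keep existing. Lines 1-3 of this file are not shown here; confirm it defines the `[[endpoint-protection-rules]]` anchor that the other files in this change link to.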
Endpoint protection rules are <<security-prebuilt-rules-management, prebuilt rules>> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {elastic-defend} protection features.
5
+
6
+
IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <<security-install-edr>>).
7
+
8
+
When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts:
9
+
10
+
** Malware Prevention Alert
11
+
** Malware Detection Alert
12
+
13
+
[discrete]
14
+
[[endpoint-sec-rule]]
15
+
== Endpoint Security rule
16
+
17
+
The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts.
18
+
19
+
NOTE: When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default.
20
+
21
+
[discrete]
22
+
[[feature-protection-rules]]
23
+
== Feature-specific protection rules
24
+
25
+
The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
26
+
27
+
* Behavior - Detected - Elastic Defend
28
+
* Behavior - Prevented - Endpoint Defend
29
+
* Malicious File - Detected - Elastic Defend
30
+
* Malicious File - Prevented - Elastic Defend
31
+
* Memory Signature - Detected - Elastic Defend
32
+
* Memory Signature - Prevented - Elastic Defend
33
+
* Ransomware - Detected - Elastic Defend
34
+
* Ransomware - Prevented - Elastic Defend
35
+
36
+
NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
37
+
38
+
To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <<load-prebuilt-rules,installing and enabling Elastic prebuilt rules>>.
39
+
40
+
[discrete]
41
+
== Endpoint security exception handling
42
+
43
+
All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> continue to apply.
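Review bot: line 19 has a stray "that" ("the Endpoint Security rule that is enabled by default"); it should read "the Endpoint Security rule is enabled by default". Line 28 has the same "Endpoint Defend" vs. "Elastic Defend" inconsistency as the sibling file. Since this copy differs from the previous one only in its xref targets (`security-prebuilt-rules-management`, `security-install-edr`), the two files need to be kept in sync, and the NOTE at line 19 is currently worded differently in each; apply the same corrected sentence to both.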