elastic · natasha-moore-elastic · Jan 8, 2025 · Nov 11, 2024 · Nov 12, 2024 · Nov 12, 2024
@@ -129,22 +129,16 @@ Closes all alerts that match the exception's conditions and were generated only
 [[endpoint-rule-exceptions]]
 === Add {elastic-endpoint} exceptions
 
-Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields:
+You can add {elastic-endpoint} exceptions to <<endpoint-protection-rules, endpoint protection rules>> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.
 
-* `kibana.alert.original_event.module determined:endpoint`
-* `kibana.alert.original_event.kind:alert`
-
-You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option.
-
-Endpoint exceptions are added to the Endpoint Security rule *and* the {elastic-endpoint} on your hosts.
+Endpoint exceptions are added to the endpoint protection rules *and* the {elastic-endpoint} on your hosts.
 
 [IMPORTANT]
 =============
-Exceptions added to the Endpoint Security rule affect all alerts sent
-from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint
-alerts.
+Exceptions added to the endpoint protection rules affect all alerts sent
+from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts.
 
-Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
+Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
 =============
 
 [IMPORTANT]
@@ -158,7 +152,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there
 
 * To add an Endpoint exception from the rule details page:
 .. Find *Detection rules (SIEM)* in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
-.. In the Rules table, search for and select the Elastic *Endpoint Security* rule.
+.. In the Rules table, search for and select one of the <<endpoint-protection-rules, endpoint protection rules>>.
 .. Scroll down the rule details page, select the *Endpoint exceptions* tab, then click *Add endpoint exception*.
 
 * To add an Endpoint exception from the Alerts table:
@@ -170,7 +164,7 @@ alert, click the *More actions* menu (*...*), then select *Add Endpoint exceptio
 .. Find the *Shared exception lists* page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
 .. Expand the Endpoint Security Exception List or click the list name to open the list's details page. Next, click *Add endpoint exception*. 
 +
-NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option selected.
+NOTE: The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <<rule-ui-advanced-params, *{elastic-endpoint} exceptions*>> option selected.
 
 --
 +

@@ -22,21 +22,9 @@ how to modify the rules to reduce false positives and get a better set of
 actionable alerts. You can also use exceptions and value lists when creating or
 modifying your own rules.
 
-There are two special prebuilt rules you need to know about:
+There are several special prebuilt rules you need to know about:
 
-* <<endpoint-security, *Endpoint Security*>>:
-Automatically creates an alert from all incoming Elastic Endpoint alerts. To
-receive Elastic Endpoint alerts, you must install the Endpoint agent on your
-hosts (see <<install-endpoint>>).
-+
-When this rule is enabled, the following Endpoint events are displayed as
-detection alerts:
-+
-** Malware Prevention Alert
-** Malware Detection Alert
-+
-NOTE: When you load the prebuilt rules, this is the only rule that is enabled
-by default.
+* <<endpoint-protection-rules, *Endpoint protection rules*>>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention.
 
 * <<external-alerts, *External Alerts*>>: Automatically creates an alert for
 all incoming third-party system alerts (for example, Suricata alerts).

@@ -562,13 +562,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo
 alerts created by the rule. You can also add action buttons to <<invest-guide-run-osquery, run Osquery>> or <<interactive-investigation-guides, launch Timeline investigations>> using alert data.
 .. *Author* (optional): The rule's authors.
 .. *License* (optional): The rule's license.
-.. *Elastic endpoint exceptions* (optional): Adds all Elastic Endpoint Security
-rule exceptions to this rule (refer to <<endpoint-rule-exceptions>> to learn more about adding endpoint exceptions).
+.. *Elastic endpoint exceptions* (optional): Adds all <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> to this rule.
 +
 NOTE: If you select this option, you can add
-<<endpoint-rule-exceptions, Endpoint exceptions>> on the Rule details page.
-Additionally, all future exceptions added to the Endpoint Security rule
-also affect this rule.
+{elastic-endpoint} exceptions on the Rule details page.
+Additionally, all future exceptions added to <<endpoint-protection-rules, endpoint protection rules>> will also affect this rule.
 +
 
 .. *Building block* (optional): Select to create a building-block rule. By

@@ -0,0 +1,43 @@
+[[endpoint-protection-rules]]
+= Endpoint protection rules
+
+Endpoint protection rules are <<prebuilt-rules-management, prebuilt rules>> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the <<endpoint-security>> rule as well as additional detection and prevention rules for different {elastic-defend} protection features.
+
+IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration  on your hosts (refer to <<install-endpoint>>).
+
+When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts:
+
+** Malware Prevention Alert
+** Malware Detection Alert
+
+[discrete]
+[[endpoint-sec-rule]]
+== Endpoint Security rule
+
+The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts. 
+
+NOTE: When you install Elastic prebuilt rules, the {elastic-defend} is enabled by default. 
+
+[discrete]
+[[feature-protection-rules]]
+== Feature-specific protection rules
+
+The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
+
+* Behavior - Detected - Elastic Defend
+* Behavior - Prevented - Endpoint Defend
+* Malicious File - Detected - Elastic Defend
+* Malicious File - Prevented - Elastic Defend
+* Memory Signature - Detected - Elastic Defend
+* Memory Signature - Prevented - Elastic Defend
+* Ransomware - Detected - Elastic Defend
+* Ransomware - Prevented - Elastic Defend
+
+NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
+
+To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <<load-prebuilt-rules,installing and enabling Elastic prebuilt rules>>.
+
+[discrete]
+== Endpoint security exception handling
+
+All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> continue to apply.
@@ -12,6 +12,7 @@ include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.as
 include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/endpoint-event-capture.asciidoc[leveloffset=+1]
+include::{security-docs-root}/docs/management/admin/endpoint-protection-rules.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/endpoint-self-protection.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/endpoint-command-ref.asciidoc[leveloffset=+1]
@@ -0,0 +1,43 @@
+[[endpoint-protection-rules]]
+= Endpoint protection rules
+
+Endpoint protection rules are <<security-prebuilt-rules-management, prebuilt rules>> designed to help you manage and respond to alerts generated by {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different {elastic-defend} protection features.
+
+IMPORTANT: To receive {elastic-endpoint} alerts, you must install {agent} and the {elastic-defend} integration on your hosts (refer to <<security-install-edr>>).
+
+When endpoint protection rules are triggered, {elastic-endpoint} alerts are displayed as detection alerts in the {security-app}. The detection alert name is taken from the {elastic-endpoint} alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following {elastic-endpoint} alerts are displayed as detection alerts:
+
+** Malware Prevention Alert
+** Malware Detection Alert
+
+[discrete]
+[[endpoint-sec-rule]]
+== Endpoint Security rule
+
+The Endpoint Security rule automatically creates an alert from all incoming {elastic-endpoint} alerts.
+
+NOTE: When you install Elastic prebuilt rules, the Endpoint Security rule that is enabled by default.
+
+[discrete]
+[[feature-protection-rules]]
+== Feature-specific protection rules
+
+The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
+
+* Behavior - Detected - Elastic Defend
+* Behavior - Prevented - Endpoint Defend
+* Malicious File - Detected - Elastic Defend
+* Malicious File - Prevented - Elastic Defend
+* Memory Signature - Detected - Elastic Defend
+* Memory Signature - Prevented - Elastic Defend
+* Ransomware - Detected - Elastic Defend
+* Ransomware - Prevented - Elastic Defend
+
+NOTE: If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
+
+To use these rules, you need to manually enable them from the **Rules** page in the {security-app}. Follow the instructions for <<load-prebuilt-rules,installing and enabling Elastic prebuilt rules>>.
+
+[discrete]
+== Endpoint security exception handling
+
+All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> continue to apply.
@@ -70,6 +70,7 @@ include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3]
 include::./edr-manage/blocklist.asciidoc[leveloffset=+3]
 include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3]
 include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3]
+include::./edr-manage/endpoint-protection-rules.asciidoc[leveloffset=+3]
 include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3]
 include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3]
 include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3]

@@ -135,22 +135,16 @@ is only available when adding exceptions from the Alerts table.
 [[endpoint-rule-exceptions]]
 == Add {elastic-endpoint} exceptions
 
-Like detection rule exceptions, you can add Endpoint agent exceptions either by editing the Endpoint Security rule or by adding them as actions on alerts generated by the Endpoint Security rule. {elastic-endpoint} alerts have the following fields:
+You can add {elastic-endpoint} exceptions to <<endpoint-protection-rules, endpoint protection rules>> or to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option.
 
-* `kibana.alert.original_event.module determined:endpoint`
-* `kibana.alert.original_event.kind:alert`
-
-You can also add Endpoint exceptions to rules that are associated with {elastic-endpoint} rule exceptions. To associate rules when creating or editing a rule, select the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option.
-
-Endpoint exceptions are added to the Endpoint Security rule **and** the {elastic-endpoint} on your hosts.
+Endpoint exceptions are added to the endpoint protection rules **and** the {elastic-endpoint} on your hosts.
 
 [IMPORTANT]
 ====
-Exceptions added to the Endpoint Security rule affect all alerts sent
-from the Endpoint agent. Be careful not to unintentionally prevent useful Endpoint
-alerts.
+Exceptions added to the endpoint protection rules affect all alerts sent
+from {elastic-endpoint}. Be careful not to unintentionally prevent useful Endpoint alerts.
 
-Additionally, to add an Endpoint exception to the Endpoint Security rule, there must be at least one Endpoint Security alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
+Additionally, to add an Endpoint exception to an endpoint protection rule, there must be at least one {elastic-endpoint} alert generated in the system. For non-production use, if no alerts exist, you can trigger a test alert using malware emulation techniques or tools such as the Anti Malware Testfile from the https://www.eicar.org/[European Institute for Computer Anti-Virus Research (EICAR)].
 ====
 
 [IMPORTANT]
@@ -162,7 +156,7 @@ Additionally, to add an Endpoint exception to the Endpoint Security rule, there
 +
 ** To add an Endpoint exception from the rule details page:
 +
-... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select the Elastic **Endpoint Security** rule.
+... Go to the rule details page (**Rules** → **Detection rules (SIEM)**), and then search for and select one of the <<endpoint-protection-rules, endpoint protection rules>>.
 ... Scroll down the rule details page, select the **Endpoint exceptions** tab, then click **Add endpoint exception**.
 ** To add an Endpoint exception from the Alerts table:
 +
@@ -176,7 +170,7 @@ alert, click the **More actions** menu (image:images/icons/boxesHorizontal.svg[A
 +
 [NOTE]
 ====
-The Endpoint Security Exception List is automatically created. By default, it's associated with the Endpoint Security rule and any rules with the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option selected.
+The Endpoint Security Exception List is automatically created. By default, it's associated with endpoint protection rules and any rules with the <<rule-ui-advanced-params,**{elastic-endpoint} exceptions**>> option selected.
 ====
 +
 The **Add Endpoint Exception** flyout opens.

@@ -23,26 +23,11 @@ how to modify the rules to reduce false positives and get a better set of
 actionable alerts. You can also use exceptions and value lists when creating or
 modifying your own rules.
 
-There are two special prebuilt rules you need to know about:
+There are several special prebuilt rules you need to know about:
 
 // Links to prebuilt rule pages temporarily removed for initial serverless docs.
 
-* **Endpoint Security**:
-Automatically creates an alert from all incoming Elastic Endpoint alerts. To
-receive Elastic Endpoint alerts, you must install the Endpoint agent on your
-hosts (see <<security-install-edr,Install and configure the {elastic-defend} integration>>).
-+
-When this rule is enabled, the following Endpoint events are displayed as
-detection alerts:
-+
-** Malware Prevention Alert
-** Malware Detection Alert
-+
-[NOTE]
-====
-When you load the prebuilt rules, this is the only rule that is enabled
-by default.
-====
+* <<endpoint-protection-rules, *Endpoint protection rules*>>: Automatically create alerts based on {elastic-defend}'s threat monitoring and prevention.
 
 // Links to prebuilt rule pages temporarily removed for initial serverless docs.
 

@@ -596,12 +596,11 @@ After you create the rule, you can find all custom highlighted fields in the Abo
 alerts created by the rule. You can also add action buttons to <<security-invest-guide-run-osquery,run Osquery>> or <<security-interactive-investigation-guides,launch Timeline investigations>> using alert data.
 .. **Author** (optional): The rule's authors.
 .. **License** (optional): The rule's license.
-.. **Elastic endpoint exceptions** (optional): Adds all Elastic Endpoint Security
-rule exceptions to this rule (refer to <<endpoint-rule-exceptions,Add {elastic-endpoint} exceptions>> to learn more about adding endpoint exceptions).
+.. **Elastic endpoint exceptions** (optional): Adds all <<endpoint-rule-exceptions, {elastic-endpoint} exceptions>> to this rule.
 +
 [NOTE]
 ====
-If you select this option, you can add <<endpoint-rule-exceptions,Endpoint exceptions>> on the Rule details page. Additionally, all future exceptions added to the Endpoint Security rule also affect this rule.
+If you select this option, you can add {elastic-endpoint} exceptions on the Rule details page. Additionally, all future exceptions added to <<endpoint-protection-rules, endpoint protection rules>> will also affect this rule.
 ====
 .. **Building block** (optional): Select to create a building-block rule. By default, alerts generated from a building-block rule are not displayed in the UI. See <<security-building-block-rules,Use building block rules>> for more information.
 .. **Max alerts per run** (optional): Specify the maximum number of alerts the rule can create each time it runs. Default is 100.