-
Notifications
You must be signed in to change notification settings - Fork 184
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Request] 8 New Endpoint Security rules #5993
Comments
@approksiu - can you confirm:
|
@caitlinbetz yes, all you mention is correct. |
👀 |
Looking at this PR's changes, it looks like the existing "Endpoint Security" rule is also being renamed to "Elastic Defend": @approksiu @caitlinbetz @Mikaayenson Could someone confirm this? |
@joepeeples Yes. This rule only looks at Defend alerts. |
We have a few more follow-up questions:
|
These rules will only be available from 8.16 onwards, as they depend on a data field provided by Elastic Defend from 8.16. We can release these rules out-of-band once the docs are ready - rules release is more flexible than the stack release.
There are no API changes AFAIK.
The name update will be shown to them in the update flyout and they can proceed with updating the rule as with the other updates. When you import rules, there is a different workflow.
If we don't mention it in the rules themselves, there is no need to document it at the moment. Promotion means it take an alert from logs and "promotes" it to the ELastic Security alert, basically creating an alert document.
We have a special shared exception list "Endpoint exceptions", which makes sure exceptions are applied on Elastic Defend as well. These new rules will be using the same exception list "Endpoint exceptions", so if user switches to using the new rules and stops using Endpont Security rule, the exceptions will continue working.
These rules typically overwrite rule name with the the alert/rule name value from the original incoming alert (in this case from Elastic Defend), here the behavior is not changing, and we plan to address this in the future when we can show original Elastic Defent rules in the SIEM. At the moment users benefit from ability to set more specific actions based on whether the malicious activity was prevented or just detected. @natasha-moore-elastic let me know if there are more questions. |
Description
We are creating 8 new, optional, Elastic Defend (Endpoint) promotion rules (https://github.com/elastic/security-team/issues/6287). These will be 4 Detection & 4 Prevention rules for Behavior Protection, Malware, Ransomware, & Memory protection (8 total).
Today, when a user installs Elastic Defend, we automatically enable the "Endpoint Security" promotion rule which ensures alerts are properly generated from Defend (https://www.elastic.co/guide/en/security/master/detection-engine-overview.html). However, using a single promotion rule for all the Elastic Endpoint security alerts implies that all alerts from the endpoint (prevention or detection alerts) are handled the same way. Users must manually inspect each alert’s metadata to determine if it was preventive or only detection. In addition, users can't configure different actions (endpoint response actions or otherwise) based on the alert type. These additional endpoint security rules provide more of this flexibility.
Enabling the single Endpoint Security rule by default upon installation of Defend will continue to be the default behavior. These 8 new rules will be optional - user can manually enable these in the Rules section of the app.
I don't believe we have any content in our Defend focused pages about rules (I believe the main mention is on the page noted above, https://www.elastic.co/guide/en/security/master/detection-engine-overview.html). It could be beneficial to add something to the install or policy pages regarding how they can use these different rules.
Background & resources
Which documentation set does this change impact?
ESS and serverless
ESS release
8.16
Serverless release
TBD
Feature differences
No changes between ESS/Serverless
API docs impact
TBD
Prerequisites, privileges, feature flags
No response
The text was updated successfully, but these errors were encountered: