[Request] 8 New Endpoint Security promotion rules #5993

Open
caitlinbetz opened this issue Oct 24, 2024 · 3 comments
caitlinbetz commented Oct 24, 2024

Description

We are creating 8 new, optional, Elastic Defend (Endpoint) promotion rules (https://github.com/elastic/security-team/issues/6287). These will be 4 Detection & 4 Prevention rules for Behavior Protection, Malware, Ransomware, & Memory protection (8 total).

Today, when a user installs Elastic Defend, we automatically enable the "Endpoint Security" promotion rule, which ensures alerts are properly generated from Defend (https://www.elastic.co/guide/en/security/master/detection-engine-overview.html). However, using a single promotion rule for all the Elastic Endpoint security alerts implies that all alerts from the endpoint (prevention or detection alerts) are handled the same way. Users must manually inspect each alert's metadata to determine whether it was preventive or detection-only. In addition, users can't configure different actions (endpoint response actions or otherwise) based on the alert type. These additional endpoint security rules provide more of this flexibility.

Enabling the single Endpoint Security rule by default upon installation of Defend will continue to be the default behavior. These 8 new rules will be optional: users can manually enable them in the Rules section of the app.

I don't believe we have any content in our Defend focused pages about rules (I believe the main mention is on the page noted above, https://www.elastic.co/guide/en/security/master/detection-engine-overview.html). It could be beneficial to add something to the install or policy pages regarding how they can use these different rules.

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.16

Serverless release

TBD

Feature differences

No changes between ESS/Serverless

API docs impact

TBD

Prerequisites, privileges, feature flags

No response

@caitlinbetz (Author)

@approksiu - can you confirm:

  • If user has all 8 new rules enabled, and the existing endpoint security rule, they will receive duplicate alerts
  • there is no downside/user impact to enabling all 8 new rules (with original endpoint security rule disabled) - they will receive appropriate alerts based on defend policy config
  • no differences between serverless and ESS? (when will these be made available for serverless?)

@approksiu (Contributor)

@caitlinbetz yes, all you mention is correct.
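The split described in the issue (one umbrella "Endpoint Security" promotion rule versus one Detected and one Prevented rule per protection family) and the duplicate-alert point confirmed above, modelled as an added Python example. This is not code from the issue or from Elastic. The field names (event.kind, event.module, event.code, event.type, event.outcome), the event.code-to-protection mapping and the "denied plus success means prevented" convention are assumptions about the shape of Defend alert documents, and the sample alerts are constructed; check them against real alerts in your own stack before reusing the predicates.

```python
"""Model of how promotion rules select Elastic Defend alerts.

Added example, not code from the issue or from Elastic. The rule predicates
are an assumption about the alert documents' event.* fields.
"""

# Constructed sample alerts (not real data). Assumed conventions:
#   event.kind == "alert" and event.module == "endpoint"  -> an endpoint alert
#   event.code names the protection that fired
#   event.type contains "denied" and event.outcome contains "success"
#       -> the action was blocked (prevented); anything else -> detected only
SAMPLE_ALERTS = [
    {"id": "a1", "event": {"kind": "alert", "module": "endpoint", "code": "behavior",
                           "type": ["denied"], "outcome": ["success"]}},
    {"id": "a2", "event": {"kind": "alert", "module": "endpoint", "code": "behavior",
                           "type": ["allowed"], "outcome": ["success"]}},
    {"id": "a3", "event": {"kind": "alert", "module": "endpoint", "code": "malicious_file",
                           "type": ["denied"], "outcome": ["failure"]}},
    {"id": "a4", "event": {"kind": "alert", "module": "endpoint", "code": "ransomware",
                           "type": ["denied"], "outcome": ["success"]}},
    {"id": "a5", "event": {"kind": "alert", "module": "endpoint", "code": "shellcode_thread",
                           "type": ["allowed"], "outcome": ["success"]}},
    # An ordinary endpoint event, not an alert: no promotion rule should match it.
    {"id": "e1", "event": {"kind": "event", "module": "endpoint", "code": "process"}},
]

# Protection family -> event.code values (assumed mapping).
PROTECTIONS = {
    "behavior": {"behavior"},
    "malware": {"malicious_file"},
    "ransomware": {"ransomware"},
    "memory": {"memory_signature", "shellcode_thread"},
}


def is_endpoint_alert(doc):
    ev = doc.get("event", {})
    return ev.get("kind") == "alert" and ev.get("module") == "endpoint"


def was_prevented(doc):
    """Prevented: the action was denied and the block succeeded."""
    ev = doc["event"]
    return "denied" in ev.get("type", []) and "success" in ev.get("outcome", [])


def umbrella_rule(doc):
    """The existing single 'Endpoint Security' rule: every endpoint alert."""
    return is_endpoint_alert(doc)


def make_specific_rules():
    """Build the 8 narrower rules: Detected and Prevented for each family."""
    rules = {}
    for family, codes in PROTECTIONS.items():
        # Default arguments bind 'codes' per iteration (avoids late binding).
        def detected(doc, codes=codes):
            return (is_endpoint_alert(doc)
                    and doc["event"].get("code") in codes
                    and not was_prevented(doc))

        def prevented(doc, codes=codes):
            return (is_endpoint_alert(doc)
                    and doc["event"].get("code") in codes
                    and was_prevented(doc))

        rules[f"{family}-detected"] = detected
        rules[f"{family}-prevented"] = prevented
    return rules


def promote(alerts, rules):
    """Return {alert id: [names of the rules that promoted it]}."""
    hits = {}
    for doc in alerts:
        matched = [name for name, pred in rules.items() if pred(doc)]
        if matched:
            hits[doc["id"]] = matched
    return hits


def duplicate_ids(hits):
    """Alert ids promoted by more than one rule, i.e. duplicated alerts."""
    return sorted(aid for aid, names in hits.items() if len(names) > 1)


if __name__ == "__main__":
    specific = make_specific_rules()
    print("8 rules only   :", promote(SAMPLE_ALERTS, specific))
    everything = {"endpoint-security": umbrella_rule, **specific}
    print("umbrella + 8   :", promote(SAMPLE_ALERTS, everything))
    print("duplicated ids :", duplicate_ids(promote(SAMPLE_ALERTS, everything)))
```

With only the eight specific rules enabled each sample alert is promoted exactly once and lands in a named Detected or Prevented bucket that can be wired to its own actions; with the umbrella rule enabled alongside them, every alert is promoted twice, which is the duplication the thread warns about.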

@nicpenning
👀

3 participants