Manage endpoint protection section - cleanup (#100)

* Rename landing page, some fixes * Rename id for Endpoitns page * Revise landing page * Update Endpoints page, rename images folder * Update status: Endpoints page * Update Policies page * Update Trusted apps page some subscription refs still remain, will update later * Update trusted-apps-ov.mdx * Update Event filters page * Update status * Update Host isolation exceptions page * Update Blocklist page * Rename id, slug, file * Update Optimize Defend page * Rename troubleshoot endpoints: id, slug, file * Update troubleshooting page * Fix xref
elastic · Sep 21, 2023 · 89f255e · 89f255e
1 parent 8fb383d
commit 89f255e
Show file tree

Hide file tree

Showing 22 changed files with 171 additions and 182 deletions.
diff --git a/api/endpoint-api/blocklist-api.mdx b/api/endpoint-api/blocklist-api.mdx
@@ -36,7 +36,7 @@ export let endpoint_artifact_api_doc_name = "blocklist"
 
 export let endpoint_artifact_page_title = "Blocklist"
 
-Create, retrieve, update, and delete endpoint \<\<blocklist>> entries with the <DocLink id="serverlessSecurityExceptionsApiOverview">Exceptions API</DocLink>. Endpoint {endpoint_artifact_name} are managed using a static container id (`list_id`) of `pass:a[{endpoint_artifact_list_id}]`, which must be created prior to adding the {endpoint_artifact_name}. To use these APIs, you must have privileges to manage endpoints. Refer to <DocLink id="serverlessSecurityAdminPageOv">Endpoints</DocLink> for more information.
+Create, retrieve, update, and delete endpoint \<\<blocklist>> entries with the <DocLink id="serverlessSecurityExceptionsApiOverview">Exceptions API</DocLink>. Endpoint {endpoint_artifact_name} are managed using a static container id (`list_id`) of `pass:a[{endpoint_artifact_list_id}]`, which must be created prior to adding the {endpoint_artifact_name}. To use these APIs, you must have privileges to manage endpoints. Refer to <DocLink id="serverlessSecurityEndpointsPage">Endpoints</DocLink> for more information.
 
 ## Create {endpoint_artifact_name} container
 

diff --git a/assets/asset-management.mdx b/assets/asset-management.mdx
@@ -15,5 +15,5 @@ The **Assets** page allows you to manage the following features:
 
 * [((fleet))](((fleet-guide))/manage-agents-in-fleet.html)
 * [((integrations))](((fleet-guide))/integrations.html)
-* <DocLink id="serverlessSecuritySecManageIntro">Endpoint protection</DocLink>
+* <DocLink id="serverlessSecurityManageEndpointProtection">Endpoint protection</DocLink>
 * <DocLink id="serverlessSecurityCloudNativeSecurityOverview">Cloud security</DocLink>
diff --git a/edr-manage/blocklist.mdx b/edr-manage/blocklist.mdx
@@ -4,30 +4,32 @@ slug: /serverless/security/blocklist
 title: Blocklist
 # description: Description to be written
 tags: [ 'serverless', 'security', 'how-to' ]
-status: rough content
+status: in review
 ---
 
-import RoughContent from '../partials/rough-content-notice.mdx'
+import InReview from '../partials/in-review-notice.mdx'
 
-<RoughContent />
+<InReview />
 
 <div id="blocklist"></div>
 
-The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious. This helps ensure that known malicious processes aren't accidentally executed by end users. 
+The blocklist (**Assets** -> **Blocklist**) allows you to prevent specified applications from running on hosts, extending the list of processes that ((elastic-defend)) considers malicious. This helps ensure that known malicious processes aren't accidentally executed by end users. 
 
-The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to \<\<endpoint-artifacts>>.
+The blocklist is not intended to broadly block benign applications for non-security reasons; only use it to block potentially harmful applications. To compare the blocklist with other endpoint artifacts, refer to <DocLink id="serverlessSecurityOptimizeEdr" />.
 
 <DocCallOut title="Requirements">
 
 * In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the ((elastic-defend)) integration policy in the <DocLink id="serverlessSecurityConfigureEndpointIntegrationPolicy" section="malware-protection">Malware protection settings</DocLink>. This setting is enabled by default.
 
-* You must have the **Blocklist** <DocLink id="serverlessSecurityEndpointManagementReq">privilege</DocLink> to access this feature.
+* You must have the appropriate user role to use this feature.
+{/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */}
+{/* * You must have the **Blocklist** <DocLink id="serverlessSecurityEndpointManagementReq">privilege</DocLink> to access this feature. */}
 
 </DocCallOut>
 
 By default, a blocklist entry is recognized globally across all hosts running ((elastic-defend)). If you have a [Platinum or Enterprise subscription](https://www.elastic.co/pricing), you can also assign a blocklist entry to specific ((elastic-defend)) integration policies, which blocks the process only on hosts assigned to that policy.
 
-1. Go to **Manage** -> **Blocklist**.
+1. Go to **Assets** -> **Blocklist**.
 
 1. Click **Add blocklist entry**. The **Add blocklist** flyout appears.
 
@@ -38,13 +40,13 @@ By default, a blocklist entry is recognized globally across all hosts running ((
 1. In the **Conditions** section, enter the following information about the application you want to block:
     1. `Select operating system`: Select the appropriate operating system from the drop-down.
     1. `Field`: Select a field to identify the application being blocked:
-  * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable.
-  * `Path`: The full file path of the application's executable.
-  * `Signature`: (Windows only) The name of the application's digital signer.
+        * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable.
+        * `Path`: The full file path of the application's executable.
+        * `Signature`: (Windows only) The name of the application's digital signer.
 
-      <DocCallOut title="Tip">
-      To find the signer's name for an application, go to **Kibana** -> **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).
-      </DocCallOut>
+            <DocCallOut title="Tip">
+            To find the signer's name for an application, go to **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).
+            </DocCallOut>
 
     1. `Operator`: The operator is `is one of` and cannot be modified.
 
@@ -56,24 +58,24 @@ By default, a blocklist entry is recognized globally across all hosts running ((
 
 1. Select an option in the **Assignment** section to assign the blocklist entry to a specific integration policy:
 
-* `Global`: Assign the blocklist entry to all ((elastic-defend)) integration policies.
-* `Per Policy`: Assign the blocklist entry to one or more specific ((elastic-defend)) integration policies. Select each policy where you want the blocklist entry to apply.
+    * `Global`: Assign the blocklist entry to all ((elastic-defend)) integration policies.
+    * `Per Policy`: Assign the blocklist entry to one or more specific ((elastic-defend)) integration policies. Select each policy where you want the blocklist entry to apply.
 
-    <DocCallOut title="Note">
-    You can also select the `Per Policy` option without immediately assigning a policy to the blocklist entry. For example, you could do this to create and review your blocklist configurations before putting them into action with a policy.
-    </DocCallOut>
+        <DocCallOut title="Note">
+        You can also select the `Per Policy` option without immediately assigning a policy to the blocklist entry. For example, you could do this to create and review your blocklist configurations before putting them into action with a policy.
+        </DocCallOut>
 
 1. Click **Add blocklist**. The new entry is added to the **Blocklist** page.
 
 1. When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the ((elastic-defend)) integration policies that you just assigned:
-    1. Go to **Manage** -> **Policies**, then click on an integration policy.
+    1. Go to **Assets** -> **Policies**, then click on an integration policy.
     1. On the **Policy settings** tab, ensure that the **Malware protections enabled** and **Blocklist enabled** toggles are switched on. Both settings are enabled by default.
 
 <div id="manage-blocklist"></div>
 
 ## View and manage the blocklist
 
-The **Blocklist** page displays all the blocklist entries that have been added to the ((security-app)). To refine the list, use the search bar to search by name, description, or field value.
+The **Blocklist** page (**Assets** -> **Blocklist**) displays all the blocklist entries that have been added to the ((security-app)). To refine the list, use the search bar to search by name, description, or field value.
 
 ![](../images/blocklist/-management-admin-blocklist.png)
 
@@ -84,7 +86,7 @@ You can individually modify each blocklist entry. With a Platinum or Enterprise
 
 To edit a blocklist entry:
 
-1. Click the actions menu (*...*) for the blocklist entry you want to edit, then select **Edit blocklist**.
+1. Click the actions menu (<DocIcon type="boxesHorizontal" title="Actions menu icon" />) for the blocklist entry you want to edit, then select **Edit blocklist**.
 1. Modify details as needed.
 1. Click **Save**.
 
@@ -95,6 +97,6 @@ You can delete a blocklist entry, which removes it entirely from all ((elastic-d
 
 To delete a blocklist entry:
 
-1. Click the actions menu (*...*) for the blocklist entry you want to delete, then select **Delete blocklist**.
+1. Click the actions menu (<DocIcon type="boxesHorizontal" title="Actions menu icon" />) for the blocklist entry you want to delete, then select **Delete blocklist**.
 1. On the dialog that opens, verify that you are removing the correct blocklist entry, then click **Delete**. A confirmation message displays.
 
diff --git a/edr-manage/endpoints-page.mdx b/edr-manage/endpoints-page.mdx
@@ -1,25 +1,27 @@
 ---
-id: serverlessSecurityAdminPageOv
+id: serverlessSecurityEndpointsPage
 slug: /serverless/security/endpoints-page
 title: Endpoints
 # description: Description to be written
 tags: [ 'serverless', 'security', 'overview' ]
-status: rough content
+status: in review
 ---
 
-import RoughContent from '../partials/rough-content-notice.mdx'
+import InReview from '../partials/in-review-notice.mdx'
 
-<RoughContent />
+<InReview />
 
-<div id="admin-page-ov"></div>
+<div id="endpoints-page-ov"></div>
 
-The Endpoints page allows administrators to view and manage endpoints that are running the <DocLink id="serverlessSecurityInstallDefend">((elastic-defend)) integration</DocLink>.
+The **Endpoints** page (**Assets** -> **Endpoints**) allows administrators to view and manage endpoints that are running the <DocLink id="serverlessSecurityInstallDefend">((elastic-defend)) integration</DocLink>.
 
 <DocCallOut title="Requirements">
 
-* ((fleet)) must be enabled in a ((kib)) space for administrative actions to function correctly.
+* ((fleet)) must be enabled for administrative actions to function correctly.
 
-* You must have the **Endpoint List** <DocLink id="serverlessSecurityEndpointManagementReq">privilege</DocLink> to access this feature.
+* You must have the appropriate user role to use this feature.
+{/* Placeholder statement until we know which specific roles are required. Classic statement below for reference. */}
+{/* * You must have the **Endpoint List** <DocLink id="serverlessSecurityEndpointManagementReq">privilege</DocLink> to access this feature. */}
 
 </DocCallOut>
 
@@ -29,37 +31,37 @@ The Endpoints page allows administrators to view and manage endpoints that are r
 
 The **Endpoints** list displays all hosts running ((elastic-defend)) and their relevant integration details. Endpoints appear in chronological order, with newly added endpoints at the top.
 
-![Endpoints page](../images/admin-page-ov/-management-admin-endpoints-pg.png)
+![Endpoints page](../images/endpoints-page/-management-admin-endpoints-pg.png)
 
 The Endpoints list provides the following data:
 
-* **Endpoint**: The system hostname. Click the link to display <DocLink id="serverlessSecurityAdminPageOv" section="endpoint-details">endpoint details</DocLink> in a flyout.
+* **Endpoint**: The system hostname. Click the link to display <DocLink id="serverlessSecurityEndpointsPage" section="endpoint-details">endpoint details</DocLink> in a flyout.
 
 * **Agent Status**: The current status of the ((agent)), which is one of the following:
 
-    * `Healthy`: The agent is online and communicating with ((kib)).
+    * `Healthy`: The agent is online and communicating with ((elastic-sec)).
 
     * `Unenrolling`: The agent is currently unenrolling and will soon be removed from Fleet. Afterward, the endpoint will also uninstall.
 
-    * `Unhealthy`: The agent is online but requires attention from an administrator because it's reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to <DocLink id="serverlessSecurityTsManagement" section="ts-unhealthy-agent">Endpoint management troubleshooting</DocLink> for more on resolving an unhealthy agent status.
+    * `Unhealthy`: The agent is online but requires attention from an administrator because it's reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to <DocLink id="serverlessSecurityTroubleshootEndpoints" section="ts-unhealthy-agent">Endpoint management troubleshooting</DocLink> for more on resolving an unhealthy agent status.
 
     * `Updating`: The agent is online and is updating the agent policy or binary, or is enrolling or unenrolling.
 
-    * `Offline`: The agent is still enrolled but may be on a machine that is shut down or currently does not have internet access. In this state, the agent is no longer communicating with ((kib)) at a regular interval.
+    * `Offline`: The agent is still enrolled but may be on a machine that is shut down or currently does not have internet access. In this state, the agent is no longer communicating with ((elastic-sec)) at a regular interval.
 
         <DocCallOut title="Note">
         ((agent)) statuses in ((fleet)) correspond to the agent statuses in the ((security-app)).
         </DocCallOut>
 
-* **Policy:** The name of the associated integration policy when the agent was installed. Click the link to display the <DocLink id="serverlessSecurityAdminPageOv" section="integration-policy-details">integration policy details</DocLink> page.
+* **Policy:** The name of the associated integration policy when the agent was installed. Click the link to display the <DocLink id="serverlessSecurityEndpointsPage" section="integration-policy-details">integration policy details</DocLink> page.
 
-* **Policy status:** Indicates whether the integration policy was successfully applied. Click the link to view <DocLink id="serverlessSecurityAdminPageOv" section="policy-status">policy status</DocLink> response details in a flyout.
+* **Policy status:** Indicates whether the integration policy was successfully applied. Click the link to view <DocLink id="serverlessSecurityEndpointsPage" section="policy-status">policy status</DocLink> response details in a flyout.
 
 * **OS**: The host's operating system.
 
 * **IP address**: All IP addresses associated with the hostname.
 
-* **Version**: The ((stack)) version currently running.
+* **Version**: The ((agent)) version currently running.
 
 * **Last active**: A date and timestamp of the last time the ((agent)) was active.
 
@@ -69,7 +71,7 @@ The Endpoints list provides the following data:
 
     * **Respond**: Open the <DocLink id="serverlessSecurityResponseActions">response console</DocLink> to perform response actions directly on the host.
 
-    * **View response actions history**: View a <DocLink id="serverlessSecurityAdminPageOv" section="response-actions-history">history of response actions</DocLink> performed on the host.
+    * **View response actions history**: View a <DocLink id="serverlessSecurityEndpointsPage" section="response-actions-history">history of response actions</DocLink> performed on the host.
 
     * **View host details**: View host details on the **Hosts** page in the ((security-app)).
 
@@ -85,15 +87,15 @@ The Endpoints list provides the following data:
 
 Click any link in the **Endpoint** column to display host details in a flyout. You can also use the **Take Action** menu button to perform the same actions as those listed in the Actions context menu, such as isolating the host, viewing host details, and viewing or reassigning the agent policy. 
 
-<DocImage size="xl" url="../images/admin-page-ov/-management-admin-host-flyout.png" alt="Endpoint details flyout" />
+<DocImage size="xl" url="../images/endpoints-page/-management-admin-host-flyout.png" alt="Endpoint details flyout" />
 
 <div id="response-action-history-tab"></div>
 
 ### Response actions history
 
 The endpoint details flyout also includes the **Response actions history** tab, which provides a log of the <DocLink id="serverlessSecurityResponseActions">response actions</DocLink> performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to <DocLink id="serverlessSecurityResponseActionsHistory">Response actions history</DocLink> for more details.
 
-<DocImage size="xl" url="../images/admin-page-ov/-management-admin-response-actions-history-endpoint-details.png" alt="Response actions history with a few past actions" />
+<DocImage size="xl" url="../images/endpoints-page/-management-admin-response-actions-history-endpoint-details.png" alt="Response actions history with a few past actions" />
 
 <div id="integration-policy-details"></div>
 
@@ -107,15 +109,15 @@ On this page, you can view and configure endpoint protection and event collectio
 Users must have permission to read/write to ((fleet)) APIs to make changes to the configuration.
 </DocCallOut>
 
-![Integration page](../images/admin-page-ov/-management-admin-integration-pg.png)
+![Integration page](../images/endpoints-page/-management-admin-integration-pg.png)
 
 Users who have unique configuration and security requirements can select **Show advanced settings** to configure the policy to support advanced use cases. Hover over each setting to view its description.
 
 <DocCallOut title="Note">
 Advanced settings are not recommended for most users.
 </DocCallOut>
 
-![Integration page](../images/admin-page-ov/-management-admin-integration-advanced-settings.png)
+![Integration page](../images/endpoints-page/-management-admin-integration-advanced-settings.png)
 
 <div id="policy-status"></div>
 
@@ -138,18 +140,15 @@ The status of the integration policy appears in the **Policy status** column and
 For more details on what's causing a policy status, click the link in the **Policy status** column and review the details flyout. Expand each section and subsection to display individual responses from the agent.
 
 <DocCallOut title="Tip">
-If you need help troubleshooting a configuration failure, refer to <DocLink id="serverlessSecurityTsManagement" section="ts-unhealthy-agent">Endpoint management troubleshooting</DocLink> and [((fleet)) troubleshooting](((fleet-guide))/fleet-troubleshooting.html).
+If you need help troubleshooting a configuration failure, refer to <DocLink id="serverlessSecurityTroubleshootEndpoints" section="ts-unhealthy-agent">Endpoint management troubleshooting</DocLink> and [((fleet)) troubleshooting](((fleet-guide))/fleet-troubleshooting.html).
 </DocCallOut>
 
-<DocImage size="l" url="../images/admin-page-ov/-management-admin-config-status.png" alt="Config status details" />
+<DocImage size="l" url="../images/endpoints-page/-management-admin-config-status.png" alt="Config status details" />
 
 ### Filter endpoints
 
 To filter the Endpoints list, use the search bar to enter a query using **[((kib)) Query Language (KQL)](((kibana-ref))/kuery-query.html)**. To refresh the search results, click **Refresh**.
 
-![](../images/admin-page-ov/-management-admin-filter-endpoints.png)
-
 <DocCallOut title="Note">
 The date and time picker on the right side of the page allows you to set a time interval to automatically refresh the Endpoints list — for example, to check if new endpoints were added or deleted.
 </DocCallOut>
-