Commit
Fixes link ref on Install Elastic Defend page (#6164)
(cherry picked from commit a6c3736)
# Conflicts:
#	docs/serverless/edr-install-config/install-elastic-defend.asciidoc
1 parent: 1719333. Commit: f1d6c35. Showing 1 changed file with 117 additions and 0 deletions.
docs/serverless/edr-install-config/install-elastic-defend.asciidoc (117 changes: 117 additions & 0 deletions)
@@ -0,0 +1,117 @@ | ||
[[security-install-edr]] | ||
= Install the {elastic-defend} integration | ||
|
||
// :description: Start protecting your endpoints with {elastic-defend}. | ||
// :keywords: serverless, security, how-to | ||
|
||
++++ | ||
<titleabbrev>Install Elastic Defend</titleabbrev> | ||
++++ | ||
|
||
|
||
Like other Elastic integrations, {elastic-defend} is integrated into the {agent} using {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor events on your host and send data to the {security-app}. | ||
|
||
.Requirements | ||
[NOTE] | ||
==== | ||
* {fleet} is required for {elastic-defend}. | ||
* To configure the {elastic-defend} integration on the {agent}, you must have permission to use {fleet}. | ||
* You must have the appropriate user role to configure an integration policy and access the **Endpoints** page. | ||
// Placeholder statement until we know which specific roles are required. Classic statement below for reference. | ||
// * You must have the **{elastic-defend} Policy Management: All** <DocLink slug="/serverless/security/endpoint-management-req">privilege</DocLink> to configure an integration policy, and the **Endpoint List** <DocLink slug="/serverless/security/endpoint-management-req">privilege</DocLink> to access the **Endpoints** page. | ||
==== | ||
|
||
[discrete] | ||
[[security-before-you-begin]] | ||
== Before you begin | ||
|
||
If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <<security-elastic-endpoint-deploy-reqs>> for more information. | ||
|
||
[NOTE] | ||
==== | ||
{elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes. | ||
==== | ||
|
||
[discrete] | ||
[[add-security-integration]] | ||
== Add the {elastic-defend} integration | ||
|
||
. Go to the **Integrations** page, which you can access in several ways: | ||
+ | ||
** The **Add integrations** link at the top of most pages | ||
** **Assets** → **Browse Integrations** | ||
** **Project settings** → **Integrations** | ||
+ | ||
[role="screenshot"] | ||
image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-integrations-page.png[Search result for "{elastic-defend}" on the Integrations page.] | ||
. Search for and select **{elastic-defend}**, then select **Add {elastic-defend}**. The integration configuration page appears. | ||
+ | ||
[NOTE] | ||
==== | ||
If this is the first integration you've installed and the **Ready to add your first integration?** page appears instead, select **Add integration only (skip agent installation)** to proceed. You can <<enroll-agent,install {agent}>> after setting up the {elastic-defend} integration. | ||
==== | ||
+ | ||
[role="screenshot"] | ||
image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-security-configuration.png[Add {elastic-defend} integration page] | ||
. Configure the {elastic-defend} integration with an **Integration name** and optional **Description**. | ||
. Select the type of environment you want to protect, either **Traditional Endpoints** or **Cloud Workloads**. | ||
. Select a configuration preset. Each preset comes with different default settings for {agent} — you can further customize these later by <<security-configure-endpoint-integration-policy,configuring the {elastic-defend} integration policy>>. | ||
+ | ||
|=== | ||
| | | ||
|
||
| **Traditional Endpoint presets** | ||
a| All traditional endpoint presets _except_ **Data Collection** have these preventions enabled by default: malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events: | ||
|
||
* **Data Collection:** All events; no preventions | ||
* **Next-Generation Antivirus (NGAV):** Process events; all preventions | ||
* **Essential EDR (Endpoint Detection & Response):** Process, Network, File events; all preventions | ||
* **Complete EDR (Endpoint Detection & Response):** All events; all preventions | ||
|
||
| **Cloud Workloads presets** | ||
a| Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, <<security-session-view,session data>> collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events. | ||
|
||
* **All events:** Includes data from automated sessions. | ||
* **Interactive only:** Filters out data from non-interactive sessions by creating an <<security-event-filters,event filter>>. | ||
|=== | ||
. Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. | ||
. When you're ready, click **Save and continue**. | ||
. To complete the integration, select **Add {agent} to your hosts** and continue to the next section to install the {agent} on your hosts. | ||
|
||
[discrete] | ||
[[enroll-security-agent]] | ||
== Configure and enroll the {agent} | ||
|
||
To enable the {elastic-defend} integration, you must enroll agents in the relevant policy using {fleet}. | ||
|
||
[IMPORTANT] | ||
==== | ||
Before you add an {agent}, a {fleet-server} must be running. Refer to {fleet-guide}/add-a-fleet-server.html[Add a {fleet-server}]. | ||
{elastic-defend} cannot be integrated with an {agent} in standalone mode. | ||
==== | ||
|
||
[discrete] | ||
[[enroll-agent]] | ||
=== Add the {agent} | ||
|
||
. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to **Assets** → **{fleet}** → **Agents** → **Add agent**. | ||
+ | ||
[role="screenshot"] | ||
image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.] | ||
. Select an agent policy for the {agent}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. | ||
+ | ||
The selected agent policy should include the integration you want to install on the hosts covered by the agent policy (in this example, {elastic-defend}). | ||
+ | ||
[role="screenshot"] | ||
image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent-detail.png[Add agent flyout with {elastic-defend} integration highlighted.] | ||
. Ensure that the **Enroll in {fleet}** option is selected. {elastic-defend} cannot be integrated with {agent} in standalone mode. | ||
. Select the appropriate platform or operating system for the host, then copy the provided commands. | ||
. On the host, open a command-line interface and navigate to the directory where you want to install {agent}. Paste and run the commands from {fleet} to download, extract, enroll, and start {agent}. | ||
. (Optional) Return to the **Add agent** flyout in {fleet}, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {es}. | ||
. After you have enrolled the {agent} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {fleet}. Otherwise, select **Close**. | ||
+ | ||
The host will now appear on the **Endpoints** page in the {security-app}. It may take another minute or two for endpoint data to appear in {elastic-sec}. | ||
. For macOS, continue with <<security-install-endpoint-manually,these instructions>> to grant {elastic-endpoint} the required permissions. |
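Review bot: The commit message claims only a link-ref fix, but the hunk `@@ -0,0 +1,117 @@` creates the entire file with no deletions, and the cherry-pick recorded a conflict on exactly this path; confirm that the whole page (not just the corrected reference) is meant to land on this branch, and state that in the message. Within the file, the requirements note still ships a placeholder: `// Placeholder statement until we know which specific roles are required.` sits under the published bullet `* You must have the appropriate user role to configure an integration policy and access the **Endpoints** page.`, and the commented alternative uses `<DocLink slug=...>` syntax rather than an asciidoc xref, so it cannot simply be uncommented later; either name the required privileges now or link to the endpoint-management requirements page. Two smaller points: the screenshots mix the block macro (`[role="screenshot"]` followed by `image::images/...`) with the inline form `image:images/...` in the configuration and add-agent-detail screenshots, which should also be `image::` for a block image; and the sentence that {elastic-defend} cannot be integrated with {agent} in standalone mode appears both in the IMPORTANT admonition and again in the "Ensure that the **Enroll in {fleet}** option is selected" step, so one copy can go. Finally, since this is a link-ref fix, verify that the cross-references to anchors outside this file (`<<security-elastic-endpoint-deploy-reqs>>`, `<<security-configure-endpoint-integration-policy>>`, `<<security-session-view>>`, `<<security-event-filters>>`, `<<security-install-endpoint-manually>>`) all resolve in the serverless build; only `<<enroll-agent,...>>` is defined in this file.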