Skip to content

Commit

Permalink
Fixes link ref on Install Elastic Defend page (#6164)
Browse files Browse the repository at this point in the history
(cherry picked from commit a6c3736)

# Conflicts:
#	docs/serverless/edr-install-config/install-elastic-defend.asciidoc
  • Loading branch information
natasha-moore-elastic authored and mergify[bot] committed Nov 22, 2024
1 parent 1719333 commit f1d6c35
Showing 1 changed file with 117 additions and 0 deletions.
117 changes: 117 additions & 0 deletions docs/serverless/edr-install-config/install-elastic-defend.asciidoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
[[security-install-edr]]
= Install the {elastic-defend} integration

// :description: Start protecting your endpoints with {elastic-defend}.
// :keywords: serverless, security, how-to

++++
<titleabbrev>Install Elastic Defend</titleabbrev>
++++


Like other Elastic integrations, {elastic-defend} is integrated into the {agent} using {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor events on your host and send data to the {security-app}.

.Requirements
[NOTE]
====
* {fleet} is required for {elastic-defend}.
* To configure the {elastic-defend} integration on the {agent}, you must have permission to use {fleet}.
* You must have the appropriate user role to configure an integration policy and access the **Endpoints** page.
// Placeholder statement until we know which specific roles are required. Classic statement below for reference.
// * You must have the **{elastic-defend} Policy Management: All** <DocLink slug="/serverless/security/endpoint-management-req">privilege</DocLink> to configure an integration policy, and the **Endpoint List** <DocLink slug="/serverless/security/endpoint-management-req">privilege</DocLink> to access the **Endpoints** page.
====

[discrete]
[[security-before-you-begin]]
== Before you begin

If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <<security-elastic-endpoint-deploy-reqs>> for more information.

[NOTE]
====
{elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes.
====

[discrete]
[[add-security-integration]]
== Add the {elastic-defend} integration

. Go to the **Integrations** page, which you can access in several ways:
+
** The **Add integrations** link at the top of most pages
** **Assets** → **Browse Integrations**
** **Project settings** → **Integrations**
+
[role="screenshot"]
image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-integrations-page.png[Search result for "{elastic-defend}" on the Integrations page.]
. Search for and select **{elastic-defend}**, then select **Add {elastic-defend}**. The integration configuration page appears.
+
[NOTE]
====
If this is the first integration you've installed and the **Ready to add your first integration?** page appears instead, select **Add integration only (skip agent installation)** to proceed. You can <<enroll-agent,install {agent}>> after setting up the {elastic-defend} integration.
====
+
[role="screenshot"]
image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-security-configuration.png[Add {elastic-defend} integration page]
. Configure the {elastic-defend} integration with an **Integration name** and optional **Description**.
. Select the type of environment you want to protect, either **Traditional Endpoints** or **Cloud Workloads**.
. Select a configuration preset. Each preset comes with different default settings for {agent} — you can further customize these later by <<security-configure-endpoint-integration-policy,configuring the {elastic-defend} integration policy>>.
+
|===
| |

| **Traditional Endpoint presets**
a| All traditional endpoint presets _except_ **Data Collection** have these preventions enabled by default: malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events:

* **Data Collection:** All events; no preventions
* **Next-Generation Antivirus (NGAV):** Process events; all preventions
* **Essential EDR (Endpoint Detection & Response):** Process, Network, File events; all preventions
* **Complete EDR (Endpoint Detection & Response):** All events; all preventions

| **Cloud Workloads presets**
a| Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, <<security-session-view,session data>> collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events.

* **All events:** Includes data from automated sessions.
* **Interactive only:** Filters out data from non-interactive sessions by creating an <<security-event-filters,event filter>>.
|===
. Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
. When you're ready, click **Save and continue**.
. To complete the integration, select **Add {agent} to your hosts** and continue to the next section to install the {agent} on your hosts.

[discrete]
[[enroll-security-agent]]
== Configure and enroll the {agent}

To enable the {elastic-defend} integration, you must enroll agents in the relevant policy using {fleet}.

[IMPORTANT]
====
Before you add an {agent}, a {fleet-server} must be running. Refer to {fleet-guide}/add-a-fleet-server.html[Add a {fleet-server}].
{elastic-defend} cannot be integrated with an {agent} in standalone mode.
====

[discrete]
[[enroll-agent]]
=== Add the {agent}

. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to **Assets** → **{fleet}** → **Agents** → **Add agent**.
+
[role="screenshot"]
image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.]
. Select an agent policy for the {agent}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
+
The selected agent policy should include the integration you want to install on the hosts covered by the agent policy (in this example, {elastic-defend}).
+
[role="screenshot"]
image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent-detail.png[Add agent flyout with {elastic-defend} integration highlighted.]
. Ensure that the **Enroll in {fleet}** option is selected. {elastic-defend} cannot be integrated with {agent} in standalone mode.
. Select the appropriate platform or operating system for the host, then copy the provided commands.
. On the host, open a command-line interface and navigate to the directory where you want to install {agent}. Paste and run the commands from {fleet} to download, extract, enroll, and start {agent}.
. (Optional) Return to the **Add agent** flyout in {fleet}, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {es}.
. After you have enrolled the {agent} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {fleet}. Otherwise, select **Close**.
+
The host will now appear on the **Endpoints** page in the {security-app}. It may take another minute or two for endpoint data to appear in {elastic-sec}.
. For macOS, continue with <<security-install-endpoint-manually,these instructions>> to grant {elastic-endpoint} the required permissions.

0 comments on commit f1d6c35

Please sign in to comment.