From b73ebb069188ff9a6156e609b9e1691e7af30794 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 21 Nov 2024 14:40:44 +0000 Subject: [PATCH 1/2] Fixes link ref on Install Elastic Defend page (#6164) (cherry picked from commit a6c37361c0eac4126727a75670cdc931ffe9b292) # Conflicts: # docs/serverless/edr-install-config/install-elastic-defend.asciidoc --- .../getting-started/install-endpoint.asciidoc | 2 +- .../install-elastic-defend.asciidoc | 117 ++++++++++++++++++ 2 files changed, 118 insertions(+), 1 deletion(-) create mode 100644 docs/serverless/edr-install-config/install-elastic-defend.asciidoc diff --git a/docs/getting-started/install-endpoint.asciidoc b/docs/getting-started/install-endpoint.asciidoc index 4b64a45007..b01cb6a247 100644 --- a/docs/getting-started/install-endpoint.asciidoc +++ b/docs/getting-started/install-endpoint.asciidoc @@ -20,7 +20,7 @@ Like other Elastic integrations, {elastic-defend} is integrated into the {agent} [[security-before-you-begin]] == Before you begin -If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information. +If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information. NOTE: {elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes. diff --git a/docs/serverless/edr-install-config/install-elastic-defend.asciidoc b/docs/serverless/edr-install-config/install-elastic-defend.asciidoc new file mode 100644 index 0000000000..b590f19acd --- /dev/null +++ b/docs/serverless/edr-install-config/install-elastic-defend.asciidoc 
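Review bot: the `-`/`+` pair in this hunk differs only in the cross-reference target, and as rendered here both lines read `Refer to <> for more information.`, so the new target is not visible for review; before merging, build with unresolved-xref warnings enabled and confirm the reference resolves to the Full Disk Access page, since this sentence is the only pointer the reader gets to the macOS permissions that {elastic-endpoint} needs to function. Also note the hunk context shows this file's own `[[security-before-you-begin]]` anchor, and the new file added later in this same patch declares the identical anchor id (plus `[[enroll-agent]]` and others); if both files are ever built into one book, the duplicate ids will produce warnings and ambiguous xrefs, so either namespace the serverless anchors or keep the two trees in separate builds.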
@@ -0,0 +1,117 @@ +[[security-install-edr]] += Install the {elastic-defend} integration + +// :description: Start protecting your endpoints with {elastic-defend}. +// :keywords: serverless, security, how-to + +++++ +Install Elastic Defend +++++ + + +Like other Elastic integrations, {elastic-defend} is integrated into the {agent} using {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor events on your host and send data to the {security-app}. + +.Requirements +[NOTE] +==== +* {fleet} is required for {elastic-defend}. +* To configure the {elastic-defend} integration on the {agent}, you must have permission to use {fleet}. +* You must have the appropriate user role to configure an integration policy and access the **Endpoints** page. + +// Placeholder statement until we know which specific roles are required. Classic statement below for reference. + +// * You must have the **{elastic-defend} Policy Management: All** privilege to configure an integration policy, and the **Endpoint List** privilege to access the **Endpoints** page. +==== + +[discrete] +[[security-before-you-begin]] +== Before you begin + +If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information. + +[NOTE] +==== +{elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes. +==== + +[discrete] +[[add-security-integration]] +== Add the {elastic-defend} integration + +. Go to the **Integrations** page, which you can access in several ways: ++ +** The **Add integrations** link at the top of most pages +** **Assets** → **Browse Integrations** +** **Project settings** → **Integrations** ++ +[role="screenshot"] +image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-integrations-page.png[Search result for "{elastic-defend}" on the Integrations page.] +. 
Search for and select **{elastic-defend}**, then select **Add {elastic-defend}**. The integration configuration page appears. ++ +[NOTE] +==== +If this is the first integration you've installed and the **Ready to add your first integration?** page appears instead, select **Add integration only (skip agent installation)** to proceed. You can <> after setting up the {elastic-defend} integration. +==== ++ +[role="screenshot"] +image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-security-configuration.png[Add {elastic-defend} integration page] +. Configure the {elastic-defend} integration with an **Integration name** and optional **Description**. +. Select the type of environment you want to protect, either **Traditional Endpoints** or **Cloud Workloads**. +. Select a configuration preset. Each preset comes with different default settings for {agent} — you can further customize these later by <>. ++ +|=== +| | + +| **Traditional Endpoint presets** +a| All traditional endpoint presets _except_ **Data Collection** have these preventions enabled by default: malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events: + +* **Data Collection:** All events; no preventions +* **Next-Generation Antivirus (NGAV):** Process events; all preventions +* **Essential EDR (Endpoint Detection & Response):** Process, Network, File events; all preventions +* **Complete EDR (Endpoint Detection & Response):** All events; all preventions + +| **Cloud Workloads presets** +a| Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, <> collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events. + +* **All events:** Includes data from automated sessions. +* **Interactive only:** Filters out data from non-interactive sessions by creating an <>. +|=== +. 
Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. +. When you're ready, click **Save and continue**. +. To complete the integration, select **Add {agent} to your hosts** and continue to the next section to install the {agent} on your hosts. + +[discrete] +[[enroll-security-agent]] +== Configure and enroll the {agent} + +To enable the {elastic-defend} integration, you must enroll agents in the relevant policy using {fleet}. + +[IMPORTANT] +==== +Before you add an {agent}, a {fleet-server} must be running. Refer to {fleet-guide}/add-a-fleet-server.html[Add a {fleet-server}]. + +{elastic-defend} cannot be integrated with an {agent} in standalone mode. +==== + +[discrete] +[[enroll-agent]] +=== Add the {agent} + +. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to **Assets** → **{fleet}** → **Agents** → **Add agent**. ++ +[role="screenshot"] +image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.] +. Select an agent policy for the {agent}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. ++ +The selected agent policy should include the integration you want to install on the hosts covered by the agent policy (in this example, {elastic-defend}). ++ +[role="screenshot"] +image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent-detail.png[Add agent flyout with {elastic-defend} integration highlighted.] +. Ensure that the **Enroll in {fleet}** option is selected. 
{elastic-defend} cannot be integrated with {agent} in standalone mode. +. Select the appropriate platform or operating system for the host, then copy the provided commands. +. On the host, open a command-line interface and navigate to the directory where you want to install {agent}. Paste and run the commands from {fleet} to download, extract, enroll, and start {agent}. +. (Optional) Return to the **Add agent** flyout in {fleet}, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {es}. +. After you have enrolled the {agent} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {fleet}. Otherwise, select **Close**. ++ +The host will now appear on the **Endpoints** page in the {security-app}. It may take another minute or two for endpoint data to appear in {elastic-sec}. +. For macOS, continue with <> to grant {elastic-endpoint} the required permissions. From b51605f38e33d26ddeff14c84f0fc339fcbf0b22 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 21 Nov 2024 14:42:17 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../install-elastic-defend.asciidoc | 117 ------------------ 1 file changed, 117 deletions(-) delete mode 100644 docs/serverless/edr-install-config/install-elastic-defend.asciidoc diff --git a/docs/serverless/edr-install-config/install-elastic-defend.asciidoc b/docs/serverless/edr-install-config/install-elastic-defend.asciidoc deleted file mode 100644 index b590f19acd..0000000000 --- a/docs/serverless/edr-install-config/install-elastic-defend.asciidoc +++ /dev/null 
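Review bot: the commit message records a cherry-pick conflict on `docs/serverless/edr-install-config/install-elastic-defend.asciidoc`, yet the resolution adds the whole 117-line file as new, and PATCH 2/2 then deletes it again; the conflict should be resolved by dropping the file from this commit (the target branch evidently has no `docs/serverless` tree), so that the series reduces to the one-line xref fix and history does not carry an add/delete pair. If the file is kept anyway, it should not ship with the open TODO `// Placeholder statement until we know which specific roles are required.` and the commented-out privilege statement beneath it: the published "Requirements" note then tells the reader only that an "appropriate user role" is needed without naming the `{elastic-defend} Policy Management: All` and `Endpoint List` privileges, which is exactly the least-privilege detail an administrator needs when scoping who may change endpoint protection policy. Smaller points in the same file: the macOS `Refer to <> for more information.` xref and the `<>` references in the preset table and the "Add integration only" note all need their targets verified in this tree, the presets table opens with an empty header row (`| |`), and the step "Ensure that the **Enroll in {fleet}** option is selected." repeats the standalone-mode sentence already given in the IMPORTANT block above it.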
@@ -1,117 +0,0 @@ -[[security-install-edr]] -= Install the {elastic-defend} integration - -// :description: Start protecting your endpoints with {elastic-defend}. -// :keywords: serverless, security, how-to - -++++ -Install Elastic Defend -++++ - - -Like other Elastic integrations, {elastic-defend} is integrated into the {agent} using {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor events on your host and send data to the {security-app}. - -.Requirements -[NOTE] -==== -* {fleet} is required for {elastic-defend}. -* To configure the {elastic-defend} integration on the {agent}, you must have permission to use {fleet}. -* You must have the appropriate user role to configure an integration policy and access the **Endpoints** page. - -// Placeholder statement until we know which specific roles are required. Classic statement below for reference. - -// * You must have the **{elastic-defend} Policy Management: All** privilege to configure an integration policy, and the **Endpoint List** privilege to access the **Endpoints** page. -==== - -[discrete] -[[security-before-you-begin]] -== Before you begin - -If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information. - -[NOTE] -==== -{elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes. -==== - -[discrete] -[[add-security-integration]] -== Add the {elastic-defend} integration - -. Go to the **Integrations** page, which you can access in several ways: -+ -** The **Add integrations** link at the top of most pages -** **Assets** → **Browse Integrations** -** **Project settings** → **Integrations** -+ -[role="screenshot"] -image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-integrations-page.png[Search result for "{elastic-defend}" on the Integrations page.] -. 
Search for and select **{elastic-defend}**, then select **Add {elastic-defend}**. The integration configuration page appears. -+ -[NOTE] -==== -If this is the first integration you've installed and the **Ready to add your first integration?** page appears instead, select **Add integration only (skip agent installation)** to proceed. You can <> after setting up the {elastic-defend} integration. -==== -+ -[role="screenshot"] -image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-security-configuration.png[Add {elastic-defend} integration page] -. Configure the {elastic-defend} integration with an **Integration name** and optional **Description**. -. Select the type of environment you want to protect, either **Traditional Endpoints** or **Cloud Workloads**. -. Select a configuration preset. Each preset comes with different default settings for {agent} — you can further customize these later by <>. -+ -|=== -| | - -| **Traditional Endpoint presets** -a| All traditional endpoint presets _except_ **Data Collection** have these preventions enabled by default: malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events: - -* **Data Collection:** All events; no preventions -* **Next-Generation Antivirus (NGAV):** Process events; all preventions -* **Essential EDR (Endpoint Detection & Response):** Process, Network, File events; all preventions -* **Complete EDR (Endpoint Detection & Response):** All events; all preventions - -| **Cloud Workloads presets** -a| Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, <> collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events. - -* **All events:** Includes data from automated sessions. -* **Interactive only:** Filters out data from non-interactive sessions by creating an <>. -|=== -. 
Enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. -. When you're ready, click **Save and continue**. -. To complete the integration, select **Add {agent} to your hosts** and continue to the next section to install the {agent} on your hosts. - -[discrete] -[[enroll-security-agent]] -== Configure and enroll the {agent} - -To enable the {elastic-defend} integration, you must enroll agents in the relevant policy using {fleet}. - -[IMPORTANT] -==== -Before you add an {agent}, a {fleet-server} must be running. Refer to {fleet-guide}/add-a-fleet-server.html[Add a {fleet-server}]. - -{elastic-defend} cannot be integrated with an {agent} in standalone mode. -==== - -[discrete] -[[enroll-agent]] -=== Add the {agent} - -. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to **Assets** → **{fleet}** → **Agents** → **Add agent**. -+ -[role="screenshot"] -image::images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.] -. Select an agent policy for the {agent}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. -+ -The selected agent policy should include the integration you want to install on the hosts covered by the agent policy (in this example, {elastic-defend}). -+ -[role="screenshot"] -image:images/install-endpoint/-getting-started-install-endpoint-endpoint-cloud-sec-add-agent-detail.png[Add agent flyout with {elastic-defend} integration highlighted.] -. Ensure that the **Enroll in {fleet}** option is selected. 
{elastic-defend} cannot be integrated with {agent} in standalone mode. -. Select the appropriate platform or operating system for the host, then copy the provided commands. -. On the host, open a command-line interface and navigate to the directory where you want to install {agent}. Paste and run the commands from {fleet} to download, extract, enroll, and start {agent}. -. (Optional) Return to the **Add agent** flyout in {fleet}, and observe the **Confirm agent enrollment** and **Confirm incoming data** steps automatically checking the host connection. It may take a few minutes for data to arrive in {es}. -. After you have enrolled the {agent} on your host, you can click **View enrolled agents** to access the list of agents enrolled in {fleet}. Otherwise, select **Close**. -+ -The host will now appear on the **Endpoints** page in the {security-app}. It may take another minute or two for endpoint data to appear in {elastic-sec}. -. For macOS, continue with <> to grant {elastic-endpoint} the required permissions.
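Review bot: this hunk removes exactly the 117 lines that PATCH 1/2 creates (`117 insertions` there, `117 deletions` here), so the two commits cancel out on this file; squash them, or amend 1/2 so the serverless page is never created on this branch, otherwise `git bisect` and blame can land on a commit in which a serverless install page with the unresolved role placeholder exists. Because the deletion is authored by `github-actions[bot]` rather than by the patch author, it also reads as an automated cleanup of a `docs/serverless` directory that is not supposed to exist here, which is a further sign that the cherry-pick conflict in 1/2 was resolved the wrong way.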