
[8.16] [EDR Workflows] Update description on data reduction advanced options (#213970)#214228

Merged
gergoabraham merged 1 commit into elastic:8.16 from gergoabraham:backport/8.16/pr-213970 on Mar 13, 2025

Conversation


@gergoabraham gergoabraham commented Mar 12, 2025

Backport

Important

This is only a partial backport: only description refinements are backported for 15 advanced options:

  • (win|mac|linux).advanced.events.hash.(md5|sha1|sha256)
    Compute and include (MD5|SHA-1|SHA-256) hashes for processes and libraries in events? This will increase CPU usage and event sizes. If any user event filter or trustlists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.
  • (win|mac|linux).advanced.alerts.hash.(md5|sha1)
    Compute and include (MD5|SHA-1) hashes for processes and libraries in alerts? This will increase CPU usage and alert sizes. If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.

This will backport the following commits from main to 8.16:

Questions?

Please refer to the Backport tool documentation

…elastic#213970)

## Summary

- refines description for
  - 9 `(win|mac|linux).advanced.events.hash.(md5|sha1|sha256)`: 9e7bbcf
    > Compute and include (MD5|SHA-1|SHA-256) hashes for processes and libraries in events? This will increase CPU usage and event sizes. If any user event filter or trustlists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.
  - 6 `(win|mac|linux).advanced.alerts.hash.(md5|sha1)`: 8fc0f51
    > Compute and include (MD5|SHA-1) hashes for processes and libraries in alerts? This will increase CPU usage and alert sizes. If any user exceptionlist, trustlist, or blocklists reference this hash type, Endpoint will ignore this setting and automatically enable this hash type.
- provides a 'history' for default behavior changes (e.g. `<=8.17 default: true, >=8.18 default: false`) for
  - 12 `(win|mac|linux).advanced.(events|alerts).hash.(md5|sha1)`: 05b0ebe (note that events sha256 is not changed)
    > <=8.17 default: true, >=8.18 default: false
  - 3 `(win|mac|linux).advanced.events.aggregate_process`: 5984d8e
    > <=8.17 default: false, >=8.18 default: true
  - 3 `(win|mac|linux).advanced.events.set_extended_host_information`: 5da25a3
    > <=8.17 default: true, >=8.18 default: false

> [!IMPORTANT]
> The plan is to backport this PR to all open branches:
> - `8.18`/`8.x`/`9.0`/`main` will contain all modifications,
> - but `8.16`/`8.17` manual backports will only contain the description refinement

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)

(cherry picked from commit ad3b7fc)

# Conflicts:
#	x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
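The refined descriptions above encode two rules a defender configuring these options needs to keep in mind: the per-version default of each hash option, and the precedence rule that a hash type referenced by any user event filter, exception list, trustlist or blocklist is computed even when the option is turned off. The following TypeScript is an added illustration of how those two rules combine into the effective hash set for one policy; it is not code from Kibana or Elastic Endpoint. The `win`-style key prefixes follow the pattern as written on this page, the list-entry shape and the sha256 default are assumptions, and the sample policy and trustlist are constructed.

```typescript
// Added illustration, not Kibana or Elastic Endpoint code. It resolves which hash
// types an endpoint would compute, from (1) the advanced option or its version
// default and (2) the override rule in the refined descriptions: a hash type that
// any user list references is enabled regardless of the option.

type HashType = "md5" | "sha1" | "sha256";
type Scope = "events" | "alerts";
type Os = "win" | "mac" | "linux"; // key prefixes as written on the page

// Flat option map keyed as on the page: `(win|mac|linux).advanced.<scope>.hash.<type>`.
type AdvancedOptions = Record<string, string>;

// Hash options that exist per scope (events: md5/sha1/sha256; alerts: md5/sha1).
const SCOPE_HASHES: Record<Scope, HashType[]> = {
  events: ["md5", "sha1", "sha256"],
  alerts: ["md5", "sha1"],
};

// Parse "8.17" into [major, minor]; refuse anything else rather than guess a default.
function parseVersion(v: string): [number, number] {
  const m = /^(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2])];
}

function atLeast(version: string, major: number, minor: number): boolean {
  const [a, b] = parseVersion(version);
  return a > major || (a === major && b >= minor);
}

// Defaults from the PR's history: md5/sha1 are true up to 8.17 and false from 8.18.
// The PR only says events sha256 did not change; its default here is an assumption.
const ASSUMED_SHA256_DEFAULT = true;
function defaultFor(hash: HashType, version: string): boolean {
  if (hash === "sha256") return ASSUMED_SHA256_DEFAULT;
  return !atLeast(version, 8, 18);
}

// Read an explicit "true"/"false" option; anything else is a config error, not a guess.
function optionValue(opts: AdvancedOptions, key: string, fallback: boolean): boolean {
  const raw = opts[key];
  if (raw === undefined) return fallback;
  if (raw === "true") return true;
  if (raw === "false") return false;
  throw new Error(`${key} must be "true" or "false", got ${JSON.stringify(raw)}`);
}

// Constructed list-entry shape (assumed): the hash type is the suffix of the field name.
interface ListEntry { field: string; value: string }

function referencedHashTypes(entries: ListEntry[]): Set<HashType> {
  const out = new Set<HashType>();
  for (const e of entries) {
    const m = /\.hash\.(md5|sha1|sha256)$/.exec(e.field);
    if (m) out.add(m[1] as HashType);
  }
  return out;
}

interface HashDecision { hash: HashType; enabled: boolean; reason: "option" | "default" | "forced-by-list" }

function effectiveHashes(os: Os, scope: Scope, opts: AdvancedOptions, version: string,
                         referenced: Set<HashType>): HashDecision[] {
  return SCOPE_HASHES[scope].map((hash): HashDecision => {
    const key = `${os}.advanced.${scope}.hash.${hash}`;
    const explicit = key in opts;
    const configured = optionValue(opts, key, defaultFor(hash, version));
    // The override: a referenced hash type is computed even when the option says no.
    if (!configured && referenced.has(hash)) return { hash, enabled: true, reason: "forced-by-list" };
    return { hash, enabled: configured, reason: explicit ? "option" : "default" };
  });
}

// Constructed sample: an 8.18 policy turns events sha1 off explicitly and leaves md5 at
// its default (false from 8.18), but a trustlist entry still references an MD5 hash.
const SAMPLE_OPTIONS: AdvancedOptions = { "win.advanced.events.hash.sha1": "false" };
const SAMPLE_TRUSTLIST: ListEntry[] = [{ field: "process.hash.md5", value: "<placeholder md5>" }];

function resolveSample(version: string): HashDecision[] {
  return effectiveHashes("win", "events", SAMPLE_OPTIONS, version, referencedHashTypes(SAMPLE_TRUSTLIST));
}

console.log(resolveSample("8.18"));
// md5 enabled (forced-by-list), sha1 disabled (option), sha256 enabled (assumed default)
```

The `reason` field is the useful part for an operator reviewing a policy after an upgrade: it distinguishes a hash that is on because a list still depends on it from one that is on only because the pre-8.18 default applied, which is exactly the case the history notes in the descriptions are meant to surface.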
@gergoabraham gergoabraham added the backport This PR is a backport of another PR label Mar 12, 2025
@gergoabraham gergoabraham enabled auto-merge (squash) March 12, 2025 16:26
@gergoabraham gergoabraham requested review from a team, parkiino and pzl and removed request for a team March 12, 2025 16:34
@elasticmachine

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #26 / Observability AI Assistant Functional tests feature_controls/settings_security.spec.ts ai assistant management privileges all privileges allows updating of an advanced setting

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| securitySolution | 8.5MB | 8.5MB | +1.4KB |

@gergoabraham gergoabraham merged commit d648da2 into elastic:8.16 Mar 13, 2025
11 checks passed
@gergoabraham gergoabraham deleted the backport/8.16/pr-213970 branch October 16, 2025 14:01