-
Notifications
You must be signed in to change notification settings - Fork 210
[DOCS] Blocklist #1811
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DOCS] Blocklist #1811
Changes from 14 commits
e9a8a41
a60fb61
5e60a82
c999291
e51c2c8
f22830f
104b80b
f04cc52
1cb29e9
0e9ef08
4736009
9d90323
97d5d9a
f32efe2
a101dc0
e1f5936
80e01ca
0a5c004
d7dcac4
591c89d
5953ab7
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,82 @@ | ||||||||||
| [[blocklist]] | ||||||||||
| [chapter] | ||||||||||
| = Blocklist | ||||||||||
|
|
||||||||||
| coming[8.2.0] | ||||||||||
|
|
||||||||||
| The blocklist allows you to prevent specified applications from running if you're certain they should never run in a host environment, extending the list of processes that {endpoint-sec} considers malicious. This is especially useful to ensure that known malicious processes aren't accidentally executed by an end user. | ||||||||||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure if the last sentence (the one I made suggestions on) is necessary, I think folks are pretty clear on the value of blocklisting and it extends beyond adding guardrails for users/insiders.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I get what you mean, but I also like having a little extra explanation for the feature beyond the boilerplate description. @caitlinbetz, any thoughts? Or other use case info you think would be helpful here? This combines @benironside's edits and other tweaks for consistency with similar wording:
Suggested change
joepeeples marked this conversation as resolved.
Outdated
|
||||||||||
|
|
||||||||||
| [NOTE] | ||||||||||
| ===== | ||||||||||
| In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {endpoint-sec} integration policy in the <<malware-protection, Malware protection settings>>. This setting is enabled by default. | ||||||||||
|
|
||||||||||
| You must have the built-in `superuser` role to access the blocklist. For more information, refer to {ref}/built-in-users.html[Built-in users]. | ||||||||||
|
Comment on lines
+11
to
+13
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We talked about the possibility of putting the "block box" (can't think of the official term). Here's the syntax again just in case you want to try it.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Since most of the pages for endpoint management are so similar, I'd like to make this update in a separate issue that includes adding the prerequisites box consistently across all the pages. I was already thinking of creating this issue for general consistency fixes, so I think the prereqs box would fall nicely into that issue's scope. |
||||||||||
| ===== | ||||||||||
|
|
||||||||||
| By default, a blocklist entry is recognized globally across all hosts running {endpoint-sec}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a blocklist entry to specific {endpoint-sec} integration policies, which blocks the process only on hosts assigned to that policy. | ||||||||||
|
|
||||||||||
| . Go to **Manage** -> **Blocklist**. | ||||||||||
|
|
||||||||||
| . Click **Add blocklist entry**. The **Add blocklist** flyout appears. | ||||||||||
|
|
||||||||||
| . Fill in these fields in the **Details** section: | ||||||||||
| .. `Name`: Enter a name to identify the application in the blocklist. | ||||||||||
| .. `Description`: Enter a description to provide more information on the blocklist entry (optional). | ||||||||||
|
|
||||||||||
| . In the **Conditions** section, enter the following information about the application you want to block: | ||||||||||
| .. `Select operating system`: Select the appropriate operating system from the drop-down. | ||||||||||
| .. `Field`: Select a field to identify the application being blocked: | ||||||||||
| * `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable. | ||||||||||
| * `Path`: The full file path of the application's executable. | ||||||||||
| * `Signature`: (Windows only) The name of the application's digital signer. | ||||||||||
| + | ||||||||||
| TIP: To find the signer's name for an application, go to *Kibana* -> *Discover* and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`). | ||||||||||
|
|
||||||||||
| .. `Operator`: The operator is `is one of` and cannot be modified. | ||||||||||
|
|
||||||||||
| .. `Value`: Enter the hash value, file path, or signer name. To enter multiple values (such as a list of known malicious hash values), you can enter each value individually or paste a comma-delimited list, then press **Return**. | ||||||||||
| + | ||||||||||
| NOTE: Hash values must be valid to add them to the blocklist. | ||||||||||
|
|
||||||||||
| . Select an option in the *Assignment* section to assign the blocklist entry to a specific integration policy: | ||||||||||
| + | ||||||||||
| * `Global`: Assign the blocklist entry to all {endpoint-sec} integration policies. | ||||||||||
| * `Per Policy`: Assign the blocklist entry to one or more specific {endpoint-sec} integration policies. Select each policy where you want the blocklist entry to apply. | ||||||||||
| + | ||||||||||
| NOTE: You can also select the `Per Policy` option without immediately assigning a policy to the blocklist entry. For example, you could do this to create and review your blocklist configurations before putting them into action with a policy. | ||||||||||
|
|
||||||||||
| . Click **Add blocklist**. The new entry is added to the **Blocklist** page. | ||||||||||
|
|
||||||||||
| . When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the {endpoint-sec} integration policies that you just assigned: | ||||||||||
| .. Go to **Manage** -> **Policies**, then click on an integration policy. | ||||||||||
| .. On the **Policy settings** tab, make sure that the **Malware protections enabled** and **Blocklist enabled** toggles are switched on. Both settings are enabled by default. | ||||||||||
|
joepeeples marked this conversation as resolved.
Outdated
|
||||||||||
|
|
||||||||||
| [discrete] | ||||||||||
| [[manage-blocklist]] | ||||||||||
| == View and manage the blocklist | ||||||||||
|
|
||||||||||
| The *Blocklist* page displays all the blocklist entries that have been added to the {security-app}. To refine the list, use the search bar to search by name, description, or field value. | ||||||||||
|
|
||||||||||
| [role="screenshot"] | ||||||||||
| image::images/blocklist.png[] | ||||||||||
|
|
||||||||||
| [discrete] | ||||||||||
| [[edit-blocklist-entry]] | ||||||||||
| === Edit a blocklist entry | ||||||||||
| You can individually modify each blocklist entry. With a Platinum or Enterprise subscription, you can also change the policies applied to a blocklist entry. | ||||||||||
|
joepeeples marked this conversation as resolved.
Outdated
|
||||||||||
|
|
||||||||||
| To edit a blocklist entry: | ||||||||||
|
|
||||||||||
| . Click the actions button (*...*) for the blocklist entry you want to edit, then select *Edit blocklist*. | ||||||||||
| . Modify details as needed. | ||||||||||
| . Click *Save*. | ||||||||||
|
|
||||||||||
| [discrete] | ||||||||||
| [[delete-blocklist-entry]] | ||||||||||
| === Delete a blocklist entry | ||||||||||
| You can delete a blocklist entry, which removes it entirely from all {endpoint-sec} policies. | ||||||||||
|
joepeeples marked this conversation as resolved.
Outdated
|
||||||||||
|
|
||||||||||
| To delete a blocklist entry: | ||||||||||
|
|
||||||||||
| . Click the actions button (*...*) for the blocklist entry you want to delete, then select *Delete blocklist*. | ||||||||||
| . On the dialog that opens, verify that you are removing the correct blocklist entry, then click *Delete*. A confirmation message is displayed. | ||||||||||
|
joepeeples marked this conversation as resolved.
Outdated
|
||||||||||
Uh oh!
There was an error while loading. Please reload this page.