Merged
Changes from 2 commits
9 changes: 6 additions & 3 deletions docs/getting-started/configure-integration-policy.asciidoc
Expand Up @@ -166,13 +166,16 @@ image::images/register-as-antivirus.png[Detail of Register as antivirus option.]
[[adv-policy-settings]]
== Advanced policy settings (optional)

Users with unique configuration and security requirements can select **Show Advanced Settings**
Users with unique configuration and security requirements can select **Show advanced settings**
to configure the policy to support advanced use cases. Hover over each setting to view its description.

In this section, you can <<endpoint-diagnostic-data, turn off {endpoint-cloud-sec} diagnostic data>>.

NOTE: Advanced settings are not recommended for most users.

This section includes:

* <<endpoint-diagnostic-data>>
* <<self-healing-rollback>>

[discrete]
[[save-policy]]
== Save the general policy settings
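Review bot: The sentence `In this section, you can <<endpoint-diagnostic-data, turn off {endpoint-cloud-sec} diagnostic data>>.` now duplicates the first entry of the new `This section includes:` list, so the diagnostic-data page is linked twice within four lines; drop the sentence or replace it with a one-line description of what the two subpages cover. The capitalization fix to `**Show advanced settings**` is correct and matches the same change made to `admin-pg-ov.asciidoc` in this PR.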
1 change: 1 addition & 0 deletions docs/getting-started/index.asciidoc
Expand Up @@ -19,6 +19,7 @@ include::install-endpoint.asciidoc[leveloffset=+1]
include::install-elastic-endpoint.asciidoc[leveloffset=+1]
include::configure-integration-policy.asciidoc[leveloffset=+1]
include::endpoint-diagnostic-data.asciidoc[leveloffset=+2]
include::self-healing-rollback.asciidoc[leveloffset=+2]
include::threat-intel-integrations.asciidoc[leveloffset=+1]
include::advanced-setting.asciidoc[leveloffset=+1]
include::uninstall-endpoint.asciidoc[leveloffset=+1]
20 changes: 20 additions & 0 deletions docs/getting-started/self-healing-rollback.asciidoc
@@ -0,0 +1,20 @@
[[self-healing-rollback]]
= Configure self-healing rollback for Windows endpoints

{endpoint-cloud-sec}'s self-healing feature rolls back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features. All activity on the host reverts to its state five minutes before the prevention alert.
Contributor: Question about terminology: is this an Endpoint Security feature, an Endpoint and Cloud Security feature (which is basically the integration, right?) or a policy configuration? I want to make sure we aren't confusing the terms, so just checking for clarification, thanks! cc: @ferullo @joe-desimone

Contributor (author): I think "Endpoint and Cloud Security feature" is appropriate here, because it's part of that integration and this sentence is talking about what the feature is and does, not how it's configured. After the rename of the integration, there isn't really anything called "Endpoint Security" anymore. @ferullo @joe-desimone thoughts?

Collaborator: I think Endpoint and Cloud Security is appropriate here.

This can help contain the impact of malicious activity, as {endpoint-cloud-sec} not only stops the activity but also erases any attack artifacts deployed prior to detection.
Contributor: Same question about terminology. Isn't Elastic Endpoint doing the stopping of malicious activity? 🤔

Contributor (author): "Elastic Endpoint" seems to me more like an internal piece of technology than something a customer directly experiences. I was using the integration name here to more generally say that the product or the integration stops and rolls back the attack. But @ferullo @joe-desimone etc. please let us know what you think.

Collaborator: The integration name seems correct here.

Self-healing rollback is a https://www.elastic.co/pricing[Platinum or Enterprise subscription] feature, and it's only supported for Windows endpoints.

[CAUTION]
====
This feature can cause data loss, since it reverts _all_ recent changes on the host, not just changes directly related to a threat.

Also, rollback is triggered by _every_ {endpoint-cloud-sec} prevention alert, so you should tune your system to eliminate false positives before enabling this feature.
====

. In the {security-app}, go to *Manage* -> *Policies*, then select the integration policy you want to configure.
. Scroll down to the bottom of the policy and click *Show advanced settings*.
. Enter `true` for the setting `windows.advanced.alerts.rollback.self_healing.enabled`.
. Click *Save*.
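Review bot: Step 3 tells the reader to enter `true` for `windows.advanced.alerts.rollback.self_healing.enabled`, but the page never states the setting's default value or how to turn rollback off again, which matters given the CAUTION block about data loss and false positives; add the default and the value (or clearing the field) that disables it, and consider cross-referencing <<adv-policy-settings>> from step 2 so the procedure points at the section that introduces advanced settings. Also, the intro says activity "reverts to its state five minutes before the prevention alert" while the CAUTION says it reverts "_all_ recent changes"; restating the five-minute window in the CAUTION would make the scope of the data-loss warning precise.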
2 changes: 1 addition & 1 deletion docs/management/admin/admin-pg-ov.asciidoc
Expand Up @@ -79,7 +79,7 @@ NOTE: Users must have permission to read/write to {fleet} APIs to make changes t
[role="screenshot"]
image::images/integration-pg.png[Integration page]

Users who have unique configuration and security requirements can select **Show Advanced Settings** to configure the policy to support advanced use cases. Hover over each setting to view its description.
Users who have unique configuration and security requirements can select **Show advanced settings** to configure the policy to support advanced use cases. Hover over each setting to view its description.

NOTE: Advanced settings are not recommended for most users.

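Review bot: This paragraph is nearly word-for-word the same as the one changed in `docs/getting-started/configure-integration-policy.asciidoc` in this PR (only "Users who have" vs "Users with" differs), and both copies had to be touched for a single capitalization fix; consider single-sourcing it with an AsciiDoc include or attribute so the two copies cannot drift apart again.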