Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOCS] Blocklist #1811

Merged
merged 21 commits into from
Apr 12, 2022
Merged

[DOCS] Blocklist #1811

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
e9a8a41
Create new Blocklist page
joepeeples Apr 4, 2022
a60fb61
Add Blocklist page to TOC
joepeeples Apr 4, 2022
5e60a82
Add new Blocklist section on UI overview page for
joepeeples Apr 4, 2022
c999291
Correction
joepeeples Apr 4, 2022
e51c2c8
Align description on UI overview page
joepeeples Apr 4, 2022
f22830f
Update config integration policy page, image
joepeeples Apr 5, 2022
104b80b
Add info about int policy to blocklist page
joepeeples Apr 5, 2022
f04cc52
Add Blocklist to UI list
joepeeples Apr 5, 2022
1cb29e9
Adds prelim "coming" tag, some corrections
joepeeples Apr 6, 2022
0e9ef08
Correction
joepeeples Apr 6, 2022
4736009
Add info about multiple values, lists
joepeeples Apr 6, 2022
9d90323
another. correction.
joepeeples Apr 6, 2022
97d5d9a
Apply first round of feedback
joepeeples Apr 7, 2022
f32efe2
Apply a few more feedback edits
joepeeples Apr 7, 2022
a101dc0
Update docs/management/admin/blocklist.asciidoc
joepeeples Apr 7, 2022
e1f5936
Update docs/management/admin/blocklist.asciidoc
joepeeples Apr 7, 2022
80e01ca
Apply suggestions from Janeen's review
joepeeples Apr 11, 2022
0a5c004
Rename actions menu (prev button)
joepeeples Apr 11, 2022
d7dcac4
Update docs/management/admin/blocklist.asciidoc
joepeeples Apr 11, 2022
591c89d
Update docs/getting-started/configure-integration-policy.asciidoc
joepeeples Apr 11, 2022
5953ab7
Merge branch 'main' into issue-1783-blocklist
joepeeples Apr 12, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion docs/getting-started/configure-integration-policy.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ To configure the integration policy:
* <<adv-policy-settings>>
* <<save-policy>>

4. Click the **Trusted applications**, **Event filters**, and **Host isolation exceptions** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to <<trusted-apps-ov>>, <<event-filters>>, and <<host-isolation-exceptions>>). On these tabs, you can:
4. Click the **Trusted applications**, **Event filters**, **Host isolation exceptions**, and **Blocklist** tabs to review the endpoint policy artifacts assigned to this integration policy (for more information, refer to <<trusted-apps-ov>>, <<event-filters>>, <<host-isolation-exceptions>>, and <<blocklist>>). On these tabs, you can:
* Expand and view an artifact — Click the arrow next to its name.
* View an artifact's details — Click the actions button (**...**), then select **View full details**.
joepeeples marked this conversation as resolved.
Show resolved Hide resolved
* Unassign an artifact (Platinum or Enterprise subscription) — Click the actions button (**...**), then select **Remove from policy**. This does not delete the artifact; this just unassigns it from the current policy.
Expand All @@ -42,6 +42,8 @@ Malware protection levels are:
+
TIP: Platinum and Enterprise customers can customize these notifications using the `Elastic Security {action} {filename}` syntax.

Malware protection also allows you to implement a blocklist to prevent specified applications from running on hosts, extending the list of processes that {endpoint-sec} considers malicious. Use the **Blocklist enabled** toggle to enable or disable this feature for all hosts associated with the integration policy. To configure the blocklist, refer to <<blocklist>>.
joepeeples marked this conversation as resolved.
Show resolved Hide resolved

[role="screenshot"]
image::images/install-endpoint/malware-protection.png[Detail of malware protection section.]

Expand Down
Binary file modified docs/getting-started/images/install-endpoint/malware-protection.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
10 changes: 10 additions & 0 deletions docs/getting-started/security-ui.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ The {security-app} contains the following pages that enable analysts to view, an
* Trusted applications
* Event filters
* Host isolation exceptions
* Blocklist

Pages are grouped into four main sections within the navigation pane -- Detect, Explore, Investigate, and Manage. Each section supports a different part of your workflow and describes actions you can perform in the {security-app}.

Expand Down Expand Up @@ -191,6 +192,15 @@ The Host isolation exceptions page allows you to specify IP addresses that allow
[role="screenshot"]
image::management/admin/images/host-isolation-exceptions-ui.png[Shows the Host isolation exceptions page]

[float]
[[blocklist-page]]
=== Blocklist page

The Blocklist page allows you to prevent specified applications from running on hosts, extending the list of processes that {endpoint-sec} considers malicious. Refer to <<blocklist, Blocklist>> for more information.

[role="screenshot"]
image::management/admin/images/blocklist.png[Blocklist page]

[discrete]
[[timeline-accessibility-features]]
== Accessibility features
Expand Down
82 changes: 82 additions & 0 deletions docs/management/admin/blocklist.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
[[blocklist]]
[chapter]
= Blocklist

coming[8.2.0]

The blocklist allows you to prevent specified applications from running if you're certain they should never run in a host environment, extending the list of processes that {endpoint-sec} considers malicious. This is especially useful to ensure that known malicious processes aren't accidentally executed by an end user.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The blocklist allows you to prevent specified applications from running if you're certain they should never run in a host environment, extending the list of processes that {endpoint-sec} considers malicious. This is especially useful to ensure that known malicious processes aren't accidentally executed by an end user.
The blocklist allows you to prevent specified applications from running if you're certain they should never run in a host environment, extending the list of processes that {endpoint-sec} considers malicious. This is especially useful for ensuring that known malicious processes aren't accidentally executed by end users.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if the last sentence (the one I made suggestions on) is necessary, I think folks are pretty clear on the value of blocklisting and it extends beyond adding guardrails for users/insiders.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I get what you mean, but I also like having a little extra explanation for the feature beyond the boilerplate description. @caitlinbetz, any thoughts? Or other use case info you think would be helpful here?

This combines @benironside's edits and other tweaks for consistency with similar wording:

Suggested change
The blocklist allows you to prevent specified applications from running if you're certain they should never run in a host environment, extending the list of processes that {endpoint-sec} considers malicious. This is especially useful to ensure that known malicious processes aren't accidentally executed by an end user.
The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {endpoint-sec} considers malicious. This is especially useful for ensuring that known malicious processes aren't accidentally executed by end users.

joepeeples marked this conversation as resolved.
Show resolved Hide resolved

[NOTE]
=====
In addition to configuring specific entries on the **Blocklist** page, you must also ensure that the blocklist is enabled on the {endpoint-sec} integration policy in the <<malware-protection, Malware protection settings>>. This setting is enabled by default.

You must have the built-in `superuser` role to access the blocklist. For more information, refer to {ref}/built-in-users.html[Built-in users].
Comment on lines +11 to +13
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We talked about the possibility of putting the "block box" (can't think of the official term). Here's the syntax again just in case you want to try it.

.Title
*****
Text text 

* Bullet
* Bullet

Text text text 

*****

Copy link
Contributor Author

@joepeeples joepeeples Apr 11, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since most of the pages for endpoint management are so similar, I'd like to make this update in a separate issue that includes adding the prerequisites box consistently across all the pages. I was already thinking of creating this issue for general consistency fixes, so I think the prereqs box would fall nicely into that issue's scope.

=====

By default, a blocklist entry is recognized globally across all hosts running {endpoint-sec}. If you have a https://www.elastic.co/pricing[Platinum or Enterprise subscription], you can also assign a blocklist entry to specific {endpoint-sec} integration policies, which blocks the process only on hosts assigned to that policy.

. Go to **Manage** -> **Blocklist**.

. Click **Add blocklist entry**. The **Add blocklist** flyout appears.

. Fill in these fields in the **Details** section:
.. `Name`: Enter a name to identify the application in the blocklist.
.. `Description`: Enter a description to provide more information on the blocklist entry (optional).

. In the **Conditions** section, enter the following information about the application you want to block:
.. `Select operating system`: Select the appropriate operating system from the drop-down.
.. `Field`: Select a field to identify the application being blocked:
* `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable.
* `Path`: The full file path of the application's executable.
* `Signature`: (Windows only) The name of the application's digital signer.
+
TIP: To find the signer's name for an application, go to *Kibana* -> *Discover* and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).

.. `Operator`: The operator is `is one of` and cannot be modified.

.. `Value`: Enter the hash value, file path, or signer name. To enter multiple values (such as a list of known malicious hash values), you can enter each value individually or paste a comma-delimited list, then press **Return**.
+
NOTE: Hash values must be valid to add them to the blocklist.

. Select an option in the *Assignment* section to assign the blocklist entry to a specific integration policy:
+
* `Global`: Assign the blocklist entry to all {endpoint-sec} integration policies.
* `Per Policy`: Assign the blocklist entry to one or more specific {endpoint-sec} integration policies. Select each policy where you want the blocklist entry to apply.
+
NOTE: You can also select the `Per Policy` option without immediately assigning a policy to the blocklist entry. For example, you could do this to create and review your blocklist configurations before putting them into action with a policy.

. Click **Add blocklist**. The new entry is added to the **Blocklist** page.

. When you're done adding entries to the blocklist, ensure that the blocklist is enabled for the {endpoint-sec} integration policies that you just assigned:
.. Go to **Manage** -> **Policies**, then click on an integration policy.
.. On the **Policy settings** tab, make sure that the **Malware protections enabled** and **Blocklist enabled** toggles are switched on. Both settings are enabled by default.
joepeeples marked this conversation as resolved.
Show resolved Hide resolved

[discrete]
[[manage-blocklist]]
== View and manage the blocklist

The *Blocklist* page displays all the blocklist entries that have been added to the {security-app}. To refine the list, use the search bar to search by name, description, or field value.

[role="screenshot"]
image::images/blocklist.png[]

[discrete]
[[edit-blocklist-entry]]
=== Edit a blocklist entry
You can individually modify each blocklist entry. With a Platinum or Enterprise subscription, you can also change the policies applied to a blocklist entry.
joepeeples marked this conversation as resolved.
Show resolved Hide resolved

To edit a blocklist entry:

. Click the actions button (*...*​) for the blocklist entry you want to edit, then select *Edit blocklist*.
. Modify details as needed.
. Click *Save*.

[discrete]
[[delete-blocklist-entry]]
=== Delete a blocklist entry
You can delete a blocklist entry, which removes it entirely from all {endpoint-sec} policies.
joepeeples marked this conversation as resolved.
Show resolved Hide resolved

To delete a blocklist entry:

. Click the actions button (*...*) for the blocklist entry you want to delete, then select *Delete blocklist*.
. On the dialog that opens, verify that you are removing the correct blocklist entry, then click *Delete*. A confirmation message is displayed.
joepeeples marked this conversation as resolved.
Show resolved Hide resolved
Binary file added docs/management/admin/images/blocklist.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
1 change: 1 addition & 0 deletions docs/management/manage-intro.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,3 +9,4 @@ include::{security-docs-root}/docs/management/admin/host-isolation-ov.asciidoc[l
include::{security-docs-root}/docs/management/admin/trusted-apps.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/event-filters.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/host-isolation-exceptions.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/blocklist.asciidoc[leveloffset=+1]