
Elastic Defend advanced settings #1445


Open. Wants to merge 4 commits into base: main

Conversation

natasha-moore-elastic (Contributor) commented May 21, 2025

Resolves elastic/security-docs#2234 by documenting the Elastic Defend policy advanced settings in the Reference section.
The setting descriptions consist of the Kibana tooltip text (in italics) and, for most settings, an additional description. The Kibana tooltip text was kept because some settings don't have an additional description.

Preview: Elastic Defend advanced settings

ferullo commented May 29, 2025

Thanks. I'll review this as soon as I can. @joe-desimone @gabriellandau @magermark @nfritts you may want to review also and/or mention this to others.


Docs text under review:

> *A value of `false` disables cloud lookup for alerts. Default: `true`.*
>
> Before blocking or alerting on malware files, {{elastic-endpoint}} reaches out to an Elastic cloud service ([https://cloud.security.elastic.co](https://cloud.security.elastic.co)) to see if the alert is a known false positive. Use this setting to disable this feature. Enabling or disabling this feature doesn't affect malware prevention's efficacy.

joe-desimone commented May 30, 2025:

Before blocking or alerting on malware files, {{elastic-endpoint}} reaches out to an Elastic cloud service ([https://cloud.security.elastic.co](https://cloud.security.elastic.co)) to see if the alert is a known false positive. Use this setting to disable this feature. Disabling this feature may result in higher false positive rates.


Docs text under review:

> *A value of `false` disables malicious sample collection for alerts. Default: `true`.*
>
> To help improve future malware detection, Elastic collects samples of unknown malware files for {{ecloud}} users by default. Use this setting to disable the sample collection.

Review comment:

To improve the efficacy of malware and reputation protections, Elastic collects samples of unknown malware files. Use this setting to disable the sample collection.

AsuNa-jp commented May 30, 2025

Hi @natasha-moore-elastic @ferullo
Today I've opened the following advanced policy draft PR for the 8.19/9.1 feature.
Should I add the advanced policy from the draft PR to this PR as well, or would it be better to request everyone's review first?

ferullo commented May 30, 2025

I noticed the in-app help text is included along with additional information (which mirrors the format of the source Google doc). I wonder, now that this online documentation is being added, do we want to shorten the in-app text and provide a link to this page? Or merge the two types of documentation for each option here and then have the in-app text mirror that revised text? Something else? Just leave it as is?

I'm up for doing a pass at updating this or the in-app text if you'd like to do any of those things. Otherwise I'm also happy to review this as it is.

cc @roxana-gheorghe

Labels: Team:Experience (Issues owned by the Experience Docs Team)

Linked issue: [DOCS] Document endpoint policy advanced settings

4 participants