
Endpoint data volume reduction mechanisms [ESS] #5881

Draft: wants to merge 1 commit into base: main
Conversation

joepeeples (Contributor) commented Oct 2, 2024

Contributes to #5771. Currently ESS-only while drafting, but might eventually bundle in serverless.

🚧 Work in progress -- don't review yet 🚧


@joepeeples joepeeples added Team: Endpoint Endpoint related issues Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management Feature: Elastic Defend Docset: ESS Issues that apply to docs in the Stack release v8.15.0 v8.16.0 labels Oct 2, 2024
@joepeeples joepeeples self-assigned this Oct 2, 2024
github-actions bot commented Oct 2, 2024

A documentation preview will be available soon.

Request a new doc build by commenting
  • Rebuild this PR: run docs-build
  • Rebuild this PR and all Elastic docs: run docs-build rebuild

run docs-build is much faster than run docs-build rebuild. A rebuild should only be needed in rare situations.

If your PR continues to fail for an unknown reason, the doc build pipeline may be broken. Elastic employees can check the pipeline status here.

@joepeeples joepeeples changed the title Endpoint data volume reduction mechanisms Endpoint data volume reduction mechanisms [ESS] Oct 2, 2024

added:[8.16] {elastic-endpoint} does not report MD5 and SHA-1 hashes in event data by default. These will still be reported if any <<trusted-apps-ov,trusted applications>>, <<blocklist,blocklist entries>>, <<event-filters,event filters>>, or <<detections-ui-exceptions,rule exceptions>> require them. To include these hashes in all event data, use these advanced settings:

`[linux|mac|windows].advanced.alerts.hash.md5`:: Enter `true` to compute and include MD5 hashes for processes and libraries in events. Default: `false`
Collaborator commented:

Suggested change
`[linux|mac|windows].advanced.alerts.hash.md5`:: Enter `true` to compute and include MD5 hashes for processes and libraries in events. Default: `false`
`[linux|mac|windows].advanced.alerts.hash.md5`:: Enter `true` to compute and include MD5 hashes for processes and libraries in alerts. Default: `false`


`[linux|mac|windows].advanced.alerts.hash.md5`:: Enter `true` to compute and include MD5 hashes for processes and libraries in events. Default: `false`

`[linux|mac|windows].advanced.alerts.hash.sha1`:: Enter `true` to compute and include SHA-1 hashes for processes and libraries in events. Default: `false`
Collaborator commented:

We should also include

Suggested change
`[linux|mac|windows].advanced.alerts.hash.sha1`:: Enter `true` to compute and include SHA-1 hashes for processes and libraries in events. Default: `false`
`[linux|mac|windows].advanced.alerts.hash.sha1`:: Enter `true` to compute and include SHA-1 hashes for processes and libraries in alerts. Default: `false`

== MD5 and SHA-1 hashes

added:[8.16] {elastic-endpoint} does not report MD5 and SHA-1 hashes in event data by default. These will still be reported if any <<trusted-apps-ov,trusted applications>>, <<blocklist,blocklist entries>>, <<event-filters,event filters>>, or <<detections-ui-exceptions,rule exceptions>> require them. To include these hashes in all event data, use these advanced settings:

Collaborator commented:

We should also include these two:

  • [linux|mac|windows].advanced.events.hash.md5: Enter true to compute and include MD5 hashes for processes and libraries in events. Default: false
  • [linux|mac|windows].advanced.events.hash.sha1: Enter true to compute and include SHA-1 hashes for processes and libraries in events. Default: false
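The doc text and the review comments above describe two things that decide whether an endpoint computes MD5 and SHA-1: the per-OS `advanced.alerts.hash.*` / `advanced.events.hash.*` settings (default `false`), and any trusted application, blocklist entry, event filter or rule exception that matches on one of those hashes (which keeps the hash reported regardless of the setting). The following is an added example, not code from this PR or from Elastic: a small policy-review helper a defender can run before turning these hashes off to see which hashes each OS would still compute and why. It assumes the setting keys exactly as the page spells them, and represents the exception-style entries as a constructed list of `{"list", "field", "value"}` dicts where a field ending in `.hash.md5` or `.hash.sha1` is taken to require that hash; both the policy and the entries below are constructed sample data.

```python
"""Added example (not Elastic's code): model which MD5/SHA-1 hashes an endpoint
keeps computing, given the advanced settings named on this page and the
exception-style entries that can require them.

Assumptions (constructed for this example):
  - Setting keys follow the page: <os>.advanced.alerts.hash.<algo> and
    <os>.advanced.events.hash.<algo>, with <os> in linux/mac/windows.
  - Trusted apps, blocklist entries, event filters and rule exceptions are
    flattened into dicts with "list", "field" and "value"; a field ending in
    ".hash.md5" or ".hash.sha1" is taken to require that hash.
"""
import re

OSES = ("linux", "mac", "windows")
ALGOS = ("md5", "sha1")
KINDS = ("events", "alerts")
_HASH_FIELD = re.compile(r"\.hash\.(md5|sha1)$")

# Constructed sample inputs (not taken from any real deployment).
CONSTRUCTED_POLICY = {
    "windows.advanced.alerts.hash.md5": "true",   # enabled for alerts only
    "windows.advanced.events.hash.sha1": "false",  # explicit default
}
CONSTRUCTED_ENTRIES = [
    {"list": "trusted_apps", "field": "process.hash.sha1",
     "value": "<constructed-sha1>"},
    {"list": "event_filters", "field": "process.executable",
     "value": "C:\\example\\tool.exe"},
]


def setting_key(os_name, kind, algo):
    """Build the advanced-setting key as documented on the page."""
    return f"{os_name}.advanced.{kind}.hash.{algo}"


def _truthy(value):
    # Settings are entered as the string "true"/"false".
    return str(value).strip().lower() == "true"


def required_hashes(entries):
    """Map algo -> reasons for every entry that matches on an MD5/SHA-1 field.
    Per the page, such entries keep the hash reported even when the setting is
    false, so these are the hashes you cannot switch off by policy alone."""
    required = {}
    for entry in entries:
        match = _HASH_FIELD.search(entry.get("field", ""))
        if match:
            reason = f"{entry.get('list', 'entry')} matches on {entry['field']}"
            required.setdefault(match.group(1), []).append(reason)
    return required


def hash_reasons(policy, os_name, entries):
    """Map (kind, algo) -> list of reasons the endpoint computes that hash for
    that data kind on the given OS: an explicit true setting, or an entry
    that requires it. Missing settings count as the documented default, false."""
    if os_name not in OSES:
        raise ValueError(f"unknown OS {os_name!r}; expected one of {OSES}")
    required = required_hashes(entries)
    reasons = {}
    for kind in KINDS:
        for algo in ALGOS:
            key = setting_key(os_name, kind, algo)
            if _truthy(policy.get(key, "false")):
                reasons.setdefault((kind, algo), []).append(f"{key}=true")
            for why in required.get(algo, []):
                reasons.setdefault((kind, algo), []).append(why)
    return reasons


def effective_hashes(policy, os_name, entries):
    """Return {"events": set(algos), "alerts": set(algos)} still computed."""
    reasons = hash_reasons(policy, os_name, entries)
    return {kind: {algo for (k, algo) in reasons if k == kind} for kind in KINDS}


if __name__ == "__main__":
    for os_name in OSES:
        print(f"[{os_name}] {effective_hashes(CONSTRUCTED_POLICY, os_name, CONSTRUCTED_ENTRIES)}")
        for (kind, algo), why in sorted(hash_reasons(CONSTRUCTED_POLICY, os_name, CONSTRUCTED_ENTRIES).items()):
            print(f"  {kind}/{algo}: " + "; ".join(why))
```

Run against your own exported policy and exception lists (after flattening them into the assumed shape), the report shows where turning the settings off actually reduces volume and where an exception or trusted app would keep a hash flowing anyway; the latter are the places to revisit first if the goal is to drop MD5/SHA-1 entirely.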

@natasha-moore-elastic natasha-moore-elastic added the blocked An issue that's currently blocked because it’s pending info or action from stakeholders. label Nov 14, 2024
mergify bot (Contributor) commented Nov 19, 2024

This pull request is now in conflicts. Could you fix it @joepeeples? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 5771-defend-data-volume upstream/5771-defend-data-volume
git merge upstream/main
git push upstream 5771-defend-data-volume

@joepeeples joepeeples removed their assignment Nov 20, 2024
Labels
blocked An issue that's currently blocked because it’s pending info or action from stakeholders. Docset: ESS Issues that apply to docs in the Stack release Feature: Elastic Defend Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management Team: Endpoint Endpoint related issues v8.15.0 v8.16.0 v8.17.0