[Internal]: Advanced Mode for Trusted Applications #1520

Open
@caitlinbetz

Description

We've added an "advanced mode" option for trusted applications. The default behavior will remain the same as it is currently, with the option for users to switch into an "advanced" option if they wish. The "advanced mode" allows users to create a filter on more than just hash/signer/executable path, providing the ability to define more complex rules (similar to alert exceptions and event filters) such as trusting specific file paths or remote IP addresses. It'll still be the case that Advanced Trusted Apps will prevent Endpoint from monitoring certain system activity (while Endpoint Exceptions will continue to monitor all activity but just not alert on certain things - no changes there).

Resources

Security team issue: https://github.com/elastic/security-team/issues/9267

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

N/A

What release is this request related to?

Edit: TBD, delayed from 9.1, targeting 9.2

Serverless release

TBD

Collaboration model

The documentation team

Point of contact

Main contact: @caitlinbetz @dasansol92 @ferullo

Stakeholders:

Metadata

Assignees

No one assigned

Labels

Team:Experience (Issues owned by the Experience Docs Team)