Trusted applications: behavioral detection behavior #5090

Open
benironside wants to merge 6 commits into main from 4842-trusted-processes

@benironside (Contributor) commented Feb 10, 2026

Summary

Fixes #4842 — in v9.2+ and serverless, behavioral detections no longer apply to trusted applications. This improves performance.

This PR updates two pages related to this functionality.

  • @gabriellandau, please review both pages for accuracy and clarity!
  • Docs reviewers, please let me know if you think the content in the {applies-switch} component needs a heading, or if it works as-is.

Thanks!

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • No

github-actions bot (Contributor) commented Feb 10, 2026

Vale Linting Results

Summary: 1 suggestion found

💡 Suggestions (1)
File: solutions/security/manage-elastic-defend/trusted-applications.md
Line: 32
Rule: Elastic.WordChoice
Message: Consider using 'run, start' instead of 'execute', unless the term is in the UI.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@benironside benironside self-assigned this Feb 10, 2026
@benironside benironside marked this pull request as ready for review February 10, 2026 23:16
@benironside benironside requested a review from a team as a code owner February 10, 2026 23:16
Comment on lines 40 to 41
:::{applies-item} { stack: ga 9.2+, serverless: ga }
Trusted applications are not monitored for malicious behavior, which improves performance.
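Review bot: On the second line, "not monitored for malicious behavior" is broader than what the PR summary states, which is that behavioral detections no longer apply to trusted applications. Consider wording the sentence in those terms so readers can tell exactly which detection coverage they give up when they add a trusted application, and consider stating that loss of coverage as plainly as the performance gain.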
Contributor

We changed this in 9.2.5, but 9.2.4 still uses the old behavior. Can we clarify this?

@benironside (Contributor, Author) commented Feb 17, 2026

We normally document the latest minor version, with the assumption that if people are on a given minor version, they're probably on the latest patch. Does that work in this case?

Contributor

> We normally document the latest minor version, with the assumption that if people are on a given minor version, they're probably on the latest patch.

Is that documented anywhere for users? A user on 9.2.4 going to the 9.2 docs could easily think that the documented behavior applies to them.

Development

Successfully merging this pull request may close these issues.

Update Defend TrustedApps Docs for New Process Event Behavior

3 participants