elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Fleet][Security Solution] Fleet users can see when Agents are Isolated in the Agents UI #99071

Open kevinlog opened 3 years ago

kevinlog commented 3 years ago

Describe the feature: Fleet Agents using the Endpoint Integration will be able to be Isolated from their networks during Security triage workflows. As a result, it's important that Fleet users are aware that Agents are isolated because it can be disruptive to the Host machine's users' workflows.

Describe a specific use case for the feature: When an Agent is isolated by a Security admin, Fleet users should also be aware so that they have a full picture of their networks.

Acceptance Criteria:

elasticmachine commented 3 years ago

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

elasticmachine commented 3 years ago

Pinging @elastic/fleet (Team:Fleet)

kevinlog commented 3 years ago

FYI @jen-huang @ph @mostlyjason

This is following from earlier conversations surrounding Agent/Endpoint interactions for the Host Isolation feature.

@jen-huang As discussed elsewhere, my team can help with the UI portion. The Agent/Endpoint comms still needs to be implemented, however.

EricDavisX commented 3 years ago

Hi - I wanted to suggest that we confirm which user role is impacted by the lack of this support in Fleet UI, and how they are impacted (what can't that particular 'administrator of Agents' do or decide as quickly because of it). @kevinlog do you know or @bradenlpreston can comment?

Also, we could add some small docs help to suggest users check the Security App if they are ever in doubt of an Agent's connectivity (a troubleshooting step?) as a small bandaid for the short term.

bradenlpreston commented 3 years ago

@caitlinbetz - can comment.

caitlinbetz commented 3 years ago

@EricDavisX In terms of concrete roles, currently all users need the superuser role in order to access both fleet and the security-endpoints page. We hope to adjust this in the future for more granular control. Given the end-user impact of an isolated host, we feel like not reflecting any "isolated" status on the Agent gives an incomplete picture of the host/agent status. Agree that some docs-related help is a good interim solution.

EricDavisX commented 3 years ago

@caitlinbetz hi - I totally agree that it is needed, I feel pretty strongly, too. Would love to see this get in :)

About the 'roles' I don't think I can cite it as eloquently, but I'm not sure I asked exactly the right question. I was asking about end user personas, like 'a tier 1 security analyst' or the equivalent in the Agent / Fleet administration side (I don't know those personas actually). I know that @mostlyjason will have a tab on those personas, but I'm not sure if we appreciate or know very well how the security user's actions on a host will impact the Agent (overall) and how that may or may not be needed to be seen on the Fleet page. While I'd like the feature, I'm looking for justification for the request, really, to make sure we have it prioritized.