Ransomware protection[DOCS]

Description

OLM team issue: https://github.com/elastic/security-team/issues/515

Behavioral ransomware prevention on the Elastic Agent detects and stops ransomware attacks on Windows systems by analyzing data from low-level system processes, and is effective across an array of widespread ransomware families — including those targeting the system’s master boot record.

Ransomware protection for Windows can be toggled on or off via the Endpoint integration policy. Users can set the protection level to Detect or Prevent. Default configuration is Prevent ON, Notify User ON. User notification can be customized in the same way as the Malware notification. This is a licensed feature - available for Platinum licenses and above (Platinum, Enterprise).

Acceptance Test Criteria

Ransomware is a paid feature and will enabled when the user has a (Platinum+) license.
Ransomware is disabled with the user has anything below a Platinum license (Basic, Gold).
- if a user (under a basic/gold license) creates a new Policy, Ransomware will not display
if a user (under a platinum/enterprise license) creates a new Policy, Ransomware should be ON (Prevent, Notification ON) by default
Existing Ransomware configurations should be disabled when the license downgrades to Basic/Gold and sent down to the Endpoint, similar to existing Malware notification implementation
If a user environment is upgraded to Platinum, Ransomware will be OFF by default for existing policies

Notes

Ransomware view - Platinum, Enterprise

Ransomware view - Basic, Gold

elastic / security-docs