Commit

Merge branch 'main' into 11-reqs-revise-custom-roles
joepeeples committed Sep 20, 2024
2 parents 39c3dde + 247c6f4 commit 7168226
Showing 3 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion docs/management/admin/blocklist.asciidoc
Expand Up @@ -33,7 +33,7 @@ By default, a blocklist entry is recognized globally across all hosts running {e
+
TIP: To find the signer's name for an application, go to *Kibana* -> *Discover* and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).

.. `Operator`: The operator is `is one of` and cannot be modified.
.. `Operator`: For hash and path conditions, the operator is `is one of` and can't be modified. For signature conditions, choose `is one of` to enter multiple values or `is` for one value.

.. `Value`: Enter the hash value, file path, or signer name. To enter multiple values (such as a list of known malicious hash values), you can enter each value individually or paste a comma-delimited list, then press **Return**.
+
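
Review bot: The unchanged `Value` step at the end of this hunk tells users to paste a comma-delimited list, yet the signer name given as the example in the TIP, `McAfee, Inc.`, itself contains a comma. With the new `Operator` text allowing `is one of` for signature conditions, please state how a signer name that contains a comma should be entered, so readers know whether a pasted `McAfee, Inc.` is kept as one value or split into two.
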
4 changes: 2 additions & 2 deletions docs/management/api/blocklist-api.asciidoc
Expand Up @@ -525,8 +525,8 @@ Process signature is supported for Windows xref:exception-{endpoint-artifact-api
* `entries`: An array with 1 `entry` item.
* `entries[0]` : The entry defining the signature to be matched upon:
** `field`: Must be set to `subject_name`.
** `value` : An array of signature names to match on.
** `type` : Must be set to `match_any`.
** `value` : To match multiple signatures, specify an array of signature names. To match a single signature, specify the signature name as a string.
** `type` : To match multiple signatures, set to `match_any`. To match a single signature, set to `match`.
** `operator` : Must be set to `included`.

[source,json]
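
Review bot: In the reworded `value` and `type` bullets, the two valid combinations are described independently, so nothing says the two fields must agree. Suggest stating the pairing explicitly (an array `value` goes with `type` `match_any`, a string `value` goes with `type` `match`) and documenting what the API does when they are mixed. If the example that follows `[source,json]` shows only the array form, add a single-signature example next to it.
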
2 changes: 1 addition & 1 deletion docs/serverless/edr-manage/blocklist.mdx
Expand Up @@ -44,7 +44,7 @@ By default, a blocklist entry is recognized globally across all hosts running ((
To find the signer's name for an application, go to **Discover** and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`).
</DocCallOut>

1. `Operator`: The operator is `is one of` and cannot be modified.
1. `Operator`: For hash and path conditions, the operator is `is one of` and can't be modified. For signature conditions, choose `is one of` to enter multiple values or `is` for one value.

1. `Value`: Enter the hash value, file path, or signer name. To enter multiple values (such as a list of known malicious hash values), you can enter each value individually or paste a comma-delimited list, then press **Return**.
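
Review bot: The `Value` step left unchanged below the new `Operator` text still describes only how to enter multiple values, which no longer fits a signature condition that uses `is`. Suggest adding that with `is` a single signer name is entered. The same wording is duplicated in docs/management/admin/blocklist.asciidoc, so any fix should be applied to both copies.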
