
[REQUEST]: Add note to endpoint docs clarifying how Defend protection works #1326

@caitlinbetz

Description

We continuously see support cases where customers have a misunderstanding of how the Endpoint solution works vs. a classic antivirus program.

Here was a thread about this and a very good answer in my opinion from Joe:
https://elastic.slack.com/archives/CEV9CFY8H/p1745238832190549?thread_ts=1745226563.493329&cid=CEV9CFY8H

Elastic Defend has many layers of protections that work in tandem to detect and eliminate threats. Some layers, like malware protection, operate before execution as soon as a threat is introduced to the file system. However, most layers operate after the threat is launched or executed. This includes malicious behavior protection and memory protection. In a realistic attack scenario where a user clicks on this threat, Elastic Defend would comprehensively detect and stop the attack in its tracks.

We'd like to document this somewhere so that we can refer customers to it. Perhaps as an addition to a page like this:
https://www.elastic.co/docs/solutions/security/configure-elastic-defend/elastic-defend-requirements
or
https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend (where most protections are documented today)

Resources

related thread: https://elastic.slack.com/archives/CEV9CFY8H/p1745226563493329

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

N/A

What release is this request related to?

N/A

Collaboration model

Other (please describe below)

Point of contact

Main contact: @caitlinbetz

Stakeholders:
@111andre111 @joe-desimone

Metadata

Assignees

No one assigned

Labels

Team:Security (Issues owned by the Security Docs Team)
