[Elastic Defend] Add windows.ransomware.dump_process for endpoint advanced policy setting (#212439)

## Summary This PR exposes `windows.ransomware.dump_process` as an advanced policy option for Elastic Defend. If enabled, this option will make the endpoint generate a memory dump of the ransomware process before killing it, assisting the ransomware investigation process. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 09:48:58 -04:00 · 2025-03-03 16:57:20 -08:00 · 2025-03-03 16:57:20 -08:00 · e9813b8c72
commit e9813b8c72
parent ec127e271c
1 changed files with 11 additions and 0 deletions
--- a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
@ -908,6 +908,17 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
      }
    ),
  },
+  {
+    key: 'windows.advanced.ransomware.dump_process',
+    first_supported_version: '8.11',
+    documentation: i18n.translate(
+      'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.ransomware.dump_process',
+      {
+        defaultMessage:
+          "A value of 'false' disables the generation of a memory dump of the Ransomware process. This is ignored if the canary protection is off. Default: true.",
+      }
+    ),
+  },
  {
    key: 'windows.advanced.memory_protection.shellcode',
    first_supported_version: '7.15',