-
Notifications
You must be signed in to change notification settings - Fork 201
Endpoint Insights feature — Serverless #6480
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
100afe1
Endpoint Insights feature — Serverless
benironside e89abe3
updates image size
benironside 3624d60
incorporates reviews
benironside aa5f97c
Incorporates Nat's review
benironside 03f8619
Update identify-third-party-AV-products.asciidoc
benironside File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
40 changes: 40 additions & 0 deletions
40
docs/serverless/edr-manage/identify-third-party-AV-products.asciidoc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| [[identify-third-party-av-products]] | ||
| = Identify antivirus software on your hosts | ||
|
|
||
| .Technical preview | ||
| [IMPORTANT] | ||
| ==== | ||
| This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features. | ||
| ==== | ||
|
|
||
| Third-party antivirus (AV) software installed on your hosts can interfere with {elastic-defend}. To mitigate issues with running third-party AV alongside {elastic-defend}, you first have to identify which AV is present. | ||
|
|
||
| After you've installed {elastic-defend} on one or more hosts, you can use **Endpoint Insights** to check whether your endpoints have third-party AV software installed. Using the same kinds of large language model (LLM) connectors as Elastic AI Assistant, Endpoint Insights can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected. | ||
|
|
||
| .Requirements | ||
| [sidebar] | ||
| -- | ||
| To use this feature, you need: | ||
|
|
||
| * A Security Analytics Complete https://www.elastic.co/pricing/serverless-security[subscription]. | ||
| * The *Endpoint Insights: Read* or *Endpoint Insights: All* security sub-feature privilege. | ||
| * A working <<security-llm-connector-guides,LLM connector>> for AI Assistant. | ||
| -- | ||
|
|
||
| [discrete] | ||
| == Scan your hosts for AV software | ||
|
|
||
| 1. Find **Endpoints** in the navigation menu or use the global search field. | ||
| 2. Click on an endpoint to open its details flyout, then under *Endpoint Insights*, click **Endpoint Insights scan**. | ||
| 3. Select an LLM connector, or <<security-llm-connector-guides,add>> a new one. | ||
| 4. Click *Scan*. After a brief processing period, any detected AV products will appear under *Insights*. | ||
|
|
||
| image::images/endpoint-insights-results.png[Endpoint Insights results with the "Create trusted app" button highlighted] | ||
benironside marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| [discrete] | ||
| == Resolve incompatibilities | ||
|
|
||
| After a scan has completed, you can click the *Create trusted app* button to the right of a result to quickly add the associated AV program to {elastic-defend}'s trusted applications list. If the button is not clickable, you don't have the <<security-trusted-applications,required privilege>>. | ||
|
|
||
| IMPORTANT: If you plan to use {elastic-defend} alongside third-party AV software, we recommend you that you both <<security-allowlist-endpoint, allowlist {elastic-endpoint} in your AV>> and <<security-trusted-applications,make the AV a trusted application>>. | ||
benironside marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.