From 72a1fafc78d782bd5bb4c3b556a2eedacebd865f Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 3 Oct 2025 15:35:53 +0100 Subject: [PATCH 1/5] [Security] Automatic troubleshooting updates --- .../automatic-troubleshooting.md | 76 +++++++++++++++++++ .../identify-antivirus-software-on-hosts.md | 51 ------------- solutions/toc.yml | 2 +- 3 files changed, 77 insertions(+), 52 deletions(-) create mode 100644 solutions/security/manage-elastic-defend/automatic-troubleshooting.md delete mode 100644 solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md diff --git a/solutions/security/manage-elastic-defend/automatic-troubleshooting.md b/solutions/security/manage-elastic-defend/automatic-troubleshooting.md new file mode 100644 index 0000000000..b42e58303d --- /dev/null +++ b/solutions/security/manage-elastic-defend/automatic-troubleshooting.md 
@@ -0,0 +1,76 @@ +--- +mapped_pages: + - https://www.elastic.co/guide/en/serverless/current/identify-third-party-av-products.html +applies_to: + stack: ga 9.2, preview 9.0 + serverless: + security: ga +products: + - id: security + - id: cloud-serverless +--- + +# Automatic troubleshooting + +Automatic troubleshooting helps you identify and resolve issues that could prevent {{elastic-defend}} from working as intended. This feature provides actionable insights into the following common problem areas: + +* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` **Policy responses**: Detect warnings or failures in {{elastic-defend}}’s integration policies. +* **Third-party antivirus (AV) software**: Identify installed third-party antivirus (AV) products that may conflict with {{elastic-defend}}. + +With these checks, you can resolve configuration errors, address incompatibilities, and ensure that your hosts remain protected. + +::::{admonition} Requirements +To use this feature, you need: + +* In serverless, a project with the Security Analytics Complete [feature tier](https://www.elastic.co/pricing/serverless-security). +* The **Automatic Troubleshooting: Read** or **Automatic Troubleshooting: All** security [sub-feature privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). + :::{note} + In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. + ::: +* A working [LLM connector](../ai/set-up-connectors-for-large-language-models-llm.md) for AI Assistant. +:::: + +## Troubleshoot policy issues +```yaml {applies_to} +stack: ga 9.2 +serverless: ga +``` + +{{elastic-defend}}'s integration policy statuses indicate whether protections are applied successfully to your hosts. Warnings or failures in these policies can weaken your security posture. Automatic troubleshooting helps you detect any issues and suggests remediation steps. 
+ +::::{admonition} Requirements +To use this functionality, you need to enable [AI Assistant Knowledge Base](/solutions/security/ai/ai-assistant-knowledge-base.md). +:::: + +### Scan your hosts for policy issues + +1. Find **Endpoints** in the navigation menu or use the global search field. +2. Click on an endpoint to open its details flyout. +3. Under **Automatic Troubleshooting**, select an LLM connector, or [add](../ai/set-up-connectors-for-large-language-models-llm.md) a new one. +4. If you don't already have AI Assistant Knowledge Base enabled, click **Setup Knowledge Base**. +5. Once Knowledge Base is enabled, click **Scan**. After a brief processing period, any detected warnings or failures in policy responses will appear under **Insights**. + +### Resolve policy issues + +After a scan has completed, automatic troubleshooting suggests recommended next steps for each policy issue. These may include adjusting specific {{elastic-defend}} policy settings or reviewing conflicting host configurations. Click **Learn more** to the right of a result to open Elastic documentation, which provides more context and guidance for resolving the issue. + +## Identify antivirus software on your hosts [identify-third-party-av-products] + +Third-party antivirus software installed on your hosts can interfere with {{elastic-defend}}. To mitigate issues with running third-party AV alongside {{elastic-defend}}, you first have to identify which AV is present. + +After you’ve installed {{elastic-defend}} on one or more hosts, you can use automatic troubleshooting to check whether your endpoints have third-party AV software installed. Using the same kinds of large language model (LLM) connectors as Elastic AI Assistant, automatic troubleshooting can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected. 
+ +### Scan your hosts for AV software [_scan_your_hosts_for_av_software] + +1. Find **Endpoints** in the navigation menu or use the global search field. +2. Click on an endpoint to open its details flyout. +3. Under **Automatic Troubleshooting**, select an LLM connector, or [add](../ai/set-up-connectors-for-large-language-models-llm.md) a new one. +4. Click **Scan**. After a brief processing period, any detected AV products will appear under **Insights**. + +### Resolve incompatibilities [_resolve_incompatibilities] + +After a scan has completed, you can click the **Create trusted app** button to the right of a result to quickly add the associated AV program to {{elastic-defend}}'s trusted applications list. If the button is not clickable, you don’t have the [required privilege](trusted-applications.md). + +::::{important} +If you plan to use {{elastic-defend}} alongside third-party AV software, we recommend you that you both [allowlist {{elastic-endpoint}} in your AV](allowlist-elastic-endpoint-in-third-party-antivirus-apps.md) and [make the AV a trusted application](trusted-applications.md). +:::: diff --git a/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md b/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md deleted file mode 100644 index 6f5420ebbd..0000000000 --- a/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/serverless/current/identify-third-party-av-products.html -applies_to: - stack: preview 9.0 - serverless: - security: preview -products: - - id: cloud-serverless ---- - -# Identify antivirus software on your hosts [identify-third-party-av-products] - -::::{admonition} Technical preview -:class: important - -This feature is in technical preview. It may change in the future, and you should exercise caution when using it in production environments. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of GA features. -:::: - - -Third-party antivirus (AV) software installed on your hosts can interfere with {{elastic-defend}}. To mitigate issues with running third-party AV alongside {{elastic-defend}}, you first have to identify which AV is present. - -After you’ve installed {{elastic-defend}} on one or more hosts, you can use *Automatic Troubleshooting* to check whether your endpoints have third-party AV software installed. Using the same kinds of large language model (LLM) connectors as Elastic AI Assistant, Automatic Troubleshooting can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected. - -::::{admonition} Requirements -To use this feature, you need: - -* In serverless, a project with the Security Analytics Complete [feature tier](https://www.elastic.co/pricing/serverless-security). -* The **Automatic Troubleshooting: Read** or **Automatic Troubleshooting: All** security [sub-feature privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). - :::{note} - In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. - ::: -* A working [LLM connector](../ai/set-up-connectors-for-large-language-models-llm.md) for AI Assistant. 
-:::: - - -## Scan your hosts for AV software [_scan_your_hosts_for_av_software] - -1. Find **Endpoints** in the navigation menu or use the global search field. -2. Click on an endpoint to open its details flyout. -3. Under **Automatic Troubleshooting**, select an LLM connector, or [add](../ai/set-up-connectors-for-large-language-models-llm.md) a new one. -4. Click **Scan**. After a brief processing period, any detected AV products will appear under **Insights**. - - -## Resolve incompatibilities [_resolve_incompatibilities] - -After a scan has completed, you can click the **Create trusted app** button to the right of a result to quickly add the associated AV program to {{elastic-defend}}'s trusted applications list. If the button is not clickable, you don’t have the [required privilege](trusted-applications.md). - -::::{important} -If you plan to use {{elastic-defend}} alongside third-party AV software, we recommend you that you both [allowlist {{elastic-endpoint}} in your AV](allowlist-elastic-endpoint-in-third-party-antivirus-apps.md) and [make the AV a trusted application](trusted-applications.md). -:::: diff --git a/solutions/toc.yml b/solutions/toc.yml index 7c3c9ad6af..6d8f21cda9 100644 --- a/solutions/toc.yml +++ b/solutions/toc.yml @@ -626,7 +626,7 @@ toc: - file: security/manage-elastic-defend/optimize-elastic-defend.md - file: security/manage-elastic-defend/event-capture-elastic-defend.md - file: security/manage-elastic-defend/endpoint-protection-rules.md - - file: security/manage-elastic-defend/identify-antivirus-software-on-hosts.md + - file: security/manage-elastic-defend/automatic-troubleshooting.md - file: security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md - file: security/manage-elastic-defend/elastic-endpoint-self-protection-features.md - file: security/endpoint-response-actions.md From 373b600a5718b5a1f9f522c5c54e36acb13e82bc Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Fri, 3 Oct 2025 15:45:39 +0100 Subject: [PATCH 2/5] replace links --- solutions/security/ai/use-cases.md | 4 +++- .../elastic-defend-feature-privileges.md | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/solutions/security/ai/use-cases.md b/solutions/security/ai/use-cases.md index e62a95e730..1acbcaf832 100644 --- a/solutions/security/ai/use-cases.md +++ b/solutions/security/ai/use-cases.md 
@@ -27,6 +27,8 @@ In addition to AI Assistant and Attack Discovery, {{elastic-sec}} provides sever * [Automatic Import](/solutions/security/get-started/automatic-import.md): Helps you quickly parse, ingest, and create [ECS mappings](https://www.elastic.co/elasticsearch/common-schema) for data from sources that don’t yet have prebuilt Elastic integrations. This can accelerate your migration to {{elastic-sec}}, and help you quickly add new data sources to an existing SIEM solution in {{elastic-sec}}. * [Automatic Migration](/solutions/security/get-started/automatic-migration.md): Helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({{esql}}). If comparable Elastic-authored rules exist, it simplifies onboarding by mapping your rules to them. Otherwise, it creates custom rules on the fly so you can verify and edit them instead of writing them from scratch. -* [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md): Helps you quickly check whether your endpoints have third-party AV software installed by analyzing file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected. +* [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/automatic-troubleshooting.md): Helps you quickly check whether your endpoints have third-party AV software installed by analyzing file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected. + + {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Helps you detect any issues in {{elastic-defend}} integration policies and suggests remediation steps. 
diff --git a/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md b/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md index 5e070776cd..36133e813c 100644 --- a/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md +++ b/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md @@ -38,7 +38,7 @@ For each of the following sub-feature privileges, select the type of access you | | | | --- | --- | | **Endpoint List** | Access the [Endpoints](/solutions/security/manage-elastic-defend/endpoints.md) page, which lists all hosts running {{elastic-defend}}, and associated integration details. | -| **Automatic Troubleshooting** |Access [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md) to check if your hosts have third-party AV software installed.

**Note:** In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. | +| **Automatic Troubleshooting** |Access [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/automatic-troubleshooting.md) to check if your hosts have third-party AV software installed.

**Note:** In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. | | **Global Artifact Management** {applies_to}`stack: ga 9.1` | Manage global assignment of endpoint artifacts (e.g., trusted applications, event filters) across all spaces and policies. This privilege controls global assignment rights only; privileges for each artifact type are required for full artifact management. | | **Trusted Applications** | Access the [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md) page to remediate conflicts with other software, such as antivirus or endpoint security applications. | | **Host Isolation Exceptions** | Access the [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md) page to add specific IP addresses that isolated hosts can still communicate with. | From 22b5f14297b1cdce30d8871376f2e5121e87fa8a Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 6 Oct 2025 10:11:31 +0100 Subject: [PATCH 3/5] adds redirect --- redirects.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/redirects.yml b/redirects.yml index df7feba803..1796a0abe3 100644 --- a/redirects.yml +++ b/redirects.yml @@ -503,6 +503,8 @@ redirects: 'explore-analyze/query-filter/languages/sql-client-apps-tableau-desktop.md': 'elasticsearch://reference/query-languages/sql/sql-client-apps-tableau-desktop.md' 'explore-analyze/query-filter/languages/sql-client-apps-tableau-server.md': 'elasticsearch://reference/query-languages/sql/sql-client-apps-tableau-server.md' +# Related to https://github.com/elastic/docs-content/pull/3318 + 'solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md': 'solutions/security/manage-elastic-defend/automatic-troubleshooting.md' From 74c7dd8ea168e66b313416daaac8c57394188dc8 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Mon, 6 Oct 2025 10:59:21 +0100 Subject: [PATCH 4/5] address feedback --- .../security/manage-elastic-defend/automatic-troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/manage-elastic-defend/automatic-troubleshooting.md b/solutions/security/manage-elastic-defend/automatic-troubleshooting.md index b42e58303d..0986f2c550 100644 --- a/solutions/security/manage-elastic-defend/automatic-troubleshooting.md +++ b/solutions/security/manage-elastic-defend/automatic-troubleshooting.md @@ -52,7 +52,7 @@ To use this functionality, you need to enable [AI Assistant Knowledge Base](/sol ### Resolve policy issues -After a scan has completed, automatic troubleshooting suggests recommended next steps for each policy issue. These may include adjusting specific {{elastic-defend}} policy settings or reviewing conflicting host configurations. Click **Learn more** to the right of a result to open Elastic documentation, which provides more context and guidance for resolving the issue. +After a scan has completed, automatic troubleshooting suggests recommended next steps for each policy issue. These may include adjusting specific {{elastic-defend}} policy settings or reviewing conflicting host configurations. Where available, click **Learn more** to the right of a result to open Elastic documentation, which provides more context and guidance for resolving the issue. ## Identify antivirus software on your hosts [identify-third-party-av-products] From fbea2f76d986d5eba0b38cf06aafbf2504773c92 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Mon, 6 Oct 2025 14:19:59 +0100 Subject: [PATCH 5/5] Update solutions/security/ai/use-cases.md Co-authored-by: florent-leborgne --- solutions/security/ai/use-cases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/solutions/security/ai/use-cases.md b/solutions/security/ai/use-cases.md index 1acbcaf832..dc44d1ef21 100644 --- a/solutions/security/ai/use-cases.md +++ b/solutions/security/ai/use-cases.md @@ -29,6 +29,6 @@ In addition to AI Assistant and Attack Discovery, {{elastic-sec}} provides sever * [Automatic Migration](/solutions/security/get-started/automatic-migration.md): Helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({{esql}}). If comparable Elastic-authored rules exist, it simplifies onboarding by mapping your rules to them. Otherwise, it creates custom rules on the fly so you can verify and edit them instead of writing them from scratch. * [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/automatic-troubleshooting.md): Helps you quickly check whether your endpoints have third-party AV software installed by analyzing file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected. - {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Helps you detect any issues in {{elastic-defend}} integration policies and suggests remediation steps. + {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Helps you detect any issues in {{elastic-defend}} integration policies and suggests remediation steps.
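Review bot: In patch 1 (automatic-troubleshooting.md), the two "Scan your hosts" procedures describe the same Endpoints flyout, the same connector selection and the same Scan button but disagree on prerequisites, and the page never says whether a single scan returns both kinds of insight. The policy procedure inserts "4. If you don't already have AI Assistant Knowledge Base enabled, click **Setup Knowledge Base**" before Scan, while the AV procedure goes from "select an LLM connector" straight to "4. Click **Scan**". A reader who has not enabled Knowledge Base cannot tell from this text whether Scan will still produce AV insights, fail, or silently skip policy responses. Suggest collapsing the two into one procedure under the page-level Requirements, with Knowledge Base marked as required for policy-response insights only, or adding one sentence to each section stating what the scan returns without it.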
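Review bot: In patch 1, the {important} admonition at the end of automatic-troubleshooting.md carries the typo "we recommend you that you both [allowlist ...]" verbatim from the deleted identify-antivirus-software-on-hosts.md; since the paragraph is being moved anyway, fix it to "we recommend that you both". In the same file, the intro bullet "**Third-party antivirus (AV) software**: Identify installed third-party antivirus (AV) products" expands the abbreviation twice in one line; the second occurrence can be just "AV products".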
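Review bot: In patch 1, the AV section states that automatic troubleshooting "can analyze file event logs from your hosts" through "the same kinds of large language model (LLM) connectors as Elastic AI Assistant", and the policy section implies policy response details are processed the same way, but neither says what endpoint data is sent to the connector's provider. Because an LLM connector may point at a third-party hosted model, a security admin deciding whether to enable this feature needs to know that host names, file paths and policy response contents from monitored endpoints can leave the deployment. Suggest a short note in Requirements, or next to the connector step, that says which data is sent and points to the connector documentation the page already links to, so the reader can evaluate this before clicking Scan.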
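Review bot: In patch 2 (use-cases.md), the Automatic Troubleshooting bullet still defines the feature as the AV check ("Helps you quickly check whether your endpoints have third-party AV software installed by analyzing file event logs") and only appends the policy-response capability as a second paragraph tagged `{applies_to}`stack: ga 9.2` {applies_to}`serverless: ga``. Since the renamed page now presents both checks as equal problem areas, suggest rewording the bullet to lead with the general purpose (identify and resolve issues that prevent {{elastic-defend}} from working as intended) and then list the two checks, each with its own applies_to marker, so the overview matches the page it links to.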
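Review bot: In patch 2 (elastic-defend-feature-privileges.md), only the link target in the **Automatic Troubleshooting** row was changed; the description "to check if your hosts have third-party AV software installed" no longer matches the privilege's scope after patch 1, where the same sub-feature privilege also gates policy response insights. Suggest "to detect third-party AV software and {{elastic-defend}} policy response issues on your hosts" so that an admin granting **Automatic Troubleshooting: Read** understands both capabilities they are enabling.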
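Review bot: In patch 5 (use-cases.md), the removed and added lines in the `@@ -29,6 +29,6 @@` hunk are visibly identical, so this is a whitespace-only change (trailing space or end-of-file newline). The commit subject "Update solutions/security/ai/use-cases.md" gives no hint of that; suggest a subject such as "Fix trailing whitespace in use-cases.md" so reviewers do not search the hunk for a wording change, or squash it into patch 2, which introduced the line.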