
Automatic troubleshooting

Applies to: Serverless Security projects; Elastic Stack GA 9.2.0

Automatic troubleshooting helps you identify and resolve issues that could prevent Elastic Defend from working as intended. This feature provides actionable insights into the following common problem areas:

  • Policy responses: Detect warnings or failures in Elastic Defend's integration policies.
  • Third-party antivirus (AV) software: Identify installed third-party AV products that may conflict with Elastic Defend.

With these checks, you can resolve configuration errors, address incompatibilities, and ensure that your hosts remain protected.

Requirements

To use this feature, you need:

  • In serverless, a project with the Security Analytics Complete feature tier.
  • The Automatic Troubleshooting: Read or Automatic Troubleshooting: All security sub-feature privilege.
    Note

    In Elastic Stack 9.0.0, this privilege is called Endpoint Insights.

  • A working LLM connector for AI Assistant.

Policy responses

Elastic Defend's integration policy statuses indicate whether protections are applied successfully to your hosts. Warnings or failures in these policies can weaken your security posture. Automatic troubleshooting helps you detect any issues and suggests remediation steps.

Requirements

To use this functionality, you need to enable AI Assistant Knowledge Base.

  1. Find Endpoints in the navigation menu or use the global search field.
  2. Click on an endpoint to open its details flyout.
  3. Under Automatic Troubleshooting, select an LLM connector, or add a new one.
  4. If you don't already have AI Assistant Knowledge Base enabled, click Setup Knowledge Base.
  5. Once Knowledge Base is enabled, click Scan. After a brief processing period, any detected warnings or failures in policy responses will appear under Insights.

After a scan has completed, automatic troubleshooting suggests recommended next steps for each policy issue. These may include adjusting specific Elastic Defend policy settings or reviewing conflicting host configurations. Where available, click Learn more to the right of a result to open Elastic documentation, which provides more context and guidance for resolving the issue.

Third-party antivirus software

Third-party antivirus software installed on your hosts can interfere with Elastic Defend. To mitigate issues with running third-party AV alongside Elastic Defend, you first have to identify which AV product is present.

After you’ve installed Elastic Defend on one or more hosts, you can use automatic troubleshooting to check whether your endpoints have third-party AV software installed. Using the same kinds of large language model (LLM) connectors as Elastic AI Assistant, automatic troubleshooting can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected.

  1. Find Endpoints in the navigation menu or use the global search field.
  2. Click on an endpoint to open its details flyout.
  3. Under Automatic Troubleshooting, select an LLM connector, or add a new one.
  4. Click Scan. After a brief processing period, any detected AV products will appear under Insights.

After a scan has completed, you can click the Create trusted app button to the right of a result to quickly add the associated AV program to Elastic Defend's trusted applications list. If the button is not clickable, you don’t have the required privilege.

Important

If you plan to use Elastic Defend alongside third-party AV software, we recommend that you both allowlist Elastic Endpoint in your AV and make the AV a trusted application in Elastic Defend.