Endpoint protection rules
Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by Elastic Endpoint, the installed component that performs Elastic Defend’s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different Elastic Defend protection features.
To receive Elastic Endpoint alerts, you must install Elastic Agent and the Elastic Defend integration on your hosts (refer to Install Elastic Defend).
When endpoint protection rules are triggered, Elastic Endpoint alerts are displayed as detection alerts in the Elastic Security app. The detection alert name is taken from the Elastic Endpoint alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following Elastic Endpoint alerts are displayed as detection alerts:
- Malware Prevention Alert
- Malware Detection Alert
Endpoint Security rule
The Endpoint Security rule automatically creates an alert from all incoming Elastic Endpoint alerts.
When you install Elastic prebuilt rules, the Endpoint Security rule is enabled by default.
Feature-specific protection rules
The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored for each of Elastic Defend’s endpoint protection features: malware, ransomware, memory threats, and malicious behavior. Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
- Behavior - Detected - Elastic Defend
- Behavior - Prevented - Elastic Defend
- Malicious File - Detected - Elastic Defend
- Malicious File - Prevented - Elastic Defend
- Memory Signature - Detected - Elastic Defend
- Memory Signature - Prevented - Elastic Defend
- Ransomware - Detected - Elastic Defend
- Ransomware - Prevented - Elastic Defend
If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
To use these rules, you need to manually enable them from the Rules page in the Elastic Security app. Follow the instructions for installing and enabling Elastic prebuilt rules.
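The recommendation above (run either the Endpoint Security rule or the feature-specific rules, not both) is easy to violate because the Endpoint Security rule is on by default and the feature-specific rules are enabled by hand. The following script is an added example, not code from the Elastic documentation or from Elastic. It audits the enabled state of these prebuilt rules, reports whether the configuration will produce duplicate alerts or no Elastic Endpoint alerts at all, and builds the Kibana Detection Engine bulk-action request bodies that switch to the feature-specific rules. The rule state it runs on is a constructed sample; the endpoint paths, header names and payload shape are my understanding of the Kibana Detection Engine API and should be checked against your stack version before use.

```python
"""Audit prebuilt endpoint protection rule state and plan the fix.

Added example, not Elastic's code. Assumptions (not from the page):
  - GET /api/detection_engine/rules/_find returns rules with "name" and
    "enabled" fields, and POST /api/detection_engine/rules/_bulk_action
    accepts {"action": "enable"|"disable", "query": <KQL>}.
  - Rules are matched by their exact prebuilt rule name.
"""
import json
import os
import urllib.request

ENDPOINT_SECURITY_RULE = "Endpoint Security"

# Feature-specific prebuilt rules listed on this page.
FEATURE_RULES = [
    "Behavior - Detected - Elastic Defend",
    "Behavior - Prevented - Elastic Defend",
    "Malicious File - Detected - Elastic Defend",
    "Malicious File - Prevented - Elastic Defend",
    "Memory Signature - Detected - Elastic Defend",
    "Memory Signature - Prevented - Elastic Defend",
    "Ransomware - Detected - Elastic Defend",
    "Ransomware - Prevented - Elastic Defend",
]


def audit(rules):
    """Classify rule state and plan the change to feature-specific rules.

    rules: iterable of {"name": str, "enabled": bool} (as in the _find
    response; other fields are ignored). Returns a dict with "state"
    ("duplicate", "no_coverage", "partial" or "ok") plus the rule names to
    "disable" and "enable" to reach a single, complete alerting path.
    """
    enabled = {r["name"] for r in rules if r.get("enabled")}
    catch_all_on = ENDPOINT_SECURITY_RULE in enabled
    feature_on = enabled & set(FEATURE_RULES)
    missing = sorted(set(FEATURE_RULES) - feature_on)
    plan = {"state": "ok", "disable": [], "enable": []}
    if catch_all_on and feature_on:
        # Both paths active: every Elastic Endpoint alert is surfaced twice.
        plan.update(state="duplicate", disable=[ENDPOINT_SECURITY_RULE], enable=missing)
    elif not catch_all_on and not feature_on:
        # Neither path active: Elastic Endpoint alerts never reach the Alerts table.
        plan.update(state="no_coverage", enable=[ENDPOINT_SECURITY_RULE])
    elif feature_on and missing:
        # Feature rules chosen but some protections have no rule enabled.
        plan.update(state="partial", enable=missing)
    return plan


def bulk_action_payload(action, names):
    """Body for POST /api/detection_engine/rules/_bulk_action, selecting
    rules by exact name with a KQL query (names contain spaces, so quote them)."""
    query = " OR ".join('alert.attributes.name:"%s"' % n for n in names)
    return {"action": action, "query": query}


def apply_plan(plan, kibana_url, api_key):
    """Send the bulk actions for a plan. Disable first so no window of
    duplicate alerts opens while the feature-specific rules come online."""
    for action in ("disable", "enable"):
        names = plan[action]
        if not names:
            continue
        body = json.dumps(bulk_action_payload(action, names)).encode()
        req = urllib.request.Request(
            kibana_url.rstrip("/") + "/api/detection_engine/rules/_bulk_action",
            data=body, method="POST",
            headers={"Authorization": "ApiKey " + api_key,
                     "kbn-xsrf": "true", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            print(action, resp.status, resp.read()[:200])


if __name__ == "__main__":
    # Constructed sample: Endpoint Security left on, two feature rules toggled.
    sample = [
        {"name": ENDPOINT_SECURITY_RULE, "enabled": True},
        {"name": "Malicious File - Prevented - Elastic Defend", "enabled": True},
        {"name": "Ransomware - Detected - Elastic Defend", "enabled": False},
    ]
    plan = audit(sample)
    print(json.dumps(plan, indent=2))
    if os.environ.get("KIBANA_URL") and os.environ.get("KIBANA_API_KEY"):
        apply_plan(plan, os.environ["KIBANA_URL"], os.environ["KIBANA_API_KEY"])
```

Feed `audit()` the `data` array from a real `_find` call (filter on the rule names above, and page through if you have many rules) and only call `apply_plan()` once the printed plan is what you expect; a "duplicate" result on a tenant that has been alerting for a while also means existing duplicate alerts in the Alerts table that this does not clean up.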
Endpoint security exception handling
All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing Elastic Endpoint exceptions continue to apply.