Endpoint protection rules
Endpoint protection rules are prebuilt rules designed to help you manage and respond to alerts generated by Elastic Endpoint, the installed component that performs Elastic Defend’s threat monitoring and prevention. These rules include the Endpoint Security rule as well as additional detection and prevention rules for different Elastic Defend protection features.
To receive Elastic Endpoint alerts, you must install Elastic Agent and the Elastic Defend integration on your hosts (refer to Install Elastic Defend).
When endpoint protection rules are triggered, Elastic Endpoint alerts are displayed as detection alerts in the Elastic Security app. The detection alert name is taken from the Elastic Endpoint alert message and overwrites the prebuilt rule name in the Alerts table. For example, for malware protection, the following Elastic Endpoint alerts are displayed as detection alerts:
- Malware Prevention Alert
- Malware Detection Alert
Endpoint Security rule
The Endpoint Security rule automatically creates an alert from all incoming Elastic Endpoint alerts.
When you install Elastic prebuilt rules, the Endpoint Security rule is enabled by default.
Feature-specific protection rules
The following endpoint protection rules give you more granular control over how you handle the generated alerts. These rules are tailored to each of Elastic Defend’s endpoint protection features (malware, ransomware, memory threats, and malicious behavior). Enabling these rules allows you to configure more specific actions based on the protection feature and whether the malicious activity was prevented or detected.
- Behavior - Detected - Elastic Defend
- Behavior - Prevented - Endpoint Defend
- Malicious File - Detected - Elastic Defend
- Malicious File - Prevented - Elastic Defend
- Memory Signature - Detected - Elastic Defend
- Memory Signature - Prevented - Elastic Defend
- Ransomware - Detected - Elastic Defend
- Ransomware - Prevented - Elastic Defend
If you choose to use the feature-specific protection rules, we recommend that you disable the Endpoint Security rule, as using both will result in duplicate alerts.
To use these rules, you need to manually enable them from the Rules page in the Elastic Security app. Follow the instructions for installing and enabling Elastic prebuilt rules.
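The two configurations described above (the single Endpoint Security rule, or the feature-specific rules with Endpoint Security disabled) can be checked mechanically. The following is an added example, not Elastic's own code; it assumes rule records shaped like the Kibana detection engine rules API output (a `name` and an `enabled` field per rule) and runs on a constructed sample rather than a live API call.

```python
"""Audit which Elastic Defend endpoint protection rules are enabled.

Added example, not Elastic's code. Assumes rule records with ``name`` and
``enabled`` fields, as returned by the detection engine rules API, and uses
a constructed sample instead of calling the API.
"""

ENDPOINT_SECURITY_RULE = "Endpoint Security"

# Feature-specific protection rules, named exactly as the page lists them.
FEATURE_RULES = {
    "Behavior - Detected - Elastic Defend",
    "Behavior - Prevented - Endpoint Defend",
    "Malicious File - Detected - Elastic Defend",
    "Malicious File - Prevented - Elastic Defend",
    "Memory Signature - Detected - Elastic Defend",
    "Memory Signature - Prevented - Elastic Defend",
    "Ransomware - Detected - Elastic Defend",
    "Ransomware - Prevented - Elastic Defend",
}


def audit_endpoint_rules(rules):
    """Return findings about the endpoint protection rule configuration.

    duplicate_alerts: Endpoint Security and a feature-specific rule are both
      enabled, so every Elastic Endpoint alert is surfaced twice.
    no_coverage: neither approach is enabled, so Elastic Endpoint alerts never
      appear as detection alerts at all.
    missing_feature_rules: feature-specific rules left disabled; a coverage gap
      only when the feature-specific approach is the one in use.
    """
    enabled = {r["name"] for r in rules if r.get("enabled")}
    umbrella_on = ENDPOINT_SECURITY_RULE in enabled
    feature_on = sorted(FEATURE_RULES & enabled)
    return {
        "duplicate_alerts": umbrella_on and bool(feature_on),
        "no_coverage": not umbrella_on and not feature_on,
        "enabled_feature_rules": feature_on,
        "missing_feature_rules": sorted(FEATURE_RULES - enabled),
    }


# Constructed sample: the default Endpoint Security rule was left on after two
# feature-specific rules were enabled, the duplicate-alert case the page warns about.
SAMPLE_RULES = [
    {"name": "Endpoint Security", "enabled": True},
    {"name": "Malicious File - Prevented - Elastic Defend", "enabled": True},
    {"name": "Ransomware - Prevented - Elastic Defend", "enabled": True},
    {"name": "Ransomware - Detected - Elastic Defend", "enabled": False},
]

if __name__ == "__main__":
    for key, value in audit_endpoint_rules(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```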
Endpoint security exception handling
All endpoint protection rules share a common exception list called the Endpoint Security Exception List. This ensures that if you switch between using the Endpoint Security rule and the feature-specific protection rules, your existing Elastic Endpoint exceptions continue to apply.