|
| 1 | +--- |
| 2 | +mapped_pages: |
| 3 | + - https://www.elastic.co/guide/en/serverless/current/identify-third-party-av-products.html |
| 4 | +applies_to: |
| 5 | + stack: ga 9.2, preview 9.0 |
| 6 | + serverless: |
| 7 | + security: ga |
| 8 | +products: |
| 9 | + - id: security |
| 10 | + - id: cloud-serverless |
| 11 | +--- |
| 12 | + |
| 13 | +# Automatic troubleshooting |
| 14 | + |
| 15 | +Automatic troubleshooting helps you identify and resolve issues that could prevent {{elastic-defend}} from working as intended. This feature provides actionable insights into the following common problem areas: |
| 16 | + |
| 17 | +* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` **Policy responses**: Detect warnings or failures in {{elastic-defend}}’s integration policies. |
| 18 | +* **Third-party antivirus (AV) software**: Identify installed third-party antivirus (AV) products that may conflict with {{elastic-defend}}. |
| 19 | + |
| 20 | +With these checks, you can resolve configuration errors, address incompatibilities, and ensure that your hosts remain protected. |
| 21 | + |
| 22 | +::::{admonition} Requirements |
| 23 | +To use this feature, you need: |
| 24 | + |
| 25 | +* In serverless, a project with the Security Analytics Complete [feature tier](https://www.elastic.co/pricing/serverless-security). |
| 26 | +* The **Automatic Troubleshooting: Read** or **Automatic Troubleshooting: All** security [sub-feature privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). |
| 27 | + :::{note} |
| 28 | + In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. |
| 29 | + ::: |
| 30 | +* A working [LLM connector](../ai/set-up-connectors-for-large-language-models-llm.md) for AI Assistant. |
| 31 | +:::: |
| 32 | + |
| 33 | +## Troubleshoot policy issues |
| 34 | +```yaml {applies_to} |
| 35 | +stack: ga 9.2 |
| 36 | +serverless: ga |
| 37 | +``` |
| 38 | +
|
| 39 | +{{elastic-defend}}'s integration policy statuses indicate whether protections are applied successfully to your hosts. Warnings or failures in these policies can weaken your security posture. Automatic troubleshooting helps you detect any issues and suggests remediation steps. |
| 40 | +
|
| 41 | +::::{admonition} Requirements |
| 42 | +To use this functionality, you need to enable [AI Assistant Knowledge Base](/solutions/security/ai/ai-assistant-knowledge-base.md). |
| 43 | +:::: |
| 44 | +
|
| 45 | +### Scan your hosts for policy issues |
| 46 | +
|
| 47 | +1. Find **Endpoints** in the navigation menu or use the global search field. |
| 48 | +2. Click on an endpoint to open its details flyout. |
| 49 | +3. Under **Automatic Troubleshooting**, select an LLM connector, or [add](../ai/set-up-connectors-for-large-language-models-llm.md) a new one. |
| 50 | +4. If you don't already have AI Assistant Knowledge Base enabled, click **Setup Knowledge Base**. |
| 51 | +5. Once Knowledge Base is enabled, click **Scan**. After a brief processing period, any detected warnings or failures in policy responses will appear under **Insights**. |
| 52 | +
|
| 53 | +### Resolve policy issues |
| 54 | +
|
| 55 | +After a scan has completed, automatic troubleshooting suggests recommended next steps for each policy issue. These may include adjusting specific {{elastic-defend}} policy settings or reviewing conflicting host configurations. Where available, click **Learn more** to the right of a result to open Elastic documentation, which provides more context and guidance for resolving the issue. |
| 56 | +
|
| 57 | +## Identify antivirus software on your hosts [identify-third-party-av-products] |
| 58 | +
|
| 59 | +Third-party antivirus software installed on your hosts can interfere with {{elastic-defend}}. To mitigate issues with running third-party AV alongside {{elastic-defend}}, you first have to identify which AV is present. |
| 60 | +
|
| 61 | +After you’ve installed {{elastic-defend}} on one or more hosts, you can use automatic troubleshooting to check whether your endpoints have third-party AV software installed. Using the same kinds of large language model (LLM) connectors as Elastic AI Assistant, automatic troubleshooting can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected. |
| 62 | +
|
| 63 | +### Scan your hosts for AV software [_scan_your_hosts_for_av_software] |
| 64 | +
|
| 65 | +1. Find **Endpoints** in the navigation menu or use the global search field. |
| 66 | +2. Click on an endpoint to open its details flyout. |
| 67 | +3. Under **Automatic Troubleshooting**, select an LLM connector, or [add](../ai/set-up-connectors-for-large-language-models-llm.md) a new one. |
| 68 | +4. Click **Scan**. After a brief processing period, any detected AV products will appear under **Insights**. |
| 69 | +
|
| 70 | +### Resolve incompatibilities [_resolve_incompatibilities] |
| 71 | +
|
| 72 | +After a scan has completed, you can click the **Create trusted app** button to the right of a result to quickly add the associated AV program to {{elastic-defend}}'s trusted applications list. If the button is not clickable, you don’t have the [required privilege](trusted-applications.md). |
| 73 | +
|
| 74 | +::::{important} |
| 75 | +If you plan to use {{elastic-defend}} alongside third-party AV software, we recommend you that you both [allowlist {{elastic-endpoint}} in your AV](allowlist-elastic-endpoint-in-third-party-antivirus-apps.md) and [make the AV a trusted application](trusted-applications.md). |
| 76 | +:::: |
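Review bot: line 75 of the new file has a doubled pronoun, "we recommend you that you both", which should read "we recommend that you both [allowlist {{elastic-endpoint}} in your AV] and [make the AV a trusted application]". Two smaller points in the same hunk: line 61 says the scan uses "the same kinds of large language model (LLM) connectors as Elastic AI Assistant" to "analyze file event logs from your hosts", so the Requirements admonition at lines 22 to 31 (or a note next to line 61) should state plainly that host file event data is sent to whichever LLM connector the reader selects, so they can choose a connector that fits their data-handling policy before clicking **Scan**; and step 4 at line 50 ("If you don't already have AI Assistant Knowledge Base enabled, click **Setup Knowledge Base**") restates the Requirements admonition at lines 41 to 43, so one of the two could refer to the other instead of repeating it.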