Manage Elastic Defend

After deploying Elastic Defend, you can manage your protected endpoints, tune policies, and create exceptions to reduce false positives — all from within Elastic Security. These management tools give you centralized control over endpoint protection across your environment.

Elastic Security provides dedicated pages for each management area. Find them in the navigation menu or by using the global search field. Use them to monitor endpoint health, adjust protection policies, and define exceptions that keep Elastic Defend running smoothly alongside your existing software and workflows.

Your goal → Start here

  • View and monitor protected endpoints → Endpoints
  • Adjust protection settings or event collection → Policies
  • Reduce false positives from known software → Trusted applications, Event filters
  • Suppress false positive Elastic Endpoint alerts → Elastic Endpoint exceptions
  • Block known malicious applications → Blocklist
  • Understand different Elastic Endpoint configuration settings → Optimize Elastic Defend
  • Diagnose problems with Elastic Defend → Automatic troubleshooting, Troubleshoot Elastic Defend

The Endpoints page shows every host running Elastic Defend, including its status, policy assignment, and operating system. Use it to verify that endpoints are healthy, check which policy each host is using, and drill into individual endpoint details.

The Policies page lists all Elastic Defend integration policies. From here, you can open a policy to adjust its protection levels, event collection settings, and advanced options.

Exceptions and filters let you tailor Elastic Defend behavior to your environment, reducing noise without weakening protection.

  • Trusted applications: Exclude known-good applications (such as other security tools) from Elastic Defend monitoring to prevent performance issues and incompatibilities.
  • Trusted devices: Allow specific external storage devices to connect to protected hosts, overriding device control settings.
  • Event filters: Prevent high-volume or low-value endpoint events from being stored in Elasticsearch, reducing storage costs.
  • Host isolation exceptions: Allow isolated hosts to communicate with specific IP addresses while remaining blocked from the rest of the network.
  • Blocklist: Prevent specified applications from running on protected hosts, extending Elastic Defend's list of known-malicious processes.
  • Elastic Endpoint exceptions: Reduce false positives from endpoint protection rules by preventing Elastic Endpoint from generating alerts.

Elastic Defend includes built-in protection features and prebuilt detection rules that help secure your endpoints and prevent tampering.

Use these tools to diagnose issues, reduce resource usage, and understand how Elastic Defend collects event data.

  • Optimize Elastic Defend: Resolve performance issues like excessive CPU usage, high storage consumption, or software incompatibilities by tuning endpoint artifacts and exceptions.
  • Automatic troubleshooting: Identify and resolve common issues that could prevent Elastic Defend from working as intended, including policy response errors and third-party antivirus conflicts.
  • Event capture and Elastic Defend: Understand how Elastic Defend collects, aggregates, and deduplicates system event data to balance threat detection with storage and performance overhead.
  • Troubleshoot Elastic Defend: Resolve common issues such as Elastic Agent connectivity problems, policy failures, and malware prevention errors.