Skip to content

[Security] Advanced mode for trusted applications #2676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 26, 2025
Merged

[Security] Advanced mode for trusted applications #2676

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f4804e4
[Security] Advanced mode for trusted applications
natasha-moore-elastic Aug 22, 2025
6bf2af6
Merge branch 'main' into issue-1520-adv-t-a
natasha-moore-elastic Aug 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 41 additions & 7 deletions solutions/security/manage-elastic-defend/trusted-applications.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,12 +37,20 @@ To add a trusted application:

1. Find **Trusted applications** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
2. Click **Add trusted application**.
3. Fill in the following fields in the **Add trusted application** flyout:
3. Fill in these fields in the **Details** section:

* `Name your trusted application`: Enter a name for the trusted application.
* `Description`(Optional): Enter a description for the trusted application.
* `Select operating system`: Select the appropriate operating system from the drop-down.
* `Field`: Select a field to identify the trusted application:
1. `Name`: Enter a name for the trusted application.
2. `Description` (Optional): Enter a description for the trusted application.
4. Select an option in the **Conditions** section:

:::::{tab-set}

::::{tab-item} Basic

Define conditions based on the application's hash, executable path, or signer.

1. `Select operating system`: Select the appropriate operating system from the drop-down.
2. `Field`: Select a field to identify the trusted application:

* `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application’s executable.
* `Path`: The full file path of the application’s executable.
Expand All @@ -52,17 +60,43 @@ To add a trusted application:
To find the signer’s name for an application, go to **Discover** and query the process name of the application’s executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer’s name (for example, `McAfee, Inc.`).
::::

* `Operator`: Select an operator to define the condition:
3. `Operator`: Select an operator to define the condition:

* `is`: Must be *exactly* equal to `Value`; wildcards are not supported. This operator is required for the `Hash` and `Signature` field types.
* `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This option is only available for the `Path` field type. Available wildcards are `?` (match one character) and `*` (match zero or more characters).

* `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**.
4. `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**.

::::{note}
You can only add a single field type value per trusted application. For example, if you try to add two `Path` values, you’ll get an error message. Also, an application’s hash value must be valid to add it as a trusted application. In addition, to minimize visibility gaps in the {{security-app}}, be as specific as possible in your entries. For example, combine `Signature` information with a known `Path`.
::::

::::

::::{tab-item} Advanced

{applies_to}`stack: ga 9.2`

Define more complex conditions, such as trusting specific file paths or remote IP addresses.

1. `Select operating system`: Select the appropriate operating system from the drop-down.
2. `Field`: Select a field to identify the trusted application.
3. `Operator`: Select an operator to define the condition:
* `is`
* `is not`
* `is one of`
* `is not one of`
* `matches` | `does not match`: Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters).

::::{important}
Using wildcards can impact performance. To create a more efficient trusted application using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
::::

4. `Value`: Enter the value associated with the `Field`. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**.
5. To define multiple conditions, click `AND` and configure a new condition. You can also add nested conditions by selecting `Add nested condition`.

:::::

4. Select an option in the **Assignment** section to assign the trusted application to a specific integration policy:

* `Global`: Assign the trusted application to all integration policies for {{elastic-defend}}.
Expand Down
Loading