elastic · natasha-moore-elastic · Oct 3, 2025 · Oct 3, 2025 · Oct 6, 2025 · Oct 6, 2025
@@ -503,6 +503,8 @@ redirects:
   'explore-analyze/query-filter/languages/sql-client-apps-tableau-desktop.md': 'elasticsearch://reference/query-languages/sql/sql-client-apps-tableau-desktop.md'
   'explore-analyze/query-filter/languages/sql-client-apps-tableau-server.md': 'elasticsearch://reference/query-languages/sql/sql-client-apps-tableau-server.md'
 
+# Related to https://github.com/elastic/docs-content/pull/3318
+  'solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md': 'solutions/security/manage-elastic-defend/automatic-troubleshooting.md'
 
 
 

@@ -27,6 +27,8 @@ In addition to AI Assistant and Attack Discovery, {{elastic-sec}} provides sever
 
 * [Automatic Import](/solutions/security/get-started/automatic-import.md): Helps you quickly parse, ingest, and create [ECS mappings](https://www.elastic.co/elasticsearch/common-schema) for data from sources that don’t yet have prebuilt Elastic integrations. This can accelerate your migration to {{elastic-sec}}, and help you quickly add new data sources to an existing SIEM solution in {{elastic-sec}}.
 * [Automatic Migration](/solutions/security/get-started/automatic-migration.md): Helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({{esql}}). If comparable Elastic-authored rules exist, it simplifies onboarding by mapping your rules to them. Otherwise, it creates custom rules on the fly so you can verify and edit them instead of writing them from scratch.
-* [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md): Helps you quickly check whether your endpoints have third-party AV software installed by analyzing file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected.
+* [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/automatic-troubleshooting.md): Helps you quickly check whether your endpoints have third-party AV software installed by analyzing file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected.
+
+  {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` Helps you detect any issues in {{elastic-defend}} integration policies and  suggests remediation steps.
 
 
@@ -38,7 +38,7 @@ For each of the following sub-feature privileges, select the type of access you
 |     |     |
 | --- | --- |
 | **Endpoint List** | Access the [Endpoints](/solutions/security/manage-elastic-defend/endpoints.md) page, which lists all hosts running {{elastic-defend}}, and associated integration details. |
-| **Automatic Troubleshooting** |Access [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md) to check if your hosts have third-party AV software installed.<br><br>**Note:** In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. |
+| **Automatic Troubleshooting** |Access [Automatic Troubleshooting](/solutions/security/manage-elastic-defend/automatic-troubleshooting.md) to check if your hosts have third-party AV software installed.<br><br>**Note:** In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**. |
 | **Global Artifact Management** {applies_to}`stack: ga 9.1` | Manage global assignment of endpoint artifacts (e.g., trusted applications, event filters) across all spaces and policies. This privilege controls global assignment rights only; privileges for each artifact type are required for full artifact management. |
 | **Trusted Applications** | Access the [Trusted applications](/solutions/security/manage-elastic-defend/trusted-applications.md) page to remediate conflicts with other software, such as antivirus or endpoint security applications. |
 | **Host Isolation Exceptions** | Access the [Host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md) page to add specific IP addresses that isolated hosts can still communicate with. |

@@ -0,0 +1,76 @@
+---
+mapped_pages:
+  - https://www.elastic.co/guide/en/serverless/current/identify-third-party-av-products.html
+applies_to:
+  stack: ga 9.2, preview 9.0
+  serverless:
+    security: ga
+products:
+  - id: security
+  - id: cloud-serverless
+---
+
+# Automatic troubleshooting
+
+Automatic troubleshooting helps you identify and resolve issues that could prevent {{elastic-defend}} from working as intended. This feature provides actionable insights into the following common problem areas:
+
+* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` **Policy responses**: Detect warnings or failures in {{elastic-defend}}’s integration policies.
+* **Third-party antivirus (AV) software**: Identify installed third-party antivirus (AV) products that may conflict with {{elastic-defend}}.
+
+With these checks, you can resolve configuration errors, address incompatibilities, and ensure that your hosts remain protected.
+
+::::{admonition} Requirements
+To use this feature, you need:
+
+* In serverless, a project with the Security Analytics Complete [feature tier](https://www.elastic.co/pricing/serverless-security).
+* The **Automatic Troubleshooting: Read** or **Automatic Troubleshooting: All** security [sub-feature privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md).
+   :::{note}
+   In {{stack}} 9.0.0, this privilege is called **Endpoint Insights**.
+   :::
+* A working [LLM connector](../ai/set-up-connectors-for-large-language-models-llm.md) for AI Assistant.
+::::
+
+## Troubleshoot policy issues
+```yaml {applies_to}
+stack: ga 9.2
+serverless: ga
+```
+
+{{elastic-defend}}'s integration policy statuses indicate whether protections are applied successfully to your hosts. Warnings or failures in these policies can weaken your security posture. Automatic troubleshooting helps you detect any issues and suggests remediation steps.
+
+::::{admonition} Requirements
+To use this functionality, you need to enable [AI Assistant Knowledge Base](/solutions/security/ai/ai-assistant-knowledge-base.md).
+::::
+
+### Scan your hosts for policy issues 
+
+1. Find **Endpoints** in the navigation menu or use the global search field.  
+2. Click on an endpoint to open its details flyout.  
+3. Under **Automatic Troubleshooting**, select an LLM connector, or [add](../ai/set-up-connectors-for-large-language-models-llm.md) a new one.
+4. If you don't already have AI Assistant Knowledge Base enabled, click **Setup Knowledge Base**. 
+5. Once Knowledge Base is enabled, click **Scan**. After a brief processing period, any detected warnings or failures in policy responses will appear under **Insights**.  
+
+### Resolve policy issues 
+
+After a scan has completed, automatic troubleshooting suggests recommended next steps for each policy issue. These may include adjusting specific {{elastic-defend}} policy settings or reviewing conflicting host configurations. Click **Learn more** to the right of a result to open Elastic documentation, which provides more context and guidance for resolving the issue.
+
+## Identify antivirus software on your hosts [identify-third-party-av-products]
+
+Third-party antivirus software installed on your hosts can interfere with {{elastic-defend}}. To mitigate issues with running third-party AV alongside {{elastic-defend}}, you first have to identify which AV is present.
+
+After you’ve installed {{elastic-defend}} on one or more hosts, you can use automatic troubleshooting to check whether your endpoints have third-party AV software installed. Using the same kinds of large language model (LLM) connectors as Elastic AI Assistant, automatic troubleshooting can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected.
+
+### Scan your hosts for AV software [_scan_your_hosts_for_av_software]
+
+1. Find **Endpoints** in the navigation menu or use the global search field.
+2. Click on an endpoint to open its details flyout.
+3. Under **Automatic Troubleshooting**, select an LLM connector, or [add](../ai/set-up-connectors-for-large-language-models-llm.md) a new one.
+4. Click **Scan**. After a brief processing period, any detected AV products will appear under **Insights**.
+
+### Resolve incompatibilities [_resolve_incompatibilities]
+
+After a scan has completed, you can click the **Create trusted app** button to the right of a result to quickly add the associated AV program to {{elastic-defend}}'s trusted applications list. If the button is not clickable, you don’t have the [required privilege](trusted-applications.md).
+
+::::{important}
+If you plan to use {{elastic-defend}} alongside third-party AV software, we recommend you that you both [allowlist {{elastic-endpoint}} in your AV](allowlist-elastic-endpoint-in-third-party-antivirus-apps.md) and [make the AV a trusted application](trusted-applications.md).
+::::
@@ -626,7 +626,7 @@ toc:
           - file: security/manage-elastic-defend/optimize-elastic-defend.md
           - file: security/manage-elastic-defend/event-capture-elastic-defend.md
           - file: security/manage-elastic-defend/endpoint-protection-rules.md
-          - file: security/manage-elastic-defend/identify-antivirus-software-on-hosts.md
+          - file: security/manage-elastic-defend/automatic-troubleshooting.md
           - file: security/manage-elastic-defend/allowlist-elastic-endpoint-in-third-party-antivirus-apps.md
           - file: security/manage-elastic-defend/elastic-endpoint-self-protection-features.md
       - file: security/endpoint-response-actions.md