Endpoint Insights feature — Serverless

benironside · benironside · commit 100afe1fbd8c · 2025-01-24T14:53:49.000-08:00
diff --git a/docs/serverless/edr-manage/identify-third-party-AV-products.asciidoc b/docs/serverless/edr-manage/identify-third-party-AV-products.asciidoc
@@ -0,0 +1,34 @@
+[[identify-third-party-av-products]]
+= Use Endpoint Insights to find incompatible AV products on your hosts
+
+
+Third-party antivirus (AV) software installed on your hosts can interfere with {elastic-defend}. Issues with running third-party AV alongside {elastic-defend} can be mitigated, but first you have to identify which AV is present. 
+
+After you've installed {elastic-defend} on one or more hosts,  you can use **Endpoint Insights** to check whether your endpoints have third-party AV software installed. Using the same kinds of LLM connectors as Elastic AI Assistant, Endpoint Insights can analyze file event logs from your hosts to determine whether antivirus software is present. From there, you can address any incompatibilities to make sure your endpoints are protected.
+
+.Requirements
+[sidebar]
+--
+To use this feature, you need:
+
+* A Security Analytics Complete https://www.elastic.co/pricing/serverless-security[subscription].
+* The *Endpoint Insights: Read* or *Endpoint Insights: All* security sub-feature privilege.
+* A working <<security-llm-connector-guides,LLM connector>> for AI Assistant.
+--
+
+[discrete]
+== Start using Endpoint Insights
+
+* Find **Endpoints** in the navigation menu or use the global search field. 
+* Click on an endpoint to open its details flyout, then under *Endpoint Insights*, click **Endpoint Insights scan**.
+* Select an LLM connector, or <<security-llm-connector-guides,add>> a new one. 
+* Click *Scan*. After a brief processing period, any detected AV products will appear under *Insights*. 
+
+image::images/endpoint-insights-results.png[Endpoint Insights results with the "Create trusted app" button highlighted,60%]
+
+[discrete]
+== Resolve incompatibilities
+
+After a scan has completed, you can click the *Create trusted app* button to the right of a result to quickly add the associated AV program to {elastic-defend}'s trusted applications list.
+
+To resolve incompatibilities between {elastic-defend} and third-party AV software, we recommend you either uninstall the AV software, or <<security-allowlist-endpoint, allowlist {elastic-endpoint} in your AV>> and <<security-trusted-applications,make the AV a trusted application>>. 
diff --git a/docs/serverless/edr-manage/images/endpoint-insights-results.png b/docs/serverless/edr-manage/images/endpoint-insights-results.png
diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc
@@ -71,6 +71,7 @@ include::./edr-manage/blocklist.asciidoc[leveloffset=+3]
 include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3]
 include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3]
 include::./edr-manage/endpoint-protection-rules.asciidoc[leveloffset=+3]
+include::./edr-manage/identify-third-party-AV-products.asciidoc[leveloffset=+3]
 include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3]
 include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3]
 include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3]
