Configure self-healing rollback for Windows endpoints

Revert file changes on the Windows endpoints.

Elastic Defend's self-healing feature rolls back file changes on Windows endpoints when a prevention alert is generated by enabled protection features. File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert).

This can help contain the impact of malicious activity, as Elastic Defend not only stops the activity but also erases any attack artifacts deployed prior to detection.

Self-healing rollback requires the Endpoint Protection Complete project feature and is only supported for Windows endpoints.


This feature can cause permanent data loss since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but may also include incidental actions that aren't directly related to the threat.

Also, rollback is triggered by every Elastic Defend prevention alert, so you should tune your system to eliminate false positives before enabling this feature.

  1. In the Elastic Security app, go to AssetsPolicies, then select the integration policy you want to configure.
  2. Scroll down to the bottom of the policy and click Show advanced settings.
  3. Enter true for the setting windows.advanced.alerts.rollback.self_healing.enabled.
  4. Click Save.

On this page