IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [7.15] Manage
« Host isolation Event filters »

Trusted applicationsedit

Users with superuser role can add Windows, macOS, and Linux applications that should be trusted. By adding these trusted applications, you can use Elastic Security without compatibility or performance issues with other installed applications on your system. Trusted applications are applied only to hosts running Endpoint Security.

Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software. However, they create blindspots for Elastic Security. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted vendor’s process.

To add a trusted application:

  1. Go to ManageTrusted applications.
  2. Click Add trusted application.

  3. Fill in the following fields in the Add trusted application pane:

    • Name your trusted application: Enter a name for the trusted application.
    • Select operating system: Select the appropriate operating system from the drop-down.

    • Field: Select the appropriate field you want to use — Hash, Path, or (if you are adding a Windows trusted application) Signature.

      You can only add a single field type value per trusted application. For example, if you try to add two Path values, you’ll get an error message. Hash values must also be valid to add the trusted application. In addition, to minimize the gaps in visibility to the Security solution, be as specific as possible in your entries. For example, combine Signature information with known Paths.

    • Operator: Defaults to is ("equal to"). This cannot be changed.
    • Value: Enter the hash value or file path. To add an additional value, click AND.
    • Description(Optional): Enter a description for the trusted application.
  4. Click Add trusted application. The application appears in the Trusted applications list.

Trusted applications listedit

The Trusted applications list displays all the trusted applications that have been added to the Elastic Security app.

trusted apps list

Manage trusted applicationsedit

Filter trusted applicationsedit

To filter trusted applications by specific criteria, enter a simple search in the search bar. You can search the following attributes:

  • name
  • description
  • value
Remove a trusted applicationedit
  1. Find the appropriate application and click Remove.
  2. On the dialog that opens, verify that you are removing the correct application, then click Remove trusted application. A confirmation message is displayed.
remove app
« Host isolation Event filters »