Trusted applicationsedit

Users with the superuser role can add Windows, macOS, and Linux applications that should be trusted. By adding these trusted applications, you can use Elastic Security without compatibility or performance issues with other installed applications on your system. Trusted applications are applied only to hosts running Endpoint Security.

Trusted applications are designed to help mitigate performance issues and incompatibilities with other endpoint software. However, they create blindspots for Elastic Security. One avenue attackers use to exploit these blindspots is by DLL (Dynamic Link Library) side-loading, where they leverage processes signed by trusted vendors — such as antivirus software — to execute their malicious DLLs. Such activity appears to originate from the trusted vendor’s process.

By default, a trusted application is recognized globally across all hosts running Endpoint Security. If you have a Platinum or Enterprise subscription, you can also assign a trusted application to a specific Endpoint Security integration policy, enabling the application to be trusted by only the hosts assigned to that policy.

To add a trusted application:

  1. Go to ManageTrusted applications.
  2. Click Add trusted application.
  3. Fill in the following fields in the Add trusted application pane:

    • Name your trusted application: Enter a name for the trusted application.
    • Description(Optional): Enter a description for the trusted application.
    • Select operating system: Select the appropriate operating system from the drop-down.
    • Field: Select the appropriate field you want to use — Hash, Path, or (if you’re adding a trusted application on Windows) Signature.

      You can only add a single field type value per trusted application. For example, if you try to add two Path values, you’ll get an error message. Hash values must also be valid to add the trusted application. In addition, to minimize visibility gaps in the Elastic Security app, be as specific as possible in your entries. For example, combine Signature information with known Paths.

    • Operator: Select an operator to define the condition:

      • is: Must be exactly equal to Value. This operation is required for the Hash and Signature field types.
      • matches: Can include wildcards in Value, such as C:\path\*\app.exe. This option is only available for the Path field type. Available wildcards are ? (match one character) and * (match zero or more characters).
    • Value: Enter the hash value or file path. To add an additional value, click AND.
  4. Select an option in the Assignment section to assign the trusted application to a specific integration policy:

    • Global: Assign the trusted application to all integration policies for Endpoint Security.
    • Per Policy (Platinum or Enterprise subscription only): Assign the trusted application to one or more specific Endpoint Security integration policies. Select each policy in which you want the application to be trusted.

      You can also select the Per Policy option without assigning a policy to the trusted application at this time. For example, you could do this if you want to create and review your trusted application configurations before putting them into action with a policy.

  5. Click Add trusted application. The application is added to the Trusted applications list.

View and manage trusted applicationsedit

The Trusted applications list displays all the trusted applications that have been added to the Elastic Security app. To refine the Trusted applications list, enter a query in the search bar. You can search by name, description, or a field value.

trusted apps list

Edit a trusted applicationedit

You can change the configuration of each trusted application. If you have a Platinum or Enterprise subscription, you can also change the policy assigned to a trusted application.

To edit a trusted application:

  1. Click the actions button (…​​) for the trusted application you want to edit, then select Edit trusted application.
  2. Modify details as needed.
  3. Click Save.

Delete a trusted applicationedit

You can delete a trusted application, which removes it entirely from all Endpoint Security policies.

To delete a trusted application:

  1. Click the actions button (…​) for the trusted application you want to delete, then select Delete trusted application.
  2. On the dialog that opens, verify that you are removing the correct application, then click Delete. A confirmation message is displayed.