Configure self-healing rollback for Windows endpoints
editConfigure self-healing rollback for Windows endpoints
editEndpoint and Cloud Security’s self-healing feature rolls back file changes on Windows endpoints when a prevention alert is generated by enabled protection features. File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert).
This can help contain the impact of malicious activity, as Endpoint and Cloud Security not only stops the activity but also erases any attack artifacts deployed prior to detection.
Self-healing rollback is a Platinum or Enterprise subscription feature and is only supported for Windows endpoints.
This feature can cause permanent data loss since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but may also include incidental actions that aren’t directly related to the threat.
Also, rollback is triggered by every Endpoint and Cloud Security prevention alert, so you should tune your system to eliminate false positives before enabling this feature.
- In the Elastic Security app, go to Manage → Policies, then select the integration policy you want to configure.
- Scroll down to the bottom of the policy and click Show advanced settings.
-
Enter
true
for the settingwindows.advanced.alerts.rollback.self_healing.enabled
. - Click Save.