Configure self-healing rollback for Windows endpoints

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Elastic Defend’s self-healing feature rolls back file changes on Windows endpoints when a prevention alert is generated by enabled protection features. File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert).

This can help contain the impact of malicious activity, as Elastic Defend not only stops the activity but also erases any attack artifacts deployed prior to detection.

Self-healing rollback requires the Endpoint Protection Complete project feature and is only supported for Windows endpoints.

This feature can cause permanent data loss since it overwrites recent changes and deletes recently added files on the host. Self-healing rollback targets the changes related to a detected threat, but may also include incidental actions that aren’t directly related to the threat.

Also, rollback is triggered by every Elastic Defend prevention alert, so you should tune your system to eliminate false positives before enabling this feature.

  1. In the Elastic Security app, go to AssetsPolicies, then select the integration policy you want to configure.
  2. Scroll down to the bottom of the policy and click Show advanced settings.
  3. Enter true for the setting windows.advanced.alerts.rollback.self_healing.enabled.
  4. Click Save.