Overview

The Elastic Agent is a host service that lets groups send data to our Elastic stack, our Security Information and Event Management (SIEM) system, and that lets the Security Operations team secure and protect those hosts through the "Defend" integration. Defend enables Elastic to function as an EDR (Endpoint Detection and Response) for hosts. System and Information Integrity control SI-3 requires the use of software to safeguard devices; Elastic Defend is that software.

You can find the installation instructions here.

Expected Binaries

A successful install of the Elastic Agent should, after a short delay rather than immediately, result in several different binaries running on the host. Those binaries are:

  • elastic-agent.exe
  • elastic-endpoint.exe
  • agentbeat.exe
  • osquery-extension.exe
  • osqueryd.exe

note

Other operating systems should have the same or similarly named processes (without the file extension).

Elastic Defend Resource Usage

The Elastic Agent is the backbone of Elastic Defend, our advanced Endpoint Detection and Response (EDR) solution. Elastic Defend continuously monitors your system for critical threats, including:

  • Malware
  • Ransomware
  • Memory-based threats
  • Malicious behavior

By actively analyzing these risks, Elastic Defend keeps your host secure. Monitoring a host for those kinds of threats consumes system resources, and, to maintain effective protection, resource usage may increase or momentarily spike during heavy load, scanning, or active threat-detection tasks.

Expected Resource Utilization

These ballparks are for the elastic-endpoint process. The estimates vary with the operating system, configuration, and workload. Deviation from these ballparks is not a concern unless it is both significant and persistent.

RAM

  • RAM usage in the ballpark of 200-300 MB is normal and expected.
  • This may increase during intensive tasks like active scanning or threat detection.

CPU

  • As an average, expect a ballpark of around 5% CPU (total) use.
  • This may increase during intensive tasks like active scanning or threat detection.
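As an added example (not Elastic's tooling or this page's own code), a small Python health check that ties the expected-binary list to the resource ballparks: it reports which expected binaries are absent from a process snapshot and flags elastic-endpoint only when a deviation is both significant and persistent across a window of samples, so a momentary scan-time spike is not reported. The "significant" threshold (double the upper ballpark) and the three-sample window are assumptions, and the snapshot data is constructed; a real snapshot would be parsed from `tasklist` on Windows or `ps` on other systems.

```python
# Added example: Elastic Agent / Defend host health check on process snapshots.
from dataclasses import dataclass

# Binaries the page says a finished install should be running (Windows names; other
# operating systems use the same names without the extension).
EXPECTED_BINARIES = ["elastic-agent", "elastic-endpoint", "agentbeat",
                     "osquery-extension", "osqueryd"]
# Ballparks for the elastic-endpoint process taken from the page.
RAM_BALLPARK_MB = (200, 300)
CPU_BALLPARK_PCT = 5.0

@dataclass
class Proc:
    name: str       # process image name as reported by the OS
    rss_mb: float   # resident memory in MB
    cpu_pct: float  # total CPU percentage at sample time

def normalize(name: str) -> str:
    """Strip the Windows extension so names compare equal across operating systems."""
    return name.lower().removesuffix(".exe")

def missing_binaries(snapshot: list[Proc]) -> list[str]:
    """Expected binaries that are absent from a single process snapshot."""
    running = {normalize(p.name) for p in snapshot}
    return [b for b in EXPECTED_BINARIES if b not in running]

def endpoint_deviates(sample: Proc, factor: float = 2.0) -> bool:
    """'Significant' is an assumed threshold: more than `factor` times the upper ballpark."""
    return (sample.rss_mb > RAM_BALLPARK_MB[1] * factor
            or sample.cpu_pct > CPU_BALLPARK_PCT * factor)

def persistent_deviation(samples: list[Proc], min_samples: int = 3) -> bool:
    """True only when every elastic-endpoint sample in the window deviates, so a single
    spike during scanning (which the page says is expected) is not reported."""
    endpoint = [s for s in samples if normalize(s.name) == "elastic-endpoint"]
    return len(endpoint) >= min_samples and all(endpoint_deviates(s) for s in endpoint)

# Constructed sample data: a snapshot where osqueryd has not started yet, a window with
# one spike, and a window where the deviation is sustained.
SNAPSHOT = [Proc("elastic-agent.exe", 80, 0.5), Proc("elastic-endpoint.exe", 250, 4.0),
            Proc("agentbeat.exe", 120, 1.0), Proc("osquery-extension.exe", 30, 0.2)]
SPIKE_WINDOW = [Proc("elastic-endpoint.exe", 900, 30.0), Proc("elastic-endpoint.exe", 240, 3.0),
                Proc("elastic-endpoint.exe", 260, 4.0)]
SUSTAINED_WINDOW = [Proc("elastic-endpoint.exe", 900, 30.0)] * 3

if __name__ == "__main__":
    print("missing binaries:", missing_binaries(SNAPSHOT))
    print("spike window is a concern:", persistent_deviation(SPIKE_WINDOW))
    print("sustained window is a concern:", persistent_deviation(SUSTAINED_WINDOW))
```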

Process Termination

Occasionally there is sufficient reason for Elastic to outright kill a process. This should be extremely rare. Alerts generated by the product are primarily reviewed by the System (TAMUS), which also proactively creates exceptions for activity that should not be blocked. However, if Elastic does kill a process, you can reach out to security@tamu.edu to have the event evaluated and, where appropriate, an exception created.

Please include information like the hostname, timeframe, and process being killed.

warning

For after-hours, business-critical concerns about Elastic killing a process, please contact Help Desk Central and ask to be directed to the IOC so they can page the Security Response Team.

Their number is (979) 845-8300.

Supported Operating Systems and Processor Architectures

Elastic publishes a table detailing supported operating systems; you can find that information here. The most relevant sections are the Elastic Agent and Elastic Defend tables. There are some limitations on supported devices.

Chief among those (at the time of this publication):

  • Elastic Agent is not supported on 32-bit operating systems.
  • Elastic Agent is not supported for Windows operating systems running on ARM processors.
    • Continue to use CrowdStrike for these devices.

Appropriate Use

A host that has the Elastic Agent installed and is enrolled in a Defend-enabled agent policy will end up running Elastic Defend. Elastic Defend will be universally installed on hosts that can accommodate it unless there is a CISO-approved exception.

Additional Information

Information technology professionals on campus may contact endpoint-security@tamu.edu to ask any questions, request additional information, or request access to the agent installers.