
EDR - Endpoint Detection & Response

Overview

The Elastic Agent is a host service that lets groups send data to our Elastic stack, our Security Information and Event Management (SIEM) platform, and lets the Security Operations team secure and protect those hosts through the “Defend” integration. Defend enables Elastic to function as an EDR (Endpoint Detection and Response) for hosts. System and Information Integrity (SI-3) requires the use of software to safeguard devices. Elastic Defend is that software.

For installation instructions, see Elastic Installation Guide.

Expected Binaries

A successful install of the Elastic Agent should end up with several different binaries running on the host. Those binaries are:

  • elastic-agent.exe
  • elastic-endpoint.exe
  • agentbeat.exe
  • osquery-extension.exe
  • osqueryd.exe
Note: Other operating systems should have the same or similarly named processes (without the file extension).

Elastic Defend Resource Usage

The Elastic Agent is the backbone of Elastic Defend, our advanced Endpoint Detection and Response (EDR) solution. Elastic Defend continuously monitors your system for critical threats, including:

  • Malware
  • Ransomware
  • Memory-based threats
  • Malicious behavior

By actively analyzing these risks, Elastic Defend keeps your host secure. To monitor a host for those kinds of threats, Elastic Defend may use system resources. Resource usage may increase or momentarily spike during heavy load, scanning, or active threat detection tasks, to maintain effective protection.

Expected Resource Utilization

These ballparks are for the elastic-endpoint process. The estimates will vary based on the operating system, configuration, and workload. A deviation from these ballparks is not a concern unless it is both significant and persistent.

RAM

  • RAM usage in the ballpark of 200-300 MB is normal and expected.
  • This may increase during intensive tasks like active scanning or threat detection.

CPU

  • On average, expect around 5% of total CPU use.
  • This may increase during intensive tasks like active scanning or threat detection.
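As an added check that is not part of this page or of the Elastic product, the following PowerShell script confirms the expected binaries listed above are running and samples elastic-endpoint's memory and CPU against the ballparks in this section; the warning thresholds and the 30-second CPU sample window are assumptions, not values from the page.

```powershell
# Added health check (assumed script, not from this page or Elastic): confirm the
# expected Elastic Agent binaries are running and sample elastic-endpoint usage
# against the ballparks in this document. Run in an elevated PowerShell session.

$ExpectedProcesses = @('elastic-agent', 'elastic-endpoint', 'agentbeat',
                       'osquery-extension', 'osqueryd')   # names without .exe

# Ballparks from this page: 200-300 MB RAM, ~5% total CPU on average.
# Warn only on large deviation, since spikes during scanning are expected.
$RamWarnMB  = 600   # assumed: about 2x the upper RAM ballpark
$CpuWarnPct = 20    # assumed: well above the 5% average
$SampleSecs = 30    # assumed: CPU averaged over this window

$running = Get-Process | Select-Object -ExpandProperty ProcessName -Unique
$missing = @()
foreach ($name in $ExpectedProcesses) {
    if ($running -contains $name) { Write-Output "OK       $name" }
    else { Write-Output "MISSING  $name"; $missing += $name }
}

$endpoint = Get-Process -Name 'elastic-endpoint' -ErrorAction SilentlyContinue
if (-not $endpoint) {
    Write-Output 'elastic-endpoint is not running; cannot sample resource usage.'
    exit 1
}

# WorkingSet64 is the resident memory Windows reports; summed in case more
# than one elastic-endpoint process exists.
$ramMB = [math]::Round(($endpoint | Measure-Object WorkingSet64 -Sum).Sum / 1MB)

# CPU: difference in TotalProcessorTime over the window, normalised to all cores
# so the figure is comparable to the "total" CPU percentage quoted above.
$cpuStart = ($endpoint | ForEach-Object { $_.TotalProcessorTime.TotalSeconds } |
             Measure-Object -Sum).Sum
Start-Sleep -Seconds $SampleSecs
$endpoint = Get-Process -Name 'elastic-endpoint' -ErrorAction SilentlyContinue
$cpuEnd   = ($endpoint | ForEach-Object { $_.TotalProcessorTime.TotalSeconds } |
             Measure-Object -Sum).Sum
$cpuDelta = [math]::Max(0, $cpuEnd - $cpuStart)   # a restart mid-window goes negative
$cpuPct   = [math]::Round($cpuDelta / ($SampleSecs * [Environment]::ProcessorCount) * 100, 1)

Write-Output "elastic-endpoint RAM: $ramMB MB (ballpark 200-300 MB)"
Write-Output "elastic-endpoint CPU: $cpuPct % of total over $SampleSecs s (ballpark ~5%)"
if ($ramMB -gt $RamWarnMB)   { Write-Warning 'RAM well above ballpark; investigate if persistent' }
if ($cpuPct -gt $CpuWarnPct) { Write-Warning 'CPU well above ballpark; investigate if persistent' }
if ($missing.Count -gt 0)    { exit 2 }
```

A single sample only shows a moment in time; rerun it over several hours before treating a reading as the persistent deviation the section describes.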

Process Termination

In some cases there may be enough reason for Elastic Defend to terminate a process outright. This should be extremely rare. Alerts generated by the product are primarily reviewed by the System (TAMUS), which creates exceptions for legitimate activity.

If you believe a process was incorrectly terminated, please use the appropriate contact method below:

  • For devices on the TAMUS Elastic stack: Please submit a ticket through the TAMUS ticket queue.
  • For devices on the legacy TAMU Elastic stack: You can reach out to security@tamu.edu
    • Also reach out to the System to get the information needed to move over.

When reporting an issue, please include the hostname, timeframe, and the name of the process that was terminated.

Supported Operating Systems and Processor Architectures

Elastic Agent support and Elastic Defend support statuses can be found at Support Matrix | Elastic. There are some limitations with supported devices. Primarily:

  • Elastic Agent is not supported on 32-bit operating systems.

Appropriate Use

A host that has the Elastic Agent installed and is enrolled in a Defend-enabled agent policy will end up with Elastic Defend running on it. Elastic Defend will be installed universally on every host that can accommodate it unless there is a CISO-approved exception.

Additional Information

New Requests

For all new requests, including access to installers or other questions, please submit a ticket through the TAMUS service portal: Texas A&M System Cybersecurity - Jira Service Management

Questions

For questions, you may contact endpoint-security@tamu.edu. Concerns with System-controlled endpoints should be addressed with the System.