Endpoint 7.12.x migration to 7.13 Lesson learned with Fleet "On-Prem"

Hi @PublicName

We are playing around with that type of feature, although I'm not sure when it will be ready for release.

In the meantime, is elastic-endpoint.exe using more CPU than you'd like? If so we'd be happy to dig into it a bit. One common cause of high CPU is two antivirus products monitoring each other in an endless loop, although other applications can do things as well that put more stress on Endpoint than you'd like. Adding a Trusted Application in Security -> Administration often resolves that type of issue.

If the issue is with elastic-endpoint.exe there are two ways you can find what is causing it to use a lot of CPU. One is to look at the latest data_stream.dataset : endpoint.metrics document (found in a metrics-* data stream index) for the misbehaving Endpoint. In 7.13 we added Endpoint.metrics.system_impact details to this document, which is a list of programs on the computer that are causing Endpoint to do a lot of work. The week_ms value in each entry is the number of milliseconds spent over the last week; the higher the value, the more likely this is the cause of high CPU use for elastic-endpoint.exe.

Another option is to follow the guidance here (Endpoint agent consistent 90+% CPU for some PCs - #13 by Matt_Scherer) which outlines a way to create a Lens visualization to see what programs are causing Endpoint to produce the most data, which is likely to correspond with what is causing high Endpoint CPU.

Regardless of which route you take, it's important to not create a Trusted Application for something like svchost.exe, which would create a large security blind spot in your network.
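
Added example (not part of the original post and not Elastic's code): a small triage script that ranks the Endpoint.metrics.system_impact entries of an endpoint.metrics document by week_ms and keeps shared host processes such as svchost.exe out of the Trusted Application candidates. The sample document, the nesting inside each entry (process.executable, per-category week_ms), the NEVER_TRUST list and the 60-second threshold are assumptions made for illustration.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample of an endpoint.metrics document. The nesting inside each
# system_impact entry (process.executable, per-category week_ms) is an assumption.
SAMPLE_DOC = json.loads(r"""
{
  "data_stream": {"dataset": "endpoint.metrics"},
  "Endpoint": {"metrics": {"system_impact": [
    {"process": {"executable": "C:\\Program Files\\OtherAV\\avscan.exe"},
     "overall": {"week_ms": 912000}, "file": {"week_ms": 850000}},
    {"process": {"executable": "C:\\Windows\\System32\\svchost.exe"},
     "overall": {"week_ms": 240000}},
    {"process": {"executable": "C:\\Tools\\backup.exe"},
     "overall": {"week_ms": 1500}}
  ]}}
}
""")

# Shared host processes that should never become a Trusted Application
# (illustrative list; the post names svchost.exe as the example).
NEVER_TRUST = {"svchost.exe", "services.exe", "lsass.exe", "explorer.exe"}

def _week_ms(node):
    """Largest week_ms found anywhere inside one system_impact entry."""
    if isinstance(node, dict):
        own = [node["week_ms"]] if isinstance(node.get("week_ms"), (int, float)) else []
        return max(own + [_week_ms(v) for v in node.values()], default=0)
    if isinstance(node, list):
        return max((_week_ms(v) for v in node), default=0)
    return 0

def rank_system_impact(doc):
    """Return (executable, week_ms) pairs, highest Endpoint cost first."""
    entries = doc.get("Endpoint", {}).get("metrics", {}).get("system_impact") or []
    ranked = [(e.get("process", {}).get("executable", "<unknown>"), _week_ms(e)) for e in entries]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

def triage(doc, min_week_ms=60_000):
    """Split heavy hitters into Trusted Application candidates and do-not-trust."""
    candidates, do_not_trust = [], []
    for exe, ms in rank_system_impact(doc):
        if ms < min_week_ms:
            continue  # too little Endpoint time to explain high CPU
        name = PureWindowsPath(exe).name.lower()
        (do_not_trust if name in NEVER_TRUST else candidates).append(exe)
    return candidates, do_not_trust

if __name__ == "__main__":
    for exe, ms in rank_system_impact(SAMPLE_DOC):
        print(f"{ms / 1000:>8.0f} s  {exe}")
    print(triage(SAMPLE_DOC))
```

Entries that land in the do-not-trust list need their underlying activity investigated rather than an exception.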