Ransomware protection


What is the "Anti-Ransomware Elastic-Do-Not-Touch" folder appearing on the machines?

Hi Charles, those folders are used by the Elastic Defend ransomware canaries detection:

When ransomware protection is enabled, canary files placed in targeted locations on your hosts provide an early warning system for potential ransomware activity. When a canary file is modified, Elastic Defend immediately generates a ransomware alert. If prevent ransomware is active, Elastic Defend terminates the process that modified the file.

They will appear to the user if "Show hidden items" is enabled.

Hi @Samir_Bousseaden, thanks, that is just what I thought. Is it possible to hide this from the users?

It's possible to do that locally or via GPO. An example of how to disable showing hidden files via GPO: Using Group Policy to Disable Show Hidden Files; and locally: Show hidden files - Microsoft Support.


Thank you! I thought there was a way to do it via the console under Policy Configs.


@Samir_Bousseaden, I know this is a separate discussion, but I just wanted to ask whether it's possible to run a query that only shows me XDR alerts from the Alerts tab in the console?

If I understood correctly, you can use this search: event.dataset:"endpoint.alerts". If you want only alerts for specific features like ransomware, you can add event.code:ransomware; similarly, event.code:behavior for behavior alerts, event.code:malicious_file for malware alerts, or event.code:shellcode_thread for shellcode-related alerts.
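To illustrate the filtering described in the reply above, here is an added Python example (not from the original thread and not Elastic's own code) that builds the matching KQL string and applies the same event.dataset / event.code conditions to a handful of constructed alert documents, resolving dotted field paths whether the hit uses nested objects or flattened "a.b" keys.

```python
from collections import Counter

# Constructed sample hits (not real Elastic data), mixing nested and
# dotted-key layouts as exported documents sometimes do.
SAMPLE_HITS = [
    {"event": {"dataset": "endpoint.alerts", "code": "ransomware"}, "host": {"name": "ws-01"}},
    {"event": {"dataset": "endpoint.alerts", "code": "behavior"}, "host": {"name": "ws-02"}},
    {"event.dataset": "endpoint.alerts", "event.code": "malicious_file", "host.name": "ws-03"},
    {"event": {"dataset": "endpoint.alerts", "code": "shellcode_thread"}, "host": {"name": "ws-01"}},
    {"event": {"dataset": "system.security", "code": "4624"}, "host": {"name": "ws-01"}},
]


def get_field(doc, path):
    """Resolve a dotted path such as 'event.code' against a document that may
    nest objects, use dotted keys, or mix both. Returns None when absent."""
    cur, parts = doc, path.split(".")
    while parts:
        if not isinstance(cur, dict):
            return None
        # Try the longest dotted key first ("event.code"), then shorter prefixes.
        for n in range(len(parts), 0, -1):
            key = ".".join(parts[:n])
            if key in cur:
                cur, parts = cur[key], parts[n:]
                break
        else:
            return None
    return cur


def kql_for(codes=None):
    """Build the KQL the reply describes: dataset filter plus optional event.code filter."""
    query = 'event.dataset:"endpoint.alerts"'
    if codes:
        query += " and (" + " or ".join(f"event.code:{c}" for c in codes) + ")"
    return query


def filter_alerts(hits, codes=None):
    """Apply the same semantics as kql_for() to in-memory hit documents."""
    matched = []
    for hit in hits:
        if get_field(hit, "event.dataset") != "endpoint.alerts":
            continue  # not an Elastic Defend alert (e.g. Windows security log)
        if codes and get_field(hit, "event.code") not in codes:
            continue
        matched.append(hit)
    return matched


def count_by_code(hits):
    """Triage helper: how many endpoint alerts of each feature type are present."""
    return dict(Counter(get_field(h, "event.code") for h in filter_alerts(hits)))
```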