Endpoints

edit

The Endpoints page allows admins to view and manage endpoints that are running the Endpoint and Cloud Security integration.

Fleet must be enabled in a Kibana space for administrative actions to function correctly.

You must have the built-in superuser role to access this feature. For more information, refer to Built-in users.

Endpoints list

edit

The Endpoints list displays all hosts running Elastic Security and their relevant integration details. Endpoints appear in chronological order, with newly added endpoints at the top. The Endpoints list provides the following data:

  • Endpoint: The system hostname. Click the link to view host details in a flyout.
  • Agent Status: The current status of the Elastic Agent, which is one of the following:

    • Healthy: The agent is online and communicating with Kibana.
    • Unenrolling: The agent is currently unenrolling and will soon be removed from Fleet. Afterward, the endpoint will also uninstall.
    • Unhealthy: The agent is online but requires attention from an admin because it’s reporting a process being unhealthy. An unhealthy status could also mean an upgrade failed and was rolled back to its previous version.
    • Updating: The agent is online and is updating the agent policy or binary, or is enrolling or unenrolling.
    • Offline: The agent is still enrolled but may be on a machine that is shut down or currently does not have internet access. In this state, the agent is no longer communicating with Kibana at a regular interval.

      Elastic Agent statuses in Fleet correspond to the agent statuses in the Elastic Security app.

  • Policy: The name of the associated policy when the agent was installed. Click the link to view the Integration policy page.
  • Policy Status: Lists whether the policy application was a success or failure. Click the link to view response details in a flyout.
  • OS: The associated operating system.
  • IP address: All IP addresses associated with the hostname.
  • Version: The Elastic Stack version currently running.
  • Last active: A date and timestamp of the last time the agent was active.
  • Actions: Select the context menu (…​) to do the following:

    • Isolate host: Isolate the host from your network, blocking communication until the host is released.
    • View host details: View host details on the Hosts page in the Elastic Security app.
    • View agent policy: View the policy in Fleet.
    • View agent details: View agent details and activity logs in Fleet.
    • Reassign agent policy: Change the agent policy assigned to the host in Fleet.
Admin page

Endpoint details

Click any link in the Endpoint column to display host details in a flyout. You can also use the Take Action menu button to perform the same actions as those listed in the Actions context menu, such as isolating the host, viewing host details, and viewing or reassigning the agent policy.

Admin page

Integration policy details

To view the integration policy page, click the link in the Policy column. If you are viewing host details, you can also click the Policy link on the flyout.

On this page, you can view and configure endpoint protection and event collection settings. In the upper-right corner are Key Performance Indicators (KPIs) that provide current endpoint status. If you need to update the policy, make changes as appropriate, then click the Save button to apply the new changes.

Users must have permission to read/write to Fleet APIs to make changes to the configuration.

Integration page

Users who have unique configuration and security requirements can select Show Advanced Settings to configure the policy to support advanced use cases. Hover over each setting to view its description.

Advanced settings are not recommended for most users.

Integration page

Policy status

The status of the policy application appears in the Status column and displays one of the following possibilities:

  • Success: The policy was applied successfully.
  • Warning or Partially Applied: The policy is pending application, or the policy was not applied in its entirety.

In some cases, some actions taken on the endpoint may fail during the policy application but are not recognized as a critical failure - meaning there may be a failure, but the endpoints are still protected. In this case, the policy status will display as "Partially Applied."

  • Failure: The policy did not apply correctly. As such, endpoints are not protected.
  • Unknown: The user interface is waiting for the API response to return, or, in rare cases, the API returns an undefined error or value.

To view policy status details, click the link and review the data in the flyout that displays.

Config status details

Expand each section and subsection to view individual responses from the agent.

If you need help troubleshooting a configuration failure, see the Fleet troubleshooting topic.

Filter endpoints

edit

To filter the Endpoints list, use the search bar to enter a query using Kibana Query Language (KQL). To refresh the search results, click Refresh.

filter endpoints

The date and time picker on the right side of the page allows you to set a time interval to automatically refresh the Endpoints list — for example, to check if new endpoints were added or deleted.