Endpoint response actions
editEndpoint response actions
editThe response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint’s response actions history for reference.
Response actions are supported on all endpoint platforms (Linux, macOS, and Windows).
Launch the response console from any of the following places in Elastic Security:
- Endpoints page → Actions menu (…) → Respond
- Endpoint details flyout → Take action → Respond
- Alert details flyout → Take action → Respond
To perform an action on the endpoint, enter a response action command in the input area at the bottom of the console, then press Return. Output from the action is displayed in the console.
If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history.
Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running.
Activity in the response console is persistent, so you can navigate away from the page and any pending actions you’ve submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the response actions history.
Once you submit a response action, you can’t cancel it, even if the action is pending for an offline host.
Response action commands
editThe following response action commands are available in the response console.
isolate
editIsolate the host, blocking communication with other hosts on the network.
Required privilege: Host Isolation
Example: isolate --comment "Isolate host related to detection alerts"
release
editRelease an isolated host, allowing it to communicate with the network again.
Required privilege: Host Isolation
Example: release --comment "Release host, everything looks OK"
status
editShow information about the host’s status, including: Elastic Agent status and version, the Elastic Defend integration’s policy status, and when the host was last active.
processes
editShow a list of all processes running on the host. This action may take a minute or so to complete.
Required privilege: Process Operations
Use this command to get current PID or entity ID values, which are required for other response actions such as kill-process
and suspend-process
.
Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system.
kill-process
editTerminate a process. You must include one of the following parameters to identify the process to terminate:
-
--pid
: A process ID (PID) representing the process to terminate. -
--entityId
: An entity ID representing the process to terminate.
Required privilege: Process Operations
Example: kill-process --pid 123 --comment "Terminate suspicious process"
suspend-process
editSuspend a process. You must include one of the following parameters to identify the process to suspend:
-
--pid
: A process ID (PID) representing the process to suspend. -
--entityId
: An entity ID representing the process to suspend.
Required privilege: Process Operations
Example: suspend-process --pid 123 --comment "Suspend suspicious process"
get-file
editRetrieve a file from a host. Files are downloaded in a password-protected .zip archive to prevent the file from running. Use passcode elastic
to open the .zip in a safe environment.
You must include the following parameter to specify the file’s location on the host:
-
--path
: The file’s full path (including the file name).
Required privilege: File Operations
Example: get-file --path "/full/path/to/file.txt" --comment "Possible malware"
You can use the Osquery manager integration to query a host’s operating system and gain insight into its files and directories, then use get-file
to retrieve specific files.
When Elastic Defend prevents file activity due to malware prevention, the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with get-file
, copy the path from the alert’s Quarantined file path field (file.Ext.quarantine_path
), which appears under Highlighted fields in the alert details flyout. Then paste the value into the --path
parameter.
Supporting commands and parameters
edit--comment
editAdd to a command to include a comment explaining or describing the action. Comments are included in the response actions history.
clear
editClear all output from the response console.
help
editList supported commands in the console output area.
You can also get a list of commands in the Help panel, which stays on the screen independently of the output area.
Help panel
editClick Help in the upper-right to open the Help panel, which lists available response action commands and parameters as a reference.
This panel displays only the response actions that the user has privileges to perform.
You can use this panel to build commands with less typing. Click the add icon () to add a command to the input area, enter any additional parameters or a comment, then press Return to run the command.
If the endpoint is running an older version of Elastic Agent, some response actions may not be supported, as indicated by an informational icon and tooltip. Upgrade Elastic Agent on the endpoint to be able to use the latest response actions.
Response actions history
editClick Response actions history to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to Response actions history for more details.