« Endpoint response actions Isolate a host »
Elastic Docs Serverless Elastic Security serverless Endpoint response actions

Automated response actions

edit

Automated response actions

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Add Elastic Defend’s response actions to detection rules to automatically perform actions on an affected host when an event meets the rule’s criteria. Use these actions to support your response to detected threats and suspicious events.

Requirements

  • Automated response actions require the Endpoint Protection Complete project feature.
  • Hosts must have Elastic Agent installed with the Elastic Defend integration.
  • Your user role must have the ability to create detection rules and the privilege to perform specific response actions (for example, custom roles require the Host Isolation privilege to isolate hosts).
  • You can only add automated response actions to custom query, event correlation (EQL), new terms, and ES|QL type rules.

To add automated response actions to a new or existing rule:

  1. Do one of the following:

    • New rule: On the last step of rule creation, go to the Response Actions section and select Elastic Defend.
    • Existing rule: Edit the rule’s settings, then go to the Actions tab. In the tab, select Elastic Defend under the Response Actions section.

  2. Select an option in the Response action field:

    • Isolate: Isolate the host, blocking communication with other hosts on the network.
    • Kill process: Terminate a process on the host.

    • Suspend process: Temporarily suspend a process on the host.

      Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.

  3. For process actions, specify how to identify the process you want to terminate or suspend:

    • Turn on the toggle to use the alert’s process.pid value as the identifier.
    • To use a different alert field value to identify the process, turn off the toggle and enter the Custom field name.
  4. Enter a comment describing why you’re performing the action on the host (optional).
  5. To finish adding the response action, click Create & enable rule (for a new rule) or Save changes (for existing rules).
« Endpoint response actions Isolate a host »