Endpoint response actions

edit

Endpoint response actions

edit

The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint’s response actions history for reference.

Response actions are supported on all endpoint platforms (Linux, macOS, and Windows).

Requirements

  • Response actions and the response console UI require the Endpoint Protection Complete project feature.
  • Endpoints must have Elastic Agent version 8.4 or higher installed with the Elastic Defend integration to receive response actions.
  • Some response actions require either a predefined Security user role or a custom role with a specific feature privilege, indicated below. These are required to perform actions both in the response console and in other areas of the Elastic Security app (such as isolating a host from a detection alert).
  • Users must have the appropriate user role privileges for at least one response action to access the response console.
Response console UI

Launch the response console from any of the following places in Elastic Security:

  • Endpoints page → Actions menu (Actions menu icon) → Respond
  • Endpoint details flyout → Take actionRespond
  • Alert details flyout → Take actionRespond
  • Host details page → Respond

To perform an action on the endpoint, enter a response action command in the input area at the bottom of the console, then press Return. Output from the action is displayed in the console.

If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history.

Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running.

Activity in the response console is persistent, so you can navigate away from the page and any pending actions you’ve submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the response actions history.

Once you submit a response action, you can’t cancel it, even if the action is pending for an offline host.

Response action commands

edit

The following response action commands are available in the response console.

isolate
edit

Isolate the host, blocking communication with other hosts on the network.

Predefined role: Tier 3 analyst, SOC manager, or Endpoint operations analyst

Custom role privilege: Host isolation

Example: isolate --comment "Isolate host related to detection alerts"

release
edit

Release an isolated host, allowing it to communicate with the network again.

Predefined role: Tier 3 analyst, SOC manager, or Endpoint operations analyst

Custom role privilege: Host isolation

Example: release --comment "Release host, everything looks OK"

status
edit

Show information about the host’s status, including: Elastic Agent status and version, the Elastic Defend integration’s policy status, and when the host was last active.

processes
edit

Show a list of all processes running on the host. This action may take a minute or so to complete.

Predefined role: Tier 3 analyst, SOC manager, or Endpoint operations analyst

Custom role privilege: Process Operations

Use this command to get current PID or entity ID values, which are required for other response actions such as kill-process and suspend-process.

Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system.

Running this command on third-party-protected hosts might return the process list in a different format. Refer to Third-party response actions for more information.

kill-process
edit

Terminate a process. You must include one of the following parameters to identify the process to terminate:

  • --pid : A process ID (PID) representing the process to terminate.
  • --entityId : An entity ID representing the process to terminate.

Predefined role: Tier 3 analyst, SOC manager, or Endpoint operations analyst

Custom role privilege: Process Operations

Example: kill-process --pid 123 --comment "Terminate suspicious process"

For SentinelOne-enrolled hosts, you must use the parameter --processName to identify the process to terminate. --pid and --entityId are not supported.

Example: kill-process --processName cat --comment "Terminate suspicious process"

suspend-process
edit

Suspend a process. You must include one of the following parameters to identify the process to suspend:

  • --pid : A process ID (PID) representing the process to suspend.
  • --entityId : An entity ID representing the process to suspend.

Predefined role: Tier 3 analyst, SOC manager, or Endpoint operations analyst

Custom role privilege: Process Operations

Example: suspend-process --pid 123 --comment "Suspend suspicious process"

get-file
edit

Retrieve a file from a host. Files are downloaded in a password-protected .zip archive to prevent the file from running. Use password elastic to open the .zip in a safe environment.

Files retrieved from third-party-protected hosts require a different password. Refer to Third-party response actions for your system’s password.

You must include the following parameter to specify the file’s location on the host:

  • --path : The file’s full path (including the file name).

Predefined role: Tier 3 analyst, SOC manager, or Endpoint operations analyst

Custom role privilege: File Operations

Example: get-file --path "/full/path/to/file.txt" --comment "Possible malware"

You can use the Osquery manager integration to query a host’s operating system and gain insight into its files and directories, then use get-file to retrieve specific files.

When Elastic Defend prevents file activity due to malware prevention, the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with get-file, copy the path from the alert’s Quarantined file path field (file.Ext.quarantine_path), which appears under Highlighted fields in the alert details flyout. Then paste the value into the --path parameter.

execute
edit

Run a shell command on the host. The command’s output and any errors appear in the response console, up to 2000 characters. The complete output (stdout and stderr) are also saved to a downloadable .zip archive (password: elastic). Use these parameters:

  • --command : (Required) A shell command to run on the host. The command must be supported by bash for Linux and macOS hosts, and cmd.exe for Windows.

    • Multiple consecutive dashes in the value must be escaped; single dashes do not need to be escaped. For example, to represent a directory named /opt/directory--name, use the following: /opt/directory--name.
    • You can use quotation marks without escaping. For example: execute --command "cd "C:\Program Files\directory""
  • --timeout : (Optional) How long the host should wait for the command to complete. Use h for hours, m for minutes, s for seconds (for example, 2s is two seconds). If no timeout is specified, it defaults to four hours.

Predefined role: SOC manager or Endpoint operations analyst

Custom role privilege: Execute Operations

Example: execute --command "ls -al" --timeout 2s --comment "Get list of all files"

This response action runs commands on the host using the same user account running the Elastic Defend integration, which normally has full control over the system. Be careful with any commands that could cause irrevocable changes.

upload
edit

Upload a file to the host. The file is saved to the location on the host where Elastic Endpoint is installed. After you run the command, the full path is returned in the console for reference. Use these parameters:

  • --file : (Required) The file to send to the host. As soon as you type this parameter, a popup appears — select it to navigate to the file, or drag and drop the file onto the popup.
  • --overwrite : (Optional) Overwrite the file on the host if it already exists.

Predefined role: Tier 3 analyst, SOC manager, or Endpoint operations analyst

Custom role privilege: File Operations

Example: upload --file --comment "Upload remediation script"

You can follow this with the execute response action to upload and run scripts for mitigation or other purposes.

The default file size maximum is 25 MB, configurable in kibana.yml with the xpack.securitySolution.maxUploadResponseActionFileBytes setting. You must enter the value in bytes (the maximum is 104857600 bytes, or 100 MB).

scan
edit

Scan a specific file or directory on the host for malware. This uses the malware protection settings (such as Detect or Prevent options, or enabling the blocklist) as configured in the host’s associated Elastic Defend integration policy. Use these parameters:

  • --path : (Required) The absolute path to a file or directory to be scanned.

Predefined role: Tier 3 Analyst, SOC Manager, or Endpoint Operations Analyst

Custom role privilege: Scan Operations

Example: scan --path "/Users/username/Downloads" --comment "Scan Downloads folder for malware"

Scanning can take longer for directories containing a lot of files.

Supporting commands and parameters

edit
--comment
edit

Add to a command to include a comment explaining or describing the action. Comments are included in the response actions history.

--help
edit

Add to a command to get help for that command.

Example: isolate --help

clear
edit

Clear all output from the response console.

help
edit

List supported commands in the console output area.

You can also get a list of commands in the Help panel, which stays on the screen independently of the output area.

Help panel

edit

Click Help Help in the upper-right to open the Help panel, which lists available response action commands and parameters as a reference.

This panel displays only the response actions that you have the user role privileges to perform.

Help panel

You can use this panel to build commands with less typing. Click the add icon (Add) to add a command to the input area, enter any additional parameters or a comment, then press Return to run the command.

If the endpoint is running an older version of Elastic Agent, some response actions may not be supported, as indicated by an informational icon and tooltip. Upgrade Elastic Agent on the endpoint to be able to use the latest response actions.

Unsupported response action with tooltip

Response actions history

edit

Click Response actions history to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to Response actions history for more details.

Response actions history with a few past actions