Configure and install Elastic Endpoint Integration (beta)edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Like other Elastic integrations, Endpoint Security can be integrated into the Elastic Agent through Fleet. Upon configuration, the integration allows the Elastic Agent to monitor for events on your host and send data to the Elastic Security app.

Configuring the Endpoint Integration on the Elastic Agent requires that the user have permission to use Fleet in Kibana.

Before you beginedit

Depending on the version of macOS you’re using, macOS requires that you give full disk access to different kernels, system extensions, or files. Review Enable Full Disk Access for details.

Add Elastic Endpoint integrationedit

  1. In Kibana, select Security > Administration. If this is not your first time using Elastic Security, select Fleet > Integrations and search for "Endpoint Security".

    security integration
  2. On the Administration page of the Elastic Security app or the Endpoint Security integration page in Fleet, select Add Endpoint Security. The integration configuration page appears.
  3. Select a configuration for the Elastic Agent. You can use either the Default config, or add security integration to a custom or existing configuration. For more details on Elastic Agent configuration settings, see Configuration settings.
  4. Configure the Endpoint Security integration with a name and optional description. When configuration is complete, select Save integration. Kibana redirects you back to the administration section of the Elastic Security app.

    add elastic endpoint security
  5. On the "Enable Endpoint Security" on your Agent’s page, select the name of your new integration. To enroll your agents with Endpoint Security, select Enroll Agent.
  6. Kibana redirects you back to Fleet to add the Elastic Agent to your host.

Configure and enroll Elastic Agentedit

When integrating with the Elastic Agent, Endpoint Security requires enrollment through Fleet to enable the integration.

Endpoint Security cannot be integrated with an Elastic Agent in Standalone mode.

  1. Go to Fleet. Select Overview > Add agent.

    add agent
  2. In the Add agent pane of the Configurations section, download the Elastic Agent on your host’s machine.
  3. After the download is complete, select an agent configuration. The selected integrations should include Endpoint Security.

    endpoint configuration
  4. After the Elastic Agent is installed on your host machine, open a command-line interface, and navigate to your Agent’s directory. Copy the commands from Fleet for your OS to enroll and run the Agent.

After you have enrolled the Elastic Agent on your host, select Continue. The host now appears in the Endpoints list, located on the Administration page in the Elastic Security app.

To unenroll an agent from your host, see Unenroll Elastic Agent.

Enable Elastic Endpoint kerneledit

When running the Elastic Agent with endpoint integrated on macOS 10.13, 10.14 and 10.15, you will be prompted to approve a kernel extension from "Endgame, Inc". To approve the extension:

Endgame Sensor users can approve the kernel the same way for the Elastic Endgame app.

  1. Select Open Security Preferences. The Security and Privacy window opens.

    system extension
  2. Select the Lock icon at the bottom left of the window to make changes to your security settings.

    unlock security panel
  3. Allow "Endgame, Inc" by selecting the Allow button.

    allow endgame

If the prompt does not appear because you’re using a version before macOS Big Sur (11.0), enable the extension by:

  1. Open a Terminal application.
  2. Enter kextload /Library/Extension/kendpoint.kext. Prepend the command with sudo if necessary.
  3. Confirm the kernel extension has loaded, enter kextstat | grep co.elastic.kendpoint.
  4. You should receive and output similar to 149 0 0xffffff7f82e7b000 0x21000 0x21000 co.elastic.kendpoint (7.9.0) BD152A57-ABD3-370A-BBE8-D15A0FCBD19A <6 5 2 1>.

Configure malware protection settingsedit

After you have installed the agent, malware prevention is automatically enabled on protected hosts. If needed, you can configure malware protection settings to meet your company’s security needs.

  1. In the security app, select the Administration tab to view the Endpoints list. Remember that you must have admin permissions in Kibana to access this page.
  2. From the Integration Policy column, select the Policy you want to configure. The Integration Policy page appears.
  3. By default, the Malware Protections Enabled toggle is on. To disable malware protection, switch the toggle off. Malware protection levels are as follows:

    • Detect: Detects malware on the host and generates an alert. The agent will not block malware. You must pay attention to and analyze any malware alerts that are generated.
    • Prevent (Default): Detects malware on the host, blocks it from executing, and generates an alert.
  4. Click Save to save changes to the Policy.
  5. On the dialog that appears, click Save and Deploy changes. If successful, a "Success" confirmation appears in the lower-right corner.
malware protection

Verify Endpoint Enrollmentedit

After installing the Elastic Agent, there’s a lag time of several hours between when the Elastic Endpoint begins detecting and sending alerts to {Kibana}. To ensure that the installation of Elastic Endpoint on your host was successful, go to Administration > Endpoints. A message appears that says, "Endpoints are enrolling. View agents to track progress".

endpoints enrolling