Configure and install Elastic Endpoint Integration (beta)edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Like other Elastic integrations, Elastic Endpoint Security can be integrated into the Elastic Agent through Fleet. Upon configuration, the integration allows the Elastic Agent to monitor for events on your host and send data to the Elastic Security app.

Configuring the Endpoint Integration on the Elastic Agent requires that the user have permission to use Fleet in Kibana.

Before you beginedit

Depending on the macOS version you’re using, macOS requires that you give full disk access to different kernels, system extensions, or files. Review Enable Full Disk Access for details.

Add Elastic Endpoint integrationedit

  1. In Kibana, select Security > Administration. If this is not your first time using Elastic Security, select Fleet > Integrations and search for "Elastic Endpoint Security".

    security integration
  2. On the Administration page of the Elastic Security app or the Elastic Endpoint Security integration page in Fleet, select Add Endpoint Security. The integration configuration page appears.
  3. Select a configuration for the Elastic Agent. You can use either the Default config, or add security integration to a custom or existing configuration. For more details on Elastic Agent configuration settings, see Configuration settings.
  4. Configure the Endpoint Security integration with a name and optional description. When the configuration is complete, select Save integration. Kibana redirects you back to the administration section of the Elastic Security app.

    add elastic endpoint security
  5. On the "Enable Elastic Endpoint Security" on your Agent’s page, select the name of your new integration. To enroll your agents with Endpoint Security, select Enroll Agent.
  6. Kibana redirects you back to Fleet to add the Elastic Agent to your host.

Configure and enroll Elastic Agentedit

When integrating with the Elastic Agent, Elastic Endpoint Security requires enrollment through Fleet to enable the integration.

Elastic Endpoint Security cannot be integrated with an Elastic Agent in Standalone mode.

  1. Go to Fleet. Select Overview > Add agent.

    add agent
  2. In the Add agent pane of the Configurations section, download the Elastic Agent on your host’s machine.
  3. After the download is complete, select an agent configuration. The selected integrations should include Elastic Endpoint Security.

    endpoint configuration
  4. After the Elastic Agent is installed on your host machine, open a command-line interface, and navigate to your Agent’s directory. Copy the commands from Fleet for your OS to enroll and run the Agent.

After you have enrolled the Elastic Agent on your host, select Continue. The host now appears in the Endpoints list, located on the Administration page in the Elastic Security app.

To unenroll an agent from your host, see Unenroll Elastic Agent.

Enable Elastic Endpoint kerneledit

When running the Elastic Agent with endpoint integrated on macOS 10.13, 10.14 and 10.15, you will be prompted to approve a kernel extension from "Endgame, Inc". To approve the extension:

Endgame Sensor users can approve the kernel the same way for the Elastic Endgame app.

  1. Select Open Security Preferences. The Security and Privacy window opens.

    system extension
  2. Select the Lock icon at the bottom left of the window to make changes to your security settings.

    unlock security panel
  3. Allow "Endgame, Inc" by selecting the Allow button.

    allow endgame

If the prompt does not appear because you’re using a version earlier than macOS Big Sur (11.0), enable the extension by doing the following:

  1. Open a Terminal application.
  2. Enter kextload /Library/Extension/kendpoint.kext. Prepend the command with sudo if necessary.
  3. To confirm the kernel extension has loaded, enter kextstat | grep co.elastic.kendpoint.
  4. You should receive an output similar to 149 0 0xffffff7f82e7b000 0x21000 0x21000 co.elastic.kendpoint (7.11.0) BD152A57-ABD3-370A-BBE8-D15A0FCBD19A <6 5 2 1>. If you receive this output, the kernel extension is enabled.

Configure an integration policy (optional)edit

After the Elastic Agent is installed successfully, malware prevention is automatically enabled on protected hosts. If needed, you can update the Integration Policy to configure malware protection, event collection, and antivirus settings to meet your company’s security needs.

To access the security integration policy:

  1. In the Elastic Security app, select the Administration tab to view the Endpoints list. Remember that you must have admin permissions in Kibana to access this page.
  2. From the Integration Policy column, select the Policy you want to configure. The Integration Policy page appears.

Malware protectionedit

By default, the Malware Protections Enabled toggle is on, with host notifications enabled or disabled based on the protection level. To disable malware protection, switch the toggle off. Malware protection levels are as follows:

  • Detect: Detects malware on the host and generates an alert. The agent will not block malware. You must pay attention to and analyze any malware alerts that are generated. Notifications do not appear by default. Select the Notify User option to enable them.
  • Prevent (Default): Detects malware on the host, blocks it from executing, and generates an alert. Notifications appear by default. Deselect the Notify User option to disable them.

    Platinum and enterprise users can customize these notifications using the Elastic Security {action} {filename} syntax.

Event Collectionedit

In the Settings section, review the events that collect data on each operating system. By default, all event data is collected. If you no longer want a specific event to collect data, deselect it.

malware protection

(Optional) Register as Windows 10 antivirusedit

If you download the Elastic Agent on Windows 10 or above, you can configure Elastic Security as your antivirus software by doing the following:

On the Integration Edit page, look for the Settings section and find Type: Register as antivirus. Toggle this option to enable.

register as antivirus

Save Integrationedit

  1. After you have customized your desired policy settings, click Save.
  2. On the dialog that appears, click Save and Deploy changes. If successful, a "Success" confirmation appears in the lower-right corner.

Verify Endpoint Enrollmentedit

After installing the Elastic Agent, there’s a lag time of several hours between when the Elastic Endpoint begins detecting and sending alerts to Kibana. To ensure that the installation of Elastic Endpoint on your host was successful, go to Administration > Endpoints. A message appears that says, "Endpoints are enrolling. View agents to track progress". Select View agents to check the status of your endpoint enrollment.

endpoints enrolling