Install and configure the Elastic Defend integrationedit

Like other Elastic integrations, Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

Before you beginedit

If you’re using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to requirements for Elastic Endpoint if you’re installing the Elastic Endpoint or requirements for the Endgame sensor for more information.

Add the Elastic Defend integrationedit

  1. Go to the Integrations page, which you can access in several ways:

    • In Kibana: ManagementIntegrations
    • In the Elastic Security app: Get startedAdd security integrations
    Search result for "Elastic Defend" on the Integrations page.
  2. Search for and select Elastic Defend, then select Add Elastic Defend. The integration configuration page appears.

    If this is the first integration you’ve installed and the Ready to add your first integration? page appears instead, select Add integration only (skip agent installation) to proceed. You can install Elastic Agent after setting up the Elastic Defend integration.

    Add Elastic Defend integration page
  3. Configure the Elastic Defend integration with an Integration name and optional Description.
  4. Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
  5. Select a configuration preset. Each preset comes with different default settings for Elastic Agent — you can further customize these later by configuring the Elastic Defend integration policy.

    Traditional Endpoint presets

    All traditional endpoint presets except Data Collection have these preventions enabled by default: malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events:

    • Data Collection: All events; no preventions
    • Next-Generation Antivirus (NGAV): Process events; all preventions
    • Essential EDR (Endpoint Detection & Response): Process, Network, File events; all preventions
    • Complete EDR (Endpoint Detection & Response): All events; all preventions

    Cloud Workloads presets

    Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, session data collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events.

    • All events: Includes data from automated sessions.
    • Interactive only: Filters out data from non-interactive sessions by creating an event filter.
  6. Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to Elastic Agent policies.
  7. When you’re ready, click Save and continue.
  8. To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.

Configure and enroll the Elastic Agentedit

To enable the Elastic Defend integration, you must enroll agents in the relevant policy using Fleet.

Before you add an Elastic Agent, a Fleet Server must be running. Refer to Add a Fleet Server.

Elastic Defend cannot be integrated with an Elastic Agent in standalone mode.

Important information about Fleet Serveredit

If you are running an Elastic Stack version earlier than 7.13.0, you can skip this section.

If you have upgraded to an Elastic Stack version that includes Fleet Server 7.13.0 or newer, you will need to redeploy your agents. Review the following scenarios to ensure you take the appropriate steps.

  • If you redeploy the Elastic Agent to the same machine through the Fleet application after you upgrade, a new agent will appear.
  • If you want to remove the Elastic Agent entirely without transitioning to the Fleet Server, then you will need to manually uninstall the Elastic Agent on the machine. This will also uninstall the endpoint. Refer to Uninstall Elastic Agent.
  • In the rare event that the Elastic Agent fails to uninstall, you might need to manually uninstall the endpoint. Refer to Uninstall an endpoint at the end of this topic.

Add the Elastic Agentedit

  1. Go to FleetAgentsAdd agent.

    Add agent flyout on the Fleet page.
  2. Select an agent policy for the Elastic Agent. You can select an existing policy, or select Create new agent policy to create a new one. For more details on Elastic Agent configuration settings, refer to Elastic Agent policies.

    The selected agent policy should include Elastic Defend.

    Add agent flyout with Elastic Defend integration highlighted.
  3. Ensure that the Enroll in Fleet option is selected. Elastic Defend cannot be integrated with Elastic Agent in standalone mode.
  4. Select the appropriate platform or operating system for the host, then copy the provided commands.
  5. On the host, open a command-line interface and navigate to the directory where you want to install Elastic Agent. Paste and run the commands from Fleet to download, extract, enroll, and start Elastic Agent.
  6. (Optional) Return to the Add agent flyout in Fleet, and observe the Confirm agent enrollment and Confirm incoming data steps automatically checking the host connection. It may take a few minutes for data to arrive in Elasticsearch.
  7. After you have enrolled the Elastic Agent on your host, you can click View enrolled agents to access the list of agents enrolled in Fleet. Otherwise, select Close.

    The host will now appear on the Endpoints page in the Elastic Security app. It may take another minute or two for endpoint data to appear in Elastic Security.

  8. For macOS, continue with these instructions to grant Elastic Endpoint the required permissions.