Like other Elastic integrations, Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
Before you beginedit
If you’re using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to requirements for Elastic Endpoint if you’re installing the Elastic Endpoint or requirements for the Endgame sensor for more information.
Add the Elastic Defend integrationedit
Go to the Integrations page, which you can access in several ways:
- In Kibana: Management → Integrations
- In the Elastic Security app: Get started → Add security integrations
Search for and select Elastic Defend, then select Add Elastic Defend. The integration configuration page appears.
- Configure the Elastic Defend integration with an Integration name and optional Description.
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
Select a configuration preset. Each preset comes with different default settings for Elastic Agent — you can further customize these later. To learn more, refer to configure Elastic Defend integration policies.
Traditional Endpoint presets
All traditional endpoint presets have the following preventions enabled by default: machine learning malware, ransomware, memory threat, malicious behavior, and credential theft. Each preset collects the following events:
Next-Generation Antivirus (NGAV): Process
Essential EDR (Endpoint Detection & Response): Process, Network, File
Complete EDR (Endpoint Detection & Response): All
Cloud Workloads presets
Both cloud workload presets are intended for monitoring cloud-based Linux hosts. Therefore, session data collection, which enriches process events, is enabled by default. They both have all preventions disabled by default, and collect process, network, and file events.
All events: Includes data from automated sessions.
Interactive only: Filters out data from non-interactive sessions by creating an event filter.
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to Elastic Agent policies.
- When you’re ready, click Save and continue.
- To complete the integration, continue to the next section to install the Elastic Agent on your hosts.
Configure and enroll the Elastic Agentedit
To enable the Elastic Defend integration, you must enroll agents in the relevant policy using Fleet.
Before you add an Elastic Agent, a Fleet Server must be running. Refer to Add a Fleet Server.
Elastic Defend cannot be integrated with an Elastic Agent in standalone mode.
Important information about Fleet Serveredit
If you are running an Elastic Stack version earlier than 7.13.0, you can skip this section.
If you have upgraded to an Elastic Stack version that includes Fleet Server 7.13.0 or newer, you will need to redeploy your agents. Review the following scenarios to ensure you take the appropriate steps.
- If you redeploy the Elastic Agent to the same machine through the Fleet application after you upgrade, a new agent will appear.
- If you want to remove the Elastic Agent entirely without transitioning to the Fleet Server, then you will need to manually uninstall the Elastic Agent on the machine. This will also uninstall the endpoint. Refer to Uninstall Elastic Agent.
- In the rare event that the Elastic Agent fails to uninstall, you might need to manually uninstall the endpoint. Refer to Uninstall an endpoint at the end of this topic.
Add the Elastic Agentedit
Go to Fleet → Agents → Add agent.
Select an agent policy for the Elastic Agent. You can select an existing policy, or select Create new agent policy to create a new one. For more details on Elastic Agent configuration settings, refer to Elastic Agent policies.
The selected agent policy should include Elastic Defend.
- Ensure that the Enroll in Fleet option is selected. Elastic Defend cannot be integrated with Elastic Agent in standalone mode.
- Select the appropriate platform or operating system for the host, then copy the provided commands.
- On the host, open a command-line interface and navigate to the directory where you want to install Elastic Agent. Paste and run the commands from Fleet to download, extract, enroll, and start Elastic Agent.
- (Optional) Return to the Add agent flyout in Fleet, and observe the Confirm agent enrollment and Confirm incoming data steps automatically checking the host connection. It may take a few minutes for data to arrive in Elasticsearch.
After you have enrolled the Elastic Agent on your host, you can click View enrolled agents to access the list of agents enrolled in Fleet. Otherwise, select Close.
The host will now appear on the Endpoints page in the Elastic Security app. It may take another minute or two for endpoint data to appear in Elastic Security.
- For macOS, continue with these instructions to grant Elastic Endpoint the required permissions.