The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint’s actions log for reference.
Response actions are supported on all endpoint platforms (Linux, macOS, and Windows).
Response actions and the response console UI are Enterprise subscription features.
Endpoints must have Elastic Agent version 8.4 or higher installed with the Endpoint and Cloud Security integration to receive response actions.
Launch the response console from any of the following places in Elastic Security:
- Endpoints page → Actions menu (…) → Respond
- Endpoint details flyout → Take action → Respond
- Alert details flyout → Take action → Respond
To perform an action on the endpoint, enter a response action command in the input area at the bottom of the console, then press Return. Output from the action is displayed in the console.
If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the actions log.
Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running.
Activity in the response console is persistent, so you can navigate away from the page and any pending actions you’ve submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the actions log.
Once you submit a response action, you can’t cancel it, even if the action is pending for an offline host.
The following response action commands are available in the response console.
Isolate the host, blocking communication with other hosts on the network.
isolate --comment "Isolate host related to detection alerts"
Release an isolated host, allowing it to communicate with the network again.
release --comment "Release host, everything looks OK"
Show information about the host’s status, including: Elastic Agent status and version, the Endpoint and Cloud Security integration’s policy status, and when the host was last active.
Show a list of all processes running on the host. This action may take a minute or so to complete.
Use this command to get current PID or entity ID values, which are required for other response actions such as
Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system.
Terminate a process. You must include one of the following parameters to identify the process to terminate:
--pid: A process ID (PID) representing the process to terminate.
--entityId: An entity ID representing the process to terminate.
kill-process --pid 123 --comment "Terminate suspicious process"
Suspend a process. You must include one of the following parameters to identify the process to suspend:
--pid: A process ID (PID) representing the process to suspend.
--entityId: An entity ID representing the process to suspend.
suspend-process --pid 123 --comment "Suspend suspicious process"
Add to a command to include a comment explaining or describing the action. Comments are included in the actions log.
Add to a command to get help for that command.
Clear all output from the response console.
Click Help in the upper-right to open the Help panel, which lists available response action commands and parameters as a reference.
You can use this panel to build commands with less typing. Click the add icon () to add a command to the input area, enter any additional parameters or a comment, then press Return to run the command.
Click Actions log to display a history of response actions performed on the host, such as isolating the host or terminating a process. The actions log includes when each command was performed, the user who performed the action, any comments added to the action, and the action’s current status.
- Click the expand arrow on the right to display more details about an action.
- Use the date and time picker to display actions within a specific time range.
You can also access the actions log from the Endpoints page (Manage → Endpoints → Endpoint name → Actions Log).