admin-page-ov.html
<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8">
<title>Endpoints | Elastic Security Solution [8.18] | Elastic</title>
<meta class="elastic" name="content" content="Endpoints | Elastic Security Solution [8.18]">
<link rel="home" href="index.html" title="Elastic Security Solution [8.18]"/>
<link rel="up" href="sec-manage-intro.html" title="Manage Elastic Defend"/>
<link rel="prev" href="sec-manage-intro.html" title="Manage Elastic Defend"/>
<link rel="next" href="policies-page-ov.html" title="Policies"/>
<meta class="elastic" name="product_version" content="8.18"/>
<meta class="elastic" name="product_name" content="Security"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Security/Guide/8.18"/>
<meta name="DC.subject" content="Security"/>
<meta name="DC.identifier" content="8.18"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/manifest.json">
<meta name="apple-mobile-web-app-title" content="Elastic">
<meta name="application-name" content="Elastic">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<meta name="theme-color" content="#ffffff">
<meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
<meta name="yandex-verification" content="d8a47e95d0972434" />
<meta name="localized" content="true" />
<meta name="st:robots" content="follow,index" />
<meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
<meta property="og:image:width" content="500" />
<meta property="og:image:height" content="172" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
<link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
<link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
<!-- Give IE8 a fighting chance -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
</head>
<!--© 2015-2025 Elasticsearch B.V. -->
<!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
<!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->
<body>
<div class="main-container">
<section id="content" >
<div class="content-wrapper">
<section id="guide" lang="en">
<div class="container-fluid">
<div class="row pb-3">
<div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
<!-- The TOC is appended here -->
</div>
<div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
<!-- start body -->
<div class="book" lang="en">
<div class="titlepage">
<div>
<div><h1 class="title"><a id="id-1"></a>Endpoints</h1></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
A newer version is available. Check out the <a href="https://www.elastic.co/docs/solutions/security/manage-elastic-defend/endpoints">latest documentation</a>.
</div>
<div class="chapter">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="admin-page-ov"></a>Endpoints</h2></div>
</div></div></div>
<p>The Endpoints page allows administrators to view and manage endpoints that are running the <a class="xref" href="install-endpoint.html" title="Install the Elastic Defend integration">Elastic Defend integration</a>.</p>
<div class="sidebar">
<div class="titlepage"><div><div>
<p class="title"><strong>Requirements</strong></p>
</div></div></div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Fleet must be enabled in a Kibana space for administrative actions to function correctly.
</li>
<li class="listitem">
You must have the <span class="strong strong"><strong>Endpoint List</strong></span> <a class="xref" href="endpoint-management-req.html" title="Elastic Defend feature privileges">privilege</a> to access this feature.
</li>
</ul>
</div>
</div>
<div class="position-relative"><h3><a id="endpoints-list-ov"></a>Endpoints list</h3></div>
<p>The <span class="strong strong"><strong>Endpoints</strong></span> list displays all hosts running Elastic Defend and their relevant integration details. Endpoints are sorted by when they were added, with the most recently added endpoints at the top.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/endpoints-pg.png" alt="Endpoints page">
</div>
</div>
<p>The Endpoints list provides the following data:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Endpoint</strong></span>: The system hostname. Click the link to display <a class="xref" href="admin-page-ov.html#endpoint-details" title="Endpoint details">endpoint details</a> in a flyout.
</li>
<li class="listitem">
<p><span class="strong strong"><strong>Agent Status</strong></span>: The current status of the Elastic Agent, which is one of the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal">Healthy</code>: The agent is online and communicating with Kibana.
</li>
<li class="listitem">
<code class="literal">Unenrolling</code>: The agent is currently unenrolling and will soon be removed from Fleet. Afterward, the endpoint will also uninstall.
</li>
<li class="listitem">
<code class="literal">Unhealthy</code>: The agent is online but requires attention from an administrator because it’s reporting a problem with a process. An unhealthy status could mean an upgrade failed and was rolled back to its previous version, or an integration might be missing prerequisites or additional configuration. Refer to <a class="xref" href="ts-management.html#ts-unhealthy-agent" title="Unhealthy Elastic Agent status">Endpoint management troubleshooting</a> for more on resolving an unhealthy agent status.
</li>
<li class="listitem">
<code class="literal">Updating</code>: The agent is online and is updating the agent policy or binary, or is enrolling or unenrolling.
</li>
<li class="listitem">
<p><code class="literal">Offline</code>: The agent is still enrolled but may be on a machine that is shut down or currently does not have internet access. In this state, the agent is no longer communicating with Kibana at a regular interval.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Elastic Agent statuses in Fleet correspond to the agent statuses in the Elastic Security app.</p>
</div>
</div>
</li>
</ul>
</div>
</li>
<li class="listitem">
<span class="strong strong"><strong>Policy:</strong></span> The name of the associated integration policy when the agent was installed. Click the link to display the <a class="xref" href="admin-page-ov.html#integration-policy-details" title="Integration policy details">integration policy details</a> page.
</li>
<li class="listitem">
<span class="strong strong"><strong>Policy status:</strong></span> Indicates whether the integration policy was successfully applied. Click the link to view <a class="xref" href="admin-page-ov.html#policy-status" title="Policy status">policy status</a> response details in a flyout.
</li>
<li class="listitem">
<span class="strong strong"><strong>OS</strong></span>: The host’s operating system.
</li>
<li class="listitem">
<span class="strong strong"><strong>IP address</strong></span>: All IP addresses associated with the hostname.
</li>
<li class="listitem">
<span class="strong strong"><strong>Version</strong></span>: The Elastic Stack version currently running.
</li>
<li class="listitem">
<span class="strong strong"><strong>Last active</strong></span>: A date and timestamp of the last time the Elastic Agent was active.
</li>
<li class="listitem">
<p><span class="strong strong"><strong>Actions</strong></span>: Select the context menu (<span class="strong strong"><strong>…​</strong></span>) to do the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Isolate host</strong></span>: <a class="xref" href="host-isolation-ov.html" title="Isolate a host">Isolate the host</a> from your network, blocking communication until the host is released.
</li>
<li class="listitem">
<span class="strong strong"><strong>Respond</strong></span>: Open the <a class="xref" href="response-actions.html" title="Endpoint response actions">response console</a> to perform response actions directly on the host.
</li>
<li class="listitem">
<span class="strong strong"><strong>View response actions history</strong></span>: View a <a class="xref" href="admin-page-ov.html#response-action-history-tab" title="Response actions history">history of response actions</a> performed on the host.
</li>
<li class="listitem">
<span class="strong strong"><strong>View host details</strong></span>: View host details on the <span class="strong strong"><strong>Hosts</strong></span> page in the Elastic Security app.
</li>
<li class="listitem">
<span class="strong strong"><strong>View agent policy</strong></span>: View the agent policy in Fleet.
</li>
<li class="listitem">
<span class="strong strong"><strong>View agent details</strong></span>: View Elastic Agent details and activity logs in Fleet.
</li>
<li class="listitem">
<span class="strong strong"><strong>Reassign agent policy</strong></span>: Change the <a href="/guide/en/fleet/8.18/agent-policy.html#apply-a-policy" class="ulink" target="_top">agent policy</a> assigned to the host in Fleet.
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="position-relative"><h4><a id="endpoint-details"></a>Endpoint details</h4></div>
<p>Click any link in the <span class="strong strong"><strong>Endpoint</strong></span> column to display host details in a flyout. You can also use the <span class="strong strong"><strong>Take Action</strong></span> menu button to perform the same actions as those listed in the Actions context menu, such as isolating the host, viewing host details, and viewing or reassigning the agent policy.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/host-flyout.png" alt="Endpoint details flyout" width="75%">
</div>
</div>
<div class="position-relative"><h4><a id="response-action-history-tab"></a>Response actions history</h4></div>
<p>The endpoint details flyout also includes the <span class="strong strong"><strong>Response actions history</strong></span> tab, which provides a log of the <a class="xref" href="response-actions.html" title="Endpoint response actions">response actions</a> performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to <a class="xref" href="response-actions-history.html" title="Response actions history"><em>Response actions history</em></a> for more details.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/response-actions-history-endpoint-details.png" alt="Response actions history with a few past actions" width="75%">
</div>
</div>
<div class="position-relative"><h4><a id="integration-policy-details"></a>Integration policy details</h4></div>
<p>To view the integration policy page, click the link in the <span class="strong strong"><strong>Policy</strong></span> column. If you are viewing host details, you can also click the <span class="strong strong"><strong>Policy</strong></span> link on the flyout.</p>
<p>On this page, you can view and configure endpoint protection and event collection settings. In the upper-right corner are Key Performance Indicators (KPIs) that provide current endpoint status. If you need to update the policy, make changes as appropriate, then click the <span class="strong strong"><strong>Save</strong></span> button to apply the new changes.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Users must have permission to read/write to Fleet APIs to make changes to the configuration.</p>
</div>
</div>
<div class="imageblock screenshot">
<div class="content">
<img src="images/integration-pg.png" alt="Integration page">
</div>
</div>
<p>Users who have unique configuration and security requirements can select <span class="strong strong"><strong>Show advanced settings</strong></span> to configure the policy to support advanced use cases. Hover over each setting to view its description.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Advanced settings are not recommended for most users.</p>
</div>
</div>
<div class="imageblock screenshot">
<div class="content">
<img src="images/integration-advanced-settings.png" alt="Integration page">
</div>
</div>
<div class="position-relative"><h4><a id="policy-status"></a>Policy status</h4></div>
<p>The status of the integration policy appears in the <span class="strong strong"><strong>Policy status</strong></span> column and displays one of the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<code class="literal">Success</code>: The policy was applied successfully.
</li>
<li class="listitem">
<p><code class="literal">Warning</code> or <code class="literal">Partially Applied</code>: The policy is pending application, or the policy was not applied in its entirety.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>In some cases, actions taken on the endpoint may fail during policy application, but these are not critical failures: something did not apply, yet the endpoints are still protected. In this case, the policy status displays as "Partially Applied."</p>
</div>
</div>
</li>
<li class="listitem">
<code class="literal">Failure</code>: The policy did not apply correctly, and endpoints are not protected.
</li>
<li class="listitem">
<code class="literal">Unknown</code>: The user interface is waiting for the API response to return, or, in rare cases, the API returned an undefined error or value.
</li>
</ul>
</div>
<p>For more details on what’s causing a policy status, click the link in the <span class="strong strong"><strong>Policy status</strong></span> column and review the details flyout. Expand each section and subsection to display individual responses from the agent.</p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you need help troubleshooting a configuration failure, refer to <a class="xref" href="ts-management.html#ts-unhealthy-agent" title="Unhealthy Elastic Agent status">Endpoint management troubleshooting</a> and <a href="/guide/en/fleet/8.18/fleet-troubleshooting.html" class="ulink" target="_top">Fleet troubleshooting</a>.</p>
</div>
</div>
<div class="imageblock screenshot">
<div class="content">
<img src="images/config-status.png" alt="Config status details" width="65%">
</div>
</div>
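<p>As an added example (not code from the Elastic documentation), the following Python script applies the agent status and policy status semantics described above to a constructed endpoint list and reports which hosts an administrator should review. The record fields, the offline grace period, the expected version and the sample rows are this example's own assumptions, not Elastic's API schema.</p>

```python
# Added example (not Elastic's code): triage an endpoint list like the one above.
# Field names, thresholds and the sample rows are this example's own construction;
# the agent and policy status values are the ones the Endpoints page displays.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy statuses from the page: Failure means the endpoint is NOT protected,
# Warning / Partially Applied means it is protected but something did not apply.
UNPROTECTED = {"Failure"}
DEGRADED = {"Warning", "Partially Applied"}


@dataclass
class Endpoint:
    hostname: str
    agent_status: str      # Healthy, Unenrolling, Unhealthy, Updating, Offline
    policy_status: str     # Success, Warning, Partially Applied, Failure, Unknown
    last_active: datetime  # UTC timestamp of the agent's last check-in
    version: str           # Elastic Stack version the agent is running


def triage(endpoints, now, expected_version, offline_grace=timedelta(days=7)):
    """Return {hostname: [reason, ...]} for endpoints an administrator should review.

    The offline grace period and expected version are assumptions for this
    example; choose values that match your own fleet's upgrade cadence.
    """
    findings = {}
    for ep in endpoints:
        reasons = []
        if ep.policy_status in UNPROTECTED:
            reasons.append("policy failed to apply: host is NOT protected")
        elif ep.policy_status in DEGRADED:
            reasons.append("policy partially applied: review the policy status flyout")
        elif ep.policy_status == "Unknown":
            reasons.append("policy status unknown: API response pending or undefined")
        if ep.agent_status == "Unhealthy":
            reasons.append("agent unhealthy: failed upgrade or missing prerequisites")
        elif ep.agent_status == "Offline":
            # Offline may just mean the machine is shut down, so only flag it
            # once the agent has been silent longer than the grace period.
            silent_for = now - ep.last_active
            if silent_for > offline_grace:
                reasons.append(f"offline for {silent_for.days} days: shut down or never unenrolled")
        if ep.version != expected_version:
            reasons.append(f"version drift: running {ep.version}, expected {expected_version}")
        if reasons:
            findings[ep.hostname] = reasons
    return findings


# Constructed sample rows mirroring the columns of the Endpoints list.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE = [
    Endpoint("web-01", "Healthy", "Success", NOW - timedelta(minutes=5), "8.18.0"),
    Endpoint("db-02", "Healthy", "Failure", NOW - timedelta(minutes=2), "8.18.0"),
    Endpoint("lap-03", "Offline", "Success", NOW - timedelta(days=30), "8.17.2"),
    Endpoint("lap-04", "Offline", "Success", NOW - timedelta(hours=6), "8.18.0"),
    Endpoint("build-05", "Unhealthy", "Partially Applied", NOW - timedelta(minutes=1), "8.18.0"),
]


def run_sample():
    """Triage the constructed sample against an assumed 8.18.0 rollout."""
    return triage(SAMPLE, NOW, expected_version="8.18.0")


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```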
<div class="position-relative"><h4><a id="_filter_endpoints"></a>Filter endpoints</h4></div>
<p>To filter the Endpoints list, use the search bar to enter a query using <span class="strong strong"><strong><a href="/guide/en/kibana/8.18/kuery-query.html" class="ulink" target="_top">Kibana Query Language (KQL)</a></strong></span>. To refresh the search results, click <span class="strong strong"><strong>Refresh</strong></span>.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/filter-endpoints.png" alt="filter endpoints">
</div>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>The date and time picker on the right side of the page allows you to set a time interval to automatically refresh the Endpoints list — for example, to check if new endpoints were added or deleted.</p>
</div>
</div>
</div>
</div>
</div>
<!-- end body -->
</div>
</div>
</div>
</section>
</div>
</section>
</div>
</body>
</html>