Elastic Endpoint command reference

edit

This page lists the commands for management and troubleshooting of Elastic Endpoint, the installed component that performs Elastic Defend’s threat monitoring and prevention.

  • Elastic Endpoint is not added to the PATH system variable, so you must prepend the commands with the full OS-dependent path:

    • On Windows: "C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"
    • On macOS: /Library/Elastic/Endpoint/elastic-endpoint
    • On Linux: /opt/Elastic/Endpoint/elastic-endpoint
  • You must run the commands with elevated privileges—using sudo to run as the root user on Linux and macOS, or running as Administrator on Windows.

The following Elastic Endpoint commands are available:

Each of the commands accepts the following logging options:

  • --log [stdout,stderr,debugview,file]
  • --log-level [error,info,debug]

elastic-endpoint diagnostics

edit

Gather diagnostics information from Elastic Endpoint. This command produces an archive that contains:

  • version.txt: Version information
  • elastic-endpoint.yaml: Current policy
  • metrics.json: Metrics document
  • policy_response.json: Last policy response
  • system_info.txt: System information
  • analysis.txt: Diagnostic analysis report
  • logs directory: Copy of Elastic Endpoint log files

Example

edit
elastic-endpoint diagnostics

elastic-endpoint help

edit

Show help for the available commands.

Example

edit
elastic-endpoint help

elastic-endpoint install

edit

Install Elastic Endpoint as a system service.

We do not recommend installing Elastic Endpoint using this command. Elastic Endpoint is managed by Elastic Agent and cannot function as a standalone service. Therefore, there is no separate installation package for Elastic Endpoint, and it should not be installed independently.

Options

edit
--resources <string>
Specify a resources .zip file to be used during the installation. This option is required.
--upgrade
Upgrade the existing installation.

Example

edit
elastic-endpoint install --upgrade --resources endpoint-security-resources.zip

elastic-endpoint memorydump

edit

Save a memory dump of the Elastic Endpoint service.

Options

edit
--compress
Compress the saved memory dump.
--timeout <duration>
Specify the memory collection timeout, in seconds; the default is 60 seconds.

Example

edit
elastic-endpoint memorydump --timeout 120

elastic-endpoint run

edit

Run elastic-endpoint as a foreground process if no other instance is already running.

Example

edit
elastic-endpoint run

elastic-endpoint send

edit

Send the requested document to the Elastic Stack.

Subcommands

edit
metadata
Send an off-schedule metrics document to the Elastic Stack.

Example

edit
elastic-endpoint send metadata

elastic-endpoint test

edit

Perform the requested test.

Subcommands

edit
output
Test whether Elastic Endpoint can connect to remote resources.

Example

edit
elastic-endpoint test output

Example output

edit
Testing output connections using config file: [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml]

Using proxy:

Elasticsearch server: https://example.elastic.co:443
        Status: Success

Global artifact server: https://artifacts.security.elastic.co
        Status: Success

Fleet server: https://fleet.example.elastic.co:443
        Status: Success

elastic-endpoint top

edit

Show a breakdown of the executables that triggered Elastic Endpoint CPU usage within the last interval. This displays which Elastic Endpoint features are resource-intensive for a particular executable.

The meaning and output of this command are similar, but not identical, to the POSIX top command. The elastic-endpoint top command aggregates multiple processes by executable. The utilization values aren’t measured by the OS scheduler but by a wall clock in user mode. The output helps identify outliers causing excessive CPU utilization, allowing you to fine-tune the Elastic Defend policy and exception lists in your deployment.

Options

edit
--interval <duration>
Specify the data collection interval, in seconds; the default is 5 seconds.
--limit <number>
Specify the number of updates to collect; by default, data is collected until interrupted by Ctrl+C.
--normalized
Normalize CPU usage values to a total of 100% across all CPUs on multi-CPU systems.

Example

edit
elastic-endpoint top --interval 10 --limit 5

Example output

edit
| PROCESS                                            | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE   | LIB | MEM SCAN | MLWR  | NET | PROC | RANSOM | REG |
=============================================================================================================================================================
| MSBuild.exe                                        |  3146.0 | 0.0 |  0.8 |       0.7 | 0.0 | 2330.9 | 0.0 |    226.2 | 586.9 | 0.0 |  0.0 |    0.4 | 0.0 |
| Microsoft.Management.Services.IntuneWindowsAgen... |    30.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.2 |     29.8 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| svchost.exe                                        |    27.3 | 0.0 |  0.1 |       0.1 | 0.0 |    0.4 | 0.2 |      0.0 |  26.6 | 0.0 |  0.0 |    0.0 | 0.0 |
| LenovoVantage-(LenovoServiceBridgeAddin).exe       |     0.1 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.1 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| Lenovo.Modern.ImController.PluginHost.Device.exe   |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| msedgewebview2.exe                                 |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| msedge.exe                                         |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| powershell.exe                                     |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| WmiPrvSE.exe                                       |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| Lenovo.Modern.ImController.PluginHost.Device.exe   |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| Slack.exe                                          |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| uhssvc.exe                                         |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| explorer.exe                                       |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| taskhostw.exe                                      |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| Widgets.exe                                        |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| elastic-endpoint.exe                               |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |
| sppsvc.exe                                         |     0.0 | 0.0 |  0.0 |       0.0 | 0.0 |    0.0 | 0.0 |      0.0 |   0.0 | 0.0 |  0.0 |    0.0 | 0.0 |

Endpoint service (16 CPU): 113.0% out of 1600%

Collecting data.  Press Ctrl-C to cancel
Column abbreviations
edit
  • API: Event Tracing for Windows (ETW) API events
  • AUTH: Authentication events
  • BHVR: Malicious behavior protection
  • CRED: Credential access events
  • DIAG BHVR: Diagnostic malicious behavior protection
  • DNS: DNS events
  • FILE: File events
  • LIB: Library load events
  • MEM SCAN: Memory scanning
  • MLWR: Malware protection
  • NET: Network events
  • PROC: Process events
  • PROC INJ: Process injection
  • RANSOM: Ransomware protection
  • REG: Registry events

elastic-endpoint uninstall

edit

Uninstall Elastic Endpoint.

Elastic Endpoint is managed by Elastic Agent. To remove Elastic Endpoint from the target machine permanently, remove the Elastic Defend integration from the Fleet policy. The elastic-agent uninstall command also uninstalls Elastic Endpoint; therefore, in practice, the elastic-endpoint uninstall command is used only to troubleshoot broken installations.

Options

edit
--uninstall-token <string>
Provide the uninstall token. The token is required if agent tamper protection is enabled.

Example

edit
elastic-endpoint uninstall --uninstall-token 12345678901234567890123456789012

elastic-endpoint version

edit

Show the version of Elastic Endpoint.

Example

edit
elastic-endpoint version