Automated response actions

Add Elastic Defend's response actions to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events.
Requirements
- Automated response actions require the Endpoint Protection Complete project feature.
- Hosts must have Elastic Agent installed with the Elastic Defend integration.
- Your user role must have the ability to create detection rules and the privilege to perform specific response actions (for example, custom roles require the Host Isolation privilege to isolate hosts).
To add automated response actions to a new or existing rule:

1. Do one of the following:
   - New rule: On the last step of rule creation, go to the Response Actions section and select Elastic Defend.
   - Existing rule: Edit the rule's settings, then go to the Actions tab. In the tab, select Elastic Defend under the Response Actions section.
2. Select an option in the Response action field:
   - Isolate: Isolate the host, blocking communication with other hosts on the network.
   - Kill process: Terminate a process on the host.
   - Suspend process: Temporarily suspend a process on the host.

   Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.
3. For process actions, specify how to identify the process you want to terminate or suspend:
   - Turn on the toggle to use the alert's process.pid value as the identifier.
   - To use a different alert field value to identify the process, turn off the toggle and enter the Custom field name.
4. Enter a comment describing why you're performing the action on the host (optional).
5. To finish adding the response action, click Create & enable rule (for a new rule) or Save changes (for existing rules).
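The steps above boil down to two decisions the rule carries: which command to run, and, for process actions, which alert field supplies the process identifier. The Python below is an added illustration of that logic, not Elastic Defend's own code or its rule API: it builds the per-rule action the way the form does (toggle on means process.pid, toggle off means a custom field), then resolves a concrete target from a constructed sample alert and rejects the cases a reviewer would want caught (a process action with no identifier, an isolate action given one, a custom field that is absent from the alert). The host.id / agent.id lookup and the dotted field names are assumptions for the example.

```python
"""Added example: model the response-action choice described in the page.

Illustrative only; it is not Elastic Defend's implementation or API payload.
"""
from typing import Any, Optional

VALID_COMMANDS = {"isolate", "kill-process", "suspend-process"}
PROCESS_COMMANDS = {"kill-process", "suspend-process"}


def get_field(doc: dict, dotted: str) -> Optional[Any]:
    """Look up a dotted field name (e.g. 'process.parent.pid') in a nested alert document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_response_action(command: str, use_alert_pid: bool = True,
                          custom_field: Optional[str] = None,
                          comment: Optional[str] = None) -> dict:
    """Build the rule's response-action config as the form fields would.

    use_alert_pid=True mirrors the toggle being on (use the alert's process.pid);
    False mirrors turning it off and entering a Custom field name.
    """
    if command not in VALID_COMMANDS:
        raise ValueError(f"unknown response action: {command}")
    action: dict = {"command": command}
    if comment:
        action["comment"] = comment
    if command in PROCESS_COMMANDS:
        if use_alert_pid:
            action["field"] = "process.pid"
        else:
            if not custom_field:
                raise ValueError("custom field name required when not using process.pid")
            action["field"] = custom_field
    elif custom_field or not use_alert_pid:
        # Isolate acts on the whole host; a process identifier makes no sense here.
        raise ValueError("isolate does not take a process identifier")
    return action


def resolve_target(action: dict, alert: dict) -> dict:
    """Given a rule action and a matching alert, work out what would be acted on.

    Returns the host identifier and, for process actions, the resolved pid.
    Assumes the alert carries host.id (falling back to agent.id).
    """
    host_id = get_field(alert, "host.id") or get_field(alert, "agent.id")
    if host_id is None:
        raise ValueError("alert has no host.id/agent.id to target")
    target = {"command": action["command"], "host_id": host_id}
    if action["command"] in PROCESS_COMMANDS:
        pid = get_field(alert, action["field"])
        if not isinstance(pid, int) or pid <= 0:
            raise ValueError(f"alert field {action['field']!r} is missing or not a valid pid")
        target["pid"] = pid
    return target


# Constructed sample alert (not real data).
SAMPLE_ALERT = {
    "host": {"id": "host-0001", "name": "ws-finance-07"},
    "process": {"pid": 4242, "name": "suspicious.exe", "parent": {"pid": 1337}},
}

if __name__ == "__main__":
    kill = build_response_action("kill-process", comment="auto-kill on rule match")
    print(resolve_target(kill, SAMPLE_ALERT))
    suspend_parent = build_response_action(
        "suspend-process", use_alert_pid=False, custom_field="process.parent.pid")
    print(resolve_target(suspend_parent, SAMPLE_ALERT))
```

The custom-field path is where most mistakes happen in practice: if the field you name is not populated on the alerts the rule produces, the action has nothing to act on, so validating the field against a sample alert before enabling the rule is a cheap check.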