Elastic Endpoint command reference
This page lists the commands for management and troubleshooting of Elastic Endpoint, the installed component that performs Elastic Defend's threat monitoring and prevention.

- Elastic Endpoint is not added to the PATH system variable, so you must prepend the commands with the full OS-dependent path:
  - On Windows: "C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"
  - On macOS: /Library/Elastic/Endpoint/elastic-endpoint
  - On Linux: /opt/Elastic/Endpoint/elastic-endpoint
- You must run the commands with elevated privileges: use sudo to run as the root user on Linux and macOS, or run as Administrator on Windows.

The following Elastic Endpoint commands are available: diagnostics, help, inspect, install, memorydump, run, send, status, test, top, uninstall, and version. Each is described below.

Each of the commands accepts the following logging options:

- --log [stdout,stderr,debugview,file]
- --log-level [error,info,debug]
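As an added example (this wrapper is not part of Elastic's documentation or tooling), the POSIX shell script below applies the rules above: it resolves the binary's documented location from uname -s, validates the --log and --log-level values against the lists on this page before passing them through, and escalates with sudo when it is not already running as root. The function names, the argument order (logging options appended after the command and its own arguments) and the Windows branch are assumptions; only the paths and option values come from this page.

```shell
#!/bin/sh
# Added example, not Elastic's code: resolve the Elastic Endpoint binary path,
# validate the documented logging options, and run a command with elevated
# privileges. Paths and option values are taken from the command reference;
# function names, argument order and the Windows mapping are our assumptions.

# Map a kernel name (as printed by `uname -s`) to the documented install path.
# The Windows entry is kept for completeness; this script targets Linux/macOS.
endpoint_path() {
    case "$1" in
        Linux)  printf '%s\n' '/opt/Elastic/Endpoint/elastic-endpoint' ;;
        Darwin) printf '%s\n' '/Library/Elastic/Endpoint/elastic-endpoint' ;;
        MINGW*|MSYS*|CYGWIN*|Windows*)
                printf '%s\n' 'C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe' ;;
        *)      printf 'unsupported platform: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Accept only the --log-level values listed on this page.
valid_log_level() {
    case "$1" in
        error|info|debug) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept a comma-separated --log value built only from stdout, stderr,
# debugview and file. Empty values and unknown targets are rejected.
valid_log_targets() {
    _targets=$1
    [ -n "$_targets" ] || return 1
    _old_ifs=$IFS
    IFS=,
    for _t in $_targets; do
        case "$_t" in
            stdout|stderr|debugview|file) ;;
            *) IFS=$_old_ifs; return 1 ;;
        esac
    done
    IFS=$_old_ifs
    return 0
}

# Run an elastic-endpoint command with the chosen logging options, via sudo when
# we are not root. Usage: run_endpoint <log-targets> <log-level> <command> [args...]
# Appending the logging options after the command's own arguments is an assumption.
run_endpoint() {
    _targets=$1
    _level=$2
    shift 2
    valid_log_targets "$_targets" || { echo "bad --log value: $_targets" >&2; return 2; }
    valid_log_level "$_level"     || { echo "bad --log-level value: $_level" >&2; return 2; }
    _bin=$(endpoint_path "$(uname -s)") || return 2
    [ -x "$_bin" ] || { echo "Elastic Endpoint binary not found at $_bin" >&2; return 3; }
    if [ "$(id -u)" -eq 0 ]; then
        "$_bin" "$@" --log "$_targets" --log-level "$_level"
    else
        sudo "$_bin" "$@" --log "$_targets" --log-level "$_level"
    fi
}

# Example invocation: ./endpoint-run.sh stderr debug status --output json
if [ "$#" -gt 0 ]; then
    run_endpoint "$@"
fi
```

Validating the option values in the wrapper rather than in the binary gives a clear error message before sudo prompts for a password, and keeping the path table in one function is the only place you have to change when a host runs an unexpected kernel name.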
elastic-endpoint diagnostics

Gather diagnostics information from Elastic Endpoint. This command produces an archive that contains:

- version.txt: Version information
- elastic-endpoint.yaml: Current policy
- metrics.json: Metrics document
- policy_response.json: Last policy response
- system_info.txt: System information
- analysis.txt: Diagnostic analysis report
- logs directory: Copy of Elastic Endpoint log files

Because the archive includes the current policy, system information and log files, treat it as sensitive when you share it for support.

Example

elastic-endpoint diagnostics
elastic-endpoint help

Show help for the available commands.

Example

elastic-endpoint help

elastic-endpoint inspect

Show the current Elastic Endpoint configuration.

Example

elastic-endpoint inspect
elastic-endpoint install

Install Elastic Endpoint as a system service.

We do not recommend installing Elastic Endpoint using this command. Elastic Endpoint is managed by Elastic Agent and cannot function as a standalone service. Therefore, there is no separate installation package for Elastic Endpoint, and it should not be installed independently.

Options

- --resources <string>: Specify a resources .zip file to be used during the installation. This option is required.
- --upgrade: Upgrade the existing installation.

Example

elastic-endpoint install --upgrade --resources endpoint-security-resources.zip
elastic-endpoint memorydump

Save a memory dump of the Elastic Endpoint service.

Options

- --compress: Compress the saved memory dump.
- --timeout <duration>: Specify the memory collection timeout, in seconds; the default is 60 seconds.

Example

elastic-endpoint memorydump --timeout 120
elastic-endpoint run

Run elastic-endpoint as a foreground process if no other instance is already running.

Example

elastic-endpoint run

elastic-endpoint send

Send the requested document to the Elastic Stack.

Subcommands

- metadata: Send an off-schedule metrics document to the Elastic Stack.

Example

elastic-endpoint send metadata
elastic-endpoint status

Retrieve the current status of the running Elastic Endpoint service. The command also returns the last known status of Elastic Agent.

Options

- --output: Control the level of detail and formatting of the information. Valid values are:
  - human: Returns limited information when Elastic Endpoint's status is Healthy. If any policy actions weren't successfully applied, the relevant details are displayed.
  - full: Always returns the full status information.
  - json: Always returns the full status information, formatted as JSON.

Example

elastic-endpoint status --output json
elastic-endpoint test

Perform the requested test.

Subcommands

- output: Test whether Elastic Endpoint can connect to remote resources.

Example

elastic-endpoint test output

Example output

Testing output connections

Using proxy:

Elasticsearch server: https://example.elastic.co:443
Status: Success

Global artifact server: https://artifacts.security.elastic.co
Status: Success

Fleet server: https://fleet.example.elastic.co:443
Status: Success
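The output above is written for a human reader. As an added example (our code, not Elastic's), the parser below turns it into an exit code so that a provisioning or health-check script can fail when any of the three targets is unreachable. It relies only on the two line shapes shown in the example output ("<name> server: <url>" followed by "Status: <value>"). The sample text is constructed from that output with the Fleet status changed to a failure so the check has something to report; the word "Failure" for the failed state is an assumption, since the page only shows "Success".

```shell
#!/bin/sh
# Added example, not Elastic's code: parse `elastic-endpoint test output` text
# and report every target whose status is not "Success".
# The parser depends only on the line shapes shown in the documented example.

# Read `test output` text on stdin. Print one "<name>|<url>|<status>" line per
# target whose status is anything other than Success; exit 0 only if all passed.
failed_outputs() {
    awk '
        # A target line looks like "Elasticsearch server: https://host:443".
        /^[A-Za-z ]+ server: / {
            name = $0; sub(/ server: .*/, "", name)
            url  = $0; sub(/^[^:]*: /, "", url)
            next
        }
        # The "Status:" line that follows belongs to the target just seen.
        /^Status: / && name != "" {
            status = $2
            if (status != "Success") { print name "|" url "|" status; failures++ }
            name = ""; url = ""
        }
        END { exit (failures > 0 ? 1 : 0) }
    '
}

# Run the check over a text captured in a variable; returns 1 when any target failed.
check_outputs() {
    printf '%s\n' "$1" | failed_outputs
}

# Constructed sample: the example output from this page, with the Fleet status
# changed to a failure (the "Failure" wording is our assumption).
SAMPLE_OUTPUT='Testing output connections

Using proxy:

Elasticsearch server: https://example.elastic.co:443
Status: Success

Global artifact server: https://artifacts.security.elastic.co
Status: Success

Fleet server: https://fleet.example.elastic.co:443
Status: Failure'

# Against a live host you would run, as root:
#   /opt/Elastic/Endpoint/elastic-endpoint test output | failed_outputs
# Here the parser runs over the constructed sample instead.
check_outputs "$SAMPLE_OUTPUT" || echo "one or more Elastic Endpoint outputs are unreachable" >&2
```

The failed target, its URL and the reported status are printed on one pipe-separated line each, which is easy to forward to a ticket or a log shipper; the exit status alone is enough for a rollout gate.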
elastic-endpoint top

Show a breakdown of the executables that triggered Elastic Endpoint CPU usage within the last interval. This displays which Elastic Endpoint features are resource-intensive for a particular executable.

The meaning and output of this command are similar, but not identical, to the POSIX top command. The elastic-endpoint top command aggregates multiple processes by executable. The utilization values aren't measured by the OS scheduler but by a wall clock in user mode. The output helps identify outliers causing excessive CPU utilization, allowing you to fine-tune the Elastic Defend policy and exception lists in your deployment.

Options

- --interval <duration>: Specify the data collection interval, in seconds; the default is 5 seconds.
- --limit <number>: Specify the number of updates to collect; by default, data is collected until interrupted by Ctrl+C.
- --normalized: Normalize CPU usage values to a total of 100% across all CPUs on multi-CPU systems.

Example

elastic-endpoint top --interval 10 --limit 5

Example output

| PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG |
=============================================================================================================================================================
| MSBuild.exe | 3146.0 | 0.0 | 0.8 | 0.7 | 0.0 | 2330.9 | 0.0 | 226.2 | 586.9 | 0.0 | 0.0 | 0.4 | 0.0 |
| Microsoft.Management.Services.IntuneWindowsAgen... | 30.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 29.8 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| svchost.exe | 27.3 | 0.0 | 0.1 | 0.1 | 0.0 | 0.4 | 0.2 | 0.0 | 26.6 | 0.0 | 0.0 | 0.0 | 0.0 |
| LenovoVantage-(LenovoServiceBridgeAddin).exe | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| msedgewebview2.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| msedge.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| powershell.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| WmiPrvSE.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Slack.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| uhssvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| explorer.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| taskhostw.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Widgets.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| elastic-endpoint.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| sppsvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |

Endpoint service (16 CPU): 113.0% out of 1600%
Collecting data. Press Ctrl-C to cancel
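As an added example (not part of the Elastic documentation), the script below takes top output like the sample above and lists the executables whose cost in a chosen feature column exceeds a threshold, highest first. That is the shortlist a practitioner reviews before touching trusted applications or event filters: in the sample, MSBuild.exe dominates the FILE, MEM SCAN and MLWR columns. The parser and the threshold are ours, and the sample is constructed from four rows of the example output above. It goes slightly beyond the page in that it accepts any column name from the header row, not just FILE.

```shell
#!/bin/sh
# Added example, not Elastic's code: find the executables in `elastic-endpoint top`
# output whose value in one feature column exceeds a threshold.
# The column layout is the one shown in the documented example output.

# Constructed sample: header plus four rows from the example output on this page.
SAMPLE_TOP='| PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG |
=============================================================================================================================================================
| MSBuild.exe | 3146.0 | 0.0 | 0.8 | 0.7 | 0.0 | 2330.9 | 0.0 | 226.2 | 586.9 | 0.0 | 0.0 | 0.4 | 0.0 |
| Microsoft.Management.Services.IntuneWindowsAgen... | 30.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 29.8 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| svchost.exe | 27.3 | 0.0 | 0.1 | 0.1 | 0.0 | 0.4 | 0.2 | 0.0 | 26.6 | 0.0 | 0.0 | 0.0 | 0.0 |
| elastic-endpoint.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
Endpoint service (16 CPU): 113.0% out of 1600%
Collecting data. Press Ctrl-C to cancel'

# Usage: top_outliers <column name> <threshold> < top-output
# Prints "<value> <process>" for each row whose value in the named column
# (FILE, "MEM SCAN", MLWR, ...) is above the threshold, largest value first.
# Returns 2 if the column name is not present in the header row.
top_outliers() {
    _rows=$(awk -F '|' -v want="$1" -v limit="$2" '
        # Header row: find the requested column by name (cells are space-padded).
        !col && /^\| *PROCESS *\|/ {
            for (i = 2; i <= NF; i++) {
                h = $i; gsub(/^ +| +$/, "", h)
                if (h == want) col = i
            }
            if (!col) { print "unknown column: " want > "/dev/stderr"; exit 2 }
            next
        }
        # Anything before the header, the "====" separator and the footer lines
        # are not table rows.
        !col || !/^\|/ { next }
        {
            proc = $2; gsub(/^ +| +$/, "", proc)
            v = $col;  gsub(/^ +| +$/, "", v)
            if (v + 0 > limit) print v, proc
        }
    ') || return $?
    [ -n "$_rows" ] || return 0
    printf '%s\n' "$_rows" | sort -nr
}

# Which executables cost more than 100 units of FILE-event processing?
# Against a live host: elastic-endpoint top --limit 1 | top_outliers FILE 100
printf '%s\n' "$SAMPLE_TOP" | top_outliers FILE 100
```

A process that is hot in one column only (here MSBuild.exe in FILE) is a candidate for a narrow event filter on that event type; a process that is hot across MLWR and MEM SCAN as well usually means the build output directory itself should be reviewed before any exception is written.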
Column abbreviations

- API: Event Tracing for Windows (ETW) API events
- AUTH: Authentication events
- BHVR: Malicious behavior protection
- CRED: Credential access events
- DIAG BHVR: Diagnostic malicious behavior protection
- DNS: DNS events
- FILE: File events
- LIB: Library load events
- MEM SCAN: Memory scanning
- MLWR: Malware protection
- NET: Network events
- PROC: Process events
- PROC INJ: Process injection
- RANSOM: Ransomware protection
- REG: Registry events
elastic-endpoint uninstall

Uninstall Elastic Endpoint.

Elastic Endpoint is managed by Elastic Agent. To remove Elastic Endpoint from the target machine permanently, remove the Elastic Defend integration from the Fleet policy. The elastic-agent uninstall command also uninstalls Elastic Endpoint; therefore, in practice, the elastic-endpoint uninstall command is used only to troubleshoot broken installations.

Options

- --uninstall-token <string>: Provide the uninstall token. The token is required if agent tamper protection is enabled. Treat the token as a credential: anyone who holds it can remove the endpoint protection from the host.

Example

elastic-endpoint uninstall --uninstall-token 12345678901234567890123456789012

elastic-endpoint version

Show the version of Elastic Endpoint.

Example

elastic-endpoint version