elastic · joepeeples · Aug 23, 2022 · Aug 10, 2022 · Aug 10, 2022 · Aug 10, 2022
@@ -75,6 +75,7 @@ From the Alerts table or the alert details flyout, you can:
 * <<add-exception-from-alerts>>
 * <<endpoint-rule-exceptions,Add an endpoint exception from an alert>>
 * <<host-isolation-ov,Isolate an alert's host>>
+* <<response-actions,Perform response actions on an alert's host>> (Alert details flyout only)
 * <<alerts-run-osquery, Run Osquery against an alert>>
 * <<signals-to-timelines>>
 * <<visual-event-analyzer,Visually analyze an alert's process relationships>>

@@ -14,7 +14,12 @@ You must have the built-in `superuser` role to access this feature. For more inf
 [discrete]
 == Endpoints list
 
-The *Endpoints* list displays all hosts running {elastic-sec} and their relevant integration details. Endpoints appear in chronological order, with newly added endpoints at the top. The Endpoints list provides the following data:
+The *Endpoints* list displays all hosts running {elastic-sec} and their relevant integration details. Endpoints appear in chronological order, with newly added endpoints at the top. 
+
+[role="screenshot"]
+image::images/endpoints-pg.png[Endpoints page]
+
+The Endpoints list provides the following data:
 
 * *Endpoint*: The system hostname. Click the link to view host details in a flyout.
 
@@ -32,43 +37,44 @@ The *Endpoints* list displays all hosts running {elastic-sec} and their relevant
 +
 NOTE: {agent} statuses in {fleet} correspond to the agent statuses in the {security-app}.
 
-* *Policy:* The name of the associated policy when the agent was installed. Click the link to view the Integration policy page.
-
-* *Policy Status:* Lists whether the policy application was a success or failure. Click the link to view response details in a flyout.
+* *Policy*: The name of the associated policy when the agent was installed. Click the link to view the Integration policy page.
 
-* *OS:* The associated operating system.
+* *Policy status*: Lists whether the policy application was a success or failure. Click the link to view response details in a flyout.
 
-* *IP address:* All IP addresses associated with the hostname.
+* *OS*: The host's operating system.
 
-* *Version:* The {stack} version currently running.
+* *IP address*: All IP addresses associated with the hostname.
 
-* *Last active:* A date and timestamp of the last time the agent was active.
+* *Version*: The {stack} version currently running.
 
-* *Actions:* Select the context menu (*...*) to do the following:
+* *Last active*: A date and timestamp of the last time the {agent} was active.
 
-** *Isolate host:* <<host-isolation-ov, Isolate the host>> from your network, blocking communication until the host is released.
+* *Actions*: Select the context menu (*...*) to do the following:
 
-** *View host details:* View host details on the *Hosts* page in the {security-app}.
+** *Isolate host*: <<host-isolation-ov, Isolate the host>> from your network, blocking communication until the host is released.
 
-** *View agent policy:* View the policy in {fleet}.
+** *Respond*: Open the <<response-actions,response console>> to perform response actions directly on the host.
 
-** *View agent details:* View agent details and activity logs in {fleet}.
+** *View actions log*: View a history of response actions performed on the host.
 
-** *Reassign agent policy:* Change the {fleet-guide}/agent-policy.html#apply-a-policy[agent policy] assigned to the host in {fleet}.
+** *View host details*: View host details on the *Hosts* page in the {security-app}.
 
+** *View agent policy*: View the agent policy in {fleet}.
 
-[role="screenshot"]
-image::images/endpoints-pg.png[Admin page]
+** *View agent details*: View {agent} details and activity logs in {fleet}.
 
+** *Reassign agent policy*: Change the {fleet-guide}/agent-policy.html#apply-a-policy[agent policy] assigned to the host in {fleet}.
 
-*Endpoint details*
+[discrete]
+=== Endpoint details
 
 Click any link in the *Endpoint* column to display host details in a flyout. You can also use the *Take Action* menu button to perform the same actions as those listed in the Actions context menu, such as isolating the host, viewing host details, and viewing or reassigning the agent policy. 
 
 [role="screenshot"]
 image::images/host-flyout.png[Admin page,width=75%]
 
-*Integration policy details*
+[discrete]
+=== Integration policy details
 
 To view the integration policy page, click the link in the *Policy* column. If you are viewing host details, you can also click the *Policy* link on the flyout.
 
@@ -86,7 +92,8 @@ NOTE: Advanced settings are not recommended for most users.
 [role="screenshot"]
 image::images/advanced-settings.png[Integration page]
 
-*Policy status*
+[discrete]
+=== Policy status
 
 The status of the policy application appears in the *Status* column and displays one of the following possibilities:
 

@@ -13,41 +13,59 @@ Host isolation is a https://www.elastic.co/pricing[Platinum or Enterprise subscr
 For {stack} version >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions:
 
 * CentOS/RHEL 8
+* Debian 11
 * Ubuntu 18.04
 * Ubuntu 20.04
+* Ubuntu 22.04
 * AWS Linux 2
 
 To isolate and release hosts in any operating system, you must have the built-in `superuser` role. For more information, refer to {ref}/built-in-users.html[Built-in users].
 =========================
 
 [role="screenshot"]
-image::images/isolated-host.png[Shows a host that's been isolated]
+image::images/isolated-host.png[Endpoint page highlighting a host that's been isolated]
 
-You can isolate a host from an alert attached to a case or from the Endpoints list. Once a host is successfully isolated, an `Isolated` status displays next to the `Agent status` field, which you can view on the alert details flyout or Endpoints list table.
+You can isolate a host from an alert attached to a case, from the Endpoints page, or (with an Enterprise subscription) from the endpoint response console. Once a host is successfully isolated, an `Isolated` status displays next to the `Agent status` field, which you can view on the alert details flyout or Endpoints list table.
 
-TIP: If the request fails, verify that the agent and your endpoint are both online before trying again.
+TIP: If the request fails, verify that the {agent} and your endpoint are both online before trying again.
 
-All actions executed on a host are tracked in the host’s activity log, which you can access from the Endpoints page. See <<view-host-isolation-details, View host isolation details>> for more information.
+All actions executed on a host are tracked in the host’s actions log, which you can access from the Endpoints page. See <<view-host-isolation-details, View host isolation history>> for more information.
 
 [discrete]
 [[isolate-a-host]]
 == Isolate a host
 
-To isolate a host from a case alert:
-
+.Isolate a host from a case alert
+[%collapsible]
+====
 . Go to *Cases*, then select the appropriate case to view the case activity. Ensure you are viewing a case with at least one alert attached to it.
 . Find the appropriate alert, then click the *Show alert details* button (*>*). The alert details flyout opens.
 . Click *Take action -> Isolate host*.
 . Enter a comment describing why you’re isolating the host (optional).
 . Click *Confirm*.
+====
 
-To isolate a host from an endpoint:
-
+.Isolate a host from an endpoint
+[%collapsible]
+====
 . Go to *Manage -> Endpoints*, then either:
     * Select the appropriate endpoint in the *Endpoint* column, and click *Take action -> Isolate host* in the endpoint details flyout.
     * Click the *Actions* menu (*...*) on the appropriate endpoint, then select *Isolate host*.
 . Enter a comment describing why you’re isolating the host (optional).
 . Click *Confirm*.
+====
+
+.Isolate a host from the response console
+[%collapsible]
+====
+NOTE: The response console is an https://www.elastic.co/pricing[Enterprise subscription] feature.
+
+. Open the response console for the endpoint (*Manage* -> *Endpoints* -> *Actions* menu (*...*) -> *Respond*).
+. Enter the `isolate` command and an optional comment in the input area, for example:
++
+`isolate --comment "Isolate this host"`
+. Press *Return*.
+====
 
 After the host is successfully isolated, an *Isolated* status is added to the endpoint. Active end users receive a notification that the computer has been isolated from the network:
 
@@ -58,21 +76,37 @@ image::images/host-isolated-notif.png[Host isolated notification message,350]
 [[release-a-host]]
 == Release a host
 
-To release a host from a case alert:
-
+.Release a host from a case alert
+[%collapsible]
+====
 . Go to *Cases*, then click on the appropriate case to view the case activity its details.
 . Find the appropriate alert, then click the *Show alert details* button (*>*). The alert details flyout opens.
 . From the alert details flyout, click *Take action -> Release host*.
 . Enter a comment describing why you're releasing the host (optional).
 . Click *Confirm*.
+====
 
-To release a host from an endpoint:
-
+.Release a host from an endpoint
+[%collapsible]
+====
 . Go to *Manage -> Endpoints*, then either:
     * Select the appropriate endpoint in the *Endpoint* column, and click *Take action -> Release host* in the endpoint details flyout.
     * Click the *Actions* menu (*...*) on the appropriate endpoint, then select *Release host*.
 . Enter a comment describing why you're releasing the host (optional).
 . Click *Confirm*.
+====
+
+.Release a host from the response console
+[%collapsible]
+====
+NOTE: The response console is an https://www.elastic.co/pricing[Enterprise subscription] feature.
+
+. Open the response console for the endpoint (*Manage* -> *Endpoints* -> *Actions* menu (*...*) -> *Respond*).
+. Enter the `release` command and an optional comment in the input area, for example:
++
+`release --comment "Release this host"`
+. Press *Return*.
+====
 
 After the host is successfully released, the *Isolated* status is removed from the endpoint. Active end users receive a notification that the computer has been reconnected to the network:
 
@@ -81,15 +115,15 @@ image::images/host-released-notif.png[Host released notification message,350]
 
 [discrete]
 [[view-host-isolation-details]]
-== View host isolation details
+== View host isolation history
 
-The host activity log tracks all actions performed on the host, including comments added, who made the host isolation request and when, and when the host received the request to isolate.
+The actions log provides a history of response actions performed on a host, such as isolating the host or terminating a process. The log displays when each command was performed, the user who performed the action, any comments added to the action, and the action's current status. 
 
-To view the host’s isolation details:
+To view a host’s actions log:
 
 . Go to *Manage -> Endpoints*, then click the host's name in the *Endpoint* column. The endpoint details flyout opens.
-. Click *Activity Log* to view the endpoint's activity history.
-. Use the date and time picker to view endpoint activity within a specific date and time period.
+. Click *Actions Log*.
+. Use the date and time picker to display actions within a specific time period.
 
 [role="screenshot"]
-image::images/activity-log.png[Shows the activity log of an isolated host,75%]
+image::images/activity-log.png[Actions log with a few past actions,75%]
@@ -1,4 +1,124 @@
 [[response-actions]]
 = Endpoint response actions
 
-This page is a placeholder for future documentation.
+The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <<actions-log,actions log>> for reference.
+
+Response actions are supported on all endpoint platforms (Linux, macOS, and Windows).
+
+[NOTE]
+=====
+Response actions and the response console UI are https://www.elastic.co/pricing[Enterprise subscription] features.
+
+Endpoints must have {agent} version 8.4 or higher installed with the {endpoint-cloud-sec} integration to receive response actions.
+=====
+
+[role="screenshot"]
+image::images/response-console.png[Response console UI]
+
+Launch the response console from any of the following places in {elastic-sec}:
+
+* *Endpoints* page -> *Actions* menu (*...*) -> *Respond*
+* Endpoint details flyout -> *Take action* -> *Respond*
+* Alert details flyout -> *Take action* -> *Respond*
+
+To perform an action on the endpoint, enter a <<response-action-commands,response action command>> in the input area at the bottom of the console, then press *Return*. Output from the action is displayed in the console.
+
+If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the actions log.
+
+NOTE: Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running. 
+
+Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the <<actions-log,actions log>>.
+
+IMPORTANT: Once you submit a response action, you can't cancel it, even if the action is pending for an offline host.
+
+[[response-action-commands]]
+== Response action commands
+
+The following response action commands are available in the response console.
+
+=== `isolate`
+<<host-isolation-ov,Isolate the host>>, blocking communication with other hosts on the network.
+
+Example: `isolate --comment "Isolate host related to detection alerts"`
+
+=== `release`
+Release an isolated host, allowing it to communicate with the network again.
+
+Example: `release --comment "Release host, everything looks OK"`
+
+=== `status`
+Show information about the host's status, including: {agent} status and version, the {endpoint-cloud-sec} integration's policy status, and when the host was last active.
+
+=== `processes`
+Show a list of all processes running on the host. This action may take a minute or so to complete.
+
+[TIP]
+====
+Use this command to get current PID or entity ID values, which are required for other response actions such as `kill-process` and `suspend-process`.
+
+Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system.
+====
+
+=== `kill-process`
+
+Terminate a process. You must include one of the following parameters to identify the process to terminate:
+
+* `--pid` : A process ID (PID) representing the process to terminate.
+* `--entityId` : An entity ID representing the process to terminate.
+
+Example: `kill-process --pid 123 --comment "Terminate suspicious process"`
+
+=== `suspend-process`
+
+Suspend a process. You must include one of the following parameters to identify the process to suspend:
+
+* `--pid` : A process ID (PID) representing the process to suspend.
+* `--entityId` : An entity ID representing the process to suspend.
+
+Example: `suspend-process --pid 123 --comment "Suspend suspicious process"`
+
+[[supporting-commands-parameters]]
+== Supporting commands and parameters
+
+=== `--comment`
+
+Add to a command to include a comment explaining or describing the action. Comments are included in the actions log.
+
+=== `--help`
+
+Add to a command to get help for that command.
+
+Example: `isolate --help`
+
+=== `clear`
+
+Clear all output from the response console.
+
+=== `help`
+
+List supported commands in the console output area.
+
+TIP: You can also get a list of commands in the <<help-panel,Help panel>>, which stays on the screen independently of the output area.
+
+[[help-panel]]
+== Help panel
+
+Click image:images/help-icon.png[Help icon,17,18] *Help* in the upper-right to open the *Help* panel, which lists available response action commands and parameters as a reference.
+
+You can use this panel to build commands with less typing. Click the add icon (image:images/add-command-icon.png[Add icon,17,17]) to add a command to the input area, enter any additional parameters or a comment, then press *Return* to run the command.
+
+[role="screenshot"]
+image::images/response-console-help-panel.png[Help panel,60%]
+
+[[actions-log]]
+== Actions log
+
+Click *Actions log* to display a history of response actions performed on the host, such as isolating the host or terminating a process. The actions log includes when each command was performed, the user who performed the action, any comments added to the action, and the action's current status. 
+
+* Click the expand arrow on the right to display more details about an action.
+* Use the date and time picker to display actions within a specific time range.
+
+TIP: You can also access the actions log from the Endpoints page (*Manage* -> *Endpoints* -> *_Endpoint name_* -> *Actions Log*).
+
+[role="screenshot"]
+image::images/response-console-actions-log.png[Actions log with a few past actions,75%]
@@ -1,6 +1,6 @@
 [[sec-manage-intro]]
 
-= Manage
+= Endpoint management
 
 The following section provides an overview of the management tools admins can use to manage endpoints, integration policies, trusted applications, event filters, host isolation exceptions, and blocked applications.
 

@@ -1,7 +1,7 @@
 [[ts-management]]
-== Management tools
+== Endpoint management
 
-This topic covers common troubleshooting issues when using {elastic-sec} <<sec-manage-intro, management tools>>.
+This topic covers common troubleshooting issues when using {elastic-sec} <<sec-manage-intro, endpoint management tools>>.
 
 [discrete]
 [[ts-endpoints]]