diff --git a/docs/management/admin/admin-pg-ov.asciidoc b/docs/management/admin/admin-pg-ov.asciidoc index 8c1f956c17..3aa98707d9 100644 --- a/docs/management/admin/admin-pg-ov.asciidoc +++ b/docs/management/admin/admin-pg-ov.asciidoc @@ -55,7 +55,7 @@ NOTE: {agent} statuses in {fleet} correspond to the agent statuses in the {secur ** *Respond*: Open the <> to perform response actions directly on the host. -** *View actions log*: View a history of response actions performed on the host. +** *View response actions history*: View a <> performed on the host. ** *View host details*: View host details on the *Hosts* page in the {security-app}. @@ -74,6 +74,15 @@ Click any link in the *Endpoint* column to display host details in a flyout. You [role="screenshot"] image::images/host-flyout.png[Endpoint details flyout,width=75%] +[discrete] +[[response-action-history-tab]] +=== Response actions history + +The endpoint details flyout also includes the *Response actions history* tab, which provides a log of the <> performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to <> for more details. + +[role="screenshot"] +image::images/response-actions-history-endpoint-details.png[Response actions history with a few past actions,75%] + [discrete] [[integration-policy-details]] === Integration policy details diff --git a/docs/management/admin/host-isolation-ov.asciidoc b/docs/management/admin/host-isolation-ov.asciidoc index c7dfd94004..c2a212633b 100644 --- a/docs/management/admin/host-isolation-ov.asciidoc +++ b/docs/management/admin/host-isolation-ov.asciidoc 
@@ -29,7 +29,7 @@ You can isolate a host from an alert attached to a case, from the Endpoints page TIP: If the request fails, verify that the {agent} and your endpoint are both online before trying again. -All actions executed on a host are tracked in the host’s actions log, which you can access from the Endpoints page. See <> for more information. +All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. Refer to <> for more information. [discrete] [[isolate-a-host]] @@ -117,13 +117,9 @@ image::images/host-released-notif.png[Host released notification message,350] [[view-host-isolation-details]] == View host isolation history -The actions log provides a history of response actions performed on a host, such as isolating the host or terminating a process. The log displays when each command was performed, the user who performed the action, any comments added to the action, and the action's current status. +To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host. -To view a host’s actions log: - -. Go to *Manage -> Endpoints*, then click the host's name in the *Endpoint* column. The endpoint details flyout opens. -. Click *Actions Log*. -. Use the date and time picker to display actions within a specific time period. +Go to *Manage* -> *Endpoints*, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <> for more details. [role="screenshot"] -image::images/activity-log.png[Actions log with a few past actions,75%] +image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%] 
diff --git a/docs/management/admin/images/activity-log.png b/docs/management/admin/images/activity-log.png deleted file mode 100755 index 8813c9d227..0000000000 Binary files a/docs/management/admin/images/activity-log.png and /dev/null differ diff --git a/docs/management/admin/images/response-actions-history-console.png b/docs/management/admin/images/response-actions-history-console.png new file mode 100644 index 0000000000..5f984f6d9d Binary files /dev/null and b/docs/management/admin/images/response-actions-history-console.png differ diff --git a/docs/management/admin/images/response-actions-history-endpoint-details.png b/docs/management/admin/images/response-actions-history-endpoint-details.png new file mode 100644 index 0000000000..b191f47647 Binary files /dev/null and b/docs/management/admin/images/response-actions-history-endpoint-details.png differ diff --git a/docs/management/admin/images/response-actions-history-page.png b/docs/management/admin/images/response-actions-history-page.png new file mode 100644 index 0000000000..c7bfb55d5a Binary files /dev/null and b/docs/management/admin/images/response-actions-history-page.png differ diff --git a/docs/management/admin/images/response-console-actions-log.png b/docs/management/admin/images/response-console-actions-log.png deleted file mode 100644 index fff8499ed5..0000000000 Binary files a/docs/management/admin/images/response-console-actions-log.png and /dev/null differ diff --git a/docs/management/admin/images/response-console-unsupported-command.png b/docs/management/admin/images/response-console-unsupported-command.png new file mode 100644 index 0000000000..302a24d267 Binary files /dev/null and b/docs/management/admin/images/response-console-unsupported-command.png differ 
diff --git a/docs/management/admin/images/response-console.png b/docs/management/admin/images/response-console.png index 491a71b57e..d346800c01 100644 Binary files a/docs/management/admin/images/response-console.png and b/docs/management/admin/images/response-console.png differ diff --git a/docs/management/admin/response-actions-history.asciidoc b/docs/management/admin/response-actions-history.asciidoc new file mode 100644 index 0000000000..2b74fc113f --- /dev/null +++ b/docs/management/admin/response-actions-history.asciidoc 
@@ -0,0 +1,23 @@ +[[response-actions-history]] += Response actions history + +{elastic-defend} keeps a log of the <> performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the {kib} user who requested the action, any comments added to the action, and the action's current status. + +To access the response actions history for all endpoints, go to *Manage* -> *Response actions history*. You can also access the response actions history for an individual endpoint from these areas: + +* *Endpoints* page: Click an endpoint's name to open the details flyout, then click the *Response actions history* tab. +* *Response console* page: Click the *Response actions history* button. + +All of these contexts contain the same information and features. The following image shows the *Response actions history* page for all endpoints: + +[role="screenshot"] +image::images/response-actions-history-page.png[Response actions history page UI] + +To filter and expand the information in the response actions history: + +* Enter a user name or comma-separated list of user names in the search field to display actions requested by those users. +* Use the *Hosts* menu to display actions performed on specific endpoints. (This menu is only available on the *Response actions history* page for all endpoints.) +* Use the *Actions* menu to display specific actions types. +* Use the *Statuses* menu to display actions with a specific status. +* Use the date and time picker to display actions within a specific time range. +* Click the expand arrow on the right to display more details about an action. diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 3c54b1d781..4295c32bb7 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc 
@@ -1,16 +1,19 @@ [[response-actions]] = Endpoint response actions -The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <> for reference. +The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <> for reference. Response actions are supported on all endpoint platforms (Linux, macOS, and Windows). -[NOTE] -===== -Response actions and the response console UI are https://www.elastic.co/pricing[Enterprise subscription] features. +.Requirements +[sidebar] +-- +* Response actions and the response console UI are https://www.elastic.co/pricing[Enterprise subscription] features. -Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions. -===== +* Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions. + +* You must have the `superuser` {ref}/built-in-users.html[built-in user role] to access the response console. +-- [role="screenshot"] image::images/response-console.png[Response console UI] 
@@ -23,11 +26,11 @@ Launch the response console from any of the following places in {elastic-sec}: To perform an action on the endpoint, enter a <> in the input area at the bottom of the console, then press *Return*. Output from the action is displayed in the console. -If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the actions log. +If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history. NOTE: Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running. -Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the <>. +Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the <>. IMPORTANT: Once you submit a response action, you can't cancel it, even if the action is pending for an offline host. @@ -82,7 +85,7 @@ Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` === `--comment` -Add to a command to include a comment explaining or describing the action. Comments are included in the actions log. +Add to a command to include a comment explaining or describing the action. Comments are included in the response actions history. === `--help` 
@@ -105,20 +108,15 @@ TIP: You can also get a list of commands in the <>, which Click image:images/help-icon.png[Help icon,17,18] *Help* in the upper-right to open the *Help* panel, which lists available response action commands and parameters as a reference. -You can use this panel to build commands with less typing. Click the add icon (image:images/add-command-icon.png[Add icon,17,17]) to add a command to the input area, enter any additional parameters or a comment, then press *Return* to run the command. - [role="screenshot"] -image::images/response-console-help-panel.png[Help panel,60%] +image::images/response-console-help-panel.png[Help panel,50%] -[[actions-log]] -== Actions log - -Click *Actions log* to display a history of response actions performed on the host, such as isolating the host or terminating a process. The actions log includes when each command was performed, the user who performed the action, any comments added to the action, and the action's current status. +You can use this panel to build commands with less typing. Click the add icon (image:images/add-command-icon.png[Add icon,17,17]) to add a command to the input area, enter any additional parameters or a comment, then press *Return* to run the command. -* Click the expand arrow on the right to display more details about an action. -* Use the date and time picker to display actions within a specific time range. +[[actions-log]] +== Response actions history -TIP: You can also access the actions log from the Endpoints page (*Manage* -> *Endpoints* -> *_Endpoint name_* -> *Actions Log*). +Click *Response actions history* to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to <> for more details. 
[role="screenshot"] -image::images/response-console-actions-log.png[Actions log with a few past actions,75%] +image::images/response-actions-history-console.png[Response actions history with a few past actions,75%] diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index c5ec90188a..684a8f8984 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc @@ -6,6 +6,7 @@ The following section provides an overview of the management tools admins can us include::{security-docs-root}/docs/management/admin/admin-pg-ov.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/response-actions.asciidoc[leveloffset=+2] +include::{security-docs-root}/docs/management/admin/response-actions-history.asciidoc[leveloffset=+2] include::{security-docs-root}/docs/management/admin/host-isolation-ov.asciidoc[leveloffset=+2] include::{security-docs-root}/docs/management/admin/policy-list.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/trusted-apps.asciidoc[leveloffset=+1]
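Review bot: In the admin-pg-ov.asciidoc hunk at `@@ -74,6 +74,15 @@`, the new anchor `[[response-action-history-tab]]` uses singular "action" while the section title it labels is `=== Response actions history` and the new file's anchor is `[[response-actions-history]]`. Suggest `[[response-actions-history-tab]]` so the ids follow one pattern and cross-references are less likely to be mistyped.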
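Review bot: In the host-isolation-ov.asciidoc hunk at `@@ -117,13 +117,9 @@`, the new step says `click the *Response action history* tab`, dropping the "s"; every other hunk in this patch (admin-pg-ov.asciidoc, response-actions-history.asciidoc) calls it the *Response actions history* tab, and a UI label should be quoted exactly. The replacement screenshot line also gives the alt text `Response actions history page UI` for `response-actions-history-endpoint-details.png`, which is the flyout tab rather than the full page; the alt used for the same file in admin-pg-ov.asciidoc (`Response actions history with a few past actions`) fits better.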
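Review bot: The binary file `docs/management/admin/images/response-console-unsupported-command.png` is added in this patch, but no hunk adds an `image::` reference to it; either the hunk that uses it was left out of the patch or the image is unused and should be dropped, since orphaned screenshots tend to go stale silently.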
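Review bot: In the new file response-actions-history.asciidoc, the line `* Use the *Actions* menu to display specific actions types.` should read `specific action types`. The *Statuses* bullet also never names the possible status values, and since the response-actions.asciidoc hunk states that pending actions expire after two weeks, a reader checking the history after an outage will want to know how an expired action is represented in that menu; listing the statuses here (or linking to where they are defined) would close that gap.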
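Review bot: In the response-actions.asciidoc hunk at `@@ -1,16 +1,19 @@`, the new requirement `You must have the \`superuser\` {ref}/built-in-users.html[built-in user role]` links the built-in users page, but `superuser` is a built-in role, not a user; the link should point at `{ref}/built-in-roles.html[built-in role]`. Given that this is a high-privilege requirement for the console, it would also help to state in the new response-actions-history.asciidoc file whether the same role is required merely to view the history, since that page lists no requirements at all.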
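Review bot: In the response-actions.asciidoc hunk at `@@ -105,20 +108,15 @@`, the anchor `[[actions-log]]` is retained above the renamed heading `== Response actions history`. If it is kept deliberately so that existing `<<actions-log>>` links keep resolving, add an asciidoc comment such as `// anchor kept for existing links` directly above it so a later cleanup does not rename it and break those links; otherwise rename it in line with the new `[[response-actions-history]]` id and update the references in the same patch.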