elastic · joepeeples · Oct 18, 2022 · Oct 4, 2022 · Oct 4, 2022 · Oct 4, 2022
@@ -55,7 +55,7 @@ NOTE: {agent} statuses in {fleet} correspond to the agent statuses in the {secur
 
 ** *Respond*: Open the <<response-actions,response console>> to perform response actions directly on the host.
 
-** *View actions log*: View a history of response actions performed on the host.
+** *View response actions history*: View a <<response-action-history-tab,history of response actions>> performed on the host.
 
 ** *View host details*: View host details on the *Hosts* page in the {security-app}.
 
@@ -74,6 +74,15 @@ Click any link in the *Endpoint* column to display host details in a flyout. You
 [role="screenshot"]
 image::images/host-flyout.png[Endpoint details flyout,width=75%]
 
+[discrete]
+[[response-action-history-tab]]
+=== Response actions history
+
+The endpoint details flyout also includes the *Response actions history* tab, which provides a log of the <<response-actions,response actions>> performed on the endpoint, such as isolating a host or terminating a process. You can use the tools at the top to filter the information displayed in this view. Refer to <<response-actions-history>> for more details.
+
+[role="screenshot"]
+image::images/response-actions-history-endpoint-details.png[Response actions history with a few past actions,75%]
+
 [discrete]
 [[integration-policy-details]]
 === Integration policy details

@@ -29,7 +29,7 @@ You can isolate a host from an alert attached to a case, from the Endpoints page
 
 TIP: If the request fails, verify that the {agent} and your endpoint are both online before trying again.
 
-All actions executed on a host are tracked in the host’s actions log, which you can access from the Endpoints page. See <<view-host-isolation-details, View host isolation history>> for more information.
+All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. Refer to <<view-host-isolation-details, View host isolation history>> for more information.
 
 [discrete]
 [[isolate-a-host]]
@@ -117,13 +117,9 @@ image::images/host-released-notif.png[Host released notification message,350]
 [[view-host-isolation-details]]
 == View host isolation history
 
-The actions log provides a history of response actions performed on a host, such as isolating the host or terminating a process. The log displays when each command was performed, the user who performed the action, any comments added to the action, and the action's current status. 
+To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host.
 
-To view a host’s actions log:
-
-. Go to *Manage -> Endpoints*, then click the host's name in the *Endpoint* column. The endpoint details flyout opens.
-. Click *Actions Log*.
-. Use the date and time picker to display actions within a specific time period.
+Go to *Manage* -> *Endpoints*, click an endpoint's name, then click the *Response action history* tab. You can filter the information displayed in this view. Refer to <<response-actions-history>> for more details.
 
 [role="screenshot"]
-image::images/activity-log.png[Actions log with a few past actions,75%]
+image::images/response-actions-history-endpoint-details.png[Response actions history page UI,75%]
@@ -0,0 +1,23 @@
+[[response-actions-history]]
+= Response actions history
+
+{elastic-defend} keeps a log of the <<response-actions,response actions>> performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the {kib} user who requested the action, any comments added to the action, and the action's current status.
+
+To access the response actions history for all endpoints, go to *Manage* -> *Response actions history*. You can also access the response actions history for an individual endpoint from these areas:
+
+* *Endpoints* page: Click an endpoint's name to open the details flyout, then click the *Response actions history* tab.
+* *Response console* page: Click the *Response actions history* button.
+
+All of these contexts contain the same information and features. The following image shows the *Response actions history* page for all endpoints:
+
+[role="screenshot"]
+image::images/response-actions-history-page.png[Response actions history page UI]
+
+To filter and expand the information in the response actions history:
+
+* Enter a user name or comma-separated list of user names in the search field to display actions requested by those users.
+* Use the *Hosts* menu to display actions performed on specific endpoints. (This menu is only available on the *Response actions history* page for all endpoints.)
+* Use the *Actions* menu to display specific actions types.
+* Use the *Statuses* menu to display actions with a specific status.
+* Use the date and time picker to display actions within a specific time range.
+* Click the expand arrow on the right to display more details about an action.
@@ -1,16 +1,19 @@
 [[response-actions]]
 = Endpoint response actions
 
-The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <<actions-log,actions log>> for reference.
+The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <<actions-log,response actions history>> for reference.
 
 Response actions are supported on all endpoint platforms (Linux, macOS, and Windows).
 
-[NOTE]
-=====
-Response actions and the response console UI are https://www.elastic.co/pricing[Enterprise subscription] features.
+.Requirements
+[sidebar]
+--
+* Response actions and the response console UI are https://www.elastic.co/pricing[Enterprise subscription] features.
 
-Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions.
-=====
+* Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions.
+
+* You must have the `superuser` {ref}/built-in-users.html[built-in user role] to access the response console.
+--
 
 [role="screenshot"]
 image::images/response-console.png[Response console UI]
@@ -23,11 +26,11 @@ Launch the response console from any of the following places in {elastic-sec}:
 
 To perform an action on the endpoint, enter a <<response-action-commands,response action command>> in the input area at the bottom of the console, then press *Return*. Output from the action is displayed in the console.
 
-If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the actions log.
+If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history.
 
 NOTE: Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running. 
 
-Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the <<actions-log,actions log>>.
+Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the <<actions-log,response actions history>>.
 
 IMPORTANT: Once you submit a response action, you can't cancel it, even if the action is pending for an offline host.
 
@@ -82,7 +85,7 @@ Example: `suspend-process --pid 123 --comment "Suspend suspicious process"`
 
 === `--comment`
 
-Add to a command to include a comment explaining or describing the action. Comments are included in the actions log.
+Add to a command to include a comment explaining or describing the action. Comments are included in the response actions history.
 
 === `--help`
 
@@ -105,20 +108,15 @@ TIP: You can also get a list of commands in the <<help-panel,Help panel>>, which
 
 Click image:images/help-icon.png[Help icon,17,18] *Help* in the upper-right to open the *Help* panel, which lists available response action commands and parameters as a reference.
 
-You can use this panel to build commands with less typing. Click the add icon (image:images/add-command-icon.png[Add icon,17,17]) to add a command to the input area, enter any additional parameters or a comment, then press *Return* to run the command.
-
 [role="screenshot"]
-image::images/response-console-help-panel.png[Help panel,60%]
+image::images/response-console-help-panel.png[Help panel,50%]
 
-[[actions-log]]
-== Actions log
-
-Click *Actions log* to display a history of response actions performed on the host, such as isolating the host or terminating a process. The actions log includes when each command was performed, the user who performed the action, any comments added to the action, and the action's current status. 
+You can use this panel to build commands with less typing. Click the add icon (image:images/add-command-icon.png[Add icon,17,17]) to add a command to the input area, enter any additional parameters or a comment, then press *Return* to run the command.
 
-* Click the expand arrow on the right to display more details about an action.
-* Use the date and time picker to display actions within a specific time range.
+[[actions-log]]
+== Response actions history
 
-TIP: You can also access the actions log from the Endpoints page (*Manage* -> *Endpoints* -> *_Endpoint name_* -> *Actions Log*).
+Click *Response actions history* to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to <<response-actions-history>> for more details.
 
 [role="screenshot"]
-image::images/response-console-actions-log.png[Actions log with a few past actions,75%]
+image::images/response-actions-history-console.png[Response actions history with a few past actions,75%]
@@ -6,6 +6,7 @@ The following section provides an overview of the management tools admins can us
 
 include::{security-docs-root}/docs/management/admin/admin-pg-ov.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/response-actions.asciidoc[leveloffset=+2]
+include::{security-docs-root}/docs/management/admin/response-actions-history.asciidoc[leveloffset=+2]
 include::{security-docs-root}/docs/management/admin/host-isolation-ov.asciidoc[leveloffset=+2]
 include::{security-docs-root}/docs/management/admin/policy-list.asciidoc[leveloffset=+1]
 include::{security-docs-root}/docs/management/admin/trusted-apps.asciidoc[leveloffset=+1]