Elastic Defend keeps a log of the response actions performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the user who requested the action, any comments added to the action, and the action's current status.
You must have the appropriate user role to use this feature.
To access the response actions history for all endpoints, go to Assets → Response actions history. You can also access the response actions history for an individual endpoint from these areas:
- Endpoints page: Click an endpoint's name to open the details flyout, then click the Response actions history tab.
- Response console page: Click the Response actions history button.
All of these contexts contain the same information and features. The following image shows the Response actions history page for all endpoints:
To filter and expand the information in the response actions history:
- Enter a user name or comma-separated list of user names in the search field to display actions requested by those users.
- Use the Hosts menu to display actions performed on specific endpoints. (This menu is only available on the Response actions history page for all endpoints.)
- Use the Actions menu to display specific actions types.
- Use the Statuses menu to display actions with a specific status.
- Use the Type menu to display actions manually run by a user (
Triggered manually) or automatically run by a rule (
Triggered by rule).
- Use the date and time picker to display actions within a specific time range.
- Click the expand arrow on the right to display more details about an action.
On this page