Endpoint command reference
This page lists the commands for management and troubleshooting of Elastic Endpoint, the installed component that performs Elastic Defend's threat monitoring and prevention.
Elastic Endpoint is not added to the PATH system variable, so you must prepend the commands with the full OS-dependent path:
- On Windows: "C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"
- On macOS: /Library/Elastic/Endpoint/elastic-endpoint
- On Linux: /opt/Elastic/Endpoint/elastic-endpoint
You must run the commands with elevated privileges, using sudo to run as the root user on Linux and macOS, or running as Administrator on Windows.
The following Elastic Endpoint commands are available:
- elastic-endpoint diagnostics
- elastic-endpoint help
- elastic-endpoint inspect
- elastic-endpoint install
- elastic-endpoint memorydump
- elastic-endpoint run
- elastic-endpoint send
- elastic-endpoint status
- elastic-endpoint test
- elastic-endpoint top
- elastic-endpoint uninstall
- elastic-endpoint version
Each of the commands accepts the following logging options:
- --log [stdout,stderr,debugview,file]
- --log-level [error,info,debug]
elastic-endpoint diagnostics
Gather diagnostics information from Elastic Endpoint. This command produces an archive that contains:
- version.txt: Version information
- elastic-endpoint.yaml: Current policy
- metrics.json: Metrics document
- policy_response.json: Last policy response
- system_info.txt: System information
- analysis.txt: Diagnostic analysis report
- logs directory: Copy of Elastic Endpoint log files
Example:
elastic-endpoint diagnostics
elastic-endpoint help
Show help for the available commands.
Example:
elastic-endpoint help
elastic-endpoint inspect
Show the current Elastic Endpoint configuration.
Example:
elastic-endpoint inspect
elastic-endpoint install
Install Elastic Endpoint as a system service.
We do not recommend installing Elastic Endpoint using this command. Elastic Endpoint is managed by Elastic Agent and cannot function as a standalone service. Therefore, there is no separate installation package for Elastic Endpoint, and it should not be installed independently.
- --resources <string>: Specify a resources .zip file to be used during the installation. This option is required.
- --upgrade: Upgrade the existing installation.
Example:
elastic-endpoint install --upgrade --resources endpoint-security-resources.zip
elastic-endpoint memorydump
Save a memory dump of the Elastic Endpoint service.
- --compress: Compress the saved memory dump.
- --timeout <duration>: Specify the memory collection timeout, in seconds; the default is 60 seconds.
Example:
elastic-endpoint memorydump --timeout 120
elastic-endpoint run
Run elastic-endpoint as a foreground process if no other instance is already running.
Example:
elastic-endpoint run
elastic-endpoint send
Send the requested document to the Elastic Stack.
- metadata: Send an off-schedule metrics document to the Elastic Stack.
Example:
elastic-endpoint send metadata
elastic-endpoint status
Retrieve the current status of the running Elastic Endpoint service. The command also returns the last known status of Elastic Agent.
- --output: Control the level of detail and formatting of the information. Valid values are:
  - human: Returns limited information when Elastic Endpoint's status is Healthy. If any policy actions weren't successfully applied, the relevant details are displayed.
  - full: Always returns the full status information.
  - json: Always returns the full status information, in JSON format.
Example:
elastic-endpoint status --output json
elastic-endpoint test
Perform the requested test.
- output: Test whether Elastic Endpoint can connect to remote resources.
Example:
elastic-endpoint test output
Testing output connections
Using proxy:
Elasticsearch server: https://example.elastic.co:443
Status: Success
Global artifact server: https://artifacts.security.elastic.co
Status: Success
Fleet server: https://fleet.example.elastic.co:443
Status: Success
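To turn the output above into a pass/fail check, for example in a post-deployment runbook or a monitoring job, the following added example (not part of this reference and not Elastic's tooling) reads the text printed by elastic-endpoint test output and lists every target whose Status line is not Success. The sample input is constructed from the output shown above; the "Status: Failure" line is an assumed wording for an unreachable target, which is why the check treats any value other than Success as a failure rather than matching a specific error string.

```shell
#!/bin/sh
# Added example, not part of the Elastic documentation or product.
# Parses the text output of `elastic-endpoint test output` and reports
# every target that did not answer with "Status: Success".

# Constructed sample based on the page's example output. The final
# "Status: Failure" line is an assumed wording; the real tool may phrase a
# failed connection differently, so the check below only looks for "Success".
SAMPLE_TEST_OUTPUT='Testing output connections
Using proxy:
Elasticsearch server: https://example.elastic.co:443
Status: Success
Global artifact server: https://artifacts.security.elastic.co
Status: Success
Fleet server: https://fleet.example.elastic.co:443
Status: Failure'

# failed_output_targets < text
# Prints each "<name> server: <url>" line whose following "Status:" line is
# not "Success". Exit status 0 when every target succeeded, 1 otherwise.
failed_output_targets() {
  awk '
    / server: / { target = $0; next }        # remember the target the next Status line belongs to
    /^Status:/ {
      status = $0
      sub(/^Status:[ \t]*/, "", status)      # keep only the status text
      if (status != "Success") { print target; failed++ }
    }
    END { exit failed ? 1 : 0 }
  '
}

# Real usage (Linux path shown; adjust the path for macOS or Windows):
#   sudo /opt/Elastic/Endpoint/elastic-endpoint test output | failed_output_targets
# Demo against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_TEST_OUTPUT" | failed_output_targets
fi
```

Run the script with --demo to see it report only the Fleet server line from the constructed sample; in a real check, pipe the command's output into failed_output_targets and act on its exit status.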
elastic-endpoint top
Show a breakdown of the executables that triggered Elastic Endpoint CPU usage within the last interval. This displays which Elastic Endpoint features are resource-intensive for a particular executable.
The meaning and output of this command are similar, but not identical, to the POSIX top command. The elastic-endpoint top command aggregates multiple processes by executable. The utilization values aren't measured by the OS scheduler but by a wall clock in user mode. The output helps identify outliers causing excessive CPU utilization, allowing you to fine-tune the Elastic Defend policy and exception lists in your deployment.
- --interval <duration>: Specify the data collection interval, in seconds; the default is 5 seconds.
- --limit <number>: Specify the number of updates to collect; by default, data is collected until interrupted by Ctrl+C.
- --normalized: Normalize CPU usage values to a total of 100% across all CPUs on multi-CPU systems.
Example:
elastic-endpoint top --interval 10 --limit 5
| PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG |
=============================================================================================================================================================
| MSBuild.exe | 3146.0 | 0.0 | 0.8 | 0.7 | 0.0 | 2330.9 | 0.0 | 226.2 | 586.9 | 0.0 | 0.0 | 0.4 | 0.0 |
| Microsoft.Management.Services.IntuneWindowsAgen... | 30.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 29.8 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| svchost.exe | 27.3 | 0.0 | 0.1 | 0.1 | 0.0 | 0.4 | 0.2 | 0.0 | 26.6 | 0.0 | 0.0 | 0.0 | 0.0 |
| LenovoVantage-(LenovoServiceBridgeAddin).exe | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| msedgewebview2.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| msedge.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| powershell.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| WmiPrvSE.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Slack.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| uhssvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| explorer.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| taskhostw.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| Widgets.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| elastic-endpoint.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| sppsvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
Endpoint service (16 CPU): 113.0% out of 1600%
Collecting data. Press Ctrl-C to cancel
Column abbreviations:
- API: Event Tracing for Windows (ETW) API events
- AUTH: Authentication events
- BHVR: Malicious behavior protection
- CRED: Credential access events
- DIAG BHVR: Diagnostic malicious behavior protection
- DNS: DNS events
- FILE: File events
- LIB: Library load events
- MEM SCAN: Memory scanning
- MLWR: Malware protection
- NET: Network events
- PROC: Process events
- PROC INJ: Process injection
- RANSOM: Ransomware protection
- REG: Registry events
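When tuning a policy from this output, the question is usually "which executables are driving a particular feature's CPU cost?" (here, FILE and MEM SCAN for MSBuild.exe). The following added example (not part of this reference and not Elastic's tooling) reads the table printed by elastic-endpoint top, locates a column by its header name, and prints every executable whose value in that column exceeds a threshold, so the candidates for an exception or policy change stand out. The sample table is a shortened copy of the output shown above; the column name and threshold are hypothetical inputs chosen for the demo.

```shell
#!/bin/sh
# Added example, not part of the Elastic documentation or product.
# Finds outliers in the table printed by `elastic-endpoint top`.

# Constructed sample: a shortened copy of the table shown on this page.
SAMPLE_TOP='| PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG |
=============================================================================================================================================================
| MSBuild.exe | 3146.0 | 0.0 | 0.8 | 0.7 | 0.0 | 2330.9 | 0.0 | 226.2 | 586.9 | 0.0 | 0.0 | 0.4 | 0.0 |
| Microsoft.Management.Services.IntuneWindowsAgen... | 30.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 29.8 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
| svchost.exe | 27.3 | 0.0 | 0.1 | 0.1 | 0.0 | 0.4 | 0.2 | 0.0 | 26.6 | 0.0 | 0.0 | 0.0 | 0.0 |
| explorer.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 |
Endpoint service (16 CPU): 113.0% out of 1600%
Collecting data. Press Ctrl-C to cancel'

# top_outliers COLUMN THRESHOLD < table
# Prints "<process> <value>" for each row whose COLUMN value is greater than
# THRESHOLD. COLUMN is matched against the header row, so multi-word names
# such as "MEM SCAN" work when quoted. Exits 2 if the column does not exist.
top_outliers() {
  awk -F'|' -v col="$1" -v thr="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # First table row is the header: find the requested column index.
    /^\|/ && !seen_header {
      seen_header = 1
      for (i = 2; i < NF; i++) if (trim($i) == col) idx = i
      if (!idx) { print "unknown column: " col > "/dev/stderr"; exit 2 }
      next
    }
    # Data rows: compare the numeric value against the threshold.
    # The "=====" separator and the trailing summary lines do not start with "|".
    /^\|/ {
      if (trim($idx) + 0 > thr + 0) print trim($2), trim($idx)
    }
  '
}

# Real usage (Linux path shown; adjust the path for macOS or Windows):
#   sudo /opt/Elastic/Endpoint/elastic-endpoint top --interval 10 --limit 1 | top_outliers FILE 100
# Demo against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_TOP" | top_outliers FILE 100
  printf '%s\n' "$SAMPLE_TOP" | top_outliers "MEM SCAN" 100
fi
```

With --limit 1 the command emits a single table, which is the simplest input for a one-shot check; with a larger limit the same function reports outliers from every refresh, since each header row re-reads the column index only once and later tables use the same layout.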
elastic-endpoint uninstall
Uninstall Elastic Endpoint.
Elastic Endpoint is managed by Elastic Agent. To remove Elastic Endpoint from the target machine permanently, remove the Elastic Defend integration from the Fleet policy. The elastic-agent uninstall command also uninstalls Elastic Endpoint; therefore, in practice, the elastic-endpoint uninstall command is used only to troubleshoot broken installations.
- --uninstall-token <string>: Provide the uninstall token. The token is required if agent tamper protection is enabled.
Example:
elastic-endpoint uninstall --uninstall-token 12345678901234567890123456789012
elastic-endpoint version
Show the version of Elastic Endpoint.
Example:
elastic-endpoint version