Configure endpoint protection with Elastic Defend
Elastic Defend is Elastic's endpoint protection integration. It prevents and detects malware, ransomware, memory threats, and malicious behavior on Windows, macOS, and Linux hosts. When a threat is detected, Elastic Defend can generate an alert or block the activity outright, depending on your protection settings.
Elastic Defend runs as part of Elastic Agent, which you deploy to each host you want to protect. Once installed, Elastic Agent communicates with Fleet for centralized policy management and sends security data to Elastic Security, where you can investigate alerts, manage exceptions, and respond to threats.
Elastic Defend relies on three components that each play a distinct role in endpoint protection:
- Elastic Defend is the integration that defines your protection policy — which threat protections are active, which events to collect, and which exceptions to apply. You add it to an Elastic Agent policy and configure it through the Elastic Security UI or API.
- Elastic Agent is the unified agent you install on each host. It manages integrations (including Elastic Defend), handles enrollment and communication with Fleet, and ships collected data to Elasticsearch.
- Elastic Endpoint is the component that Elastic Agent installs on the host when the Elastic Defend integration is added. It performs the actual threat monitoring, prevention, and response actions at the operating system level.
In practice, you add the Elastic Defend integration from the Integrations page, assign it to an Elastic Agent policy, and deploy Elastic Agent to your hosts. Elastic Agent installs Elastic Endpoint, which immediately begins monitoring the host according to your policy settings.
| Your goal | Start here |
|---|---|
| Deploy Elastic Defend for the first time | Requirements → Install Elastic Defend |
| Configure protection and event collection settings | Configure an integration policy |
| Control which users can access Elastic Defend features | Feature privileges |
| Set up endpoints in restricted networks | Configure offline endpoints and air-gapped environments |
| Remove Elastic Agent from a host | Uninstall Elastic Agent |
After installing and configuring Elastic Defend, you can:
- Manage endpoints, policies, and exceptions to tune protection for your environment.
- Read Optimize Elastic Defend to understand different Elastic Endpoint configuration settings.
- Set up endpoint response actions to isolate hosts, run commands, or take other actions on protected endpoints.
- Troubleshoot Elastic Defend if you run into installation, connectivity, or policy issues.