From 8f61f372ff2956ce4688345f96b4fcc879899967 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 4 Sep 2024 15:58:51 +0100 Subject: [PATCH 1/7] Adds Elastic Endpoint reference --- .../admin/endpoint-command-ref.asciidoc | 247 ++++++++++++++++++ docs/management/manage-intro.asciidoc | 1 + 2 files changed, 248 insertions(+) create mode 100644 docs/management/admin/endpoint-command-ref.asciidoc diff --git a/docs/management/admin/endpoint-command-ref.asciidoc b/docs/management/admin/endpoint-command-ref.asciidoc new file mode 100644 index 0000000000..d208747ef9 --- /dev/null +++ b/docs/management/admin/endpoint-command-ref.asciidoc 
@@ -0,0 +1,247 @@ +[[endpoint-command-ref]] += {elastic-endpoint} command reference + +This page lists the commands for management and troubleshooting of {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention. + +[NOTE] +==== +* The service is not added to the `PATH` system variable, so you must prepend the commands with the full OS-dependent path: +** On Windows: `"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"` +** On macOS: `/Library/Elastic/Endpoint/elastic-endpoint` +** On Linux: `/opt/Elastic/Endpoint/elastic-endpoint` + +* You must run the commands from an elevated command prompt—as the root user on POSIX, or Administrator on Windows. +==== + +The following {elastic-endpoint} commands are available: + +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> +* <> + +Each of the commands accepts logging options: + +* `--log [stdout,stderr,debugview,file]` +* `--log-level [error,info,debug]` + +[discrete] +[[elastic-endpoint-diagnostics-command]] +== elastic-endpoint diagnostics + +Gather diagnostics information from {elastic-endpoint}. This command produces an archive that contains: + +- `version.txt`: Version information +- `elastic-endpoint.yaml`: Current policy +- `metrics.json`: Metrics document +- `policy_response.json`: Last policy response +- `system_info.txt`: System information +- `analysis.txt`: Diagnostic analysis report +- `logs` directory: Copy of {elastic-endpoint} log files + +[discrete] +[[elastic-endpoint-help-command]] +== elastic-endpoint help + +Show help for the available commands. + +[discrete] +[[elastic-endpoint-inspect-command]] +== elastic-endpoint inspect + +Show the current {elastic-endpoint} configuration. + +[discrete] +[[elastic-endpoint-install-command]] +== elastic-endpoint install + +Install {elastic-endpoint} as a system service. + +NOTE: Elastic doesn't publish independent {elastic-endpoint} packages since {elastic-endpoint} is managed by {agent}. 
+ +[discrete] +=== Options + +`--resources`:: +Install the resources `.zip` file. + +`--upgrade`:: +Upgrade the existing installation. + +[discrete] +[[elastic-endpoint-memorydump-command]] +== elastic-endpoint memorydump + +Save a memory dump of the {elastic-endpoint} service. + +[discrete] +=== Options + +`--compress`:: +Compress the saved memory dump. + +`--timeout`:: +The memory collection timeout; the default is 60 seconds. + +[discrete] +[[elastic-endpoint-run-command]] +== elastic-endpoint run + +Run `elastic-endpoint` as a foreground process if no other instance is already running. + +[discrete] +[[elastic-endpoint-send-command]] +== elastic-endpoint send + +Send the requested document to the {stack}. + +[discrete] +=== Subcommands + +`metadata`:: +Send an off-schedule metrics document to the {stack}. + +[discrete] +[[elastic-endpoint-status-command]] +== elastic-endpoint status + +Retrieve the current status of the running {elastic-endpoint} service. The command also returns the last known status of {agent}. + +[discrete] +=== Options + +`--output`:: +Control the level of detail and formatting of the information. Valid values are: + +* `human`: Returns limited information when {elastic-endpoint}'s status is `Healthy`. If any policy actions weren't successfully applied, the relevant details are displayed. +* `full`: Always returns the full status information. +* `json`: Always returns the full status information. + +[discrete] +[[elastic-endpoint-test-command]] +== elastic-endpoint test + +Perform the requested test. + +[discrete] +=== Subcommands + +`output`:: +Test whether {elastic-endpoint} can connect to remote resources. 
+ +[discrete] +=== Example + +[source,txt] +---- +Testing output connections using config file: [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml] + +Using proxy: + +Elasticsearch server: https://example.elastic.co:443 + Status: Success + +Global artifact server: https://artifacts.security.elastic.co + Status: Success + +Fleet server: https://fleet.example.elastic.co:443 + Status: Success +---- + +[discrete] +[[elastic-endpoint-top-command]] +== elastic-endpoint top + +Show a breakdown of the executables that triggered {elastic-endpoint} CPU usage within the last interval. This utility displays which {elastic-endpoint} features are resource-intensive for a particular executable. + +NOTE: The meaning and output of this command are similar, but not identical, to the POSIX `top` command. The `elastic-endpoint top` command aggregates multiple processes by executable. The utilization values aren't measured by the OS scheduler but by a wall clock in user mode. The output helps identify outliers causing excessive CPU utilization, allowing you to fine-tune the {elastic-defend} policy and exception lists in your deployment. + +[discrete] +=== Options + +`--interval`:: +The data collection interval; the default is 5 seconds. + +`--limit`:: +The number of updates to collect; by default, data is collected until interrupted by **Ctrl+C**. + +`--normalized`:: +Normalize values to 100% on multi-CPU systems. + +[discrete] +=== Example + +[source,txt] +---- +| PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG | +============================================================================================================================================================= +| MSBuild.exe | 3146.0 | 0.0 | 0.8 | 0.7 | 0.0 | 2330.9 | 0.0 | 226.2 | 586.9 | 0.0 | 0.0 | 0.4 | 0.0 | +| Microsoft.Management.Services.IntuneWindowsAgen... 
| 30.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 29.8 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| svchost.exe | 27.3 | 0.0 | 0.1 | 0.1 | 0.0 | 0.4 | 0.2 | 0.0 | 26.6 | 0.0 | 0.0 | 0.0 | 0.0 | +| LenovoVantage-(LenovoServiceBridgeAddin).exe | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| msedgewebview2.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| msedge.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| powershell.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| WmiPrvSE.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Slack.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| uhssvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| explorer.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| taskhostw.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Widgets.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| elastic-endpoint.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| sppsvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | + +Endpoint service (16 CPU): 113.0% out of 1600% + +Collecting data. 
Press Ctrl-C to cancel +---- + +[discrete] +==== Column abbreviations + +* `API`: ETW API events +* `AUTH`: Authentication events +* `BHVR`: Malicious behavior protection +* `CRED`: Credential access events +* `DIAG BHVR`: Diagnostic malicious behavior protection +* `DNS`: DNS events +* `FILE`: File events +* `LIB`: Library load events +* `MEM SCAN`: Memory scanning +* `MLWR`: Malware protection +* `NET`: Network events +* `PROC`: Process events +* `PROC INJ`: Process injection +* `RANSOM`: Ransomware protection +* `REG`: Registry events + +[discrete] +[[elastic-endpoint-uninstall-command]] +== elastic-endpoint uninstall + +Uninstall {elastic-endpoint}. + +NOTE: {elastic-endpoint} is managed by {agent}. To remove {elastic-endpoint} from the target machine permanently, remove the {elastic-defend} integration from the {fleet} policy. The <> command also uninstalls {elastic-endpoint}; therefore, in practice, the `elastic-endpoint uninstall` command is used only to troubleshoot broken installations. + +[discrete] +=== Options + +`--uninstall-token`:: +The uninstall token. This is required if <> is enabled. + +[discrete] +[[elastic-endpoint-version-command]] +== elastic-endpoint version + +Show the version of {elastic-endpoint}. + diff --git a/docs/management/manage-intro.asciidoc b/docs/management/manage-intro.asciidoc index 13ae697a8f..45e8abcb1c 100644 --- a/docs/management/manage-intro.asciidoc +++ b/docs/management/manage-intro.asciidoc @@ -14,3 +14,4 @@ include::{security-docs-root}/docs/management/admin/endpoint-artifacts.asciidoc[ include::{security-docs-root}/docs/management/admin/endpoint-event-capture.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+1] include::{security-docs-root}/docs/management/admin/endpoint-self-protection.asciidoc[leveloffset=+1] +include::{security-docs-root}/docs/management/admin/endpoint-command-ref.asciidoc[leveloffset=+1] 
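Review bot: In the `elastic-endpoint status` Options of endpoint-command-ref.asciidoc, `full` and `json` carry the identical description "Always returns the full status information", so the page never says how the two values differ. Suggest stating the format explicitly, for example `json`: Returns the full status information as a JSON document, suitable for scripting, and saying which value is the default when `--output` is omitted.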
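Review bot: The `elastic-endpoint diagnostics` and `elastic-endpoint memorydump` sections list what is collected but not where the archive or dump is written or how the file is named, which is the first thing an operator needs when asked to attach it to a support case. Suggest adding the output location to each section, plus a one-line caution that the diagnostics archive includes `elastic-endpoint.yaml` (the current policy) and the log files, and that a memory dump captures the service's process memory, so both should be handled and transferred as sensitive material.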
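Review bot: The Column abbreviations list under `elastic-endpoint top` documents `AUTH`, `CRED` and `PROC INJ`, but none of those columns appears in the example output's header (`API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG`). Suggest one sentence explaining which columns are shown and when (for example, only for features active on that host), otherwise readers will look for columns that never render on their platform.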
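Review bot: Under `elastic-endpoint send`, the subcommand is named `metadata` but its description says it sends "an off-schedule metrics document", while the diagnostics section separately lists `metrics.json`: Metrics document. Please confirm whether this sends the endpoint metadata document or the metrics document and align the wording; as written a reader cannot tell which document lands in the stack or which index to check for it.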
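Review bot: The logging options `--log [stdout,stderr,debugview,file]` and `--log-level [error,info,debug]` give no defaults, and nothing says whether `debugview` applies on all three platforms (it reads like a Windows debugger sink). Suggest stating the default for each option and marking any value that is platform-specific, since the same option list is presented as valid for every command on Windows, macOS and Linux.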
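Review bot: In `elastic-endpoint uninstall`, `--uninstall-token` is described as required when tamper protection is enabled, but the text does not say what happens without it (the command refuses to run, or prompts) or where the token is obtained. Suggest a short pointer to where the token is retrieved, so the troubleshooting use case this section describes ("used only to troubleshoot broken installations") can actually be completed on a protected host.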
From ee8bbe186cb35bd2a85e79b914637cbde6b75684 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 5 Sep 2024 11:03:04 +0100 Subject: [PATCH 2/7] Tweaks --- .../admin/endpoint-command-ref.asciidoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/management/admin/endpoint-command-ref.asciidoc b/docs/management/admin/endpoint-command-ref.asciidoc index d208747ef9..9592b27b03 100644 --- a/docs/management/admin/endpoint-command-ref.asciidoc +++ b/docs/management/admin/endpoint-command-ref.asciidoc @@ -88,8 +88,8 @@ Save a memory dump of the {elastic-endpoint} service. `--compress`:: Compress the saved memory dump. -`--timeout`:: -The memory collection timeout; the default is 60 seconds. +`--timeout `:: +Specify the memory collection timeout; the default is 60 seconds. [discrete] [[elastic-endpoint-run-command]] @@ -167,11 +167,11 @@ NOTE: The meaning and output of this command are similar, but not identical, to [discrete] === Options -`--interval`:: -The data collection interval; the default is 5 seconds. +`--interval `:: +Specify the data collection interval; the default is 5 seconds. -`--limit`:: -The number of updates to collect; by default, data is collected until interrupted by **Ctrl+C**. +`--limit `:: +Specify the number of updates to collect; by default, data is collected until interrupted by **Ctrl+C**. `--normalized`:: Normalize values to 100% on multi-CPU systems. @@ -236,8 +236,8 @@ NOTE: {elastic-endpoint} is managed by {agent}. To remove {elastic-endpoint} fro [discrete] === Options -`--uninstall-token`:: -The uninstall token. This is required if <> is enabled. +`--uninstall-token `:: +Provide the uninstall token. The token is required if <> is enabled. [discrete] [[elastic-endpoint-version-command]] From 9ae6d16d7a3ba5127106f00b6fb507354680ba61 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Thu, 5 Sep 2024 12:40:35 +0100 Subject: [PATCH 3/7] Add to serverless docs --- .../admin/endpoint-command-ref.asciidoc | 16 +- .../edr-manage/endpoint-command-ref.mdx | 226 ++++++++++++++++++ .../serverless-security.docnav.json | 3 + 3 files changed, 237 insertions(+), 8 deletions(-) create mode 100644 docs/serverless/edr-manage/endpoint-command-ref.mdx diff --git a/docs/management/admin/endpoint-command-ref.asciidoc b/docs/management/admin/endpoint-command-ref.asciidoc index 9592b27b03..8b4e05c171 100644 --- a/docs/management/admin/endpoint-command-ref.asciidoc +++ b/docs/management/admin/endpoint-command-ref.asciidoc @@ -10,7 +10,7 @@ This page lists the commands for management and troubleshooting of {elastic-endp ** On macOS: `/Library/Elastic/Endpoint/elastic-endpoint` ** On Linux: `/opt/Elastic/Endpoint/elastic-endpoint` -* You must run the commands from an elevated command prompt—as the root user on POSIX, or Administrator on Windows. +* You must run the commands with elevated privileges—as the root user on POSIX systems, or as Administrator on Windows. ==== The following {elastic-endpoint} commands are available: @@ -28,7 +28,7 @@ The following {elastic-endpoint} commands are available: * <> * <> -Each of the commands accepts logging options: +Each of the commands accepts the following logging options: * `--log [stdout,stderr,debugview,file]` * `--log-level [error,info,debug]` @@ -70,8 +70,8 @@ NOTE: Elastic doesn't publish independent {elastic-endpoint} packages since {ela [discrete] === Options -`--resources`:: -Install the resources `.zip` file. +`--resources `:: +Specify a resources `.zip` file to be used during the installation. `--upgrade`:: Upgrade the existing installation. 
@@ -89,7 +89,7 @@ Save a memory dump of the {elastic-endpoint} service. Compress the saved memory dump. `--timeout `:: -Specify the memory collection timeout; the default is 60 seconds. +Specify the memory collection timeout, in seconds; the default is 60 seconds. [discrete] [[elastic-endpoint-run-command]] @@ -168,13 +168,13 @@ NOTE: The meaning and output of this command are similar, but not identical, to === Options `--interval `:: -Specify the data collection interval; the default is 5 seconds. +Specify the data collection interval, in seconds; the default is 5 seconds. `--limit `:: Specify the number of updates to collect; by default, data is collected until interrupted by **Ctrl+C**. `--normalized`:: -Normalize values to 100% on multi-CPU systems. +Normalize CPU usage values to a total of 100% across all CPUs on multi-CPU systems. [discrete] === Example @@ -209,7 +209,7 @@ Collecting data. Press Ctrl-C to cancel [discrete] ==== Column abbreviations -* `API`: ETW API events +* `API`: Event Tracing for Windows (ETW) API events * `AUTH`: Authentication events * `BHVR`: Malicious behavior protection * `CRED`: Credential access events diff --git a/docs/serverless/edr-manage/endpoint-command-ref.mdx b/docs/serverless/edr-manage/endpoint-command-ref.mdx new file mode 100644 index 0000000000..c2938c3fed --- /dev/null +++ b/docs/serverless/edr-manage/endpoint-command-ref.mdx @@ -0,0 +1,226 @@ +--- +slug: /serverless/security/endpoint-command-ref +title: ((elastic-endpoint)) command reference +description: Manage and troubleshoot ((elastic-endpoint)) using CLI commands. +tags: ["security","reference","manage"] +status: in review +--- + + +
+ +This page lists the commands for management and troubleshooting of ((elastic-endpoint)), the installed component that performs ((elastic-defend))'s threat monitoring and prevention. + + + +* The service is not added to the `PATH` system variable, so you must prepend the commands with the full OS-dependent path: + * On Windows: `"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"` + * On macOS: `/Library/Elastic/Endpoint/elastic-endpoint` + * On Linux: `/opt/Elastic/Endpoint/elastic-endpoint` + +* You must run the commands with elevated privileges—as the root user on POSIX systems, or as Administrator on Windows. + + + +The following ((elastic-endpoint)) commands are available: + +* diagnostics +* help +* inspect +* install +* memorydump +* run +* send +* status +* test +* top +* uninstall +* version + +Each of the commands accepts the following logging options: + +* `--log [stdout,stderr,debugview,file]` +* `--log-level [error,info,debug]` + +## elastic-endpoint diagnostics + +Gather diagnostics information from ((elastic-endpoint)). This command produces an archive that contains: + +- `version.txt`: Version information +- `elastic-endpoint.yaml`: Current policy +- `metrics.json`: Metrics document +- `policy_response.json`: Last policy response +- `system_info.txt`: System information +- `analysis.txt`: Diagnostic analysis report +- `logs` directory: Copy of ((elastic-endpoint)) log files + +## elastic-endpoint help + +Show help for the available commands. + +## elastic-endpoint inspect + +Show the current ((elastic-endpoint)) configuration. + +## elastic-endpoint install + +Install ((elastic-endpoint)) as a system service. + + +Elastic doesn't publish independent ((elastic-endpoint)) packages since ((elastic-endpoint)) is managed by ((agent)). + +### Options + +`--resources ` + : Specify a resources `.zip` file to be used during the installation. + +`--upgrade` + : Upgrade the existing installation. 
+ +## elastic-endpoint memorydump + +Save a memory dump of the ((elastic-endpoint)) service. + +### Options + +`--compress` + : Compress the saved memory dump. + +`--timeout ` + : Specify the memory collection timeout, in seconds; the default is 60 seconds. + +## elastic-endpoint run + +Run `elastic-endpoint` as a foreground process if no other instance is already running. + +## elastic-endpoint send + +Send the requested document to the ((stack)). + +### Subcommands + +`metadata` + : Send an off-schedule metrics document to the ((stack)). + +## elastic-endpoint status + +Retrieve the current status of the running ((elastic-endpoint)) service. The command also returns the last known status of ((agent)). + +### Options + +`--output` + : Control the level of detail and formatting of the information. Valid values are: + + * `human`: Returns limited information when ((elastic-endpoint))'s status is `Healthy`. If any policy actions weren't successfully applied, the relevant details are displayed. + * `full`: Always returns the full status information. + * `json`: Always returns the full status information. + +## elastic-endpoint test + +Perform the requested test. + +### Subcommands + +`output` + : Test whether ((elastic-endpoint)) can connect to remote resources. + +### Example + +``` +Testing output connections using config file: [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml] + +Using proxy: + +Elasticsearch server: https://example.elastic.co:443 + Status: Success + +Global artifact server: https://artifacts.security.elastic.co + Status: Success + +Fleet server: https://fleet.example.elastic.co:443 + Status: Success +``` + +## elastic-endpoint top + +Show a breakdown of the executables that triggered ((elastic-endpoint)) CPU usage within the last interval. This utility displays which ((elastic-endpoint)) features are resource-intensive for a particular executable. 
+ + +The meaning and output of this command are similar, but not identical, to the POSIX `top` command. The `elastic-endpoint top` command aggregates multiple processes by executable. The utilization values aren't measured by the OS scheduler but by a wall clock in user mode. The output helps identify outliers causing excessive CPU utilization, allowing you to fine-tune the ((elastic-defend)) policy and exception lists in your deployment. + + +### Options + +`--interval ` + : Specify the data collection interval, in seconds; the default is 5 seconds. + +`--limit ` + : Specify the number of updates to collect; by default, data is collected until interrupted by **Ctrl+C**. + +`--normalized` + : Normalize CPU usage values to a total of 100% across all CPUs on multi-CPU systems. + +### Example + +``` +| PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG | +============================================================================================================================================================= +| MSBuild.exe | 3146.0 | 0.0 | 0.8 | 0.7 | 0.0 | 2330.9 | 0.0 | 226.2 | 586.9 | 0.0 | 0.0 | 0.4 | 0.0 | +| Microsoft.Management.Services.IntuneWindowsAgen... 
| 30.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 29.8 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| svchost.exe | 27.3 | 0.0 | 0.1 | 0.1 | 0.0 | 0.4 | 0.2 | 0.0 | 26.6 | 0.0 | 0.0 | 0.0 | 0.0 | +| LenovoVantage-(LenovoServiceBridgeAddin).exe | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.1 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| msedgewebview2.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| msedge.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| powershell.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| WmiPrvSE.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Lenovo.Modern.ImController.PluginHost.Device.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Slack.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| uhssvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| explorer.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| taskhostw.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| Widgets.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| elastic-endpoint.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | +| sppsvc.exe | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | + +Endpoint service (16 CPU): 113.0% out of 1600% + +Collecting data. 
Press Ctrl-C to cancel +``` + +#### Column abbreviations + +* `API`: Event Tracing for Windows (ETW) API events +* `AUTH`: Authentication events +* `BHVR`: Malicious behavior protection +* `CRED`: Credential access events +* `DIAG BHVR`: Diagnostic malicious behavior protection +* `DNS`: DNS events +* `FILE`: File events +* `LIB`: Library load events +* `MEM SCAN`: Memory scanning +* `MLWR`: Malware protection +* `NET`: Network events +* `PROC`: Process events +* `PROC INJ`: Process injection +* `RANSOM`: Ransomware protection +* `REG`: Registry events + +## elastic-endpoint uninstall + +Uninstall ((elastic-endpoint)). + + +((elastic-endpoint)) is managed by ((agent)). To remove ((elastic-endpoint)) from the target machine permanently, remove the ((elastic-defend)) integration from the ((fleet)) policy. The elastic-agent uninstall command also uninstalls ((elastic-endpoint)); therefore, in practice, the `elastic-endpoint uninstall` command is used only to troubleshoot broken installations. + + +### Options + +`--uninstall-token ` + : Provide the uninstall token. The token is required if agent tamper protection is enabled. + +## elastic-endpoint version + +Show the version of ((elastic-endpoint)). + + diff --git a/docs/serverless/serverless-security.docnav.json b/docs/serverless/serverless-security.docnav.json index 747862bc78..d7497fde44 100644 --- a/docs/serverless/serverless-security.docnav.json +++ b/docs/serverless/serverless-security.docnav.json @@ -176,6 +176,9 @@ }, { "slug": "/serverless/security/endpoint-self-protection" + }, + { + "slug": "/serverless/security/endpoint-command-ref" } ] }, From c1b28489043213d8948d1e40ee0523461142e4d2 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 5 Sep 2024 17:30:24 +0100 Subject: [PATCH 4/7] Adds command examples --- .../admin/endpoint-command-ref.asciidoc | 96 +++++++++++++++++++ .../edr-manage/endpoint-command-ref.mdx | 70 ++++++++++++++ 2 files changed, 166 insertions(+) 
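Review bot: In the new docs/serverless/edr-manage/endpoint-command-ref.mdx (PATCH 3/7), the uninstall note says "The elastic-agent uninstall command also uninstalls" in plain text and "if agent tamper protection is enabled" with no link, and the command list at the top is plain text, whereas the asciidoc version has xrefs at all three points. Suggest `elastic-agent uninstall` in inline code and links to the serverless agent uninstall and tamper protection pages, and anchor links for the command list, otherwise the serverless page loses the cross-references that explain why `elastic-endpoint uninstall` is rarely the right command.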
diff --git a/docs/management/admin/endpoint-command-ref.asciidoc b/docs/management/admin/endpoint-command-ref.asciidoc index 8b4e05c171..6580c33875 100644 --- a/docs/management/admin/endpoint-command-ref.asciidoc +++ b/docs/management/admin/endpoint-command-ref.asciidoc @@ -47,18 +47,42 @@ Gather diagnostics information from {elastic-endpoint}. This command produces an - `analysis.txt`: Diagnostic analysis report - `logs` directory: Copy of {elastic-endpoint} log files +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint diagnostics +------ + [discrete] [[elastic-endpoint-help-command]] == elastic-endpoint help Show help for the available commands. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint help +------ + [discrete] [[elastic-endpoint-inspect-command]] == elastic-endpoint inspect Show the current {elastic-endpoint} configuration. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint inspect +------ + [discrete] [[elastic-endpoint-install-command]] == elastic-endpoint install @@ -76,6 +100,14 @@ Specify a resources `.zip` file to be used during the installation. `--upgrade`:: Upgrade the existing installation. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade +------ + [discrete] [[elastic-endpoint-memorydump-command]] == elastic-endpoint memorydump 
@@ -91,12 +123,28 @@ Compress the saved memory dump. `--timeout `:: Specify the memory collection timeout, in seconds; the default is 60 seconds. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint memorydump --timeout 120 +------ + [discrete] [[elastic-endpoint-run-command]] == elastic-endpoint run Run `elastic-endpoint` as a foreground process if no other instance is already running. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint run +------ + [discrete] [[elastic-endpoint-send-command]] == elastic-endpoint send @@ -109,6 +157,14 @@ Send the requested document to the {stack}. `metadata`:: Send an off-schedule metrics document to the {stack}. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint send metadata +------ + [discrete] [[elastic-endpoint-status-command]] == elastic-endpoint status @@ -125,6 +181,14 @@ Control the level of detail and formatting of the information. Valid values are: * `full`: Always returns the full status information. * `json`: Always returns the full status information. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint status --output json +------ + [discrete] [[elastic-endpoint-test-command]] == elastic-endpoint test @@ -140,6 +204,14 @@ Test whether {elastic-endpoint} can connect to remote resources. [discrete] === Example +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint test output +------ + +[discrete] +=== Example output + [source,txt] ---- Testing output connections using config file: [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml] 
@@ -179,6 +251,14 @@ Normalize CPU usage values to a total of 100% across all CPUs on multi-CPU syste [discrete] === Example +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint top --interval 10 --limit 5 +------ + +[discrete] +=== Example output + [source,txt] ---- | PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG | @@ -239,9 +319,25 @@ NOTE: {elastic-endpoint} is managed by {agent}. To remove {elastic-endpoint} fro `--uninstall-token `:: Provide the uninstall token. The token is required if <> is enabled. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint uninstall --uninstall-token 12345678901234567890123456789012 +------ + [discrete] [[elastic-endpoint-version-command]] == elastic-endpoint version Show the version of {elastic-endpoint}. +[discrete] +=== Example + +[source,shell] +------ +sudo /Library/Elastic/Endpoint/elastic-endpoint version +------ + diff --git a/docs/serverless/edr-manage/endpoint-command-ref.mdx b/docs/serverless/edr-manage/endpoint-command-ref.mdx index c2938c3fed..9357b5bf26 100644 --- a/docs/serverless/edr-manage/endpoint-command-ref.mdx +++ b/docs/serverless/edr-manage/endpoint-command-ref.mdx @@ -54,14 +54,32 @@ Gather diagnostics information from ((elastic-endpoint)). This command produces - `analysis.txt`: Diagnostic analysis report - `logs` directory: Copy of ((elastic-endpoint)) log files +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint diagnostics +``` + ## elastic-endpoint help Show help for the available commands. +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint help +``` + ## elastic-endpoint inspect Show the current ((elastic-endpoint)) configuration. +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint inspect +``` + ## elastic-endpoint install Install ((elastic-endpoint)) as a system service. 
@@ -77,6 +95,12 @@ Elastic doesn't publish independent ((elastic-endpoint)) packages since ((elasti `--upgrade` : Upgrade the existing installation. +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade +``` + ## elastic-endpoint memorydump Save a memory dump of the ((elastic-endpoint)) service. @@ -89,10 +113,22 @@ Save a memory dump of the ((elastic-endpoint)) service. `--timeout ` : Specify the memory collection timeout, in seconds; the default is 60 seconds. +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint memorydump --timeout 120 +``` + ## elastic-endpoint run Run `elastic-endpoint` as a foreground process if no other instance is already running. +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint run +``` + ## elastic-endpoint send Send the requested document to the ((stack)). @@ -102,6 +138,12 @@ Send the requested document to the ((stack)). `metadata` : Send an off-schedule metrics document to the ((stack)). +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint send metadata +``` + ## elastic-endpoint status Retrieve the current status of the running ((elastic-endpoint)) service. The command also returns the last known status of ((agent)). @@ -115,6 +157,12 @@ Retrieve the current status of the running ((elastic-endpoint)) service. The com * `full`: Always returns the full status information. * `json`: Always returns the full status information. +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint status --output json +``` + ## elastic-endpoint test Perform the requested test. @@ -126,6 +174,12 @@ Perform the requested test. ### Example +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint test output +``` + +### Example output + ``` Testing output connections using config file: [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml] 
@@ -162,6 +216,12 @@ The meaning and output of this command are similar, but not identical, to the PO ### Example +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint top --interval 10 --limit 5 +``` + +### Example output + ``` | PROCESS | OVERALL | API | BHVR | DIAG BHVR | DNS | FILE | LIB | MEM SCAN | MLWR | NET | PROC | RANSOM | REG | ============================================================================================================================================================= @@ -219,8 +279,18 @@ Uninstall ((elastic-endpoint)). `--uninstall-token ` : Provide the uninstall token. The token is required if agent tamper protection is enabled. +### Example + +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint uninstall --uninstall-token 12345678901234567890123456789012 +``` + ## elastic-endpoint version Show the version of ((elastic-endpoint)). +### Example +``` +sudo /Library/Elastic/Endpoint/elastic-endpoint version +``` From 333d6b9854e90a10f9f4c7e47b82088b829822bb Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 9 Sep 2024 13:38:31 +0100 Subject: [PATCH 5/7] Apply tech review feedback --- docs/management/admin/endpoint-command-ref.asciidoc | 6 +++--- docs/serverless/edr-manage/endpoint-command-ref.mdx | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/management/admin/endpoint-command-ref.asciidoc b/docs/management/admin/endpoint-command-ref.asciidoc index 6580c33875..9ed5ce56ea 100644 --- a/docs/management/admin/endpoint-command-ref.asciidoc +++ b/docs/management/admin/endpoint-command-ref.asciidoc @@ -95,7 +95,7 @@ NOTE: Elastic doesn't publish independent {elastic-endpoint} packages since {ela === Options `--resources `:: -Specify a resources `.zip` file to be used during the installation. +Specify a resources `.zip` file to be used during the installation. This option is required. `--upgrade`:: Upgrade the existing installation. 
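Review bot: Every example added in PATCH 4/7 is the macOS form `sudo /Library/Elastic/Endpoint/elastic-endpoint ...`, while the page's intro lists Windows and Linux paths too, and the `test output` example output still shows a Windows config path (`C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml`) under a macOS command. Suggest one sentence before the first example saying the examples use the macOS path and to substitute the path from the note at the top, and either a Windows example (no `sudo`, quoted `.exe` path) or a platform-neutral output sample.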
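Review bot: The `uninstall` example in PATCH 4/7 passes `--uninstall-token 12345678901234567890123456789012` literally; please mark the value as a placeholder in the same style the Options entries use so nobody copies it, and consider a one-line caution that a token supplied on the command line is recorded in shell history and visible in the process list while the command runs.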
@@ -105,7 +105,7 @@ Upgrade the existing installation. [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade +sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade --resources endpoint-security-resources.zip ------ [discrete] @@ -214,7 +214,7 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint test output [source,txt] ---- -Testing output connections using config file: [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml] +Testing output connections Using proxy: diff --git a/docs/serverless/edr-manage/endpoint-command-ref.mdx b/docs/serverless/edr-manage/endpoint-command-ref.mdx index 9357b5bf26..10f3316032 100644 --- a/docs/serverless/edr-manage/endpoint-command-ref.mdx +++ b/docs/serverless/edr-manage/endpoint-command-ref.mdx @@ -90,7 +90,7 @@ Elastic doesn't publish independent ((elastic-endpoint)) packages since ((elasti ### Options `--resources ` - : Specify a resources `.zip` file to be used during the installation. + : Specify a resources `.zip` file to be used during the installation. This option is required. `--upgrade` : Upgrade the existing installation. @@ -98,7 +98,7 @@ Elastic doesn't publish independent ((elastic-endpoint)) packages since ((elasti ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade +sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade --resources endpoint-security-resources.zip ``` ## elastic-endpoint memorydump @@ -181,7 +181,7 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint test output ### Example output ``` -Testing output connections using config file: [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml] +Testing output connections Using proxy: From c88e227aa0639c56f7514a7abe8d78e1067f2113 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Tue, 10 Sep 2024 13:43:43 +0100 Subject: [PATCH 6/7] Apply editorial feedback --- docs/management/admin/endpoint-command-ref.asciidoc | 6 +++--- docs/serverless/edr-manage/endpoint-command-ref.mdx | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/management/admin/endpoint-command-ref.asciidoc b/docs/management/admin/endpoint-command-ref.asciidoc index 9ed5ce56ea..45d15e6eb6 100644 --- a/docs/management/admin/endpoint-command-ref.asciidoc +++ b/docs/management/admin/endpoint-command-ref.asciidoc @@ -5,12 +5,12 @@ This page lists the commands for management and troubleshooting of {elastic-endp [NOTE] ==== -* The service is not added to the `PATH` system variable, so you must prepend the commands with the full OS-dependent path: +* {elastic-endpoint} is not added to the `PATH` system variable, so you must prepend the commands with the full OS-dependent path: ** On Windows: `"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"` ** On macOS: `/Library/Elastic/Endpoint/elastic-endpoint` ** On Linux: `/opt/Elastic/Endpoint/elastic-endpoint` -* You must run the commands with elevated privileges—as the root user on POSIX systems, or as Administrator on Windows. +* You must run the commands with elevated privileges—as the root user on Linux and macOS, or as Administrator on Windows. ==== The following {elastic-endpoint} commands are available: 
@@ -232,7 +232,7 @@ Fleet server: https://fleet.example.elastic.co:443 [[elastic-endpoint-top-command]] == elastic-endpoint top -Show a breakdown of the executables that triggered {elastic-endpoint} CPU usage within the last interval. This utility displays which {elastic-endpoint} features are resource-intensive for a particular executable. +Show a breakdown of the executables that triggered {elastic-endpoint} CPU usage within the last interval. This displays which {elastic-endpoint} features are resource-intensive for a particular executable. NOTE: The meaning and output of this command are similar, but not identical, to the POSIX `top` command. The `elastic-endpoint top` command aggregates multiple processes by executable. The utilization values aren't measured by the OS scheduler but by a wall clock in user mode. The output helps identify outliers causing excessive CPU utilization, allowing you to fine-tune the {elastic-defend} policy and exception lists in your deployment. diff --git a/docs/serverless/edr-manage/endpoint-command-ref.mdx b/docs/serverless/edr-manage/endpoint-command-ref.mdx index 10f3316032..1e6cadcc82 100644 --- a/docs/serverless/edr-manage/endpoint-command-ref.mdx +++ b/docs/serverless/edr-manage/endpoint-command-ref.mdx 
@@ -13,12 +13,12 @@ This page lists the commands for management and troubleshooting of ((elastic-end -* The service is not added to the `PATH` system variable, so you must prepend the commands with the full OS-dependent path: +* ((elastic-endpoint)) is not added to the `PATH` system variable, so you must prepend the commands with the full OS-dependent path: * On Windows: `"C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"` * On macOS: `/Library/Elastic/Endpoint/elastic-endpoint` * On Linux: `/opt/Elastic/Endpoint/elastic-endpoint` -* You must run the commands with elevated privileges—as the root user on POSIX systems, or as Administrator on Windows. +* You must run the commands with elevated privileges—as the root user on Linux and macOS, or as Administrator on Windows. @@ -197,7 +197,7 @@ Fleet server: https://fleet.example.elastic.co:443 ## elastic-endpoint top -Show a breakdown of the executables that triggered ((elastic-endpoint)) CPU usage within the last interval. This utility displays which ((elastic-endpoint)) features are resource-intensive for a particular executable. +Show a breakdown of the executables that triggered ((elastic-endpoint)) CPU usage within the last interval. This displays which ((elastic-endpoint)) features are resource-intensive for a particular executable. The meaning and output of this command are similar, but not identical, to the POSIX `top` command. The `elastic-endpoint top` command aggregates multiple processes by executable. The utilization values aren't measured by the OS scheduler but by a wall clock in user mode. The output helps identify outliers causing excessive CPU utilization, allowing you to fine-tune the ((elastic-defend)) policy and exception lists in your deployment. From e12cd577023622770609e9f5a744bfe244ab4a9f Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Wed, 11 Sep 2024 12:42:24 +0100 Subject: [PATCH 7/7] Applies feedback --- .../admin/endpoint-command-ref.asciidoc | 28 +++++++++---------- .../edr-manage/endpoint-command-ref.mdx | 28 +++++++++---------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/docs/management/admin/endpoint-command-ref.asciidoc b/docs/management/admin/endpoint-command-ref.asciidoc index 45d15e6eb6..89a4f66237 100644 --- a/docs/management/admin/endpoint-command-ref.asciidoc +++ b/docs/management/admin/endpoint-command-ref.asciidoc @@ -10,7 +10,7 @@ This page lists the commands for management and troubleshooting of {elastic-endp ** On macOS: `/Library/Elastic/Endpoint/elastic-endpoint` ** On Linux: `/opt/Elastic/Endpoint/elastic-endpoint` -* You must run the commands with elevated privileges—as the root user on Linux and macOS, or as Administrator on Windows. +* You must run the commands with elevated privileges—using `sudo` to run as the root user on Linux and macOS, or running as Administrator on Windows. ==== The following {elastic-endpoint} commands are available: @@ -52,7 +52,7 @@ Gather diagnostics information from {elastic-endpoint}. This command produces an [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint diagnostics +elastic-endpoint diagnostics ------ [discrete] @@ -66,7 +66,7 @@ Show help for the available commands. [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint help +elastic-endpoint help ------ [discrete] @@ -80,7 +80,7 @@ Show the current {elastic-endpoint} configuration. [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint inspect +elastic-endpoint inspect ------ [discrete] 
@@ -89,7 +89,7 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint inspect Install {elastic-endpoint} as a system service. -NOTE: Elastic doesn't publish independent {elastic-endpoint} packages since {elastic-endpoint} is managed by {agent}. +NOTE: We do not recommend installing {elastic-endpoint} using this command. {elastic-endpoint} is managed by {agent} and cannot function as a standalone service. Therefore, there is no separate installation package for {elastic-endpoint}, and it should not be installed independently. [discrete] === Options @@ -105,7 +105,7 @@ Upgrade the existing installation. [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade --resources endpoint-security-resources.zip +elastic-endpoint install --upgrade --resources endpoint-security-resources.zip ------ [discrete] @@ -128,7 +128,7 @@ Specify the memory collection timeout, in seconds; the default is 60 seconds. [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint memorydump --timeout 120 +elastic-endpoint memorydump --timeout 120 ------ [discrete] @@ -142,7 +142,7 @@ Run `elastic-endpoint` as a foreground process if no other instance is already r [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint run +elastic-endpoint run ------ [discrete] @@ -162,7 +162,7 @@ Send an off-schedule metrics document to the {stack}. [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint send metadata +elastic-endpoint send metadata ------ [discrete] @@ -186,7 +186,7 @@ Control the level of detail and formatting of the information. Valid values are: [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint status --output json +elastic-endpoint status --output json ------ [discrete] @@ -206,7 +206,7 @@ Test whether {elastic-endpoint} can connect to remote resources. [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint test output +elastic-endpoint test output ------ [discrete] 
@@ -253,7 +253,7 @@ Normalize CPU usage values to a total of 100% across all CPUs on multi-CPU syste [source,shell] ------ -sudo /Library/Elastic/Endpoint/elastic-endpoint top --interval 10 --limit 5 +elastic-endpoint top --interval 10 --limit 5 ------ [discrete] @@ -324,7 +324,7 @@ Provide the uninstall token. The token is required if < @@ -57,7 +57,7 @@ Gather diagnostics information from ((elastic-endpoint)). This command produces ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint diagnostics +elastic-endpoint diagnostics ``` ## elastic-endpoint help @@ -67,7 +67,7 @@ Show help for the available commands. ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint help +elastic-endpoint help ``` ## elastic-endpoint inspect @@ -77,7 +77,7 @@ Show the current ((elastic-endpoint)) configuration. ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint inspect +elastic-endpoint inspect ``` ## elastic-endpoint install @@ -85,7 +85,7 @@ sudo /Library/Elastic/Endpoint/elastic-endpoint inspect Install ((elastic-endpoint)) as a system service. -Elastic doesn't publish independent ((elastic-endpoint)) packages since ((elastic-endpoint)) is managed by ((agent)). +We do not recommend installing ((elastic-endpoint)) using this command. ((elastic-endpoint)) is managed by ((agent)) and cannot function as a standalone service. Therefore, there is no separate installation package for ((elastic-endpoint)), and it should not be installed independently. ### Options @@ -98,7 +98,7 @@ Elastic doesn't publish independent ((elastic-endpoint)) packages since ((elasti ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint install --upgrade --resources endpoint-security-resources.zip +elastic-endpoint install --upgrade --resources endpoint-security-resources.zip ``` ## elastic-endpoint memorydump 
@@ -116,7 +116,7 @@ Save a memory dump of the ((elastic-endpoint)) service. ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint memorydump --timeout 120 +elastic-endpoint memorydump --timeout 120 ``` ## elastic-endpoint run @@ -126,7 +126,7 @@ Run `elastic-endpoint` as a foreground process if no other instance is already r ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint run +elastic-endpoint run ``` ## elastic-endpoint send @@ -141,7 +141,7 @@ Send the requested document to the ((stack)). ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint send metadata +elastic-endpoint send metadata ``` ## elastic-endpoint status @@ -160,7 +160,7 @@ Retrieve the current status of the running ((elastic-endpoint)) service. The com ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint status --output json +elastic-endpoint status --output json ``` ## elastic-endpoint test @@ -175,7 +175,7 @@ Perform the requested test. ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint test output +elastic-endpoint test output ``` ### Example output @@ -217,7 +217,7 @@ The meaning and output of this command are similar, but not identical, to the PO ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint top --interval 10 --limit 5 +elastic-endpoint top --interval 10 --limit 5 ``` ### Example output @@ -282,7 +282,7 @@ Uninstall ((elastic-endpoint)). ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint uninstall --uninstall-token 12345678901234567890123456789012 +elastic-endpoint uninstall --uninstall-token 12345678901234567890123456789012 ``` ## elastic-endpoint version @@ -292,5 +292,5 @@ Show the version of ((elastic-endpoint)). ### Example ``` -sudo /Library/Elastic/Endpoint/elastic-endpoint version +elastic-endpoint version ```
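Review bot: Logic problem starting at the diagnostics hunk (`@@ -52,7 +52,7 @@`, `-sudo /Library/Elastic/Endpoint/elastic-endpoint diagnostics` to `+elastic-endpoint diagnostics`) and repeated in every other Example hunk of this patch in both the asciidoc and the mdx file: the examples now contradict the NOTE this same patch edits at `@@ -10,7 +10,7 @@`, which says the binary is not on `PATH`, must be invoked by its full OS-dependent path, and must run with `sudo` or as Administrator. Typed as shown, the bare commands fail with "command not found" or insufficient privileges. Either keep the full-path form for one platform in the examples, or add one sentence above the first example stating that the path and privilege prefix is omitted for brevity and that the NOTE's requirements still apply.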
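Review bot: In the install hunk (`@@ -89,7 +89,7 @@`, and the matching mdx hunk at `@@ -85,7 +85,7 @@`), the rewritten NOTE (`We do not recommend installing {elastic-endpoint} using this command ... it should not be installed independently.`) is immediately followed by an Options list and an Example (`elastic-endpoint install --upgrade --resources endpoint-security-resources.zip`) that document doing exactly that. Say in which situation running `install` manually is still expected, or drop the example, so the warning and the worked command don't read as contradictory.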