Host isolation

7.14 - when I go to a case with an alert on it, and click to get the flyout, I'm not seeing an option to "Take Action" and isolate a host. Do you only see the "Take Action" button if there is a certain alert in the case (e.g. a malware alert)? I currently have a "malware prevention alert".
I also can't see "Take Action" when I go to Endpoints, but I think that might only be there in 7.15.
Basically I'm wanting to test isolation. How can I do that?

Thanks community


Hi @wmacleodstrath - thanks for using Elastic Security!

A couple of initial questions for you:

  • What is the OS of the host you are looking to perform this action on? For 7.14, Host Isolation will be available for Windows/macOS hosts.
  • What is your license level? Host Isolation will be available for Platinum / Enterprise licenses.

Windows Server 2016
No license - I'm on the free on-prem stuff. This article says it's free, open and limitless (Elastic Security 7.14: Limitless XDR protection | Elastic Blog), so I wouldn't expect I would need to purchase a license for it.


FYI I'm also a Super User

and if I go via Endpoint - I do see the "Take Action" button but my only choices are:
  • view host details
  • view agent policy
  • view agent details
  • reassign agent policy

and if I look at the policy status I see "Successfully read host isolation configuration (disabled)"

I seem to be having the same issue as well on v7.15.0.

Thanks to @BenB196 for pointing out (on another thread) that it does indeed look like a chargeable feature on this page (Subscriptions | Elastic Stack Products & Support | Elastic), despite many other pages referring to it as "free and open Limitless XDR".
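The thread ends with the realisation that the missing "Isolate host" action is a licence-tier issue rather than a configuration one. Before filing a bug or hunting through policy settings, the quickest check is the cluster's own `GET /_license` response. The script below is an added example written for this editorial pass; it is not code from the thread or from Elastic. It assumes that Host Isolation is gated at Platinum and above (Platinum, Enterprise, and an active Trial, which unlocks paid features for evaluation); the `/_license` response shape and the `ApiKey` authorization header are Elasticsearch's real API, while the sample licence documents are constructed for the example.

```python
"""Decide whether an Elastic cluster's licence tier unlocks Host Isolation.

Added example, not from the forum thread. Assumption: Host Isolation requires
Platinum or above (Platinum, Enterprise, or an active Trial). The /_license
document shape is Elasticsearch's own; the samples below are constructed.
"""
import json
import urllib.request
from typing import Optional

# Tiers assumed to include Host Isolation (per the Subscriptions page: Platinum+).
# "trial" is an assumption: a trial grants the paid feature set for evaluation.
HOST_ISOLATION_TIERS = {"platinum", "enterprise", "trial"}


def license_allows_host_isolation(license_doc: dict) -> bool:
    """Return True if a GET /_license document reports an *active* tier
    that includes Host Isolation. An expired Platinum licence does not count."""
    lic = license_doc.get("license", {})
    return (
        lic.get("status") == "active"
        and str(lic.get("type", "")).lower() in HOST_ISOLATION_TIERS
    )


def explain_license(license_doc: dict) -> str:
    """Human-readable verdict matching what the thread observed: on a basic
    licence the endpoint policy status reads 'host isolation ... (disabled)'."""
    lic = license_doc.get("license", {})
    tier = lic.get("type", "unknown")
    status = lic.get("status", "unknown")
    if license_allows_host_isolation(license_doc):
        return f"{tier} ({status}): Host Isolation should be available"
    return (f"{tier} ({status}): Host Isolation not included; expect "
            "'Successfully read host isolation configuration (disabled)' "
            "in the endpoint policy status")


def fetch_license(base_url: str, api_key: Optional[str] = None,
                  timeout: int = 10) -> dict:
    """Call GET {base_url}/_license on a live cluster (not exercised offline).
    api_key is an Elasticsearch API key, sent as 'Authorization: ApiKey ...'."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/_license")
    if api_key:
        req.add_header("Authorization", f"ApiKey {api_key}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (shape follows GET /_license; values are made up).
BASIC_LICENSE = {"license": {"status": "active", "type": "basic", "mode": "basic",
                             "uid": "00000000-0000-0000-0000-000000000000"}}
PLATINUM_LICENSE = {"license": {"status": "active", "type": "platinum",
                                "mode": "platinum"}}
EXPIRED_PLATINUM = {"license": {"status": "expired", "type": "platinum",
                                "mode": "platinum"}}

if __name__ == "__main__":
    # Offline demonstration over the constructed samples. Against a real
    # cluster you would call explain_license(fetch_license("https://es:9200", key)).
    for doc in (BASIC_LICENSE, PLATINUM_LICENSE, EXPIRED_PLATINUM):
        print(explain_license(doc))
```

The first thing `explain_license` reports for the original poster's free on-prem cluster would be the `basic` verdict, which lines up with the "(disabled)" host isolation configuration shown in the endpoint policy status earlier in the thread. Checking `status` as well as `type` matters because a lapsed Platinum or Trial licence drops back to basic-tier behaviour even though the document still names the paid tier.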