Host isolation

7.14 - when I go to a case, with an alert on it , and click to get the fly out, I'm not seeing an option to "Take Action" and isolate a host. Do you only see the "Take Action" button if there is a certain alert in the case (e.g. a Malware alert - I currently have a "malware prevention alert".
I also cant see "Take Action" when I go to Endpoints, but I think that might only be there in 7.15.
Basically I'm wanting to test isolation. How can I do that?

Thanks community


Hi @wmacleodstrath - thanks for using Elastic Security!

A couple initial questions for you -

  • what is the OS of the host you are looking to perform this action on? for 7.14, Host Isolation will be available for Windows/MacOS hosts.
  • what is your license level? Host Isolation will be available for Platinum / Enterprise licenses

Windows server 2016
No license - I'm on the free on prem stuff. This article says it's free, open and limitless Elastic Security 7.14: Limitless XDR protection | Elastic Blog so I wouldn't expect i would need to purchase a license for it.


FYI I'm also a Super User

and if I go via Endpoint - I do see the "Take Action" button but my only choices are:
view host details
view agent policy
view agent details
reassign agent policy

and if I look at the policy status I see "Successfully read host isolation configuration (disabled)"

I seem to be having the same issue aswell on v7.15.0

Thanks to @ BenB196 for pointing out (on another thread) that it does indeed look like a chargeable feature on this page Subscriptions | Elastic Stack Products & Support | Elastic despite many other pages referring to it as "free and open Limitless XDR"