
Elastic EDR

Elastic EDR (Endpoint Detection and Response) is the endpoint component of Elastic Security, delivered through the Elastic Agent and its Elastic Defend integration. It prevents, detects and responds to endpoint threats such as ransomware and malware. The notes below stand the stack up locally with the elastic-container project and enroll a Windows host.


  • First, you need Docker and the Docker Compose plugin (the commands below target Debian/Ubuntu, which is what the apt repository setup assumes)

    # Add Docker's official GPG key:
    sudo apt-get update
    sudo apt-get install ca-certificates curl
    sudo install -m 0755 -d /etc/apt/keyrings
    sudo curl -fsSL -o /etc/apt/keyrings/docker.asc
    sudo chmod a+r /etc/apt/keyrings/docker.asc
    # Add the repository to Apt sources:
    echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update
    # Install docker from apt
    sudo apt-get install docker-ce docker-ce-cli docker-buildx-plugin docker-compose-plugin

  • You may want to add the default user to the docker group so it can run docker without sudo (log out and back in, or run newgrp docker, for the membership to apply; groupadd will simply report that the group already exists if the package created it)

    sudo groupadd docker
    sudo usermod -aG docker $USER

  • Install the tools the elastic-container script needs (jq parses the API responses it makes to Kibana)

    sudo apt-get update
    sudo apt-get install jq git curl

  • Clone the project

    git clone
    cd elastic-container

  • Edit .env to set the credentials and activate the rules

    LICENSE=trial # enable the platinum features (30-day trial)

  • Download the images and run the containers

    chmod +x ./
    ./ start

  • Access Kibana (the Elastic Security / EDR interface) at https://localhost:5601 and log in with the credentials set in .env; the stack's certificate is self-signed, so expect a browser warning
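  • Check that the stack is actually up before enrolling agents. The script below is an added example, not part of the elastic-container project: it reads the elastic password from .env (it assumes the file defines ELASTIC_PASSWORD for the built-in elastic user), polls https://localhost:5601/api/status until Kibana reports available (8.x) or green (7.x), then lists enrolled agents and their status through the Fleet API. curl -k accepts the self-signed certificate; the jq dependency is the one installed above. The .env parser handles the trailing-comment style used on this page (LICENSE=trial # ...).

```bash
#!/usr/bin/env bash
# Added example: post-start health check for the elastic-container stack.
# Not part of the elastic-container project. Assumptions (not stated on the page):
#   - .env defines ELASTIC_PASSWORD for the built-in "elastic" superuser
#   - Kibana listens on https://localhost:5601 with a self-signed certificate
#   - jq (installed above) is available for the Fleet agent listing
set -eu

# Read KEY=value from a .env file: last definition wins, full-line comments are
# skipped, a trailing " # comment" (as in "LICENSE=trial # enable ...") and
# surrounding quotes are stripped. Values containing " #" are not supported.
env_get() { # usage: env_get KEY FILE
    local key=$1 file=$2 line val
    line=$(grep -E "^[[:space:]]*${key}=" "$file" | tail -n 1)
    [ -n "$line" ] || return 1
    val=${line#*=}
    val=$(printf '%s' "$val" | sed -E \
        -e 's/[[:space:]]+#.*$//' \
        -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' \
        -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'$/\1/")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Extract the overall state from a Kibana /api/status body. Kibana 8.x reports
# status.overall.level ("available"), 7.x status.overall.state ("green").
# Prints nothing for anything else, e.g. the "Kibana server is not ready yet" page.
kibana_overall() { # usage: kibana_overall JSON
    printf '%s' "$1" | tr -d '\n' | sed -nE \
        's/.*"overall"[[:space:]]*:[[:space:]]*[{][[:space:]]*"(level|state)"[[:space:]]*:[[:space:]]*"([^"]*)".*/\2/p'
}

# Poll Kibana until it reports available/green or the timeout expires.
wait_for_kibana() { # usage: wait_for_kibana URL USER PASSWORD [TIMEOUT_SECONDS]
    local url=$1 user=$2 pass=$3 timeout=${4:-300} deadline body state=
    deadline=$(( $(date +%s) + timeout ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        # -k accepts the self-signed certificate; drop it once a trusted one is installed
        body=$(curl -sk -u "${user}:${pass}" "${url}/api/status" || true)
        state=$(kibana_overall "$body")
        case $state in
            available|green) echo "Kibana ready (${state})"; return 0 ;;
        esac
        sleep 5
    done
    echo "Kibana not ready after ${timeout}s (last state: ${state:-none})" >&2
    return 1
}

# List enrolled agents, one per line: hostname, Fleet status, policy id.
# An agent that installed cleanly but shows offline/error here usually has a
# certificate problem (see the --insecure note in the enrollment step).
list_agents() { # usage: list_agents URL USER PASSWORD
    curl -sk -u "$2:$3" -H 'kbn-xsrf: true' "$1/api/fleet/agents?perPage=100" |
        jq -r '.items[] | [.local_metadata.host.hostname, .status, .policy_id] | @tsv'
}

# Only run the live check when asked, so the functions can also be sourced:
#   RUN_CHECK=1 ./check-stack.sh .env
if [ "${RUN_CHECK:-0}" = 1 ]; then
    envfile=${1:-.env}
    pass=$(env_get ELASTIC_PASSWORD "$envfile")
    wait_for_kibana https://localhost:5601 elastic "$pass"
    list_agents https://localhost:5601 elastic "$pass"
fi
```

    Run it from the elastic-container directory right after start; once it prints "Kibana ready", the agent listing should show each enrolled host as online.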

  • Fleet > Add agent
  • Enroll in Fleet (recommended)
  • Copy the Windows PowerShell one-liner and append --insecure to the install command if Fleet Server presents the stack's self-signed (untrusted) certificate. The --fleet-server-* flags in the snippet below are those of a Fleet Server install; an agent that only enrolls in the container's Fleet Server gets --url=<fleet-server-url> --enrollment-token=<token> from Kibana instead

    # Elevated PowerShell prompt on the Windows host
    Invoke-WebRequest -Uri -OutFile
    Expand-Archive -Path -DestinationPath C:\ElasticAgent
    # -f: non-interactive install; add --insecure when the certificate is self-signed
    C:\ElasticAgent\elastic-agent-7.15.1-windows-x86_64\elastic-agent.exe install -f --fleet-server-es={{ fleet_server_es }} --fleet-server-service-token={{ fleet_token }} --fleet-server-policy={{ fleet_policy }}

  • Fleet > Integrations > Elastic Defend (the integration attached to the agent policy)

    • Switch Prevent to Detect: samples are reported but not killed, which keeps the execution running for analysis
    • Enable the additional event collection options (process, network, file, registry and DNS events, for example) to collect more data
  • Destroy the containers

    ./ destroy