Getting started with WithSecure™ Elements Endpoint Detection and Response

Follow the steps below to get started with using WithSecure™ Elements Endpoint Detection and Response.

You need a WithSecure™ Business Account to access Elements Security Center, the management portal for all WithSecure™ Elements products.

When you purchase from a WithSecure partner, the partner typically creates your first administrator account and sends you an email with a temporary password. If your account hasn’t been created yet but you have a subscription key, go to elements.withsecure.com/self-register to create one.

Tip: If you haven’t received your activation email, check your junk mail folder first.

Elements EDR works by installing a lightweight sensor on each device you want to monitor. The sensor collects behavioral event data — file accesses, process creation, network connections, registry changes — and sends it to the backend for analysis.

Before you deploy

To get the best possible detection coverage, apply these recommendations on target devices before installing:

  • Windows: Make sure a Windows audit policy is configured to generate security log events. Also ensure that PowerShell ScriptBlock logging is not disabled — turning it off limits detection capabilities.
  • Linux: Use kernel 5.10 or newer for best performance. If using kernel 3.16 or older, make sure auditd is installed and configured correctly.
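
A pre-install check for the Linux recommendation above, as an added example that is not WithSecure tooling. The function names and result labels are assumptions; the two thresholds (5.10 and 3.16) are the ones stated on this page.

```shell
#!/bin/sh
# Added example: Linux pre-install check for the kernel/auditd recommendations.
# Function names and result labels are hypothetical, not WithSecure tooling.

# classify_kernel RELEASE -> recommended | below-recommended | needs-auditd | unknown
# Only major.minor is compared, so any 3.16.x release counts as "3.16 or older".
classify_kernel() {
    rel=${1%%[!0-9.]*}                    # "5.10.0-28-amd64" -> "5.10.0"
    case "$rel" in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%.*}
    case "$major:$minor" in :*|*:) echo unknown; return 0 ;; esac
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 10 ]; }; then
        echo recommended
    elif [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -le 16 ]; }; then
        echo needs-auditd
    else
        echo below-recommended            # between the two thresholds on the page
    fi
}

# auditd_status -> running | installed | missing
# Checks presence only; it does not validate the audit configuration.
auditd_status() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x auditd >/dev/null 2>&1; then
        echo running
    elif [ -x /sbin/auditd ] || [ -x /usr/sbin/auditd ] || command -v auditd >/dev/null 2>&1; then
        echo installed
    else
        echo missing
    fi
}

# preflight [RELEASE] -> prints findings; returns 1 when the kernel release
# cannot be classified or auditd is missing on a kernel that needs it.
preflight() {
    release=${1:-$(uname -r)}
    class=$(classify_kernel "$release")
    echo "kernel $release: $class"
    case "$class" in
        unknown) return 1 ;;
        needs-auditd)
            status=$(auditd_status)
            echo "auditd: $status"
            [ "$status" != missing ] || return 1 ;;
    esac
    return 0
}

preflight || echo "Resolve the items above before installing the sensor."
```

Run it on the target host before installing the sensor, or pass a release string such as `preflight 3.10.0-1160.el7.x86_64` to check a host from inventory data.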

Install the sensor

Elements EDR covers Windows (workstations and servers), Mac, and Linux. Choose the method that suits your environment:

  • Email invitation — good for a small number of devices. Go to Environment > Devices, select the three-dots icon next to Devices, choose Add new device, and follow the wizard to send users a download link.
  • Download the installer — suited for larger deployments. Go to Downloads in the sidebar, select the package for your platform (EXE or MSI for Windows, MPKG for Mac, DEB/RPM/tar for Linux), select a subscription key, and download. The key is embedded in the installer.

Deploying at scale? The user guide covers deployment via Active Directory GPO, Microsoft Intune, and VDI environments. See the link in Further reading.

Once the sensor is installed, verify it’s working by triggering a test Broad Context Detection. Regular users don’t run the whoami command, so it reliably produces a detection.

  1. Log in to the monitored endpoint where the sensor is installed.
  2. Open a Command Prompt and run: whoami
  3. Run exit to close the prompt, then log out of the endpoint.
  4. In Elements Security Center, go to Events > Broad Context Detections. The detection should appear within a few minutes.

When a real detection appears

Each detection shows a risk level score, confidence, and criticality to help you prioritize. Select a detection to see the process tree, log view, and related events. From there you can take response actions — such as isolating the host from the network — or escalate the case to WithSecure experts using Elevate to WithSecure.

Tip: For advanced testing using PowerShell, see Appendix A of the Elements EDR user guide.

Further reading

User guide — Elements Endpoint Detection and Response

Full documentation covering deployment methods, investigation workflows, response actions, best practices, and more

WithSecure Community

Stay up to date with product announcements and changelogs, get answers to your questions, and share product ideas