diff --git a/raw-migrated-files/docs-content/serverless/security-automated-response-actions.md b/raw-migrated-files/docs-content/serverless/security-automated-response-actions.md deleted file mode 100644 index 399d0535ec..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-automated-response-actions.md +++ /dev/null 
@@ -1,39 +0,0 @@ -# Automated response actions [security-automated-response-actions] - -Add {{elastic-defend}}'s [response actions](../../../solutions/security/endpoint-response-actions.md) to detection rules to automatically perform actions on an affected host when an event meets the rule’s criteria. Use these actions to support your response to detected threats and suspicious events. - -::::{admonition} Requirements -:class: note - -* Automated response actions require the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* Hosts must have {{agent}} installed with the {{elastic-defend}} integration. -* Your user role must have the ability to create detection rules and the privilege to perform [specific response actions](../../../solutions/security/endpoint-response-actions.md#response-action-commands) (for example, custom roles require the **Host Isolation** privilege to isolate hosts). - -:::: - - -To add automated response actions to a new or existing rule: - -1. Do one of the following: - - * **New rule**: On the last step of rule creation, go to the **Response Actions** section and select **{{elastic-defend}}**. - * **Existing rule**: Edit the rule’s settings, then go to the **Actions*** tab. In the tab, select ***{{elastic-defend}}** under the **Response Actions** section. - -2. Select an option in the **Response action** field: - - * **Isolate**: [Isolate the host](../../../solutions/security/endpoint-response-actions/isolate-host.md), blocking communication with other hosts on the network. - * **Kill process**: Terminate a process on the host. - * **Suspend process**: Temporarily suspend a process on the host. - - ::::{important} - Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. - - :::: - -3. 
For process actions, specify how to identify the process you want to terminate or suspend: - - * Turn on the toggle to use the alert’s **process.pid** value as the identifier. - * To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**. - -4. Enter a comment describing why you’re performing the action on the host (optional). -5. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules). diff --git a/raw-migrated-files/docs-content/serverless/security-isolate-host.md b/raw-migrated-files/docs-content/serverless/security-isolate-host.md deleted file mode 100644 index aecf426793..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-isolate-host.md +++ /dev/null 
@@ -1,178 +0,0 @@ -# Isolate a host [security-isolate-host] - -Host isolation allows you to isolate hosts from your network, blocking communication with other hosts on your network until you release the host. Isolating a host is useful for responding to malicious activity or preventing potential attacks, as it prevents lateral movement across other hosts. - -Isolated hosts, however, can still send data to {{elastic-sec}}. You can also create [host isolation exceptions](../../../solutions/security/manage-elastic-defend/host-isolation-exceptions.md) for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. - -::::{admonition} Requirements -:class: note - -* Host isolation requires the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* Hosts must have {{agent}} installed with the {{elastic-defend}} integration. -* Host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: - - * CentOS/RHEL 8 - * Debian 11 - * Ubuntu 18.04, 20.04, and 22.04 - * AWS Linux 2 - -* To isolate and release hosts running any operating system, you must have the appropriate user role. - -:::: - - -:::{image} ../../../images/serverless--management-admin-isolated-host.png -:alt: Endpoint page highlighting a host that's been isolated -:class: screenshot -::: - -You can isolate a host from a detection alert’s details flyout, from the Endpoints page, or from the endpoint response console. Once a host is successfully isolated, an `Isolated` status displays next to the `Agent status` field, which you can view on the alert details flyout or Endpoints list table. - -::::{tip} -If the request fails, verify that the {{agent}} and your endpoint are both online before trying again. - -:::: - - -All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. 
Refer to [View host isolation history](../../../solutions/security/endpoint-response-actions/isolate-host.md#view-host-isolation-details) for more information. - - -## Isolate a host [isolate-a-host] - -::::{dropdown} Isolate a host from a detection alert -1. Open a detection alert: - - * From the Alerts table or Timeline: Click **View details** (![View details](../../../images/serverless-expand.svg "")). - * From a case with an attached alert: Click **Show alert details** (**>**). - -2. Click **Take action → Isolate host**. -3. Enter a comment describing why you’re isolating the host (optional). -4. Click **Confirm**. - -:::: - - -::::{dropdown} Isolate a host from an endpoint -1. Find **Endpoints** in the navigation menu or use the global search field, then either: - - * Select the appropriate endpoint in the **Endpoint** column, and click **Take action → Isolate host** in the endpoint details flyout. - * Click the **Actions** menu (*…​*) on the appropriate endpoint, then select **Isolate host**. - -2. Enter a comment describing why you’re isolating the host (optional). -3. Click **Confirm**. - -:::: - - -:::::{dropdown} Isolate a host from the response console -::::{note} -The response console requires the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -:::: - - -1. Open the response console for the host (select the **Respond** button or actions menu option on the host, endpoint, or alert details view). -2. Enter the `isolate` command and an optional comment in the input area, for example: - - `isolate --comment "Isolate this host"` - -3. Press **Return**. - -::::: - - -:::::{dropdown} Automatically isolate a host using a rule’s endpoint response action -::::{note} -The host isolation endpoint response action requires the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). 
- -:::: - - -::::{important} -Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. - -:::: - - -1. Add an endpoint response action to a new or existing custom query rule. The endpoint response action will run whenever rule conditions are met: - - * **New rule**: On the last step of [custom query rule](../../../solutions/security/detect-and-alert/create-detection-rule.md#create-custom-rule) creation, go to the **Response Actions** section and select **{{elastic-defend}}**. - * **Existing rule**: Edit the rule’s settings, then go to the **Actions*** tab. In the tab, select ***{{elastic-defend}}** under the **Response Actions** section. - -2. Click the **Response action** field, then select **Isolate**. -3. Enter a comment describing why you’re isolating the host (optional). -4. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules). - -::::: - - -After the host is successfully isolated, an **Isolated** status is added to the endpoint. Active end users receive a notification that the computer has been isolated from the network: - -:::{image} ../../../images/serverless--management-admin-host-isolated-notif.png -:alt: Host isolated notification message -:class: screenshot -::: - - -## Release a host [release-a-host] - -::::{dropdown} Release a host from a detection alert -1. Open a detection alert: - - * From the Alerts table or Timeline: Click **View details** (![View details](../../../images/serverless-expand.svg "")). - * From a case with an attached alert: Click **Show alert details** (**>**). - -2. From the alert details flyout, click **Take action → Release host**. -3. Enter a comment describing why you’re releasing the host (optional). -4. Click **Confirm**. - -:::: - - -::::{dropdown} Release a host from an endpoint -1. 
Find **Endpoints** in the navigation menu or use the global search field, then either: - - * Select the appropriate endpoint in the **Endpoint** column, and click **Take action → Release host** in the endpoint details flyout. - * Click the **Actions** menu (*…​*) on the appropriate endpoint, then select **Release host**. - -2. Enter a comment describing why you’re releasing the host (optional). -3. Click **Confirm**. - -:::: - - -:::::{dropdown} Release a host from the response console -::::{note} -The response console requires the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). - -:::: - - -1. Open the response console for the host (select the **Respond** button or actions menu option on the host, endpoint, or alert details view). -2. Enter the `release` command and an optional comment in the input area, for example: - - `release --comment "Release this host"` - -3. Press **Return**. - -::::: - - -After the host is successfully released, the **Isolated** status is removed from the endpoint. Active end users receive a notification that the computer has been reconnected to the network: - -:::{image} ../../../images/serverless--management-admin-host-released-notif.png -:alt: Host released notification message -:class: screenshot -::: - - -## View host isolation history [view-host-isolation-details] - -To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host. - -Go to the **Endpoints** page, click an endpoint’s name, then click the **Response action history** tab. You can filter the information displayed in this view. Refer to [Response actions history](../../../solutions/security/endpoint-response-actions/response-actions-history.md) for more details. 
- -:::{image} ../../../images/serverless--management-admin-response-actions-history-endpoint-details.png -:alt: Response actions history page UI -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-response-actions-config.md b/raw-migrated-files/docs-content/serverless/security-response-actions-config.md deleted file mode 100644 index 18aff3b0e6..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-response-actions-config.md +++ /dev/null 
@@ -1,201 +0,0 @@ -# Configure third-party response actions [security-response-actions-config] - -You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {{elastic-sec}} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: - -* CrowdStrike -* Microsoft Defender for Endpoint -* SentinelOne - -Check out [Third-party response actions](../../../solutions/security/endpoint-response-actions/third-party-response-actions.md) to learn which response actions are supported for each system. - -::::{admonition} Prerequisites -:class: note - -* [Project features add-on](../../../deploy-manage/deploy/elastic-cloud/project-settings.md): Endpoint Protection Complete -* [User roles](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles): **SOC manager** or **Endpoint operations analyst** -* Endpoints must have actively running third-party agents installed. - -:::: - - -Select a tab below for your endpoint security system: - -:::::::{tab-set} - -::::::{tab-item} CrowdStrike -To configure response actions for CrowdStrike-enrolled hosts: - -1. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike’s docs for instructions. - - * Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. - - * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts. - - * Take note of the client ID, client secret, and base URL; you’ll need them in later steps when you configure {{elastic-sec}} components to access CrowdStrike. 
- * The base URL varies depending on your CrowdStrike account type: - - * US-1: `https://api.crowdstrike.com` - * US-2: `https://api.us-2.crowdstrike.com` - * EU-1: `https://api.eu-1.crowdstrike.com` - * US-GOV-1: `https://api.laggar.gcw.crowdstrike.com` - -2. **Install the CrowdStrike integration and {{agent}}.** Elastic’s [CrowdStrike integration](https://docs.elastic.co/en/integrations/crowdstrike) collects and ingests logs into {{elastic-sec}}. - - 1. Find **Integrations** in the navigation menu or use the global search field, search for and select **CrowdStrike**, then select **Add CrowdStrike**. - 2. Configure the integration with an **Integration name** and optional **Description**. - 3. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**: - - * **Client ID**: Client ID for the API client used to read CrowdStrike data. - * **Client Secret**: Client secret allowing you access to CrowdStrike. - * **URL**: The base URL of the CrowdStrike API. - - 4. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**. - 5. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {{agent}} configuration settings, refer to [{{agent}} policies](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/agent-policy.md). - 6. Click **Save and continue**. - 7. Select **Add {{agent}} to your hosts** and continue with the [{{agent}} installation steps](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md#enroll-agent) to install {{agent}} on a resource in your network (such as a server or VM). {{agent}} will act as a bridge collecting data from CrowdStrike and sending it back to {{elastic-sec}}. - -3. 
**Create a CrowdStrike connector.** Elastic’s [CrowdStrike connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/crowdstrike-action-type.md) enables {{elastic-sec}} to perform actions on CrowdStrike-enrolled hosts. - - ::::{important} - Do not create more than one CrowdStrike connector. - - :::: - - - 1. Find **Connectors** in the navigation menu or use the global search field, then select **Create connector**. - 2. Select the **CrowdStrike** connector. - 3. Enter the configuration information: - - * **Connector name**: A name to identify the connector. - * **CrowdStrike API URL**: The base URL of the CrowdStrike API. - * **CrowdStrike Client ID**: Client ID for the API client used to perform actions in CrowdStrike. - * **Client Secret**: Client secret allowing you access to CrowdStrike. - - 4. Click **Save**. - -4. **Create and enable detection rules to generate {{elastic-sec}} alerts.** (Optional) Create [detection rules](../../../solutions/security/detect-and-alert/create-detection-rule.md) to generate {{elastic-sec}} alerts based on CrowdStrike events and data. The [CrowdStrike integration docs](https://docs.elastic.co/en/integrations/crowdstrike) list the available ingested logs and fields you can use to build a rule query. - - This gives you visibility into CrowdStrike without needing to leave {{elastic-sec}}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. -:::::: - -::::::{tab-item} Microsoft Defender for Endpoint -To configure response actions for Microsoft Defender for Endpoint–enrolled hosts: - -1. **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions: - - * Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). 
- * Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). - - Refer to the [Microsoft Defender for Endpoint integration documentation](https://docs.elastic.co/en/integrations/microsoft_defender_endpoint) or [Microsoft’s documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp) for details on creating a new Azure application. - - After you create the applications, take note of the client ID, client secret, and tenant ID for each one; you’ll need them in later steps when you configure Elastic Security components to access Microsoft Defender for Endpoint. - -2. **Install the Microsoft Defender for Endpoint integration and {{agent}}.** Elastic’s [Microsoft Defender for Endpoint integration](https://docs.elastic.co/en/integrations/microsoft_defender_endpoint) collects and ingests logs into {{elastic-sec}}. - - ::::{note} - You can also set up the [Microsoft M365 Defender integration](https://docs.elastic.co/en/integrations/m365_defender) as an alternative or additional data source. - :::: - - - 1. Find **Integrations** in the navigation menu or use the global search field, search for and select **Microsoft Defender for Endpoint**, then select **Add Microsoft Defender for Endpoint**. - 2. Enter an **Integration name**. Entering a **Description** is optional. - 3. Ensure that **Microsoft Defender for Endpoint logs** is selected, and enter the required values for **Client ID***, ***Client Secret**, and **Tenant ID**. - 4. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {{agent}} configuration settings, refer to [{{agent}} policies](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/agent-policy.md). - 5. 
Click **Save and continue**. - 6. Select **Add {{agent}} to your hosts** and continue with the [{{agent}} installation steps](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md#enroll-agent) to install {{agent}} on a resource in your network (such as a server or VM). {{agent}} will act as a bridge, collecting data from Microsoft Defender for Endpoint and sending it back to {{elastic-sec}}. - -3. **Create a Microsoft Defender for Endpoint connector.** Elastic’s Microsoft Defender for Endpoint connector enables {{elastic-sec}} to perform actions on Microsoft Defender–enrolled hosts. - - ::::{important} - Do not create more than one Microsoft Defender for Endpoint connector. - :::: - - - 1. Find **Connectors** in the navigation menu or use the global search field, then select **Create connector**. - 2. Select the Microsoft Defender for Endpoint connector. - 3. Enter the configuration information: - - * **Connector name**: A name to identify the connector. - * **Application client ID**: The client ID created in step 1. - * **Tenant ID**: The tenant ID created in step 1. - * **Client secret value**: The client secret created in step 1. - - 4. (Optional) If necessary, adjust the default values populated for the other configuration parameters. - 5. Click **Save**. - -4. **Create and enable detection rules to generate {{elastic-sec}} alerts.** Create [detection rules](../../../solutions/security/detect-and-alert/create-detection-rule.md) to generate {{elastic-sec}} alerts based on Microsoft Defender for Endpoint events and data. - - This gives you visibility into Microsoft Defender hosts without needing to leave {{elastic-sec}}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. - - When creating a rule, you can target any event containing a Microsoft Defender machine ID field. 
Use one or more of these index patterns: - - * `logs-microsoft_defender_endpoint.log-*` - * `logs-m365_defender.alert-*` - * `logs-m365_defender.incident-*` - * `logs-m365_defender.log-*` - * `logs-m365_defender.event-*` -:::::: - -::::::{tab-item} SentinelOne -To configure response actions for SentinelOne-enrolled hosts: - -1. **Generate API access tokens in SentinelOne.** You’ll need these tokens in later steps, and they allow {{elastic-sec}} to collect data and perform actions in SentinelOne. - - Create two API tokens in SentinelOne, and give them the minimum privilege required by the Elastic components that will use them: - - * SentinelOne integration: Permission to read SentinelOne data. - * SentinelOne connector: Permission to read SentinelOne data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint). - - Refer to the [SentinelOne integration docs](https://docs.elastic.co/en/integrations/sentinel_one) or SentinelOne’s docs for details on generating API tokens. - -2. **Install the SentinelOne integration and {{agent}}.** Elastic’s [SentinelOne integration](https://docs.elastic.co/en/integrations/sentinel_one) collects and ingests logs into {{elastic-sec}}. - - 1. Find **Integrations** in the navigation menu or use the global search field, search for and select **SentinelOne**, then select **Add SentinelOne**. - 2. Configure the integration with an **Integration name** and optional **Description**. - 3. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**: - - * **URL**: The SentinelOne console URL. - * **API Token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data. - - 4. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. 
For more details on {{agent}} configuration settings, refer to [{{agent}} policies](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/agent-policy.md). - 5. Click **Save and continue**. - 6. Select **Add {{agent}} to your hosts** and continue with the [{{agent}} installation steps](../../../solutions/security/configure-elastic-defend/install-elastic-defend.md#enroll-agent) to install {{agent}} on a resource in your network (such as a server or VM). {{agent}} will act as a bridge collecting data from SentinelOne and sending it back to {{elastic-sec}}. - -3. **Create a SentinelOne connector.** Elastic’s [SentinelOne connector](asciidocalypse://docs/kibana/docs/reference/connectors-kibana/sentinelone-action-type.md) enables {{elastic-sec}} to perform actions on SentinelOne-enrolled hosts. - - ::::{important} - Do not create more than one SentinelOne connector. - - :::: - - - 1. Find **Connectors** in the navigation menu or use the global search field, then select **Create connector**. - 2. Select the **SentinelOne** connector. - 3. Enter the configuration information: - - * **Connector name**: A name to identify the connector. - * **SentinelOne tenant URL**: The SentinelOne tenant URL. - * **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts. - - 4. Click **Save**. - -4. **Create and enable detection rules to generate {{elastic-sec}} alerts.** (Optional) Create [detection rules](../../../solutions/security/detect-and-alert/create-detection-rule.md) to generate {{elastic-sec}} alerts based on SentinelOne events and data. - - This gives you visibility into SentinelOne without needing to leave {{elastic-sec}}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. 
- - When creating a rule, you can target any event containing a SentinelOne agent ID field. Use one or more of these index patterns: - - | Index pattern | SentinelOne agent ID field | - | --- | --- | - | `logs-sentinel_one.alert*` | `sentinel_one.alert.agent.id` | - | `logs-sentinel_one.threat*` | `sentinel_one.threat.agent.id` | - | `logs-sentinel_one.activity*` | `sentinel_one.activity.agent.id` | - | `logs-sentinel_one.agent*` | `sentinel_one.agent.agent.id` | - - ::::{note} - Do not include any other index patterns. - - :::: -:::::: - -::::::: diff --git a/raw-migrated-files/docs-content/serverless/security-response-actions-history.md b/raw-migrated-files/docs-content/serverless/security-response-actions-history.md deleted file mode 100644 index ff99a4316e..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-response-actions-history.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# Response actions history [security-response-actions-history] - -{{elastic-sec}} keeps a log of the [response actions](../../../solutions/security/endpoint-response-actions.md) performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the user who requested the action, any comments added to the action, and the action’s current status. - -::::{admonition} Requirement -:class: note - -You must have the appropriate user role to use this feature. - -:::: - - -To access the response actions history for all endpoints, find **Response actions history** in the navigation menu or use the global search field. You can also access the response actions history for an individual endpoint from these areas: - -* **Endpoints** page: Click an endpoint’s name to open the details flyout, then click the **Response actions history** tab. -* **Response console** page: Click the **Response actions history** button. - -All of these contexts contain the same information and features. The following image shows the **Response actions history** page for all endpoints: - -:::{image} ../../../images/serverless--management-admin-response-actions-history-page.png -:alt: Response actions history page UI -:class: screenshot -::: - -To filter and expand the information in the response actions history: - -* Enter a user name or comma-separated list of user names in the search field to display actions requested by those users. -* Use the various drop-down menus to filter the actions shown: - - * **Hosts**: Show actions performed on specific endpoints. (This menu is only available on the **Response actions history** page for all endpoints.) - * **Actions**: Show specific actions types. - * **Statuses**: Show actions with a specific status. 
- * **Types**: Show actions based on the endpoint protection agent type ({{elastic-defend}} or a third-party agent), and how the action was triggered (manually by a user or automatically by a detection rule). - -* Use the date and time picker to display actions within a specific time range. -* Click the expand arrow on the right to display more details about an action. diff --git a/raw-migrated-files/docs-content/serverless/security-response-actions.md b/raw-migrated-files/docs-content/serverless/security-response-actions.md deleted file mode 100644 index 51ed473e04..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-response-actions.md +++ /dev/null 
@@ -1,339 +0,0 @@ -# Endpoint response actions [security-response-actions] - -The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint’s [response actions history](../../../solutions/security/endpoint-response-actions.md#actions-log) for reference. - -Response actions are supported on all endpoint platforms (Linux, macOS, and Windows). - -::::{admonition} Requirements -:class: note - -* Response actions and the response console UI require the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* Endpoints must have {{agent}} version 8.4 or higher installed with the {{elastic-defend}} integration to receive response actions. -* Some response actions require either a [predefined Security user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with a specific feature privilege, indicated below. These are required to perform actions both in the response console and in other areas of the {{security-app}} (such as isolating a host from a detection alert). -* Users must have the appropriate user role privileges for at least one response action to access the response console. 
- -:::: - - -:::{image} ../../../images/serverless--management-admin-response-console.png -:alt: Response console UI -:class: screenshot -::: - -Launch the response console from any of the following places in {{elastic-sec}}: - -* **Endpoints** page → **Actions** menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")) → **Respond** -* Endpoint details flyout → **Take action** → **Respond** -* Alert details flyout → **Take action** → **Respond** -* Host details page → **Respond** - -To perform an action on the endpoint, enter a [response action command](../../../solutions/security/endpoint-response-actions.md#response-action-commands) in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console. - -If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history. - -::::{note} -Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running. - -:::: - - -Activity in the response console is persistent, so you can navigate away from the page and any pending actions you’ve submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the [response actions history](../../../solutions/security/endpoint-response-actions.md#actions-log). - -::::{important} -Once you submit a response action, you can’t cancel it, even if the action is pending for an offline host. - -:::: - - - -## Response action commands [response-action-commands] - -The following response action commands are available in the response console. - - -### `isolate` [security-response-actions-isolate] - -[Isolate the host](../../../solutions/security/endpoint-response-actions/isolate-host.md), blocking communication with other hosts on the network. 
- -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Host isolation** - -Example: `isolate --comment "Isolate host related to detection alerts"` - - -### `release` [security-response-actions-release] - -Release an isolated host, allowing it to communicate with the network again. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Host isolation** - -Example: `release --comment "Release host, everything looks OK"` - - -### `status` [security-response-actions-status] - -Show information about the host’s status, including: {{agent}} status and version, the {{elastic-defend}} integration’s policy status, and when the host was last active. - - -### `processes` [processes] - -Show a list of all processes running on the host. This action may take a minute or so to complete. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Process Operations** - -::::{tip} -Use this command to get current PID or entity ID values, which are required for other response actions such as `kill-process` and `suspend-process`. - -Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system. - -:::: - - -::::{note} -Running this command on third-party-protected hosts might return the process list in a different format. Refer to [Third-party response actions](../../../solutions/security/endpoint-response-actions/third-party-response-actions.md) for more information. - -:::: - - - -### `kill-process` [kill-process] - -Terminate a process. You must include one of the following parameters to identify the process to terminate: - -* `--pid` : A process ID (PID) representing the process to terminate. -* `--entityId` : An entity ID representing the process to terminate. 
- -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Process Operations** - -Example: `kill-process --pid 123 --comment "Terminate suspicious process"` - -::::{note} -For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. - -Example: `kill-process --processName cat --comment "Terminate suspicious process"` - -:::: - - - -### `suspend-process` [security-response-actions-suspend-process] - -Suspend a process. You must include one of the following parameters to identify the process to suspend: - -* `--pid` : A process ID (PID) representing the process to suspend. -* `--entityId` : An entity ID representing the process to suspend. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Process Operations** - -Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` - - -### `get-file` [get-file] - -Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. - -::::{note} -Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](../../../solutions/security/endpoint-response-actions/third-party-response-actions.md) for your system’s password. - -:::: - - -You must include the following parameter to specify the file’s location on the host: - -* `--path` : The file’s full path (including the file name). 
- -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **File Operations** - -Example: `get-file --path "/full/path/to/file.txt" --comment "Possible malware"` - -::::{tip} -You can use the [Osquery manager integration](../../../solutions/security/investigate/osquery.md) to query a host’s operating system and gain insight into its files and directories, then use `get-file` to retrieve specific files. - -:::: - - -::::{note} -When {{elastic-defend}} prevents file activity due to [malware prevention](../../../solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#malware-protection), the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with `get-file`, copy the path from the alert’s **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. - -:::: - - - -### `execute` [security-response-actions-execute] - -Run a shell command on the host. The command’s output and any errors appear in the response console, up to 2000 characters. The complete output (stdout and stderr) are also saved to a downloadable `.zip` archive (password: `elastic`). Use these parameters: - -* `--command` : (Required) A shell command to run on the host. The command must be supported by `bash` for Linux and macOS hosts, and `cmd.exe` for Windows. - - ::::{note} - * Multiple consecutive dashes in the value must be escaped; single dashes do not need to be escaped. For example, to represent a directory named `/opt/directory--name`, use the following: `/opt/directory--name`. - * You can use quotation marks without escaping. For example: `execute --command "cd "C:\Program Files\directory""` - - :::: - -* `--timeout` : (Optional) How long the host should wait for the command to complete. 
Use `h` for hours, `m` for minutes, `s` for seconds (for example, `2s` is two seconds). If no timeout is specified, it defaults to four hours. - -Predefined role: **SOC manager** or **Endpoint operations analyst** - -Custom role privilege: **Execute Operations** - -Example: `execute --command "ls -al" --timeout 2s --comment "Get list of all files"` - -::::{warning} -This response action runs commands on the host using the same user account running the {{elastic-defend}} integration, which normally has full control over the system. Be careful with any commands that could cause irrevocable changes. - -:::: - - - -### `upload` [security-response-actions-upload] - -Upload a file to the host. The file is saved to the location on the host where {{elastic-endpoint}} is installed. After you run the command, the full path is returned in the console for reference. Use these parameters: - -* `--file` : (Required) The file to send to the host. As soon as you type this parameter, a popup appears — select it to navigate to the file, or drag and drop the file onto the popup. -* `--overwrite` : (Optional) Overwrite the file on the host if it already exists. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **File Operations** - -Example: `upload --file --comment "Upload remediation script"` - -::::{tip} -You can follow this with the `execute` response action to upload and run scripts for mitigation or other purposes. - -:::: - - -::::{note} -The default file size maximum is 25 MB, configurable in `kibana.yml` with the `xpack.securitySolution.maxUploadResponseActionFileBytes` setting. You must enter the value in bytes (the maximum is `104857600` bytes, or 100 MB). - -:::: - - - -### `scan` [security-response-actions-scan] - -Scan a specific file or directory on the host for malware. 
This uses the [malware protection settings](../../../solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#malware-protection) (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host’s associated {{elastic-defend}} integration policy. Use these parameters: - -* `--path` : (Required) The absolute path to a file or directory to be scanned. - -Predefined role: **Tier 3 Analyst**, **SOC Manager**, or **Endpoint Operations Analyst** - -Custom role privilege: **Scan Operations** - -Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads folder for malware"` - -::::{note} -Scanning can take longer for directories containing a lot of files. - -:::: - - - -### `runscript` [runscript] - -::::{note} -This response action is supported only for [CrowdStrike-enrolled hosts](../../../solutions/security/endpoint-response-actions/third-party-response-actions.md#security-third-party-actions-supported-systems-and-response-actions). -:::: - - -Run a script on a host. You must include one of the following parameters to identify the script you want to run: - -* `--Raw`: The full script content provided directly as a string. -* `--CloudFile`: The name of the script stored in a cloud storage location. -* `--HostPath`: The absolute or relative file path of the script located on the host machine. - -You can also use these optional parameters: - -* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution. -* `--Timeout`: The maximum duration, in seconds, that the script can run before it’s forcibly stopped. If no timeout is specified, it defaults to 60 seconds. 
- -Predefined role: **SOC manager** or **Endpoint operations analyst** - -Custom role privilege: **Execute Operations** - -Examples: - -`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` - -`runscript --Raw=```Get-ChildItem.```` - -`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"` - - -## Supporting commands and parameters [supporting-commands-parameters] - - -### `--comment` [security-response-actions-comment] - -Add to a command to include a comment explaining or describing the action. Comments are included in the response actions history. - - -### `--help` [security-response-actions-help] - -Add to a command to get help for that command. - -Example: `isolate --help` - - -### `clear` [security-response-actions-clear] - -Clear all output from the response console. - - -### `help` [security-response-actions-help-1] - -List supported commands in the console output area. - -::::{tip} -You can also get a list of commands in the [Help panel](../../../solutions/security/endpoint-response-actions.md#help-panel), which stays on the screen independently of the output area. - -:::: - - - -## Help panel [help-panel] - -Click ![Help](../../../images/serverless-help.svg "") **Help** in the upper-right to open the **Help** panel, which lists available response action commands and parameters as a reference. - -::::{note} -This panel displays only the response actions that you have the user role privileges to perform. - -:::: - - -:::{image} ../../../images/serverless--management-admin-response-console-help-panel.png -:alt: Help panel -:class: screenshot -::: - -You can use this panel to build commands with less typing. Click the add icon (![Add](../../../images/serverless-plusInCircle.svg "")) to add a command to the input area, enter any additional parameters or a comment, then press **Return** to run the command. 
- -If the endpoint is running an older version of {{agent}}, some response actions may not be supported, as indicated by an informational icon and tooltip. [Upgrade {{agent}}](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/upgrade-elastic-agent.md) on the endpoint to be able to use the latest response actions. - -:::{image} ../../../images/serverless--management-admin-response-console-unsupported-command.png -:alt: Unsupported response action with tooltip -:class: screenshot -::: - - -## Response actions history [actions-log] - -Click **Response actions history** to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to [Response actions history](../../../solutions/security/endpoint-response-actions/response-actions-history.md) for more details. - -:::{image} ../../../images/serverless--management-admin-response-actions-history-console.png -:alt: Response actions history with a few past actions -:class: screenshot -::: diff --git a/raw-migrated-files/docs-content/serverless/security-third-party-actions.md b/raw-migrated-files/docs-content/serverless/security-third-party-actions.md deleted file mode 100644 index 51489fca77..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-third-party-actions.md +++ /dev/null 
@@ -1,77 +0,0 @@ -# Third-party response actions [security-third-party-actions] - -You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {{elastic-sec}} UI. - -::::{admonition} Requirements -:class: note - -* Third-party response actions require the Endpoint Protection Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md). -* Each response action type has its own user role privilege requirements. Find an action’s role requirements at [Endpoint response actions](../../../solutions/security/endpoint-response-actions.md). -* Additional [configuration](../../../solutions/security/endpoint-response-actions/configure-third-party-response-actions.md) is required to connect {{elastic-sec}} with a third-party system. - -:::: - - - -## Supported systems and response actions [security-third-party-actions-supported-systems-and-response-actions] - -The following third-party response actions are supported for CrowdStrike and SentinelOne. [Prior configuration is required](../../../solutions/security/endpoint-response-actions/configure-third-party-response-actions.md) to connect each system with {{elastic-sec}}. - -:::::::{tab-set} - -::::::{tab-item} CrowdStrike -These response actions are supported for CrowdStrike-enrolled hosts: - -* **Isolate and release a host** using any of these methods: - - * From a detection alert - * From the response console - - Refer to the instructions on [isolating](../../../solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](../../../solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details. - -* **Run a script on a host** with the [`runscript` response action](../../../solutions/security/endpoint-response-actions.md#runscript). 
-* **View past response action activity** in the [response actions history](../../../solutions/security/endpoint-response-actions/response-actions-history.md) log. -:::::: - -::::::{tab-item} Microsoft Defender for Endpoint -These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts: - -* **Isolate and release a host** using any of these methods: - - * From a detection alert - * From the response console - - Refer to the instructions on [isolating](../../../solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](../../../solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details. -:::::: - -::::::{tab-item} SentinelOne -These response actions are supported for SentinelOne-enrolled hosts: - -* **Isolate and release a host** using any of these methods: - - * From a detection alert - * From the response console - - Refer to the instructions on [isolating](../../../solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](../../../solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details. - -* **Retrieve a file from a host** with the [`get-file` response action](../../../solutions/security/endpoint-response-actions.md#get-file). - - ::::{note} - For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file. - - :::: - -* **Get a list of processes running on a host** with the [`processes` response action](../../../solutions/security/endpoint-response-actions.md#processes). For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file. -* **Terminate a process running on a host** with the [`kill-process` response action](../../../solutions/security/endpoint-response-actions.md#kill-process). 
- - ::::{note} - For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. - - Example: `kill-process --processName cat --comment "Terminate suspicious process"` - - :::: - -* **View past response action activity** in the [response actions history](../../../solutions/security/endpoint-response-actions/response-actions-history.md) log. -:::::: - -::::::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 3c8a230c77..2e8a685fd4 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -190,7 +190,6 @@ toc: - file: docs-content/serverless/security-ai-usecase-incident-reporting.md - file: docs-content/serverless/security-alert-suppression.md - file: docs-content/serverless/security-alerts-manage.md - - file: docs-content/serverless/security-automated-response-actions.md - file: docs-content/serverless/security-automatic-import.md - file: docs-content/serverless/security-benchmark-rules-kspm.md - file: docs-content/serverless/security-benchmark-rules.md @@ -219,7 +218,6 @@ toc: - file: docs-content/serverless/security-environment-variable-capture.md - file: docs-content/serverless/security-get-started-with-kspm.md - file: docs-content/serverless/security-interactive-investigation-guides.md - - file: docs-content/serverless/security-isolate-host.md - file: docs-content/serverless/security-kspm.md - file: docs-content/serverless/security-llm-connector-guides.md - file: docs-content/serverless/security-llm-performance-matrix.md 
@@ -229,15 +227,11 @@ toc: - file: docs-content/serverless/security-prebuilt-rules-management.md - file: docs-content/serverless/security-query-alert-indices.md - file: docs-content/serverless/security-reduce-notifications-alerts.md - - file: docs-content/serverless/security-response-actions-config.md - - file: docs-content/serverless/security-response-actions-history.md - - file: docs-content/serverless/security-response-actions.md - file: docs-content/serverless/security-rule-monitoring-dashboard.md - file: docs-content/serverless/security-rules-coverage.md - file: docs-content/serverless/security-rules-create.md - file: docs-content/serverless/security-rules-ui-management.md - file: docs-content/serverless/security-signals-to-cases.md - - file: docs-content/serverless/security-third-party-actions.md - file: docs-content/serverless/security-triage-alerts-with-elastic-ai-assistant.md - file: docs-content/serverless/security-tune-detection-signals.md - file: docs-content/serverless/security-view-alert-details.md diff --git a/solutions/security/endpoint-response-actions.md b/solutions/security/endpoint-response-actions.md index 7e8296ff0c..ff202f8e53 100644 --- a/solutions/security/endpoint-response-actions.md +++ b/solutions/security/endpoint-response-actions.md 
@@ -6,44 +6,25 @@ mapped_urls: # Endpoint response actions -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/response-actions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-response-actions.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$actions-log$$$ - -$$$get-file$$$ - -$$$help-panel$$$ - -$$$kill-process$$$ - -$$$processes$$$ - -$$$response-action-commands$$$ - -$$$runscript$$$ - The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint’s [response actions history](/solutions/security/endpoint-response-actions.md#actions-log) for reference. Response actions are supported on all endpoint platforms (Linux, macOS, and Windows). ::::{admonition} Requirements -* Response actions and the response console UI are [Enterprise subscription](https://www.elastic.co/pricing) features. +* Response actions and the response console UI require the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. * Endpoints must have {{agent}} version 8.4 or higher installed with the {{elastic-defend}} integration to receive response actions. -* Some response actions require specific [privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md), indicated below. These are required to perform actions both in the response console and in other areas of the {{security-app}} (such as isolating a host from a detection alert). -* Users must have privileges for at least one response action to access the response console. 
+* Some response actions require: + * In {{stack}}, specific [privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md), indicated below. + * In {{serverless-short}}, either a [predefined Security user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with a specific feature privilege, indicated below. + These are required to perform actions both in the response console and in other areas of the {{security-app}} (such as isolating a host from a detection alert). +* Users must have the appropriate user role or privileges for at least one response action to access the response console. :::: :::{image} ../../images/security-response-console.png :alt: Response console UI +:width: 90% :class: screenshot ::: @@ -70,7 +51,6 @@ Once you submit a response action, you can’t cancel it, even if the action is :::: - ## Response action commands [response-action-commands] The following response action commands are available in the response console. @@ -80,7 +60,9 @@ The following response action commands are available in the response console. [Isolate the host](/solutions/security/endpoint-response-actions/isolate-host.md), blocking communication with other hosts on the network. -Required privilege: **Host Isolation** +Predefined role (in {{serverless-short}}): **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Host Isolation** Example: `isolate --comment "Isolate host related to detection alerts"` 
@@ -89,7 +71,9 @@ Example: `isolate --comment "Isolate host related to detection alerts"` Release an isolated host, allowing it to communicate with the network again. -Required privilege: **Host Isolation** +Predefined role (in {{serverless-short}}): **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Host Isolation** Example: `release --comment "Release host, everything looks OK"` @@ -103,22 +87,22 @@ Show information about the host’s status, including: {{agent}} status and vers Show a list of all processes running on the host. This action may take a minute or so to complete. -Required privilege: **Process Operations** +Predefined role (in {{serverless-short}}): **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Process Operations** ::::{tip} Use this command to get current PID or entity ID values, which are required for other response actions such as `kill-process` and `suspend-process`. Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system. - :::: ::::{note} -Running this command on third-party-protected hosts might return the process list in a different format. Refer to [*Third-party response actions*](/solutions/security/endpoint-response-actions/third-party-response-actions.md) for more information. +Running this command on third-party-protected hosts might return the process list in a different format. Refer to [](/solutions/security/endpoint-response-actions/third-party-response-actions.md) for more information. :::: - ### `kill-process` [kill-process] Terminate a process. You must include one of the following parameters to identify the process to terminate: 
@@ -126,7 +110,9 @@ Terminate a process. You must include one of the following parameters to identif * `--pid` : A process ID (PID) representing the process to terminate. * `--entityId` : An entity ID representing the process to terminate. -Required privilege: **Process Operations** +Predefined role (in {{serverless-short}}): **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Process Operations** Example: `kill-process --pid 123 --comment "Terminate suspicious process"` @@ -134,11 +120,9 @@ Example: `kill-process --pid 123 --comment "Terminate suspicious process"` For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. Example: `kill-process --processName cat --comment "Terminate suspicious process"` - :::: - ### `suspend-process` [_suspend_process] Suspend a process. You must include one of the following parameters to identify the process to suspend: @@ -146,7 +130,9 @@ Suspend a process. You must include one of the following parameters to identify * `--pid` : A process ID (PID) representing the process to suspend. * `--entityId` : An entity ID representing the process to suspend. -Required privilege: **Process Operations** +Predefined role (in {{serverless-short}}): **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Process Operations** Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` 
@@ -156,7 +142,7 @@ Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. ::::{note} -Files retrieved from third-party-protected hosts require a different password. Refer to [*Third-party response actions*](/solutions/security/endpoint-response-actions/third-party-response-actions.md) for your system’s password. +Files retrieved from third-party-protected hosts require a different password. Refer to [](/solutions/security/endpoint-response-actions/third-party-response-actions.md) for your system’s password. :::: @@ -164,7 +150,9 @@ You must include the following parameter to specify the file’s location on the * `--path` : The file’s full path (including the file name). -Required privilege: **File Operations** +Predefined role (in {{serverless-short}}): **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **File Operations** Example: `get-file --path "/full/path/to/file.txt" --comment "Possible malware"` 
@@ -175,11 +163,9 @@ You can use the [Osquery manager integration](/solutions/security/investigate/os ::::{note} When {{elastic-defend}} prevents file activity due to [malware prevention](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#malware-protection), the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with `get-file`, copy the path from the alert’s **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. - :::: - ### `execute` [_execute] Run a shell command on the host. The command’s output and any errors appear in the response console, up to 2000 characters. The complete output (stdout and stderr) are also saved to a downloadable `.zip` archive (password: `elastic`). Use these parameters: @@ -189,12 +175,13 @@ Run a shell command on the host. The command’s output and any errors appear in ::::{note} * Multiple consecutive dashes in the value must be escaped; single dashes do not need to be escaped. For example, to represent a directory named `/opt/directory--name`, use the following: `/opt/directory\-\-name`. * You can use quotation marks without escaping. For example:
`execute --command "cd "C:\Program Files\directory""` - :::: * `--timeout` : (Optional) How long the host should wait for the command to complete. Use `h` for hours, `m` for minutes, `s` for seconds (for example, `2s` is two seconds). If no timeout is specified, it defaults to four hours. -Required privilege: **Execute Operations** +Predefined role (in {{serverless-short}}): **SOC manager** or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Execute Operations** Example: `execute --command "ls -al" --timeout 2s --comment "Get list of all files"` @@ -203,7 +190,6 @@ This response action runs commands on the host using the same user account runni :::: - ### `upload` [_upload] Upload a file to the host. The file is saved to the location on the host where {{elastic-endpoint}} is installed. After you run the command, the full path is returned in the console for reference. Use these parameters: @@ -211,7 +197,9 @@ Upload a file to the host. The file is saved to the location on the host where { * `--file` : (Required) The file to send to the host. As soon as you type this parameter, a popup appears — select it to navigate to the file, or drag and drop the file onto the popup. * `--overwrite` : (Optional) Overwrite the file on the host if it already exists. -Required privilege: **File Operations** +Predefined role (in {{serverless-short}}): **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **File Operations** Example: `upload --file --comment "Upload remediation script"` 
@@ -225,14 +213,15 @@ The default file size maximum is 25 MB, configurable in `kibana.yml` with the `x :::: - ### `scan` [_scan] Scan a specific file or directory on the host for malware. This uses the [malware protection settings](/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md#malware-protection) (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host’s associated {{elastic-defend}} integration policy. Use these parameters: * `--path` : (Required) The absolute path to a file or directory to be scanned. -Required privilege: **Scan Operations** +Predefined role (in {{serverless-short}}): **Tier 3 Analyst**, **SOC Manager**, or **Endpoint Operations Analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Scan Operations** Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads folder for malware"` @@ -241,7 +230,6 @@ Scanning can take longer for directories containing a lot of files. :::: - ### `runscript` [runscript] ::::{note} @@ -260,13 +248,15 @@ You can also use these optional parameters: * `--CommandLine`: Additional command-line arguments passed to the script to customize its execution. * `--Timeout`: The maximum duration, in seconds, that the script can run before it’s forcibly stopped. If no timeout is specified, it defaults to 60 seconds. -Required privilege: **Execute Operations** +Predefined role (in {{serverless-short}}): **SOC manager** or **Endpoint operations analyst** + +Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}}): **Execute Operations** Examples: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` -`runscript --Raw=```Get-ChildItem.```` +` runscript --Raw=```Get-ChildItem.``` ` `runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"` 
@@ -300,18 +290,18 @@ You can also get a list of commands in the [Help panel](/solutions/security/endp :::: - ## Help panel [help-panel] Click ![Help icon](../../images/security-help-icon.png "") **Help** in the upper-right to open the **Help** panel, which lists available response action commands and parameters as a reference. ::::{note} -This panel displays only the response actions that the user has privileges to perform. +This panel displays only the response actions that you have the user role or privileges to perform. :::: :::{image} ../../images/security-response-console-help-panel.png :alt: Help panel +:width: 65% :class: screenshot ::: @@ -321,15 +311,17 @@ If the endpoint is running an older version of {{agent}}, some response actions :::{image} ../../images/security-response-console-unsupported-command.png :alt: Unsupported response action with tooltip +:width: 65% :class: screenshot ::: ## Response actions history [actions-log] -Click **Response actions history** to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to [*Response actions history*](/solutions/security/endpoint-response-actions/response-actions-history.md) for more details. +Click **Response actions history** to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to [](/solutions/security/endpoint-response-actions/response-actions-history.md) for more details. :::{image} ../../images/security-response-actions-history-console.png :alt: Response actions history with a few past actions +:width: 85% :class: screenshot ::: diff --git a/solutions/security/endpoint-response-actions/automated-response-actions.md b/solutions/security/endpoint-response-actions/automated-response-actions.md index 30f265771e..d677e03214 100644 
--- a/solutions/security/endpoint-response-actions/automated-response-actions.md +++ b/solutions/security/endpoint-response-actions/automated-response-actions.md @@ -6,20 +6,13 @@ mapped_urls: # Automated response actions -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/automated-response-actions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-automated-response-actions.md Add {{elastic-defend}}'s [response actions](/solutions/security/endpoint-response-actions.md) to detection rules to automatically perform actions on an affected host when an event meets the rule’s criteria. Use these actions to support your response to detected threats and suspicious events. ::::{admonition} Requirements -* Automated response actions require an [Enterprise subscription](https://www.elastic.co/pricing). +* Automated response actions require the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. * Hosts must have {{agent}} installed with the {{elastic-defend}} integration. * Your user role must have the ability to create detection rules and the privilege to perform [specific response actions](/solutions/security/endpoint-response-actions.md#response-action-commands) (for example, the **Host Isolation** privilege to isolate hosts). - :::: 
@@ -33,12 +26,14 @@ To add automated response actions to a new or existing rule: 2. Select an option in the **Response action** field: * **Isolate**: [Isolate the host](/solutions/security/endpoint-response-actions/isolate-host.md), blocking communication with other hosts on the network. + + ::::{important} + Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. + :::: + * **Kill process**: Terminate a process on the host. * **Suspend process**: Temporarily suspend a process on the host. - ::::{important} - Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. - :::: 3. For process actions, specify how to identify the process you want to terminate or suspend: diff --git a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md index fbc6c6a81c..2e10e8dc9c 100644 --- a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md +++ b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md @@ -6,12 +6,6 @@ mapped_urls: # Configure third-party response actions -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/response-actions-config.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-response-actions-config.md You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {{elastic-sec}} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: 
@@ -19,20 +13,20 @@ You can direct third-party endpoint protection systems to perform response actio * Microsoft Defender for Endpoint * SentinelOne -Check out [*Third-party response actions*](/solutions/security/endpoint-response-actions/third-party-response-actions.md) to learn which response actions are supported for each system. +Check out [](/solutions/security/endpoint-response-actions/third-party-response-actions.md) to learn which response actions are supported for each system. ::::{admonition} Prerequisites -* [Subscription level](https://www.elastic.co/pricing): Enterprise +* This feature requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. * [{{kib}} feature privilege](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md): Under **Actions and Connectors**, turn on **Customize sub-feature privileges** and enable **Endpoint Security**. * [{{elastic-sec}} feature privileges](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md): **All** for the response action features, such as **Host Isolation**, that you want to perform. +* (In {{serverless-short}}) [User roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles): **SOC manager** or **Endpoint operations analyst** * Endpoints must have actively running third-party agents installed. - :::: Expand a section below for your endpoint security system: -::::{dropdown} **Set up CrowdStrike response actions** +::::{dropdown} Set up CrowdStrike response actions 1. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike’s docs for instructions. * Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. 
Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. @@ -83,12 +77,10 @@ Expand a section below for your endpoint security system: 4. **Create and enable detection rules to generate {{elastic-sec}} alerts.** (Optional) Create [detection rules](/solutions/security/detect-and-alert/create-detection-rule.md) to generate {{elastic-sec}} alerts based on CrowdStrike events and data. The [CrowdStrike integration docs](https://docs.elastic.co/en/integrations/crowdstrike) list the available ingested logs and fields you can use to build a rule query. This gives you visibility into CrowdStrike without needing to leave {{elastic-sec}}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. - - :::: -::::{dropdown} **Set up Microsoft Defender for Endpoint response actions** +::::{dropdown} Set up Microsoft Defender for Endpoint response actions 1. **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions: * Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). 
@@ -107,7 +99,7 @@ Expand a section below for your endpoint security system: 1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), search for and select **Microsoft Defender for Endpoint**, then select **Add Microsoft Defender for Endpoint**. 2. Enter an **Integration name**. Entering a **Description** is optional. - 3. Ensure that **Microsoft Defender for Endpoint logs** is selected, and enter the required values for **Client ID***, ***Client Secret**, and **Tenant ID**. + 3. Ensure that **Microsoft Defender for Endpoint logs** is selected, and enter the required values for **Client ID**, **Client Secret**, and **Tenant ID**. 4. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {{agent}} configuration settings, refer to [{{agent}} policies](asciidocalypse://docs/docs-content/docs/reference/ingestion-tools/fleet/agent-policy.md). 5. Click **Save and continue**. 6. Select **Add {{agent}} to your hosts** and continue with the [{{agent}} installation steps](/solutions/security/configure-elastic-defend/install-elastic-defend.md#enroll-agent) to install {{agent}} on a resource in your network (such as a server or VM). {{agent}} will act as a bridge, collecting data from Microsoft Defender for Endpoint and sending it back to {{elastic-sec}}. 
@@ -142,12 +134,10 @@ Expand a section below for your endpoint security system: * `logs-m365_defender.incident-*` * `logs-m365_defender.log-*` * `logs-m365_defender.event-*` - - :::: -::::{dropdown} **Set up SentinelOne response actions** +::::{dropdown} Set up SentinelOne response actions 1. **Generate API access tokens in SentinelOne.** You’ll need these tokens in later steps, and they allow {{elastic-sec}} to collect data and perform actions in SentinelOne. Create two API tokens in SentinelOne, and give them the minimum privilege required by the Elastic components that will use them: @@ -203,6 +193,4 @@ Expand a section below for your endpoint security system: ::::{note} Do not include any other index patterns. :::: - - :::: diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index 945650f495..54aa36b553 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md 
@@ -6,37 +6,22 @@ mapped_urls: # Isolate a host -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/host-isolation-ov.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-isolate-host.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$isolate-a-host$$$ - -$$$release-a-host$$$ - -$$$view-host-isolation-details$$$ Host isolation allows you to isolate hosts from your network, blocking communication with other hosts on your network until you release the host. Isolating a host is useful for responding to malicious activity or preventing potential attacks, as it prevents lateral movement across other hosts. -Isolated hosts, however, can still send data to {{es}} and {{kib}}. You can also create [host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md) for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. +Isolated hosts, however, can still send data to {{elastic-sec}}. You can also create [host isolation exceptions](/solutions/security/manage-elastic-defend/host-isolation-exceptions.md) for specific IP addresses that isolated hosts are still allowed to communicate with, even when blocked from the rest of your network. ::::{admonition} Requirements -* Host isolation is a [Platinum or Enterprise subscription](https://www.elastic.co/pricing) feature. +* Host isolation requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. * Hosts must have {{agent}} installed with the {{elastic-defend}} integration. 
-* For {{stack}} versions >= 7.15.0, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: +* For {{stack}} versions >= 7.15.0 and {{serverless-short}}, host isolation is supported for endpoints running Windows, macOS, and these Linux distributions: * CentOS/RHEL 8 * Debian 11 * Ubuntu 18.04, 20.04, and 22.04 * AWS Linux 2 -* To isolate and release hosts running any operating system, you must have the **Host Isolation** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md). - +* To isolate and release hosts running any operating system, you must have the **Host Isolation** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role. :::: 
@@ -45,14 +30,14 @@ Isolated hosts, however, can still send data to {{es}} and {{kib}}. You can also :class: screenshot ::: -You can isolate a host from a detection alert’s details flyout, from the Endpoints page, or (with an Enterprise subscription) from the endpoint response console. Once a host is successfully isolated, an `Isolated` status displays next to the `Agent status` field, which you can view on the alert details flyout or Endpoints list table. +You can isolate a host from a detection alert’s details flyout, from the Endpoints page, or from the endpoint response console. Once a host is successfully isolated, an `Isolated` status displays next to the `Agent status` field, which you can view on the alert details flyout or Endpoints list table. ::::{tip} If the request fails, verify that the {{agent}} and your endpoint are both online before trying again. :::: -All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. Refer to [View host isolation history](/solutions/security/endpoint-response-actions/isolate-host.md#view-host-isolation-details) for more information. +All actions executed on a host are tracked in the host’s response actions history, which you can access from the Endpoints page. Refer to [](/solutions/security/endpoint-response-actions/isolate-host.md#view-host-isolation-details) for more information. ## Isolate a host [isolate-a-host] @@ -66,7 +51,6 @@ All actions executed on a host are tracked in the host’s response actions hist 2. Click **Take action → Isolate host**. 3. Enter a comment describing why you’re isolating the host (optional). 4. Click **Confirm**. - :::: 
@@ -78,13 +62,12 @@ All actions executed on a host are tracked in the host’s response actions hist 2. Enter a comment describing why you’re isolating the host (optional). 3. Click **Confirm**. - :::: :::::{dropdown} Isolate a host from the response console ::::{note} -The response console is an [Enterprise subscription](https://www.elastic.co/pricing) feature. +The response console requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. :::: @@ -94,13 +77,12 @@ The response console is an [Enterprise subscription](https://www.elastic.co/pric `isolate --comment "Isolate this host"` 3. Press **Return**. - ::::: :::::{dropdown} Automatically isolate a host using a rule’s endpoint response action ::::{note} -The host isolation endpoint response action is an [Enterprise subscription](https://www.elastic.co/pricing) feature. +The host isolation endpoint response action requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. :::: @@ -117,7 +99,6 @@ Be aware that automatic host isolation can result in unintended consequences, su 2. In the **Response action** field, select **Isolate**. 3. Enter a comment describing why you’re isolating the host (optional). 4. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules). - ::::: @@ -125,6 +106,7 @@ After the host is successfully isolated, an **Isolated** status is added to the :::{image} ../../../images/security-host-isolated-notif.png :alt: Host isolated notification message +:width: 50% :class: screenshot ::: 
@@ -140,7 +122,6 @@ After the host is successfully isolated, an **Isolated** status is added to the 2. From the alert details flyout, click **Take action → Release host**. 3. Enter a comment describing why you’re releasing the host (optional). 4. Click **Confirm**. - :::: @@ -152,13 +133,12 @@ After the host is successfully isolated, an **Isolated** status is added to the 2. Enter a comment describing why you’re releasing the host (optional). 3. Click **Confirm**. - :::: :::::{dropdown} Release a host from the response console ::::{note} -The response console is an [Enterprise subscription](https://www.elastic.co/pricing) feature. +The response console requires the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. :::: @@ -168,7 +148,6 @@ The response console is an [Enterprise subscription](https://www.elastic.co/pric `release --comment "Release this host"` 3. Press **Return**. - ::::: @@ -176,6 +155,7 @@ After the host is successfully released, the **Isolated** status is removed from :::{image} ../../../images/security-host-released-notif.png :alt: Host released notification message +:width: 50% :class: screenshot ::: 
@@ -184,9 +164,10 @@ After the host is successfully released, the **Isolated** status is removed from To confirm if a host has been successfully isolated or released, check the response actions history, which logs the response actions performed on a host. -Go to the **Endpoints** page, click an endpoint’s name, then click the **Response action history** tab. You can filter the information displayed in this view. Refer to [*Response actions history*](/solutions/security/endpoint-response-actions/response-actions-history.md) for more details. +Go to the **Endpoints** page, click an endpoint’s name, then click the **Response action history** tab. You can filter the information displayed in this view. Refer to [](/solutions/security/endpoint-response-actions/response-actions-history.md) for more details. :::{image} ../../../images/security-response-actions-history-endpoint-details.png :alt: Response actions history page UI +:width: 90% :class: screenshot ::: diff --git a/solutions/security/endpoint-response-actions/response-actions-history.md b/solutions/security/endpoint-response-actions/response-actions-history.md index a671edc11b..4522f26c5b 100644 --- a/solutions/security/endpoint-response-actions/response-actions-history.md +++ b/solutions/security/endpoint-response-actions/response-actions-history.md 
@@ -6,18 +6,11 @@ mapped_urls: # Response actions history -% What needs to be done: Align serverless/stateful -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/response-actions-history.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-response-actions-history.md - -{{elastic-sec}} keeps a log of the [response actions](/solutions/security/endpoint-response-actions.md) performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the {{kib}} user who requested the action, any comments added to the action, and the action’s current status. +{{elastic-sec}} keeps a log of the [response actions](/solutions/security/endpoint-response-actions.md) performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the user who requested the action, any comments added to the action, and the action’s current status. ::::{admonition} Requirement -You must have the **Response Actions History** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) to access this feature. - +You must have the **Response Actions History** [privilege](/solutions/security/configure-elastic-defend/elastic-defend-feature-privileges.md) or the appropriate user role to access this feature. :::: diff --git a/solutions/security/endpoint-response-actions/third-party-response-actions.md b/solutions/security/endpoint-response-actions/third-party-response-actions.md index e8a8657bda..45911ab768 100644 --- a/solutions/security/endpoint-response-actions/third-party-response-actions.md +++ b/solutions/security/endpoint-response-actions/third-party-response-actions.md 
@@ -6,30 +6,16 @@ mapped_urls: # Third-party response actions -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/third-party-actions.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-third-party-actions.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$crowdstrike-response-actions$$$ - -$$$security-third-party-actions-supported-systems-and-response-actions$$$ You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {{elastic-sec}} UI. ::::{admonition} Requirements -* Third-party response actions require an [Enterprise subscription](https://www.elastic.co/pricing). +* Third-party response actions require the appropriate [subscription](https://www.elastic.co/pricing) in {{stack}} or [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md) in {{serverless-short}}. * Each response action type has its own user role privilege requirements. Find an action’s role requirements at [Endpoint response actions](/solutions/security/endpoint-response-actions.md). * Additional [configuration](/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md) is required to connect {{elastic-sec}} with a third-party system. - :::: - ## CrowdStrike response actions [crowdstrike-response-actions] These response actions are supported for CrowdStrike-enrolled hosts: 
@@ -57,7 +43,6 @@ These response actions are supported for Microsoft Defender for Endpoint–enrol Refer to the instructions on [isolating](/solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](/solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details. - ## SentinelOne response actions [sentinelone-response-actions] These response actions are supported for SentinelOne-enrolled hosts: @@ -82,7 +67,6 @@ These response actions are supported for SentinelOne-enrolled hosts: For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. Example: `kill-process --processName cat --comment "Terminate suspicious process"` - :::: * **View past response action activity** in the [response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md) log.
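Review bot: In the `@@ -260,13 +248,15 @@` hunk of endpoint-response-actions.md the rewritten `--Raw` example now renders (a single-backtick code span can only contain triple backticks when padded with one space on each side, which CommonMark strips), but the trailing period in `Get-ChildItem.` is carried over from the old line and reads as a typo rather than as part of the script; confirm it is intended or drop it. The same hunk spells the roles **SOC manager** and **Endpoint operations analyst**, while the `scan` hunk a few lines earlier spells them **SOC Manager** and **Endpoint Operations Analyst**; pick one casing for role names across the page.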
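Review bot: In the `@@ -300,18 +290,18 @@` hunk of endpoint-response-actions.md the new note reads "that you have the user role or privileges to perform", which is awkward; "that your user role or privileges allow you to perform" says the same thing and matches the role/privilege wording used by the `scan` and `runscript` sections.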
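Review bot: The Requirements bullet in the `@@ -6,20 +6,13 @@` hunk of automated-response-actions.md replaces the concrete tier ("Enterprise subscription") with "the appropriate subscription ... or project feature", which no longer tells a reader which tier or which project feature to check before expecting the feature to work; name the subscription level and the serverless feature here rather than "appropriate". The same wording is repeated in the prerequisites of configure-third-party-response-actions.md, isolate-host.md (including the response console and rule action notes) and third-party-response-actions.md, so whatever is chosen should be applied consistently.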
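Review bot: In the `@@ -19,20 +13,20 @@` hunk of configure-third-party-response-actions.md the new serverless bullet lists only **SOC manager** or **Endpoint operations analyst**, whereas the `scan` hunk in endpoint-response-actions.md also grants **Tier 3 Analyst**; since this page covers isolate and release as well, state explicitly whether Tier 3 Analyst can run third-party actions. The bullet is tagged "(In {{serverless-short}})" while the {{kib}} and {{elastic-sec}} privilege bullets above it are not tagged "(In {{stack}})"; mirroring the "Predefined role (in serverless)" / "Required privilege (in stack)" pattern from the `scan` and `runscript` hunks would make it clear which bullets apply to which deployment.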
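Review bot: The `@@ -6,37 +6,22 @@` hunk of isolate-host.md deletes the `$$$isolate-a-host$$$`, `$$$release-a-host$$$` and `$$$view-host-isolation-details$$$` anchors that the removed comment said internal links rely on. `## Isolate a host [isolate-a-host]` appears later in the file, but no heading carrying `release-a-host` or `view-host-isolation-details` is visible in this diff, while the diff itself links to `isolate-host.md#view-host-isolation-details` (same file, `@@ -45,14 +30,14 @@`) and `isolate-host.md#release-a-host` (third-party-response-actions.md); confirm those heading IDs exist before dropping the explicit anchors, otherwise the links break. In the same hunk, "Isolated hosts, however, can still send data to {{elastic-sec}}" is less precise than the removed "{{es}} and {{kib}}"; for an isolation feature the reader needs to know exactly which endpoints an isolated host can still reach, so keep the concrete targets. The last bullet's "or the appropriate user role" should name the roles, as the `scan` and `runscript` hunks do.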
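Review bot: The `@@ -6,18 +6,11 @@` hunk of response-actions-history.md changes the requirement to "the **Response Actions History** privilege or the appropriate user role" without saying which role; name the predefined serverless roles that include it, consistent with the role lists added for `scan` and `runscript`.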
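Review bot: The `@@ -6,30 +6,16 @@` hunk of third-party-response-actions.md removes `$$$security-third-party-actions-supported-systems-and-response-actions$$$` although no heading in this diff carries that ID (`crowdstrike-response-actions` is covered by the `## CrowdStrike response actions [crowdstrike-response-actions]` heading, so that one is safe); check for inbound links to the removed ID before merging, or keep the anchor.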