From 26d14f4a03d14678cc803e54daf66064f3719205 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:28:10 +0000 Subject: [PATCH 1/2] [Jan 28] MS Defender for Endpoint third-party response integration (#6478) * MS Defender for Endpoint third-party response integration * Address feedback * Address feedback * Address feedback (cherry picked from commit 9148adbbc4e8601def0085a686bddd4649dfcd46) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions-config.asciidoc # docs/serverless/endpoint-response-actions/third-party-actions.asciidoc --- .../admin/response-actions-config.asciidoc | 58 +++++ .../admin/third-party-actions.asciidoc | 15 ++ .../response-actions-config.asciidoc | 229 ++++++++++++++++++ .../third-party-actions.asciidoc | 94 +++++++ 4 files changed, 396 insertions(+) create mode 100644 docs/serverless/endpoint-response-actions/response-actions-config.asciidoc create mode 100644 docs/serverless/endpoint-response-actions/third-party-actions.asciidoc diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index 3f4f9295f3..9b3bb02936 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc @@ -11,6 +11,7 @@ preview::[] You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: * CrowdStrike +* Microsoft Defender for Endpoint * SentinelOne Check out <> to learn which response actions are supported for each system. 
@@ -80,6 +81,63 @@ IMPORTANT: Do not create more than one CrowdStrike connector. This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. ==== +.**Set up Microsoft Defender for Endpoint response actions** +[%collapsible] +==== +// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything +// in this section, apply the change to the other sections, too. + +. **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions: ++ +-- +- Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). +- Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). +-- ++ +Refer to the {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration documentation] or https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp[Microsoft's documentation] for details on creating a new Azure application. ++ +After you create the applications, take note of the client ID, client secret, and tenant ID for each one; you'll need them in later steps when you configure Elastic Security components to access Microsoft Defender for Endpoint. + +. **Install the Microsoft Defender for Endpoint integration and {agent}.** Elastic's {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration] collects and ingests logs into {elastic-sec}. ++ +NOTE: You can also set up the {integrations-docs}/m365_defender[Microsoft M365 Defender integration] as an alternative or additional data source. ++ +.. 
Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], search for and select **Microsoft Defender for Endpoint**, then select **Add Microsoft Defender for Endpoint**. +.. Enter an **Integration name**. Entering a **Description** is optional. +.. Ensure that **Microsoft Defender for Endpoint logs** is selected, and enter the required values for **Client ID**, **Client Secret**, and **Tenant ID**. +.. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. +.. Click **Save and continue**. +.. Select **Add {agent} to your hosts** and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge, collecting data from Microsoft Defender for Endpoint and sending it back to {elastic-sec}. + +. **Create a Microsoft Defender for Endpoint connector.** Elastic's Microsoft Defender for Endpoint connector enables {elastic-sec} to perform actions on Microsoft Defender–enrolled hosts. ++ +IMPORTANT: Do not create more than one Microsoft Defender for Endpoint connector. ++ +.. Find **Connectors** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then select **Create connector**. +.. Select the Microsoft Defender for Endpoint connector. +.. Enter the configuration information: + - **Connector name**: A name to identify the connector. + - **Application client ID**: The client ID created in step 1. + - **Tenant ID**: The tenant ID created in step 1. + - **Client secret value**: The client secret created in step 1. +.. (Optional) If necessary, adjust the default values populated for the other configuration parameters. +.. 
Click **Save**. + +. **Create and enable detection rules to generate {elastic-sec} alerts.** Create <> to generate {elastic-sec} alerts based on Microsoft Defender for Endpoint events and data. ++ +This gives you visibility into Microsoft Defender hosts without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. ++ +When creating a rule, you can target any event containing a Microsoft Defender machine ID field. Use one or more of these index patterns: ++ +-- +- `logs-microsoft_defender_endpoint.log-*` +- `logs-m365_defender.alert-*` +- `logs-m365_defender.incident-*` +- `logs-m365_defender.log-*` +- `logs-m365_defender.event-*` +-- + +==== .**Set up SentinelOne response actions** [%collapsible] diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index c2367a16f3..5e622e6d64 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc @@ -35,6 +35,21 @@ These response actions are supported for CrowdStrike-enrolled hosts: + Refer to the instructions on <> and <> hosts for more details. +[discrete] +[[defender-response-actions]] +== Microsoft Defender for Endpoint response actions + +These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts: + +* **Isolate and release a host** using any of these methods: ++ +-- +** From a detection alert +** From the response console +-- ++ +Refer to the instructions on <> and <> hosts for more details. + [discrete] [[sentinelone-response-actions]] == SentinelOne response actions diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc b/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc new file mode 100644 index 0000000000..5cbe74a9b3 --- /dev/null 
+++ b/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc @@ -0,0 +1,229 @@ +[[security-response-actions-config]] += Configure third-party response actions + +// :description: Configure {elastic-sec} to perform response actions on hosts protected by third-party systems. +// :keywords: serverless, security, how-to, configure + + +preview::[] + +You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: + +* CrowdStrike +* Microsoft Defender for Endpoint +* SentinelOne + +Check out <> to learn which response actions are supported for each system. + +.Prerequisites +[NOTE] +==== +* <>: Endpoint Protection Complete +* <>: **SOC manager** or **Endpoint operations analyst** +* Endpoints must have actively running third-party agents installed. +==== + +Select a tab below for your endpoint security system: + +++++ +
+
+ + + +
+
+++++ +//// +/* NOTE TO CONTRIBUTORS: These DocTabs have very similar content. If you change anything + in this tab, apply the change to the other tabs, too. */ +//// + +To configure response actions for CrowdStrike-enrolled hosts: + +. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions. ++ +** Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. +*** To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts. +** Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. +** The base URL varies depending on your CrowdStrike account type: +*** US-1: `https://api.crowdstrike.com` +*** US-2: `https://api.us-2.crowdstrike.com` +*** EU-1: `https://api.eu-1.crowdstrike.com` +*** US-GOV-1: `https://api.laggar.gcw.crowdstrike.com` +. **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] collects and ingests logs into {elastic-sec}. ++ +.. Find **Integrations** in the navigation menu or use the global search field, search for and select **CrowdStrike**, then select **Add CrowdStrike**. +.. Configure the integration with an **Integration name** and optional **Description**. +.. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**: ++ +*** **Client ID**: Client ID for the API client used to read CrowdStrike data. +*** **Client Secret**: Client secret allowing you access to CrowdStrike. +*** **URL**: The base URL of the CrowdStrike API. +.. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**. +.. 
Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. +.. Click **Save and continue**. +.. Select **Add {agent} to your hosts** and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from CrowdStrike and sending it back to {elastic-sec}. +. **Create a CrowdStrike connector.** Elastic's {kibana-ref}/crowdstrike-action-type.html[CrowdStrike connector] enables {elastic-sec} to perform actions on CrowdStrike-enrolled hosts. ++ +[IMPORTANT] +==== +Do not create more than one CrowdStrike connector. +==== ++ +.. Find **Connectors** in the navigation menu or use the global search field, then select **Create connector**. +.. Select the **CrowdStrike** connector. +.. Enter the configuration information: ++ +*** **Connector name**: A name to identify the connector. +*** **CrowdStrike API URL**: The base URL of the CrowdStrike API. +*** **CrowdStrike Client ID**: Client ID for the API client used to perform actions in CrowdStrike. +*** **Client Secret**: Client secret allowing you access to CrowdStrike. +.. Click **Save**. +. **Create and enable detection rules to generate {elastic-sec} alerts.** (Optional) Create <> to generate {elastic-sec} alerts based on CrowdStrike events and data. The {integrations-docs}/crowdstrike[CrowdStrike integration docs] list the available ingested logs and fields you can use to build a rule query. ++ +This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. + +++++ +
+ + +
+++++ diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc new file mode 100644 index 0000000000..b7d6a4fe08 --- /dev/null +++ b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc @@ -0,0 +1,94 @@ +[[security-third-party-actions]] += Third-party response actions + +// :description: Respond to threats on hosts enrolled in third-party security systems. +// :keywords: serverless, security, defend, reference, manage + + +preview::[] + +You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {elastic-sec} UI. + +.Requirements +[NOTE] +==== +* Third-party response actions require the Endpoint Protection Complete <>. +* Each response action type has its own user role privilege requirements. Find an action's role requirements at <>. +* Additional <> is required to connect {elastic-sec} with a third-party system. +==== + +[discrete] +[[security-third-party-actions-supported-systems-and-response-actions]] +== Supported systems and response actions + +The following third-party response actions are supported for CrowdStrike and SentinelOne. <> to connect each system with {elastic-sec}. + +++++ +
+
+ + + +
+
+++++ +These response actions are supported for CrowdStrike-enrolled hosts: + +* **Isolate and release a host** using any of these methods: ++ +** From a detection alert +** From the response console ++ +Refer to the instructions on <> and <> hosts for more details. + +++++ +
+ + +
+++++ From d68d67dd215983d6ddf9c471630ca2453037eaed Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 28 Jan 2025 16:29:09 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../response-actions-config.asciidoc | 229 ------------------ .../third-party-actions.asciidoc | 94 ------- 2 files changed, 323 deletions(-) delete mode 100644 docs/serverless/endpoint-response-actions/response-actions-config.asciidoc delete mode 100644 docs/serverless/endpoint-response-actions/third-party-actions.asciidoc diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc b/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc deleted file mode 100644 index 5cbe74a9b3..0000000000 --- a/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc +++ /dev/null @@ -1,229 +0,0 @@ -[[security-response-actions-config]] -= Configure third-party response actions - -// :description: Configure {elastic-sec} to perform response actions on hosts protected by third-party systems. -// :keywords: serverless, security, how-to, configure - - -preview::[] - -You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: - -* CrowdStrike -* Microsoft Defender for Endpoint -* SentinelOne - -Check out <> to learn which response actions are supported for each system. - -.Prerequisites -[NOTE] -==== -* <>: Endpoint Protection Complete -* <>: **SOC manager** or **Endpoint operations analyst** -* Endpoints must have actively running third-party agents installed. -==== - -Select a tab below for your endpoint security system: - -++++ -
-
- - - -
-
-++++ -//// -/* NOTE TO CONTRIBUTORS: These DocTabs have very similar content. If you change anything - in this tab, apply the change to the other tabs, too. */ -//// - -To configure response actions for CrowdStrike-enrolled hosts: - -. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions. -+ -** Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. -*** To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts. -** Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. -** The base URL varies depending on your CrowdStrike account type: -*** US-1: `https://api.crowdstrike.com` -*** US-2: `https://api.us-2.crowdstrike.com` -*** EU-1: `https://api.eu-1.crowdstrike.com` -*** US-GOV-1: `https://api.laggar.gcw.crowdstrike.com` -. **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] collects and ingests logs into {elastic-sec}. -+ -.. Find **Integrations** in the navigation menu or use the global search field, search for and select **CrowdStrike**, then select **Add CrowdStrike**. -.. Configure the integration with an **Integration name** and optional **Description**. -.. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**: -+ -*** **Client ID**: Client ID for the API client used to read CrowdStrike data. -*** **Client Secret**: Client secret allowing you access to CrowdStrike. -*** **URL**: The base URL of the CrowdStrike API. -.. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**. -.. 
Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. -.. Click **Save and continue**. -.. Select **Add {agent} to your hosts** and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from CrowdStrike and sending it back to {elastic-sec}. -. **Create a CrowdStrike connector.** Elastic's {kibana-ref}/crowdstrike-action-type.html[CrowdStrike connector] enables {elastic-sec} to perform actions on CrowdStrike-enrolled hosts. -+ -[IMPORTANT] -==== -Do not create more than one CrowdStrike connector. -==== -+ -.. Find **Connectors** in the navigation menu or use the global search field, then select **Create connector**. -.. Select the **CrowdStrike** connector. -.. Enter the configuration information: -+ -*** **Connector name**: A name to identify the connector. -*** **CrowdStrike API URL**: The base URL of the CrowdStrike API. -*** **CrowdStrike Client ID**: Client ID for the API client used to perform actions in CrowdStrike. -*** **Client Secret**: Client secret allowing you access to CrowdStrike. -.. Click **Save**. -. **Create and enable detection rules to generate {elastic-sec} alerts.** (Optional) Create <> to generate {elastic-sec} alerts based on CrowdStrike events and data. The {integrations-docs}/crowdstrike[CrowdStrike integration docs] list the available ingested logs and fields you can use to build a rule query. -+ -This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout. - -++++ -
- - -
-++++ diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc deleted file mode 100644 index b7d6a4fe08..0000000000 --- a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc +++ /dev/null @@ -1,94 +0,0 @@ -[[security-third-party-actions]] -= Third-party response actions - -// :description: Respond to threats on hosts enrolled in third-party security systems. -// :keywords: serverless, security, defend, reference, manage - - -preview::[] - -You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {elastic-sec} UI. - -.Requirements -[NOTE] -==== -* Third-party response actions require the Endpoint Protection Complete <>. -* Each response action type has its own user role privilege requirements. Find an action's role requirements at <>. -* Additional <> is required to connect {elastic-sec} with a third-party system. -==== - -[discrete] -[[security-third-party-actions-supported-systems-and-response-actions]] -== Supported systems and response actions - -The following third-party response actions are supported for CrowdStrike and SentinelOne. <> to connect each system with {elastic-sec}. - -++++ -
-
- - - -
-
-++++ -These response actions are supported for CrowdStrike-enrolled hosts: - -* **Isolate and release a host** using any of these methods: -+ -** From a detection alert -** From the response console -+ -Refer to the instructions on <> and <> hosts for more details. - -++++ -
- - -
-++++
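Review bot: In patch 1/2, hunk `@@ -80,6 +81,63 @@` of docs/management/admin/response-actions-config.asciidoc, step 4 of the new Defender block (`. **Create and enable detection rules to generate {elastic-sec} alerts.**`) drops the `(Optional)` marker that the equivalent CrowdStrike step carries, so the two sections now disagree on whether rules are required; either add `(Optional)` for parity or say explicitly that a rule is needed before alert-driven Defender actions are available. Two smaller consistency points in the same hunk: the sentence ending step 1 writes "configure Elastic Security components" in plain text where the rest of the file uses the `{elastic-sec}` attribute, and the nested connector settings under `.. Enter the configuration information:` use space-indented `-` bullets while the CrowdStrike section uses `+` followed by `***` items. Since step 1 already splits permissions across two Azure applications (`Alert.Read.All` for the integration policy, `Machine.Isolate and Machine.Read.All` for the connector), consider adding the one-line rationale the CrowdStrike section gives ("to limit privileges allowed by each API client") so readers understand why the Fleet credential must not be reused for the connector.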
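Review bot: In patch 1/2, the new file docs/serverless/endpoint-response-actions/third-party-actions.asciidoc (hunk `@@ -0,0 +1,94 @@`) still describes the feature as covering only two systems ("such as CrowdStrike or SentinelOne" in the intro and "supported for CrowdStrike and SentinelOne" under "Supported systems and response actions"), while docs/serverless/endpoint-response-actions/response-actions-config.asciidoc created in the same patch lists `* Microsoft Defender for Endpoint` as a third system and the non-serverless third-party-actions.asciidoc hunk adds a `[[defender-response-actions]]` section. Add Microsoft Defender for Endpoint to both sentences and give it a tab with the same "Isolate and release a host" entry, or remove it from the serverless config page's list, so the two serverless pages agree.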
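Review bot: Patch 2/2 (github-actions[bot], "Delete docs/serverless directory and its contents") deletes both docs/serverless/endpoint-response-actions/response-actions-config.asciidoc and third-party-actions.asciidoc that patch 1/2 just created (`deleted file mode 100644`, 323 deletions), so the net effect of the series is that none of the serverless Defender documentation lands, and the "# Conflicts:" resolution recorded in the 1/2 commit message was done for files that are immediately removed. If this branch no longer carries serverless docs, squash the pair or drop the serverless files from 1/2 so reviewers are not asked to check a create-and-delete round trip; if the deletion is a bot mistake, drop 2/2 instead.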