From 994ec5f46d175630f428607ef74dbf24c9407f86 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 28 Jan 2025 16:28:46 +0000 Subject: [PATCH 1/2] [Jan 28] Adds new runscript Crowdstrike response action (#6435) * Adds new runscript Crowdstrike response action * Add missing information * Updates example * Address feedback * Update example (cherry picked from commit 4a52fe95423a9e3482cd8516b0847fed5f3cf719) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions.asciidoc # docs/serverless/endpoint-response-actions/third-party-actions.asciidoc --- .../admin/response-actions.asciidoc | 27 ++ .../admin/third-party-actions.asciidoc | 4 + .../response-actions.asciidoc | 336 ++++++++++++++++++ .../third-party-actions.asciidoc | 96 +++++ 4 files changed, 463 insertions(+) create mode 100644 docs/serverless/endpoint-response-actions/response-actions.asciidoc create mode 100644 docs/serverless/endpoint-response-actions/third-party-actions.asciidoc diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 277cb9e680..56428764cb 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -192,6 +192,33 @@ Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads fold NOTE: Scanning can take longer for directories containing a lot of files. +[discrete] +[[runscript]] +=== `runscript` + +NOTE: This response action is supported only for <>. + +Run a script on a host. You must include one of the following parameters to identify the script you want to run: + +* `--Raw`: The full script content provided directly as a string. +* `--CloudFile`: The name of the script stored in a cloud storage location. +* `--HostPath`: The absolute or relative file path of the script located on the host machine. + +You can also use these optional parameters: + +* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution. +* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds. + +Required privilege: **Execute Operations** + +Examples: + +`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` + +`runscript --Raw=```Get-ChildItem.```` + +`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"` + [discrete] [[supporting-commands-parameters]] == Supporting commands and parameters diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index c2367a16f3..7cfa088d9c 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc @@ -35,6 +35,10 @@ These response actions are supported for CrowdStrike-enrolled hosts: + Refer to the instructions on <> and <> hosts for more details. +* **Run a script on a host** with the <>. + +* **View past response action activity** in the <> log. + [discrete] [[sentinelone-response-actions]] == SentinelOne response actions diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc new file mode 100644 index 0000000000..5194588b20 --- /dev/null +++ b/docs/serverless/endpoint-response-actions/response-actions.asciidoc @@ -0,0 +1,336 @@ +[[security-response-actions]] += Endpoint response actions + +// :description: Perform response actions on endpoints using a terminal-like interface. +// :keywords: serverless, security, defend, reference, manage + + +The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <> for reference. + +Response actions are supported on all endpoint platforms (Linux, macOS, and Windows). + +.Requirements +[NOTE] +==== +* Response actions and the response console UI require the Endpoint Protection Complete <>. +* Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions. +* Some response actions require either a <> or a <> with a specific feature privilege, indicated below. These are required to perform actions both in the response console and in other areas of the {security-app} (such as isolating a host from a detection alert). +* Users must have the appropriate user role privileges for at least one response action to access the response console. +==== + +[role="screenshot"] +image::images/response-actions/-management-admin-response-console.png[Response console UI] + +Launch the response console from any of the following places in {elastic-sec}: + +* **Endpoints** page → **Actions** menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) → **Respond** +* Endpoint details flyout → **Take action** → **Respond** +* Alert details flyout → **Take action** → **Respond** +* Host details page → **Respond** + +To perform an action on the endpoint, enter a <> in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console. + +If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history. + +[NOTE] +==== +Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running. +==== + +Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the <>. + +[IMPORTANT] +==== +Once you submit a response action, you can't cancel it, even if the action is pending for an offline host. +==== + +[discrete] +[[response-action-commands]] +== Response action commands + +The following response action commands are available in the response console. + +[discrete] +[[security-response-actions-isolate]] +=== `isolate` + +<>, blocking communication with other hosts on the network. + +Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Custom role privilege: **Host isolation** + +Example: `isolate --comment "Isolate host related to detection alerts"` + +[discrete] +[[security-response-actions-release]] +=== `release` + +Release an isolated host, allowing it to communicate with the network again. + +Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Custom role privilege: **Host isolation** + +Example: `release --comment "Release host, everything looks OK"` + +[discrete] +[[security-response-actions-status]] +=== `status` + +Show information about the host's status, including: {agent} status and version, the {elastic-defend} integration's policy status, and when the host was last active. + +[discrete] +[[processes]] +=== `processes` + +Show a list of all processes running on the host. This action may take a minute or so to complete. + +Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Custom role privilege: **Process Operations** + +[TIP] +==== +Use this command to get current PID or entity ID values, which are required for other response actions such as `kill-process` and `suspend-process`. + +Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system. +==== + +[NOTE] +==== +Running this command on third-party-protected hosts might return the process list in a different format. Refer to <> for more information. +==== + +[discrete] +[[kill-process]] +=== `kill-process` + +Terminate a process. You must include one of the following parameters to identify the process to terminate: + +* `--pid` : A process ID (PID) representing the process to terminate. +* `--entityId` : An entity ID representing the process to terminate. + +Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Custom role privilege: **Process Operations** + +Example: `kill-process --pid 123 --comment "Terminate suspicious process"` + +[NOTE] +==== +For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. + +Example: `kill-process --processName cat --comment "Terminate suspicious process"` +==== + +[discrete] +[[security-response-actions-suspend-process]] +=== `suspend-process` + +Suspend a process. You must include one of the following parameters to identify the process to suspend: + +* `--pid` : A process ID (PID) representing the process to suspend. +* `--entityId` : An entity ID representing the process to suspend. + +Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Custom role privilege: **Process Operations** + +Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` + +[discrete] +[[get-file]] +=== `get-file` + +Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + +[NOTE] +==== +Files retrieved from third-party-protected hosts require a different password. Refer to <> for your system's password. +==== + +You must include the following parameter to specify the file's location on the host: + +* `--path` : The file's full path (including the file name). + +Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Custom role privilege: **File Operations** + +Example: `get-file --path "/full/path/to/file.txt" --comment "Possible malware"` + +[TIP] +==== +You can use the <> to query a host's operating system and gain insight into its files and directories, then use `get-file` to retrieve specific files. +==== + +[NOTE] +==== +When {elastic-defend} prevents file activity due to <>, the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with `get-file`, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. +==== + +[discrete] +[[security-response-actions-execute]] +=== `execute` + +Run a shell command on the host. The command's output and any errors appear in the response console, up to 2000 characters. The complete output (stdout and stderr) are also saved to a downloadable `.zip` archive (password: `elastic`). Use these parameters: + +* `--command` : (Required) A shell command to run on the host. The command must be supported by `bash` for Linux and macOS hosts, and `cmd.exe` for Windows. ++ +[NOTE] +==== +* Multiple consecutive dashes in the value must be escaped; single dashes do not need to be escaped. For example, to represent a directory named `/opt/directory--name`, use the following: `/opt/directory--name`. +* You can use quotation marks without escaping. For example: +`execute --command "cd "C:\Program Files\directory""` +==== +* `--timeout` : (Optional) How long the host should wait for the command to complete. Use `h` for hours, `m` for minutes, `s` for seconds (for example, `2s` is two seconds). If no timeout is specified, it defaults to four hours. + +Predefined role: **SOC manager** or **Endpoint operations analyst** + +Custom role privilege: **Execute Operations** + +Example: `execute --command "ls -al" --timeout 2s --comment "Get list of all files"` + +[WARNING] +==== +This response action runs commands on the host using the same user account running the {elastic-defend} integration, which normally has full control over the system. Be careful with any commands that could cause irrevocable changes. +==== + +[discrete] +[[security-response-actions-upload]] +=== `upload` + +Upload a file to the host. The file is saved to the location on the host where {elastic-endpoint} is installed. After you run the command, the full path is returned in the console for reference. Use these parameters: + +* `--file` : (Required) The file to send to the host. As soon as you type this parameter, a popup appears — select it to navigate to the file, or drag and drop the file onto the popup. +* `--overwrite` : (Optional) Overwrite the file on the host if it already exists. + +Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** + +Custom role privilege: **File Operations** + +Example: `upload --file --comment "Upload remediation script"` + +[TIP] +==== +You can follow this with the `execute` response action to upload and run scripts for mitigation or other purposes. +==== + +[NOTE] +==== +The default file size maximum is 25 MB, configurable in `kibana.yml` with the `xpack.securitySolution.maxUploadResponseActionFileBytes` setting. You must enter the value in bytes (the maximum is `104857600` bytes, or 100 MB). +==== + +[discrete] +[[security-response-actions-scan]] +=== `scan` + +Scan a specific file or directory on the host for malware. This uses the <> (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host's associated {elastic-defend} integration policy. Use these parameters: + +* `--path` : (Required) The absolute path to a file or directory to be scanned. + +Predefined role: **Tier 3 Analyst**, **SOC Manager**, or **Endpoint Operations Analyst** + +Custom role privilege: **Scan Operations** + +Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads folder for malware"` + +[NOTE] +==== +Scanning can take longer for directories containing a lot of files. +==== + +[discrete] +[[runscript]] +=== `runscript` + +NOTE: This response action is supported only for <>. + +Run a script on a host. You must include one of the following parameters to identify the script you want to run: + +* `--Raw`: The full script content provided directly as a string. +* `--CloudFile`: The name of the script stored in a cloud storage location. +* `--HostPath`: The absolute or relative file path of the script located on the host machine. + +You can also use these optional parameters: + +* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution. +* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds. + +Predefined role: **SOC manager** or **Endpoint operations analyst** + +Custom role privilege: **Execute Operations** + +Examples: + +`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` + +`runscript --Raw=```Get-ChildItem.```` + +`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"` + +[discrete] +[[supporting-commands-parameters]] +== Supporting commands and parameters + +[discrete] +[[security-response-actions-comment]] +=== `--comment` + +Add to a command to include a comment explaining or describing the action. Comments are included in the response actions history. + +[discrete] +[[security-response-actions-help]] +=== `--help` + +Add to a command to get help for that command. + +Example: `isolate --help` + +[discrete] +[[security-response-actions-clear]] +=== `clear` + +Clear all output from the response console. + +[discrete] +[[security-response-actions-help-1]] +=== `help` + +List supported commands in the console output area. + +[TIP] +==== +You can also get a list of commands in the <>, which stays on the screen independently of the output area. +==== + +[discrete] +[[help-panel]] +== Help panel + +Click image:images/icons/help.svg[Help] **Help** in the upper-right to open the **Help** panel, which lists available response action commands and parameters as a reference. + +[NOTE] +==== +This panel displays only the response actions that you have the user role privileges to perform. +==== + +[role="screenshot"] +image::images/response-actions/-management-admin-response-console-help-panel.png[Help panel] + +You can use this panel to build commands with less typing. Click the add icon (image:images/icons/plusInCircle.svg[Add]) to add a command to the input area, enter any additional parameters or a comment, then press **Return** to run the command. + +If the endpoint is running an older version of {agent}, some response actions may not be supported, as indicated by an informational icon and tooltip. {fleet-guide}/upgrade-elastic-agent.html[Upgrade {agent}] on the endpoint to be able to use the latest response actions. + +[role="screenshot"] +image::images/response-actions/-management-admin-response-console-unsupported-command.png[Unsupported response action with tooltip] + +[discrete] +[[actions-log]] +== Response actions history + +Click **Response actions history** to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to <> for more details. + +[role="screenshot"] +image::images/response-actions/-management-admin-response-actions-history-console.png[Response actions history with a few past actions] diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc new file mode 100644 index 0000000000..767f4dda99 --- /dev/null +++ b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc @@ -0,0 +1,96 @@ +[[security-third-party-actions]] += Third-party response actions + +// :description: Respond to threats on hosts enrolled in third-party security systems. +// :keywords: serverless, security, defend, reference, manage + + +You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {elastic-sec} UI. + +.Requirements +[NOTE] +==== +* Third-party response actions require the Endpoint Protection Complete <>. +* Each response action type has its own user role privilege requirements. Find an action's role requirements at <>. +* Additional <> is required to connect {elastic-sec} with a third-party system. +==== + +[discrete] +[[security-third-party-actions-supported-systems-and-response-actions]] +== Supported systems and response actions + +The following third-party response actions are supported for CrowdStrike and SentinelOne. <> to connect each system with {elastic-sec}. + +++++ +
+
+ + + +
+
+++++ +These response actions are supported for CrowdStrike-enrolled hosts: + +* **Isolate and release a host** using any of these methods: ++ +** From a detection alert +** From the response console ++ +Refer to the instructions on <> and <> hosts for more details. + +* **Run a script on a host** with the <>. + +* **View past response action activity** in the <> log. + +++++ +
+ + +
+++++ From d7ae7e6063505f43f2027244abe5191c840a5341 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 28 Jan 2025 16:30:18 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../response-actions.asciidoc | 336 ------------------ .../third-party-actions.asciidoc | 96 ----- 2 files changed, 432 deletions(-) delete mode 100644 docs/serverless/endpoint-response-actions/response-actions.asciidoc delete mode 100644 docs/serverless/endpoint-response-actions/third-party-actions.asciidoc diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc deleted file mode 100644 index 5194588b20..0000000000 --- a/docs/serverless/endpoint-response-actions/response-actions.asciidoc +++ /dev/null @@ -1,336 +0,0 @@ -[[security-response-actions]] -= Endpoint response actions - -// :description: Perform response actions on endpoints using a terminal-like interface. -// :keywords: serverless, security, defend, reference, manage - - -The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <> for reference. - -Response actions are supported on all endpoint platforms (Linux, macOS, and Windows). - -.Requirements -[NOTE] -==== -* Response actions and the response console UI require the Endpoint Protection Complete <>. -* Endpoints must have {agent} version 8.4 or higher installed with the {elastic-defend} integration to receive response actions. -* Some response actions require either a <> or a <> with a specific feature privilege, indicated below. These are required to perform actions both in the response console and in other areas of the {security-app} (such as isolating a host from a detection alert). -* Users must have the appropriate user role privileges for at least one response action to access the response console. -==== - -[role="screenshot"] -image::images/response-actions/-management-admin-response-console.png[Response console UI] - -Launch the response console from any of the following places in {elastic-sec}: - -* **Endpoints** page → **Actions** menu (image:images/icons/boxesHorizontal.svg[Actions menu icon]) → **Respond** -* Endpoint details flyout → **Take action** → **Respond** -* Alert details flyout → **Take action** → **Respond** -* Host details page → **Respond** - -To perform an action on the endpoint, enter a <> in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console. - -If a host is unavailable, pending actions will execute once the host comes online. Pending actions expire after two weeks and can be tracked in the response actions history. - -[NOTE] -==== -Some response actions may take a few seconds to complete. Once you enter a command, you can immediately enter another command while the previous action is running. -==== - -Activity in the response console is persistent, so you can navigate away from the page and any pending actions you've submitted will continue to run. To confirm that an action completed, return to the response console to view the console output or check the <>. - -[IMPORTANT] -==== -Once you submit a response action, you can't cancel it, even if the action is pending for an offline host. -==== - -[discrete] -[[response-action-commands]] -== Response action commands - -The following response action commands are available in the response console. - -[discrete] -[[security-response-actions-isolate]] -=== `isolate` - -<>, blocking communication with other hosts on the network. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Host isolation** - -Example: `isolate --comment "Isolate host related to detection alerts"` - -[discrete] -[[security-response-actions-release]] -=== `release` - -Release an isolated host, allowing it to communicate with the network again. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Host isolation** - -Example: `release --comment "Release host, everything looks OK"` - -[discrete] -[[security-response-actions-status]] -=== `status` - -Show information about the host's status, including: {agent} status and version, the {elastic-defend} integration's policy status, and when the host was last active. - -[discrete] -[[processes]] -=== `processes` - -Show a list of all processes running on the host. This action may take a minute or so to complete. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Process Operations** - -[TIP] -==== -Use this command to get current PID or entity ID values, which are required for other response actions such as `kill-process` and `suspend-process`. - -Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system. -==== - -[NOTE] -==== -Running this command on third-party-protected hosts might return the process list in a different format. Refer to <> for more information. -==== - -[discrete] -[[kill-process]] -=== `kill-process` - -Terminate a process. You must include one of the following parameters to identify the process to terminate: - -* `--pid` : A process ID (PID) representing the process to terminate. -* `--entityId` : An entity ID representing the process to terminate. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Process Operations** - -Example: `kill-process --pid 123 --comment "Terminate suspicious process"` - -[NOTE] -==== -For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. - -Example: `kill-process --processName cat --comment "Terminate suspicious process"` -==== - -[discrete] -[[security-response-actions-suspend-process]] -=== `suspend-process` - -Suspend a process. You must include one of the following parameters to identify the process to suspend: - -* `--pid` : A process ID (PID) representing the process to suspend. -* `--entityId` : An entity ID representing the process to suspend. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **Process Operations** - -Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` - -[discrete] -[[get-file]] -=== `get-file` - -Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. - -[NOTE] -==== -Files retrieved from third-party-protected hosts require a different password. Refer to <> for your system's password. -==== - -You must include the following parameter to specify the file's location on the host: - -* `--path` : The file's full path (including the file name). - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **File Operations** - -Example: `get-file --path "/full/path/to/file.txt" --comment "Possible malware"` - -[TIP] -==== -You can use the <> to query a host's operating system and gain insight into its files and directories, then use `get-file` to retrieve specific files. -==== - -[NOTE] -==== -When {elastic-defend} prevents file activity due to <>, the file is quarantined on the host and a malware prevention alert is created. To retrieve this file with `get-file`, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. -==== - -[discrete] -[[security-response-actions-execute]] -=== `execute` - -Run a shell command on the host. The command's output and any errors appear in the response console, up to 2000 characters. The complete output (stdout and stderr) are also saved to a downloadable `.zip` archive (password: `elastic`). Use these parameters: - -* `--command` : (Required) A shell command to run on the host. The command must be supported by `bash` for Linux and macOS hosts, and `cmd.exe` for Windows. -+ -[NOTE] -==== -* Multiple consecutive dashes in the value must be escaped; single dashes do not need to be escaped. For example, to represent a directory named `/opt/directory--name`, use the following: `/opt/directory--name`. -* You can use quotation marks without escaping. For example: -`execute --command "cd "C:\Program Files\directory""` -==== -* `--timeout` : (Optional) How long the host should wait for the command to complete. Use `h` for hours, `m` for minutes, `s` for seconds (for example, `2s` is two seconds). If no timeout is specified, it defaults to four hours. - -Predefined role: **SOC manager** or **Endpoint operations analyst** - -Custom role privilege: **Execute Operations** - -Example: `execute --command "ls -al" --timeout 2s --comment "Get list of all files"` - -[WARNING] -==== -This response action runs commands on the host using the same user account running the {elastic-defend} integration, which normally has full control over the system. Be careful with any commands that could cause irrevocable changes. -==== - -[discrete] -[[security-response-actions-upload]] -=== `upload` - -Upload a file to the host. The file is saved to the location on the host where {elastic-endpoint} is installed. After you run the command, the full path is returned in the console for reference. Use these parameters: - -* `--file` : (Required) The file to send to the host. As soon as you type this parameter, a popup appears — select it to navigate to the file, or drag and drop the file onto the popup. -* `--overwrite` : (Optional) Overwrite the file on the host if it already exists. - -Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst** - -Custom role privilege: **File Operations** - -Example: `upload --file --comment "Upload remediation script"` - -[TIP] -==== -You can follow this with the `execute` response action to upload and run scripts for mitigation or other purposes. -==== - -[NOTE] -==== -The default file size maximum is 25 MB, configurable in `kibana.yml` with the `xpack.securitySolution.maxUploadResponseActionFileBytes` setting. You must enter the value in bytes (the maximum is `104857600` bytes, or 100 MB). -==== - -[discrete] -[[security-response-actions-scan]] -=== `scan` - -Scan a specific file or directory on the host for malware. This uses the <> (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host's associated {elastic-defend} integration policy. Use these parameters: - -* `--path` : (Required) The absolute path to a file or directory to be scanned. - -Predefined role: **Tier 3 Analyst**, **SOC Manager**, or **Endpoint Operations Analyst** - -Custom role privilege: **Scan Operations** - -Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads folder for malware"` - -[NOTE] -==== -Scanning can take longer for directories containing a lot of files. -==== - -[discrete] -[[runscript]] -=== `runscript` - -NOTE: This response action is supported only for <>. - -Run a script on a host. You must include one of the following parameters to identify the script you want to run: - -* `--Raw`: The full script content provided directly as a string. -* `--CloudFile`: The name of the script stored in a cloud storage location. -* `--HostPath`: The absolute or relative file path of the script located on the host machine. - -You can also use these optional parameters: - -* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution. -* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds. - -Predefined role: **SOC manager** or **Endpoint operations analyst** - -Custom role privilege: **Execute Operations** - -Examples: - -`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` - -`runscript --Raw=```Get-ChildItem.```` - -`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"` - -[discrete] -[[supporting-commands-parameters]] -== Supporting commands and parameters - -[discrete] -[[security-response-actions-comment]] -=== `--comment` - -Add to a command to include a comment explaining or describing the action. Comments are included in the response actions history. - -[discrete] -[[security-response-actions-help]] -=== `--help` - -Add to a command to get help for that command. - -Example: `isolate --help` - -[discrete] -[[security-response-actions-clear]] -=== `clear` - -Clear all output from the response console. - -[discrete] -[[security-response-actions-help-1]] -=== `help` - -List supported commands in the console output area. - -[TIP] -==== -You can also get a list of commands in the <>, which stays on the screen independently of the output area. -==== - -[discrete] -[[help-panel]] -== Help panel - -Click image:images/icons/help.svg[Help] **Help** in the upper-right to open the **Help** panel, which lists available response action commands and parameters as a reference. - -[NOTE] -==== -This panel displays only the response actions that you have the user role privileges to perform. -==== - -[role="screenshot"] -image::images/response-actions/-management-admin-response-console-help-panel.png[Help panel] - -You can use this panel to build commands with less typing. Click the add icon (image:images/icons/plusInCircle.svg[Add]) to add a command to the input area, enter any additional parameters or a comment, then press **Return** to run the command. - -If the endpoint is running an older version of {agent}, some response actions may not be supported, as indicated by an informational icon and tooltip. {fleet-guide}/upgrade-elastic-agent.html[Upgrade {agent}] on the endpoint to be able to use the latest response actions. - -[role="screenshot"] -image::images/response-actions/-management-admin-response-console-unsupported-command.png[Unsupported response action with tooltip] - -[discrete] -[[actions-log]] -== Response actions history - -Click **Response actions history** to display a log of the response actions performed on the endpoint, such as isolating a host or terminating a process. You can filter the information displayed in this view. Refer to <> for more details. - -[role="screenshot"] -image::images/response-actions/-management-admin-response-actions-history-console.png[Response actions history with a few past actions] diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc deleted file mode 100644 index 767f4dda99..0000000000 --- a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc +++ /dev/null @@ -1,96 +0,0 @@ -[[security-third-party-actions]] -= Third-party response actions - -// :description: Respond to threats on hosts enrolled in third-party security systems. -// :keywords: serverless, security, defend, reference, manage - - -You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {elastic-sec} UI. - -.Requirements -[NOTE] -==== -* Third-party response actions require the Endpoint Protection Complete <>. -* Each response action type has its own user role privilege requirements. Find an action's role requirements at <>. -* Additional <> is required to connect {elastic-sec} with a third-party system. -==== - -[discrete] -[[security-third-party-actions-supported-systems-and-response-actions]] -== Supported systems and response actions - -The following third-party response actions are supported for CrowdStrike and SentinelOne. <> to connect each system with {elastic-sec}. - -++++ -
-
- - - -
-
-++++ -These response actions are supported for CrowdStrike-enrolled hosts: - -* **Isolate and release a host** using any of these methods: -+ -** From a detection alert -** From the response console -+ -Refer to the instructions on <> and <> hosts for more details. - -* **Run a script on a host** with the <>. - -* **View past response action activity** in the <> log. - -++++ -
- - -
-++++