Third-party response actions

Respond to threats on hosts enrolled in third-party security systems.

Technical preview

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the Elastic Security UI.

Requirements

  • Third-party response actions require the Endpoint Protection Complete project feature.

  • Each response action type has its own user role privilege requirements. Find an action's role requirements at Endpoint response actions.

Supported systems and response actions

The following third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with Elastic Security.

These response actions are supported for CrowdStrike-enrolled hosts:

  • Isolate and release a host using any of these methods:

    • From a detection alert
    • From the response console

    Refer to the instructions on isolating and releasing hosts for more details.

On this page