Configure third-party response actions

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the Elastic Security UI. This page explains the configuration steps needed to enable response actions for these third-party systems:

  • CrowdStrike
  • SentinelOne

Check out Third-party response actions to learn which response actions are supported for each system.

Expand a section below for your endpoint security system:

Set up CrowdStrike response actions
  1. Enable API access in CrowdStrike. Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike’s docs for instructions.

    • Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client.

      • To isolate and release hosts, the API client must have Read access for Alerts, and Read and Write access for Hosts.
    • Take note of the client ID, client secret, and base URL; you’ll need them in later steps when you configure Elastic Security components to access CrowdStrike.
    • The base URL varies depending on your CrowdStrike account type:

      • US-1: https://api.crowdstrike.com
      • US-2: https://api.us-2.crowdstrike.com
      • EU-1: https://api.eu-1.crowdstrike.com
      • US-GOV-1: https://api.laggar.gcw.crowdstrike.com
  2. Install the CrowdStrike integration and Elastic Agent. Elastic’s CrowdStrike integration collects and ingests logs into Elastic Security.

    1. Go to Integrations, search for and select CrowdStrike, then select Add CrowdStrike.
    2. Configure the integration with an Integration name and optional Description.
    3. Select Collect CrowdStrike logs via API, and enter the required Settings:

      • Client ID: Client ID for the API client used to read CrowdStrike data.
      • Client Secret: Client secret allowing you access to CrowdStrike.
      • URL: The base URL of the CrowdStrike API.
    4. Select the Falcon Alerts and Hosts sub-options under Collect CrowdStrike logs via API.
    5. Scroll down and enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to Elastic Agent policies.
    6. Click Save and continue.
    7. Select Add Elastic Agent to your hosts and continue with the Elastic Agent installation steps to install Elastic Agent on a resource in your network (such as a server or VM). Elastic Agent will act as a bridge collecting data from CrowdStrike and sending it back to Elastic Security.
  3. Create a CrowdStrike connector. Elastic’s CrowdStrike connector enables Elastic Security to perform actions on CrowdStrike-enrolled hosts.

    Do not create more than one CrowdStrike connector.

    1. Go to Stack Management → Connectors, then select Create connector.
    2. Select the CrowdStrike connector.
    3. Enter the configuration information:

      • Connector name: A name to identify the connector.
      • CrowdStrike API URL: The base URL of the CrowdStrike API.
      • CrowdStrike Client ID: Client ID for the API client used to perform actions in CrowdStrike.
      • Client Secret: Client secret allowing you access to CrowdStrike.
    4. Click Save.
  4. Create and enable detection rules to generate Elastic Security alerts (optional). Create detection rules that generate Elastic Security alerts from CrowdStrike events and data. The CrowdStrike integration docs list the ingested logs and fields you can use in a rule query.

    This gives you visibility into CrowdStrike without needing to leave Elastic Security. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the Take action menu in the alert details flyout.
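Before pasting the client credentials into the integration and the connector, it is worth confirming that the API client can mint a token at the base URL for your cloud and actually holds the read scopes step 1 asks for. The script below is an added example (it is not part of the Elastic documentation, and not Elastic's or CrowdStrike's code). It calls CrowdStrike's OAuth2 token endpoint (`POST /oauth2/token`) and then probes the Hosts and Alerts query endpoints, which answer 403 when the client lacks the matching scope; confirm the endpoint paths against CrowdStrike's API reference for your account. The HTTP layer is an injectable callable, so the same logic runs offline against the constructed fake API at the bottom, whose credentials and responses are made up for illustration. Hosts write is deliberately not probed, since that would change state on a real host.

```python
"""Smoke-test a CrowdStrike API client's scopes before configuring Elastic.

Added example (not Elastic's or CrowdStrike's code). It mints an OAuth2 bearer
token at <base URL>/oauth2/token and then calls the Hosts and Alerts query
endpoints, which return 403 when the API client lacks the matching read scope.
The HTTP layer is a plain callable so the check also runs offline against the
constructed fake API at the bottom.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Base URLs listed on the page, keyed by CrowdStrike cloud.
BASE_URLS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}

# Endpoints probed for each read scope the page requires. Hosts write is not
# probed: that would mean changing state on a real host.
SCOPE_PROBES = {
    "hosts:read": "/devices/queries/devices/v1?limit=1",
    "alerts:read": "/alerts/queries/alerts/v1?limit=1",
}


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, decoded JSON) and does not raise on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def get_token(base_url, client_id, client_secret, transport=urllib_transport):
    """OAuth2 client-credentials exchange; CrowdStrike answers 201 with an access_token."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    status, data = transport(
        "POST", f"{base_url}/oauth2/token",
        {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
        form.encode(),
    )
    if status not in (200, 201) or "access_token" not in data:
        raise PermissionError(f"token request failed: HTTP {status} {data.get('errors')}")
    return data["access_token"]


def check_scopes(base_url, token, transport=urllib_transport):
    """Map each required scope to True/False depending on whether its probe is allowed."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    results = {}
    for scope, path in SCOPE_PROBES.items():
        status, _ = transport("GET", f"{base_url}{path}", headers, None)
        results[scope] = status == 200  # 403 = scope missing, 401 = bad token
    return results


# --- constructed fake API used for the offline demo ------------------------
FAKE_BASE = BASE_URLS["US-1"]
FAKE_CLIENT = ("abc", "s3cret")  # made-up credentials


def fake_transport(method, url, headers, body):
    """Behaves like an API client that was granted Hosts read but not Alerts read."""
    denied = (403, {"errors": [{"code": 403, "message": "access denied, authorization failed"}]})
    path = url[len(FAKE_BASE):]
    if method == "POST" and path == "/oauth2/token":
        form = urllib.parse.parse_qs(body.decode())
        if (form.get("client_id"), form.get("client_secret")) == (["abc"], ["s3cret"]):
            return 201, {"access_token": "fake-token", "expires_in": 1799, "token_type": "bearer"}
        return denied
    if headers.get("Authorization") != "Bearer fake-token":
        return 401, {"errors": [{"code": 401, "message": "access denied, invalid bearer token"}]}
    if path.startswith("/devices/queries/devices/v1"):
        return 200, {"resources": ["0123456789abcdef"], "errors": []}
    return denied


def run_offline_demo():
    """Token exchange plus scope probes against the fake API."""
    token = get_token(FAKE_BASE, *FAKE_CLIENT, transport=fake_transport)
    return check_scopes(FAKE_BASE, token, transport=fake_transport)


if __name__ == "__main__":
    # Real run: FALCON_CLOUD=US-1 FALCON_CLIENT_ID=... FALCON_CLIENT_SECRET=... python check_falcon_scopes.py
    base = BASE_URLS[os.environ.get("FALCON_CLOUD", "US-1")]
    if "FALCON_CLIENT_ID" in os.environ:
        tok = get_token(base, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
        print(check_scopes(base, tok))
    else:
        print("offline demo:", run_offline_demo())
```

Run it once with the credentials of the read-only client you intend to give the integration and once with the action client you intend to give the connector; a `False` under `alerts:read` or `hosts:read` means the API client is missing a scope and the connector's isolate/release actions will fail even though the integration may still ingest data.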

Set up SentinelOne response actions
  1. Generate API access tokens in SentinelOne. You’ll need these tokens in later steps, and they allow Elastic Security to collect data and perform actions in SentinelOne.

    Create two API tokens in SentinelOne, and give them the minimum privilege required by the Elastic components that will use them:

    • SentinelOne integration: Permission to read SentinelOne data.
    • SentinelOne connector: Permission to read SentinelOne data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint).

    Refer to the SentinelOne integration docs or SentinelOne’s docs for details on generating API tokens.

  2. Install the SentinelOne integration and Elastic Agent. Elastic’s SentinelOne integration collects and ingests logs into Elastic Security.

    1. Go to Integrations, search for and select SentinelOne, then select Add SentinelOne.
    2. Configure the integration with an Integration name and optional Description.
    3. Ensure that Collect SentinelOne logs via API is selected, and enter the required Settings:

      • URL: The SentinelOne console URL.
      • API Token: The SentinelOne API access token you generated previously, with permission to read SentinelOne data.
    4. Scroll down and enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to Elastic Agent policies.
    5. Click Save and continue.
    6. Select Add Elastic Agent to your hosts and continue with the Elastic Agent installation steps to install Elastic Agent on a resource in your network (such as a server or VM). Elastic Agent will act as a bridge collecting data from SentinelOne and sending it to Elastic Security.
  3. Create a SentinelOne connector. Elastic’s SentinelOne connector enables Elastic Security to perform actions on SentinelOne-enrolled hosts.

    Do not create more than one SentinelOne connector.

    1. Go to Stack Management → Connectors, then select Create connector.
    2. Select the SentinelOne connector.
    3. Enter the configuration information:

      • Connector name: A name to identify the connector.
      • SentinelOne tenant URL: The SentinelOne tenant URL.
      • API token: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts.
    4. Click Save.
  4. Create and enable a rule to generate Elastic Security alerts. Create a custom query detection rule to generate Elastic Security alerts whenever SentinelOne generates alerts.

    Use these settings when creating the custom query rule to target the data collected from SentinelOne:

    • Index patterns: logs-sentinel_one.alert*
    • Custom query: observer.serial_number:*

    Do not include any other index patterns or query parameters.

    This gives you visibility into SentinelOne without needing to leave Elastic Security. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the Take action menu in the alert details flyout.
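If you manage detection rules as code rather than through the UI, the rule from step 4 can be created through Kibana's Detection Engine API. The script below is an added example, not Elastic's own tooling: it builds a custom query rule with exactly the index pattern and query the page specifies, refuses to submit a rule that adds other index patterns, query clauses or filters, and POSTs it to `/api/detection_engine/rules` with the `kbn-xsrf` header Kibana requires on write requests. The rule name, `rule_id`, risk score, severity and schedule are assumptions you can change; the Kibana URL and API key are read from environment variables and are not part of the original page.

```python
"""Create the SentinelOne bridging rule through Kibana's Detection Engine API.

Added example, not Elastic's own tooling. Builds the custom query rule exactly
as the page specifies (one index pattern, one query), refuses to submit a rule
that drifts from that, and POSTs it to /api/detection_engine/rules.
"""
import json
import os
import urllib.request

# The only index pattern and query the page allows for this rule.
SENTINELONE_INDEX = "logs-sentinel_one.alert*"
SENTINELONE_QUERY = "observer.serial_number:*"


def build_sentinelone_rule(name="SentinelOne alerts", interval="5m", lookback="now-6m"):
    """Rule body in the shape the Detection Engine API accepts for a custom query rule."""
    return {
        "rule_id": "sentinelone-alert-bridge",  # stable human-readable ID (assumed name)
        "name": name,
        "description": "Creates an Elastic Security alert for every SentinelOne alert "
                       "so third-party response actions are available from the flyout.",
        "type": "query",
        "language": "kuery",
        "index": [SENTINELONE_INDEX],
        "query": SENTINELONE_QUERY,
        "risk_score": 73,
        "severity": "high",
        "enabled": True,
        "interval": interval,  # how often the rule runs
        "from": lookback,      # look-back window, overlapping the interval slightly
    }


def validate_sentinelone_rule(rule):
    """Return the ways the rule departs from the page's constraints (empty list = OK)."""
    problems = []
    if rule.get("type") != "query":
        problems.append("rule type must be 'query' (custom query rule)")
    if rule.get("language", "kuery") != "kuery":
        problems.append("query must be KQL")
    if rule.get("index") != [SENTINELONE_INDEX]:
        problems.append(f"index patterns must be exactly [{SENTINELONE_INDEX!r}]")
    if (rule.get("query") or "").strip() != SENTINELONE_QUERY:
        problems.append(f"query must be exactly {SENTINELONE_QUERY!r}, with no extra clauses")
    if rule.get("filters"):
        problems.append("no additional filters are allowed")
    return problems


def create_rule(kibana_url, api_key, rule, opener=urllib.request.urlopen):
    """Validate, then POST the rule; `opener` is injectable so callers can dry-run."""
    problems = validate_sentinelone_rule(rule)
    if problems:
        raise ValueError("refusing to create rule: " + "; ".join(problems))
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/detection_engine/rules",
        data=json.dumps(rule).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",                    # required on Kibana write requests
            "Authorization": f"ApiKey {api_key}",  # base64 API key from Stack Management
        },
    )
    with opener(req, timeout=30) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Real run: KIBANA_URL=https://kibana.example:5601 KIBANA_API_KEY=... python create_s1_rule.py
    rule = build_sentinelone_rule()
    if "KIBANA_URL" in os.environ:
        created = create_rule(os.environ["KIBANA_URL"], os.environ["KIBANA_API_KEY"], rule)
        print("created rule", created.get("id"), "enabled =", created.get("enabled"))
    else:
        print(json.dumps(rule, indent=2))
```

The validator is the part worth keeping in a CI check: a teammate who "improves" the rule by narrowing the query or adding a second index pattern will silently break the link between SentinelOne alerts and the response actions in the flyout, and the script refuses such a rule before it reaches Kibana.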