Third-party response actions
editThird-party response actions
editThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the Elastic Security UI.
CrowdStrike response actions
editThese response actions are supported for CrowdStrike-enrolled hosts:
SentinelOne response actions
editThese response actions are supported for SentinelOne-enrolled hosts:
-
Isolate and release a host using any of these methods:
- From a detection alert
- From the response console
Refer to the instructions on isolating and releasing hosts for more details.
-
Retrieve a file from a host with the
get-fileresponse action.For SentinelOne-enrolled hosts, you must use the password
Elastic@123to open the retrieved file. -
Get a list of processes running on a host with the
processesresponse action. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file. -
Terminate a process running on a host with the
kill-processresponse action.For SentinelOne-enrolled hosts, you must use the parameter
--processNameto identify the process to terminate.--pidand--entityIdare not supported.Example:
kill-process --processName cat --comment "Terminate suspicious process" - View past response action activity in the response actions history log.