Third-party response actions
You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network without leaving the Elastic Security UI.
Requirements
- Third-party response actions require the Endpoint Protection Complete project feature.
- Each response action type has its own user role privilege requirements. Find an action’s role requirements at Endpoint response actions.
- Additional configuration is required to connect Elastic Security with a third-party system.
Supported systems and response actions
The following third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with Elastic Security.
These response actions are supported for CrowdStrike-enrolled hosts:
- Isolate and release a host using any of these methods:
- Run a script on a host with the runscript response action.
- View past response action activity in the response actions history log.
These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts:
These response actions are supported for SentinelOne-enrolled hosts:
- Isolate and release a host using any of these methods:
- Retrieve a file from a host with the get-file response action. For SentinelOne-enrolled hosts, you must use the password Elastic@123 to open the retrieved file.
- Get a list of processes running on a host with the processes response action. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.
- Terminate a process running on a host with the kill-process response action. For SentinelOne-enrolled hosts, you must use the parameter --processName to identify the process to terminate. --pid and --entityId are not supported. Example:
kill-process --processName cat --comment "Terminate suspicious process"
- View past response action activity in the response actions history log.