Third-party response actions
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the Elastic Security UI.
Requirements
- Third-party response actions require the Endpoint Protection Complete project feature.
- Each response action type has its own user role privilege requirements. Find an action’s role requirements at Endpoint response actions.
Supported systems and response actions
The following third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with Elastic Security.
These response actions are supported for CrowdStrike-enrolled hosts:
These response actions are supported for SentinelOne-enrolled hosts:
- Isolate and release a host using any of these methods:
- Retrieve a file from a host with the `get-file` response action. For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file.
- Get a list of processes running on a host with the `processes` response action. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.
- Terminate a process running on a host with the `kill-process` response action. For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported. Example:
  `kill-process --processName cat --comment "Terminate suspicious process"`
- View past response action activity in the response actions history log.