Third-party response actions

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the Elastic Security UI.

Requirements

Third-party response actions require the Endpoint Protection Complete project feature.
Each response action type has its own user role privilege requirements. Find an action’s role requirements at Endpoint response actions.

Supported systems and response actions

edit

The following third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with Elastic Security.

These response actions are supported for CrowdStrike-enrolled hosts:

Isolate and release a host using any of these methods:
- From a detection alert
- From the response console
  
  Refer to the instructions on isolating and releasing hosts for more details.

These response actions are supported for SentinelOne-enrolled hosts:

Isolate and release a host using any of these methods:
- From a detection alert
- From the response console
  
  Refer to the instructions on isolating and releasing hosts for more details.
Retrieve a file from a host with the get-file response action.

For SentinelOne-enrolled hosts, you must use the password Elastic@123 to open the retrieved file.
Get a list of processes running on a host with the processes response action. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.
Terminate a process running on a host with the kill-process response action.

For SentinelOne-enrolled hosts, you must use the parameter --processName to identify the process to terminate. --pid and --entityId are not supported.

Example: kill-process --processName cat --comment "Terminate suspicious process"
View past response action activity in the response actions history log.

« Response actions history Configure third-party response actions »