Third-party response actions

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the Elastic Security UI.

CrowdStrike response actions

These response actions are supported for CrowdStrike-enrolled hosts:

  • Isolate and release a host using any of these methods:

    • From a detection alert
    • From the response console

    Refer to the instructions on isolating and releasing hosts for more details.

SentinelOne response actions

These response actions are supported for SentinelOne-enrolled hosts:

  • Isolate and release a host using any of these methods:

    • From a detection alert
    • From the response console

    Refer to the instructions on isolating and releasing hosts for more details.

  • Retrieve a file from a host with the get-file response action.

    For SentinelOne-enrolled hosts, you must use the password Elastic@123 to open the retrieved file.

  • Get a list of processes running on a host with the processes response action. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.
  • Terminate a process running on a host with the kill-process response action.

    For SentinelOne-enrolled hosts, you must use the --processName parameter to identify the process to terminate. The --pid and --entityId parameters are not supported for these hosts.

    Example: kill-process --processName cat --comment "Terminate suspicious process"

  • View past response action activity in the response actions history log.
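The per-vendor rules above (CrowdStrike supports only isolate and release; SentinelOne kill-process takes --processName and rejects --pid and --entityId) are the kind of thing an automation wrapper should check before it submits a command to the console. The following Python is an added example, not Elastic's own code or the console's real parser: it tokenises a response console line with shlex, then validates it against a table built from this page. The function names parse_console_command and validate_command, the agent type labels "crowdstrike" and "sentinelone", and the idea of returning a list of problem strings are all assumptions made for the example.

```python
import shlex

# Supported response actions per third-party agent type, as listed on this page.
# (Agent type labels are an assumption for this example.)
SUPPORTED_ACTIONS = {
    "crowdstrike": {"isolate", "release"},
    "sentinelone": {"isolate", "release", "get-file", "processes", "kill-process"},
}

# kill-process parameters the page says SentinelOne-enrolled hosts do not support.
SENTINELONE_KILL_PROCESS_UNSUPPORTED = {"--pid", "--entityId"}


def parse_console_command(command: str) -> tuple[str, dict[str, str]]:
    """Split a console line into the action name and a {--flag: value} map.

    shlex keeps quoted values such as --comment "Terminate suspicious process"
    intact. A flag followed by no value maps to "".
    """
    tokens = shlex.split(command)
    if not tokens:
        raise ValueError("empty command")
    action, params = tokens[0], {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected positional argument: {tok!r}")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            params[tok] = tokens[i + 1]
            i += 2
        else:
            params[tok] = ""
            i += 1
    return action, params


def validate_command(command: str, agent_type: str) -> list[str]:
    """Return the problems found; an empty list means the command is acceptable
    for hosts enrolled in the given third-party system."""
    allowed = SUPPORTED_ACTIONS.get(agent_type)
    if allowed is None:
        return [f"unknown agent type: {agent_type}"]
    action, params = parse_console_command(command)
    if action not in allowed:
        return [f"{action} is not supported for {agent_type}-enrolled hosts"]
    problems = []
    if agent_type == "sentinelone" and action == "kill-process":
        # Flags that are rejected on SentinelOne; sorted for a stable report.
        for flag in sorted(SENTINELONE_KILL_PROCESS_UNSUPPORTED.intersection(params)):
            problems.append(f"{flag} is not supported for SentinelOne kill-process; use --processName")
        if not params.get("--processName"):
            problems.append("--processName is required to identify the process on SentinelOne hosts")
    return problems


if __name__ == "__main__":
    # The page's own example passes; a --pid form and a CrowdStrike kill-process do not.
    print(validate_command('kill-process --processName cat --comment "Terminate suspicious process"', "sentinelone"))
    print(validate_command("kill-process --pid 1234", "sentinelone"))
    print(validate_command("kill-process --processName cat", "crowdstrike"))
```

Running the block prints an empty list for the page's example command, two problems for the --pid form, and one for the CrowdStrike case. Keeping the vendor table in one place means a later change to what a vendor supports is a one-line edit rather than a hunt through the wrapper.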