Third-party response actions
You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network without leaving the Elastic Security UI.
Requirements
- Third-party response actions require the Endpoint Protection Complete project feature.
- Each response action type has its own user role privilege requirements. Find an action’s role requirements at Endpoint response actions.
- Additional configuration is required to connect Elastic Security with a third-party system.
Supported systems and response actions
The following third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with Elastic Security.
These response actions are supported for CrowdStrike-enrolled hosts:
- Isolate and release a host using any of these methods:
- Run a script on a host with the runscript response action.
- View past response action activity in the response actions history log.
These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts:
These response actions are supported for SentinelOne-enrolled hosts:
- Isolate and release a host using any of these methods:
- Retrieve a file from a host with the get-file response action. For SentinelOne-enrolled hosts, you must use the password Elastic@123 to open the retrieved file.
- Get a list of processes running on a host with the processes response action. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.
- Terminate a process running on a host with the kill-process response action. For SentinelOne-enrolled hosts, you must use the --processName parameter to identify the process to terminate; --pid and --entityId are not supported. Example:
  kill-process --processName cat --comment "Terminate suspicious process"
- View past response action activity in the response actions history log.
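The per-system constraints above (which actions each third-party system supports, and that SentinelOne kill-process accepts only --processName) are easy to get wrong when response-console commands are generated or reviewed outside the UI. The following is an added example, not Elastic's own code: it parses a response-console command line with shlex (so a quoted --comment survives intact) and checks it against the rules stated on this page before it would be submitted. The agent-type labels "crowdstrike" and "sentinel_one" and the assumption that --comment is accepted by every action are the example's own; it does not model the Microsoft Defender for Endpoint action set, which this page does not list.

```python
"""Validate Elastic Security response-console commands against the
third-party host constraints described on this page.
Added example, not Elastic's own code; agent-type labels are assumptions."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Actions the page lists per third-party system (labels are assumed names).
SUPPORTED_ACTIONS = {
    "crowdstrike": {"isolate", "release", "runscript"},
    "sentinel_one": {"isolate", "release", "get-file", "processes", "kill-process"},
}

# Process selectors kill-process can take in general; the page states that
# SentinelOne accepts only --processName (--pid and --entityId unsupported).
PROCESS_SELECTORS = {"--processName", "--pid", "--entityId"}
KILL_PROCESS_SELECTORS = {"sentinel_one": {"--processName"}}


@dataclass
class ParsedCommand:
    action: str
    params: dict            # option name -> value (True for a bare flag)
    comment: Optional[str]  # --comment is assumed to be accepted by every action


def parse_command(line: str) -> ParsedCommand:
    """Split a console command into action, --options and optional comment."""
    tokens = shlex.split(line)
    if not tokens:
        raise ValueError("empty command")
    action, rest = tokens[0], tokens[1:]
    params = {}
    i = 0
    while i < len(rest):
        tok = rest[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected token {tok!r}")
        # An option consumes the next token as its value unless that token
        # is itself an option; otherwise it is treated as a bare flag.
        if i + 1 < len(rest) and not rest[i + 1].startswith("--"):
            params[tok] = rest[i + 1]
            i += 2
        else:
            params[tok] = True
            i += 1
    comment = params.pop("--comment", None)
    return ParsedCommand(action, params, comment)


def validate(line: str, agent_type: str) -> list:
    """Return a list of problems; an empty list means the command is acceptable."""
    try:
        cmd = parse_command(line)
    except ValueError as e:
        return [str(e)]
    allowed = SUPPORTED_ACTIONS.get(agent_type)
    if allowed is None:
        return [f"unknown agent type {agent_type!r}"]
    if cmd.action not in allowed:
        return [f"{cmd.action} is not supported for {agent_type} hosts"]
    problems = []
    if cmd.action == "kill-process":
        used = set(cmd.params) & PROCESS_SELECTORS
        ok = KILL_PROCESS_SELECTORS.get(agent_type, PROCESS_SELECTORS)
        for sel in sorted(used - ok):
            problems.append(f"{sel} is not supported for {agent_type} hosts")
        if not used & ok:
            problems.append("kill-process needs one of: " + ", ".join(sorted(ok)))
    return problems


if __name__ == "__main__":
    # The page's own example, checked against a SentinelOne-enrolled host.
    example = 'kill-process --processName cat --comment "Terminate suspicious process"'
    print(validate(example, "sentinel_one"))       # []
    print(validate("kill-process --pid 1234", "sentinel_one"))
    print(validate(example, "crowdstrike"))
```

The check runs before any action is submitted, so a reviewer can reject a command that would fail on the third-party side (or that names an action the page does not list for that system) and keep the response actions history log free of rejected attempts.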