From dacd3a253623dc5ed2bc95b9203bee7a268485a1 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 3 Jul 2024 10:52:26 -0400 Subject: [PATCH] First draft (#5499) --- docs/management/admin/response-actions.asciidoc | 8 ++++++++ docs/management/admin/third-party-actions.asciidoc | 10 ++++++++++ 2 files changed, 18 insertions(+) diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 8da977cd3d..821034bbb9 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -106,10 +106,18 @@ Required privilege: *Process Operations* Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` [discrete] +[[get-file]] === `get-file` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. +[NOTE] +==== +Files retrieved from third-party-protected hosts require a different password. Refer to the following: + +* <> +==== + You must include the following parameter to specify the file's location on the host: * `--path` : The file's full path (including the file name). diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index cb50f31128..a544666a75 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc 
@@ -14,6 +14,12 @@ preview::[] You can direct SentinelOne to perform response actions on protected hosts without leaving the {elastic-sec} UI. Prior <> is required to connect {elastic-sec} with SentinelOne. +.Requirements +[sidebar] +-- +Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription], and each response action type has its own user role privilege requirements. Refer to <> for more information. +-- + The following response actions and related features are supported for SentinelOne-protected hosts: * **Isolate and release a host** using any of these methods: @@ -25,4 +31,8 @@ The following response actions and related features are supported for SentinelOn + Refer to the instructions on <> and <> hosts for more details. +* **Retrieve a file from a host** with the <>. ++ +NOTE: For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file. + * **View past response action activity** in the <> log.
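Review bot: in the response-actions.asciidoc hunk, the new NOTE under `get-file` wraps its single cross-reference in a one-item bullet list; fold it into the sentence ("Files retrieved from third-party-protected hosts require a different password; refer to <> for details.") so the admonition stays a single sentence. It is also worth making explicit there that neither archive password is a secret, since both values are published in these docs; the existing "to prevent the file from running" wording already carries that meaning for the `elastic` case, and the NOTE should not read as though the third-party password protected the file's contents.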
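Review bot: the new Requirements sidebar in third-party-actions.asciidoc lists the Enterprise subscription and per-action role privileges, but the third prerequisite, the connector setup from the preceding sentence "Prior <> is required to connect {elastic-sec} with SentinelOne", stays outside it; consider moving that sentence into the sidebar so subscription, privileges and connector setup are listed together.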
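Review bot: in the `get-file` bullet added to third-party-actions.asciidoc, "to open the retrieved file" is inaccurate; per the `get-file` section in response-actions.asciidoc the password opens the password-protected `.zip` archive, not the file inside it. Suggest: "NOTE: For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the `.zip` archive that contains the retrieved file." Stating in the same sentence that this differs from the `elastic` password documented for `get-file` in response-actions.asciidoc would also help, since resolving that difference is what the new cross-reference from that file exists to do.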