First draft (#5444)
joepeeples authored Jun 25, 2024
1 parent d32f517 commit f9d7847
Showing 2 changed files with 18 additions and 0 deletions.
@@ -106,10 +106,17 @@ Required role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations ana

Example: `suspend-process --pid 123 --comment "Suspend suspicious process"`

<div id="get-file"></div>
### `get-file`

Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment.

<DocCallOut title="Note">
Files retrieved from third-party-protected hosts require a different password. Refer to the following:

- <DocLink slug="/serverless/security/third-party-actions" section="sentinelone-response-actions">SentinelOne response actions</DocLink>
</DocCallOut>

You must include the following parameter to specify the file's location on the host:

* `--path` : The file's full path (including the file name).
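Review bot: the new Note callout's "Refer to the following:" introduces a list that has only one item, which reads like an unfinished list; fold it into one sentence, e.g. `Files retrieved from hosts protected by a third-party tool require a different password; see <DocLink slug="/serverless/security/third-party-actions" section="sentinelone-response-actions">SentinelOne response actions</DocLink>.` Also confirm that a heading with the `sentinelone-response-actions` anchor exists on the third-party-actions page, since none is visible in the lines of that file shown in this commit; a missing anchor will silently drop the reader at the top of the page.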
11 changes: 11 additions & 0 deletions docs/serverless/endpoint-response-actions/third-party-actions.mdx
@@ -13,6 +13,12 @@ tags: ["serverless","security","defend","reference","manage"]

You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior <DocLink slug="/serverless/security/response-actions-config">configuration</DocLink> is required to connect ((elastic-sec)) with SentinelOne.

<DocCallOut title="Requirements">

Third-party response actions require the Endpoint Protection Complete <DocLink slug="/serverless/elasticsearch/manage-project" text="project feature" />, and each response action type has its own user role privilege requirements. Refer to <DocLink slug="/serverless/security/response-actions" /> for more information.

</DocCallOut>

The following response actions and related features are supported for SentinelOne-protected hosts:

- **Isolate and release a host** using any of these methods:
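Review bot: the `project feature` link in the Requirements callout passes its label through a `text=` attribute, while every other DocLink in this file wraps the label as child content; use one form for consistency. The second DocLink is self-closing with no label at all, so it renders whatever default title the component supplies; if that is not intended, give it explicit text such as `the response actions reference`. The Requirements callout also has blank lines inside the tag while the Note callout added to the other file in this commit does not; align the two so they render the same.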
@@ -21,4 +27,9 @@ The following response actions and related features are supported for SentinelOn

Refer to the instructions on <DocLink slug="/serverless/security/isolate-host" section="isolate-a-host">isolating</DocLink> and <DocLink slug="/serverless/security/isolate-host" section="release-a-host">releasing</DocLink> hosts for more details.

- **Retrieve a file from a host** with the <DocLink slug="/serverless/security/response-actions" section="get-file">`get-file` response action</DocLink>.
<DocCallOut title="Note">
For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file.
</DocCallOut>

- **View past response action activity** in the <DocLink slug="/serverless/security/response-actions-history">response actions history</DocLink> log.
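Review bot: the `<DocCallOut>` added under the **Retrieve a file from a host** bullet needs to be indented to sit inside that list item; at column 0, MDX closes the list before the callout, and the following **View past response action activity** bullet then starts a new, separate list. Also, this hunk states the SentinelOne archive password `Elastic@123` as a fixed value while the sibling change in the other file only says a "different password" applies and links here; keep the two in step if that value ever changes, and consider stating explicitly that this password replaces the default `elastic` rather than being used in addition to it.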

0 comments on commit f9d7847