Bidirectional integration response actions (SentinelOne) #4312

Closed
8 tasks done
joepeeples opened this issue Nov 27, 2023 · 2 comments
Labels
Docset: ESS Issues that apply to docs in the Stack release Docset: Serverless Issues for Serverless Security Feature: Response actions also includes response console Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management v8.12.0

Comments

joepeeples commented Nov 27, 2023

Description

Create docs and docs links for bi-directional integration response actions, per https://github.com/elastic/security-team/issues/7780#issuecomment-1828209705.

Response action configuration

From #4534, which we closed in favor of this meta-ish issue.

First release of our bidirectional integration work - https://github.com/elastic/security-team/issues/6200

There are a handful of steps users must take to ensure they are able to successfully take action on Sentinel One hosts (for the initial tech preview release in 8.12, the only action is to isolate / release a host). We want to make sure we have a page that walks through the full configuration requirements.

Prerequisites:

  • Should have active running S1 agents

High level steps:

  1. Ensure there is an agent policy created (Fleet) that will be responsible for pulling S1 data
  2. Add and configure the Sentinel One integration to policy
  3. Create a security detection rule to get elastic alerts for Sentinel One alerts
    • logs-sentinel_one.alert*
  4. Create a connector for Sentinel One
    • Needed for manual response actions; automated actions not available yet
    • Create ONLY one connector
    • API token needs to have privileges to perform actions (isolate/release host)

Information needed

  • Which documentation set does this change impact? (ESS, serverless, or both) — Both
  • Feature differences (ESS vs. serverless) — n/a
  • ESS release — 8.12.0
  • Serverless release — January 16, 2024 (coordinated with ESS release)
  • API docs impact — ???
  • License/subscription/tier required:
    • ESS — Enterprise
    • Serverless — Endpoint Protection Complete
  • RBAC required:
    • ESS permissions/roles — all permissions for connectors & actions (may change in future releases)
    • Serverless preset roles — SOC manager, Endpoint operations analyst (per security-team#7911)
  • Feature flags needed to enable feature — ESS available as of 8.12 BC5. Serverless flags enabled to hide in serverless until ESS release.

Pull requests, related tasks

Tasks


Order of operations

Cross-docs links create some dependencies between the PRs above. Merge in the following order to minimize breaking builds. Note that we'll need to update links in some PRs before merging them.

  1. Connector docs
  2. Main docs — Update link to connector docs
  3. Integration docs — Update link to main docs (once 8.12 docs are published and current == 8.12)
  4. Serverless connector docs — Confirm link from serverless landing page to classic connector page works
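As an added example (not code from this issue, from Elastic, or from the linked PRs), the script below turns two of the configuration requirements above into something checkable: it builds the detection rule from step 3, which reads the `logs-sentinel_one.alert*` data stream named on the page, and it enforces the "create ONLY one connector" constraint from step 4 against the list of connectors Kibana returns. Everything except that index pattern is an assumption: the Kibana Detection Engine endpoint `/api/detection_engine/rules`, the Actions endpoint `/api/actions/connectors`, the connector type id `.sentinelone`, the rule's name, severity and schedule values, and the `KIBANA_URL` / `KIBANA_API_KEY` environment variables.

```python
"""Added example, not part of the issue or Elastic's documentation.

Assumed (not on the page): the Kibana API paths used below, the connector
type id ".sentinelone", the example rule metadata, and the two environment
variables KIBANA_URL and KIBANA_API_KEY.
"""
import json
import os
import urllib.request

# Index pattern from the issue: the SentinelOne integration's alert data stream.
SENTINEL_ONE_ALERT_INDEX = "logs-sentinel_one.alert*"
# Assumed connector type id for the SentinelOne connector in Kibana.
SENTINEL_ONE_CONNECTOR_TYPE = ".sentinelone"


def build_sentinel_one_alert_rule(rule_id="sentinel-one-alert-passthrough"):
    """Return a query-type detection rule body that raises an Elastic Security
    alert for every document in the SentinelOne alert data stream (step 3).
    Name, description, severity and schedule are example values."""
    return {
        "rule_id": rule_id,
        "name": "SentinelOne alert (promoted to Elastic alert)",
        "description": "Creates an Elastic alert for each SentinelOne alert "
                       "so that response actions can be run on the host.",
        "type": "query",
        "language": "kuery",
        "query": "*",  # every alert document; narrow this in production
        "index": [SENTINEL_ONE_ALERT_INDEX],
        "risk_score": 47,
        "severity": "medium",
        "enabled": True,
        "interval": "5m",
        "from": "now-6m",  # overlap the interval so late-indexed docs are caught
        "tags": ["SentinelOne", "bidirectional"],
    }


def sentinel_one_connectors(connectors):
    """Keep only the SentinelOne connectors from a Kibana connector list."""
    return [c for c in connectors
            if c.get("connector_type_id") == SENTINEL_ONE_CONNECTOR_TYPE]


def check_single_connector(connectors):
    """Return (ok, message); ok is True only when exactly one SentinelOne
    connector exists, which step 4 requires for manual response actions."""
    found = sentinel_one_connectors(connectors)
    if not found:
        return False, "no SentinelOne connector configured"
    if len(found) > 1:
        names = ", ".join(c.get("name", "?") for c in found)
        return False, f"{len(found)} SentinelOne connectors found ({names}); keep only one"
    return True, f"single SentinelOne connector: {found[0].get('name', '?')}"


def _kibana_request(method, path, body=None):
    """Minimal authenticated Kibana call; the kbn-xsrf header is required on writes."""
    url = os.environ["KIBANA_URL"].rstrip("/") + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, method=method, data=data)
    req.add_header("Authorization", "ApiKey " + os.environ["KIBANA_API_KEY"])
    req.add_header("kbn-xsrf", "true")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample of a trimmed GET /api/actions/connectors response.
    sample = [
        {"id": "a1", "name": "SentinelOne prod", "connector_type_id": ".sentinelone"},
        {"id": "b2", "name": "Slack", "connector_type_id": ".slack"},
    ]
    print(check_single_connector(sample))
    # Only talk to a real Kibana when the assumed environment variables are set.
    if os.environ.get("KIBANA_URL") and os.environ.get("KIBANA_API_KEY"):
        ok, msg = check_single_connector(_kibana_request("GET", "/api/actions/connectors"))
        print(msg)
        created = _kibana_request("POST", "/api/detection_engine/rules",
                                  build_sentinel_one_alert_rule())
        print("created rule id:", created.get("id"))
```

The connector check is deliberately a pure function over the JSON list so it can run offline against a captured response; the API key used for the real call needs the connector and actions privileges the issue lists under RBAC, and the SentinelOne API token stored in the connector itself must be allowed to isolate and release hosts, which this script cannot verify from the Kibana side.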
@joepeeples joepeeples added Team: EDR Workflows Formerly Defend Workflows, Onboarding and Lifecycle Management Feature: Response actions also includes response console v8.12.0 labels Nov 27, 2023
@joepeeples joepeeples self-assigned this Nov 27, 2023
@joepeeples joepeeples added Docset: Serverless Issues for Serverless Security Docset: ESS Issues that apply to docs in the Stack release labels Nov 27, 2023
@joepeeples joepeeples changed the title Bi-directional integration response actions (SentinelOne) Bidirectional integration response actions (SentinelOne) Jan 10, 2024
joepeeples (Contributor, Author) commented:

Features are available now (as of 8.12.0 release). OK to publish serverless as soon as content is ready.

joepeeples (Contributor, Author) commented:

All docs updates complete.
