Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SentinelOne get-file response action [serverless] #5444

Merged
merged 2 commits into from
Jun 25, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -106,10 +106,17 @@ Required role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations ana

Example: `suspend-process --pid 123 --comment "Suspend suspicious process"`

<div id="get-file"></div>
### `get-file`

Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment.

<DocCallOut title="Note">
Files retrieved from third-party-protected hosts require a different password. Refer to the following:

- <DocLink slug="/serverless/security/third-party-actions" section="sentinelone-response-actions">SentinelOne response actions</DocLink>
</DocCallOut>

You must include the following parameter to specify the file's location on the host:

* `--path` : The file's full path (including the file name).
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,12 @@ tags: ["serverless","security","defend","reference","manage"]

You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior <DocLink slug="/serverless/security/response-actions-config">configuration</DocLink> is required to connect ((elastic-sec)) with SentinelOne.

<DocCallOut title="Requirements">

Third-party response actions require the Endpoint Protection Complete <DocLink slug="/serverless/elasticsearch/manage-project" text="project feature" />, and each response action type has its own user role privilege requirements. Refer to <DocLink slug="/serverless/security/response-actions" /> for more information.

</DocCallOut>

The following response actions and related features are supported for SentinelOne-protected hosts:

- **Isolate and release a host** using any of these methods:
Expand All @@ -21,4 +27,9 @@ The following response actions and related features are supported for SentinelOn

Refer to the instructions on <DocLink slug="/serverless/security/isolate-host" section="isolate-a-host">isolating</DocLink> and <DocLink slug="/serverless/security/isolate-host" section="release-a-host">releasing</DocLink> hosts for more details.

- **Retrieve a file from a host** with the <DocLink slug="/serverless/security/response-actions" section="get-file">`get-file` response action</DocLink>.
<DocCallOut title="Note">
For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file.
</DocCallOut>

- **View past response action activity** in the <DocLink slug="/serverless/security/response-actions-history">response actions history</DocLink> log.
Loading