Third-party response actions

You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the Elastic Security UI.

Requirements

CrowdStrike response actions

These response actions are supported for CrowdStrike-enrolled hosts:

Microsoft Defender for Endpoint response actions

These response actions are supported for Microsoft Defender for Endpoint–enrolled hosts:

  • Isolate and release a host using any of these methods:
    • From a detection alert
    • From the response console
    Refer to the instructions on isolating and releasing hosts for more details.

SentinelOne response actions

These response actions are supported for SentinelOne-enrolled hosts:

  • Isolate and release a host using any of these methods:
    • From a detection alert
    • From the response console
    Refer to the instructions on isolating and releasing hosts for more details.
  • Retrieve a file from a host with the get-file response action.
    ::::{note}
    For SentinelOne-enrolled hosts, you must use the password Elastic@123 to open the retrieved file.
    ::::
  • Get a list of processes running on a host with the processes response action. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.
  • Terminate a process running on a host with the kill-process response action.
    ::::{note}
    For SentinelOne-enrolled hosts, you must use the parameter --processName to identify the process to terminate. --pid and --entityId are not supported. Example: kill-process --processName cat --comment "Terminate suspicious process"
    ::::
  • View past response action activity in the response actions history log.
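The SentinelOne parameter rule for kill-process, as an added example that is not Elastic's own code or API: a hypothetical pre-flight validator that parses a response console line the way an analyst would type it and reports any parameter the documentation says SentinelOne-enrolled hosts do not accept (--pid, --entityId), while requiring --processName. The function names, the parsing approach and the returned problem strings are assumptions made for this example.

```python
"""Hypothetical pre-flight validator for response console commands aimed at
SentinelOne-enrolled hosts. Added example, not Elastic's code or API; it only
encodes the parameter rules stated in the documentation above."""
import shlex
from dataclasses import dataclass, field

# Per the documentation: on SentinelOne hosts kill-process accepts only
# --processName to identify the target; --pid and --entityId are unsupported.
# --comment is the free-text note shown in the documented example.
SENTINELONE_KILL_PROCESS_ALLOWED = {"processName", "comment"}
SENTINELONE_KILL_PROCESS_UNSUPPORTED = {"pid", "entityId"}


@dataclass
class ParsedCommand:
    """A console command name plus its --param values (assumed structure)."""
    name: str
    params: dict = field(default_factory=dict)


def parse_console_command(line: str) -> ParsedCommand:
    """Split a line such as
    'kill-process --processName cat --comment "Terminate suspicious process"'
    into a command name and a {param: value} mapping. shlex keeps the quoted
    comment together as one value."""
    tokens = shlex.split(line)
    if not tokens:
        raise ValueError("empty command")
    cmd = ParsedCommand(name=tokens[0])
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected token {tok!r}")
        key = tok[2:]
        # A parameter takes the next token as its value unless that token is
        # itself another --parameter (or the line ends); then it is a bare flag.
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            cmd.params[key] = tokens[i + 1]
            i += 2
        else:
            cmd.params[key] = True
            i += 1
    return cmd


def validate_sentinelone_kill_process(line: str) -> list[str]:
    """Return a list of problems with the command for a SentinelOne host.
    An empty list means the command follows the documented rules."""
    cmd = parse_console_command(line)
    if cmd.name != "kill-process":
        return [f"not a kill-process command: {cmd.name}"]
    problems = []
    for key in cmd.params:
        if key in SENTINELONE_KILL_PROCESS_UNSUPPORTED:
            problems.append(
                f"--{key} is not supported on SentinelOne hosts; use --processName"
            )
        elif key not in SENTINELONE_KILL_PROCESS_ALLOWED:
            problems.append(f"unknown parameter --{key}")
    # --processName must be present and must carry an actual process name.
    if cmd.params.get("processName") in (None, True):
        problems.append("--processName <name> is required on SentinelOne hosts")
    return problems


if __name__ == "__main__":
    # Constructed sample lines: the documented example and two that break the rule.
    for sample in (
        'kill-process --processName cat --comment "Terminate suspicious process"',
        "kill-process --pid 1234",
        "kill-process --entityId abc --processName cat",
    ):
        print(sample, "->", validate_sentinelone_kill_process(sample) or "ok")
```

Run the file directly to see the documented example pass and the --pid and --entityId variants rejected; the same check could sit in front of any automation that builds console commands for hosts enrolled in different third-party systems.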