From 37b25386a905f57f6e826a261d0551fdc31bb00f Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 24 Sep 2024 11:09:49 +0300 Subject: [PATCH 1/2] Add docs for WithSecure response actions --- .../action_library/endpoint/withsecure.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docs/integration/action_library/endpoint/withsecure.md b/docs/integration/action_library/endpoint/withsecure.md index 0fea14f772..b745c5950d 100644 --- a/docs/integration/action_library/endpoint/withsecure.md +++ b/docs/integration/action_library/endpoint/withsecure.md @@ -107,6 +107,40 @@ Update status on Incident. | `status` | `string` | Status. | | `resolution` | `string` | Resolution. | +### Enumerate processes + +Enumerate running processes. + +| Name | Type | Description | +|-------------------|------------|-----------------------------------------------| +| `target` | `string` | Device identifier on which action is created. | +| `organization_id` | `string` | UUID of an organization. | +| `thread_id` | `integer` | ID of a Thread to kill. | + +### Kill Thread + +Kill thread. + +| Name | Type | Description | +|-------------------|---------------|-----------------------------------------------| +| `target` | `string` | Device identifier on which action is created. | +| `organization_id` | `string` | UUID of an organization. | +| `thread_id` | `integer` | ID of a Thread to kill. | + + +### Kill Process + +Kill processes matching patterns. + +| Name | Type | Description | +|------------------------|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `target` | `string` | Device identifier on which action is created. | +| `organization_id` | `string` | UUID of an organization. | +| `match` | `string` | Strategy used to match processes
(`processId`,`processName`,`processNameRegex`,`processPath`,`processPathRegex`) | +| `process_match_values` | `array` | List of values that are used to match process to kill. Depending on selected strategy it might be list of identifiers, names or regular expressions. Up to 6 elements. | +| `process_memory_dump` | `boolean` | Whether to run memory dump on process before killing it. Memory dump can be run only if `processName` or `processId` strategy is used | +| `memory_dump_flag` | `string` | Memory dump flag (`full` - memory dump includes all accessible memory of process, `pmem` - only information necessary to capture process' stack traces) | + ## Extra From a62ced345acf743f6814598bdfdf70e88630dc0e Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 24 Sep 2024 11:37:38 +0300 Subject: [PATCH 2/2] Fix `enumerate process` args --- docs/integration/action_library/endpoint/withsecure.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/integration/action_library/endpoint/withsecure.md b/docs/integration/action_library/endpoint/withsecure.md index b745c5950d..0ee74447a7 100644 --- a/docs/integration/action_library/endpoint/withsecure.md +++ b/docs/integration/action_library/endpoint/withsecure.md @@ -115,7 +115,6 @@ Enumerate running processes. |-------------------|------------|-----------------------------------------------| | `target` | `string` | Device identifier on which action is created. | | `organization_id` | `string` | UUID of an organization. | -| `thread_id` | `integer` | ID of a Thread to kill. | ### Kill Thread
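Review bot: in the first hunk, the `Enumerate processes` table carries a `thread_id` row (`ID of a Thread to kill.`) that is identical to the one in the `Kill Thread` table and does not belong to an enumeration action; drop that row so the action documents only `target` and `organization_id`. Two smaller points in the same hunk: the `match` row is the only description that ends without a period, and there are two blank lines before `### Kill Process` where the other sections use one. Since `process_memory_dump` states that a dump is only possible with the `processName` or `processId` strategy, the `memory_dump_flag` row should say whether the flag is required when `process_memory_dump` is true and what happens when another strategy is selected.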
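Review bot: the second hunk removes only the stray `thread_id` row from the `Enumerate processes` table, which resolves the copy-paste from `Kill Thread`; because it corrects a line added by the first commit of this same series, squashing it into that commit would keep the history from ever documenting `thread_id` as an argument of the enumerate action. The commit subject refers to `enumerate process` while the section heading reads `Enumerate processes`; matching the wording makes the change easier to trace from the rendered docs.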