From 81dfa11c2ec282724d0694b7fe8b32e41a1d4138 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 17 Jan 2024 16:48:51 -0500 Subject: [PATCH] =?UTF-8?q?Bidirectional=20integration=20response=20action?= =?UTF-8?q?s=20(SentinelOne)=20=E2=80=94=20Classic=20docs=20(#4593)=20(#46?= =?UTF-8?q?22)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * First draft * Update Agent installation instructions Needed to make these slightly more generic, so we can reference them for installing Agent for other integrations (such as SentinelOne) * Add links to related docs - Add link to S1 integration docs - Add link to S1 connector docs, which will 404 (but not break build) until S1 connector docs are published (https://github.com/elastic/kibana/pull/174696) * Fix broken link It breaks CI after all (at least it does in Buildkite) * Fix step numbering * Add section heading syntax * Apply suggestions from Natasha's review Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> * Apply feedback: API tokens * Reformat collapsible sections, a few edits * Apply feedback: rule configuration * Add details, clarification - API token requirements - Installing Agent * Fix typo --------- Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> (cherry picked from commit 6793392ec9d63e850b850a47e1b4cb9a32172e6c) Co-authored-by: Joe Peeples --- .../getting-started/install-endpoint.asciidoc | 4 +- .../admin/response-actions-config.asciidoc | 82 ++++++++++++++++++- 2 files changed, 82 insertions(+), 4 deletions(-) diff --git a/docs/getting-started/install-endpoint.asciidoc b/docs/getting-started/install-endpoint.asciidoc index a8bb7c4db4..8173c574fb 100644 --- a/docs/getting-started/install-endpoint.asciidoc +++ b/docs/getting-started/install-endpoint.asciidoc 
@@ -95,14 +95,14 @@ If you have upgraded to an {stack} version that includes {fleet-server} 7.13.0 o [[enroll-agent]] === Add the {agent} -. Go to *{fleet}* -> *Agents* -> **Add agent**. +. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to *{fleet}* -> *Agents* -> **Add agent**. + [role="screenshot"] image::images/install-endpoint/endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.] . Select an agent policy for the {agent}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. + -The selected agent policy should include {elastic-defend}. +The selected agent policy should include the integration you want to install on the hosts covered by the agent policy (in this example, {elastic-defend}). + [role="screenshot"] image::images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png[Add agent flyout with {elastic-defend} integration highlighted.,575] diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index f7c3091d6c..7a3b58ed9e 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc 
@@ -6,8 +6,86 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [manage] +Endpoint response actions involving third-party systems require additional configuration. This page explains the high-level steps you'll need to take to enable these response actions. + +[discrete] +[[configure-sentinelone-response-actions]] +== Configure SentinelOne response actions + +SentinelOne response actions allow you to perform bidirectional actions on protected hosts, such as directing SentinelOne to isolate a suspicious endpoint from your network, without needing to leave the {elastic-sec} UI. + +preview::[] + +.Prerequisites [sidebar] -- -[.text-center] -**This is a placeholder for future documentation.** +* https://www.elastic.co/pricing[Subscription level]: Enterprise + +* {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} feature privilege]: **Actions and Connectors : All**. + +* <>: **All** for the response action features, such as **Host Isolation**, that you want to perform. + +* Endpoints must have actively running SentinelOne agents installed. -- + +Configuration requires the following general steps. Expand the steps and follow the links for detailed instructions: + +. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. ++ +.Expand for details +[%collapsible] +==== +Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them: + +- SentinelOne integration: Permission to read SentinelOne data. +- SentinelOne connector: Permission to read SentinelOne data and perform actions on SentinelOne-protected hosts (for example, isolating and releasing an endpoint). + +Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or SentinelOne's docs for details on generating API tokens. +==== + +. 
**Install the SentinelOne integration and {agent}.** Elastic's {integrations-docs}/sentinel_one[SentinelOne integration] collects and ingests logs into {elastic-sec}. ++ +.Expand for details +[%collapsible] +==== +.. In {kib}, go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. +.. Configure the integration with an **Integration name** and optional **Description**. +.. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**: + - **URL**: The SentinelOne console URL. + - **API Token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data. +.. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. +.. Click **Save and continue**. +.. Select *Add {agent} to your hosts* and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from SentinelOne and sending it to {elastic-sec}. +==== + +. **Create a SentinelOne connector.** Elastic's {kibana-ref}/action-types.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-protected hosts. +// TODO: Update link above to sentinelone-action-type.html once that page is published. ++ +.Expand for details +[%collapsible] +==== +IMPORTANT: Do not create more than one SentinelOne connector. + +.. In {kib}, go to **Stack Management** → **Connectors**, then select **Create connector**. +.. Select the **SentinelOne** connector. +.. Enter the configuration information: + - **Connector name**: A name to identify the connector. + - **SentinelOne tenant URL**: The SentinelOne tenant URL. 
+ - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on SentinelOne-protected hosts. +.. Click **Save**. +==== + +. **Create and enable a rule to generate {elastic-sec} alerts.** Create a <> to generate {elastic-sec} alerts whenever SentinelOne generates alerts. ++ +.Expand for details +[%collapsible] +==== +Use these settings when creating the custom query rule to target the data collected from SentinelOne: + +- **Index patterns**: `logs-sentinel_one.alert*` +- **Custom query**: `observer.serial_number:*` + +NOTE: Do not include any other index patterns or query parameters. + +This rule will give you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. +====
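Review bot: in the install-endpoint.asciidoc hunk, the rewritten policy sentence ("The selected agent policy should include the integration you want to install on the hosts covered by the agent policy") assumes the integration runs on the hosts being protected, which is true for {elastic-defend} but not for the SentinelOne integration this change is meant to support, where the {agent} is a collector on a separate resource and SentinelOne's own agents sit on the hosts. Suggest "The selected agent policy should include the integration you want this {agent} to run (in this example, {elastic-defend})", which covers both cases without implying that the {agent} host is the protected host.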
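Review bot: in the response-actions-config.asciidoc hunk, the `IMPORTANT: Do not create more than one SentinelOne connector.` admonition and the `NOTE: Do not include any other index patterns or query parameters.` in the rule step both state a constraint without saying what happens if it is violated, so a reader who already has a connector, or whose rule covers `logs-sentinel_one.alert*` alongside other indices, cannot tell whether response actions will fail, target the wrong connector, or simply not appear in the Take action menu; one sentence on the consequence after each would make both rules enforceable rather than folklore. Two smaller points in the same hunk: the two cross-references rendered as bare `<>` (the endpoint privilege prerequisite and "continue with the <> to install {agent}") have no visible target and should be checked in the built output, and the `// TODO: Update link above to sentinelone-action-type.html` comment should name the tracking PR (elastic/kibana#174696, cited in the commit message) so the placeholder `action-types.html` link does not ship unnoticed once that page is published.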