diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index bcce5e1e90..cc2cde5d81 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc @@ -24,7 +24,7 @@ Check out <> to learn which response actions are supported * <>: **All** for the response action features, such as **Host Isolation**, that you want to perform. -* Endpoints must have actively running endpoint agents installed. +* Endpoints must have actively running third-party agents installed. -- Expand a section below for your endpoint security system: @@ -37,8 +37,8 @@ Expand a section below for your endpoint security system: . **Create an API client in CrowdStrike.** Refer to CrowdStrike's docs for instructions on creating an API client. + -- Give the API client the least privilege required to read CrowdStrike data and perform actions on enrolled hosts. -- Take note of the client ID, client secret, and base URL: you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. +- Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. +- Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. . **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] collects and ingests logs into {elastic-sec}. 
@@ -71,7 +71,7 @@ IMPORTANT: Do not create more than one CrowdStrike connector. + NOTE: Do not include any other index patterns. + -This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. +This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout. ==== @@ -83,7 +83,7 @@ This gives you visibility into CrowdStrike without needing to leave {elastic-sec . **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. + -Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them: +Create two API tokens in SentinelOne, and give them the minimum privilege required by the Elastic components that will use them: + -- - SentinelOne integration: Permission to read SentinelOne data. @@ -126,5 +126,5 @@ Use these settings when creating the custom query rule to target the data collec + NOTE: Do not include any other index patterns or query parameters. + -This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. +This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout. ==== \ No newline at end of file 
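Review bot: Replacing "least privilege" with "minimum privilege" in the CrowdStrike API client hunk (@@ -37,8 +37,8 @@) and the SentinelOne token hunk (@@ -83,7 +83,7 @@) drops the standard security term; "least privilege" is the established name of the principle readers will search for, so keep "Give the API client the least privilege required to read CrowdStrike data and perform actions on enrolled hosts." and "give them the least privilege required by the Elastic components that will use them:" rather than rewording. The other edits in these hunks (colon to semicolon, "on" to "in the alert details flyout", "endpoint agents" to "third-party agents") read fine. Unrelated to this change but worth fixing while touching the file: the asciidoc source still ends without a trailing newline ("\ No newline at end of file"), which will keep producing noisy diffs.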
diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.mdx b/docs/serverless/endpoint-response-actions/response-actions-config.mdx index ff5a352b71..e5aba1d9e3 100644 --- a/docs/serverless/endpoint-response-actions/response-actions-config.mdx +++ b/docs/serverless/endpoint-response-actions/response-actions-config.mdx @@ -21,7 +21,7 @@ Check out to learn w * Project features add-on: Endpoint Protection Complete * User roles: **SOC manager** or **Endpoint operations analyst** -* Endpoints must have actively running endpoint agents installed. +* Endpoints must have actively running third-party agents installed. Select a tab below for your endpoint security system: @@ -34,9 +34,9 @@ Select a tab below for your endpoint security system: 1. **Create an API client in CrowdStrike.** Refer to CrowdStrike's docs for instructions on creating an API client. - - Give the API client the least privilege required to read CrowdStrike data and perform actions on enrolled hosts. + - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. - - Take note of the client ID, client secret, and base URL: you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike.

+ - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike.

1. **Install the CrowdStrike integration and ((agent)).** Elastic's [CrowdStrike integration](((integrations-docs))/crowdstrike) collects and ingests logs into ((elastic-sec)). 1. Go to **Project Settings** → **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**. @@ -71,7 +71,7 @@ Select a tab below for your endpoint security system: Do not include any other index patterns. - This gives you visibility into CrowdStrike without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. + This gives you visibility into CrowdStrike without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout. @@ -81,7 +81,7 @@ Select a tab below for your endpoint security system: 1. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow ((elastic-sec)) to collect data and perform actions in SentinelOne. - Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them: + Create two API tokens in SentinelOne, and give them the minimum privilege required by the Elastic components that will use them: - SentinelOne integration: Permission to read SentinelOne data. - SentinelOne connector: Permission to read SentinelOne data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint).

@@ -122,6 +122,6 @@ Select a tab below for your endpoint security system: Do not include any other index patterns or query parameters. - This gives you visibility into SentinelOne without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. + This gives you visibility into SentinelOne without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout.
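Review bot: The same "least privilege" to "minimum privilege" substitution appears in the serverless .mdx hunks (@@ -34,9 +34,9 @@ and @@ -81,7 +81,7 @@); for consistency with the asciidoc file and with the standard term, suggest keeping "least privilege" in both files. In the prerequisites hunk (@@ -21,7 +21,7 @@), "Endpoints must have actively running third-party agents installed." is less specific than the text it replaces; since the page covers CrowdStrike and SentinelOne tabs, consider "Endpoints must have the agent for your endpoint security system (CrowdStrike or SentinelOne) installed and running." so readers know which agent is meant. The "menu in the alert details flyout" wording is now consistent across both files, which is good.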