diff --git a/docs/getting-started/defend-feature-privs.asciidoc b/docs/getting-started/defend-feature-privs.asciidoc index 555ba4ff5b..c0a091f827 100644 --- a/docs/getting-started/defend-feature-privs.asciidoc +++ b/docs/getting-started/defend-feature-privs.asciidoc @@ -57,6 +57,9 @@ To grant access, select *All* for the *Security* feature in the *{kib} privilege a| Perform shell commands and script-related <> in the response console. WARNING: The commands are run on the host using the same user account running the {elastic-defend} integration, which normally has full control over the system. Only grant this feature privilege to {elastic-sec} users who require this level of access. + +| *Scan Operations* +| Perform folder scan <> in the response console. |============================================== [discrete] diff --git a/docs/getting-started/images/endpoint-privileges.png b/docs/getting-started/images/endpoint-privileges.png index a1144296ed..d3c9cf2e2f 100644 Binary files a/docs/getting-started/images/endpoint-privileges.png and b/docs/getting-started/images/endpoint-privileges.png differ diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 821034bbb9..dd2b10ff20 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc 
@@ -173,6 +173,19 @@ TIP: You can follow this with the `execute` response action to upload and run sc NOTE: The default file size maximum is 25 MB, configurable in `kibana.yml` with the `maxUploadResponseActionFileBytes` setting. You must enter the value in bytes (the maximum is `104857600` bytes, or 100 MB). +[discrete] +=== `scan` + +Scan a specific file or directory on the host for malware. The scan uses the <> (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host's associated {elastic-defend} integration policy. Use these parameters: + +* `--path` : (Required) The absolute path to a file or directory to be scanned. + +Required privilege: *Scan Operations* + +Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads folder for malware"` + +NOTE: Scanning can take longer for directories containing a lot of files. + [discrete] [[supporting-commands-parameters]] == Supporting commands and parameters
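Review bot: In docs/getting-started/defend-feature-privs.asciidoc, the new *Scan Operations* row says "Perform folder scan", but the `scan` section added in response-actions.asciidoc describes scanning "a specific file or directory". Align the two, for example "Perform file and folder scan", so that an administrator reading the privilege table sees the full scope of what is being granted. Naming the `scan` command in the row would also make it easier to map the privilege to the "Required privilege: *Scan Operations*" line in the command reference.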
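Review bot: In the new `scan` section of docs/management/admin/response-actions.asciidoc, the example passes `--comment`, but the list under "Use these parameters:" documents only `--path`. Either list `--comment` as optional here or point to the "Supporting commands and parameters" section that follows, so the example uses nothing the section leaves unexplained. The closing NOTE says large directories take longer to scan, but the section does not say where the analyst sees the outcome or how to tell that the scan has finished. A sentence on that would help, as would one on what the reader should expect under **Detect** versus **Prevent**.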