Commit

Fills in config details, edits
joepeeples committed Jul 11, 2024
1 parent 8110b7d commit 937bf43
Showing 2 changed files with 22 additions and 23 deletions.
Expand Up @@ -11,7 +11,7 @@ tags: ["serverless","security","how-to","configure"]

<div id="response-actions-config"></div>

You can direct third-party endpoint protection systems to perform response actions on protected hosts, such as isolating a suspicious endpoint from your network, without leaving the ((elastic-sec)) UI. This page explains the configuration steps needed to enable response actions for these third-party systems:
You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the ((elastic-sec)) UI. This page explains the configuration steps needed to enable response actions for these third-party systems:

* CrowdStrike
* SentinelOne
Expand All @@ -30,28 +30,27 @@ Select a tab below for your endpoint security system:
<DocTab name="CrowdStrike">
{/* NOTE TO CONTRIBUTORS: These DocTabs have very similar content. If you change anything
in this tab, apply the change to the other tabs, too. */}
Follow these steps to configure response actions for CrowdStrike-enrolled hosts:
To configure response actions for CrowdStrike-enrolled hosts:

1. **Generate client secrets in CrowdStrike.** You'll need the client secrets in later steps, and they allow ((elastic-sec)) to collect data and perform actions in the system.
1. **Create an API client in CrowdStrike.** Refer to CrowdStrike's docs for instructions on creating an API client.

Create two client secrets in CrowdStrike, and give them the least privilege required by the Elastic components that will use them:
- CrowdStrike integration: Permission to read CrowdStrike data.
- CrowdStrike connector: Permission to read CrowdStrike data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint).<br /><br />

Refer to CrowdStrike's docs for details on generating client secrets.<br /><br />
- Give the API client the least privilege required to read CrowdStrike data and perform actions on enrolled hosts.

- Take note of the client ID, client secret, and base URL: you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike.<br /><br />

1. **Install the CrowdStrike integration and ((agent)).** Elastic's [CrowdStrike integration](((integrations-docs))/crowdstrike) collects and ingests logs into ((elastic-sec)).
1. Go to **Project Settings****Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**.
1. Configure the integration with an **Integration name** and optional **Description**.
1. Ensure that **Collect CrowdStrike logs via API** is selected, and enter the required **Settings**:
- **Client ID**: Client ID for your CrowdStrike instance.
1. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**:
- **Client ID**: Client ID for your CrowdStrike API client.
- **Client Secret**: Client secret allowing you access to CrowdStrike.
- **URL**: The base URL of the CrowdStrike API.
1. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**.
1. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on ((agent)) configuration settings, refer to [((agent)) policies](((fleet-guide))/agent-policy.html).
1. Click **Save and continue**.
1. Select **Add ((agent)) to your hosts** and continue with the <DocLink slug="/serverless/security/install-edr" section="enroll-agent">((agent)) installation steps</DocLink> to install ((agent)) on a resource in your network (such as a server or VM). ((agent)) will act as a bridge collecting data from CrowdStrike and sending it back to ((elastic-sec)).<br /><br />

1. **Create a CrowdStrike connector.** Elastic's CrowdStrike connector enables ((elastic-sec)) to perform actions on CrowdStrike-enrolled hosts.
1. **Create a CrowdStrike connector.** Elastic's [CrowdStrike connector](((kibana-ref))/action-types.html) enables ((elastic-sec)) to perform actions on CrowdStrike-enrolled hosts.

<DocCallOut color="warning" title="Important">
Do not create more than one CrowdStrike connector.
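Review bot: The rewritten step 1 drops the least-privilege split that the old text had. The removed lines asked for two client secrets, a read-only one for the CrowdStrike integration and a read-plus-actions one for the connector; the new line "Give the API client the least privilege required to read CrowdStrike data and perform actions on enrolled hosts" hands a single credential with host-isolation rights to the log-collection integration as well. Suggest either keeping two API clients (one read-only for the integration, one with action permissions for the connector) or adding a sentence explaining why one shared client is acceptable here. Separately, the line "Go to **Project Settings****Integrations**" has lost the separator between the two bold menu items; check the source has the arrow between them.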
Expand All @@ -61,19 +60,15 @@ Select a tab below for your endpoint security system:
1. Select the **CrowdStrike** connector.
1. Enter the configuration information:
- **Connector name**: A name to identify the connector.
- **CrowdStrike API URL**:
- **CrowdStrike Client ID**:
- **Client Secret**: The CrowdStrike client secret you generated previously, with permission to read CrowdStrike data and perform actions on enrolled hosts.
- **CrowdStrike API URL**: The base URL of the CrowdStrike API.
- **CrowdStrike Client ID**: Client ID for your CrowdStrike API client.
- **Client Secret**: Client secret allowing you access to CrowdStrike.
1. Click **Save**.<br /><br />

1. **Create and enable a rule to generate ((elastic-sec)) alerts.** Create a <DocLink slug="/serverless/security/rules-create" section="create-custom-rule">custom query detection rule</DocLink> to generate ((elastic-sec)) alerts whenever CrowdStrike generates alerts.

Use these settings when creating the custom query rule to target the data collected from CrowdStrike:
- **Index patterns**:
- **Custom query**: <br /><br />
1. **Create and enable a rule to generate ((elastic-sec)) alerts.** (Optional) Create a <DocLink slug="/serverless/security/rules-create" section="create-custom-rule">custom query detection rule</DocLink> to generate ((elastic-sec)) alerts based on CrowdStrike events and data. Use the index pattern `logs-crowdstrike*`.

<DocCallOut title="Note">
Do not include any other index patterns or query parameters.
Do not include any other index patterns.
</DocCallOut>

This gives you visibility into CrowdStrike without needing to leave ((elastic-sec)). You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout.
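Review bot: The connector field descriptions are now less precise than the text they replace. "**Client Secret**: Client secret allowing you access to CrowdStrike" no longer tells the reader that this secret must carry permission to perform actions on enrolled hosts, which is exactly where a read-only secret would fail silently at action time; suggest restoring "with permission to read CrowdStrike data and perform actions on enrolled hosts" on that line. Also, `logs-crowdstrike*` matches host inventory data as well as Falcon alerts (both sub-options are enabled in the integration step), so the rule will fire on more than alerts; if an alert-specific dataset exists, as `logs-sentinel_one.alert*` does for the other tab, prefer it, and state in the Note callout why no other index patterns may be added (response actions are resolved from the CrowdStrike-sourced alert).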
Expand All @@ -82,7 +77,7 @@ Select a tab below for your endpoint security system:
<DocTab name="SentinelOne">
{/* NOTE TO CONTRIBUTORS: These DocTabs have very similar content. If you change anything
in this tab, apply the change to the other tabs, too. */}
Follow these steps to configure response actions for SentinelOne-enrolled hosts:
To configure response actions for SentinelOne-enrolled hosts:

1. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow ((elastic-sec)) to collect data and perform actions in SentinelOne.

Expand Down Expand Up @@ -117,7 +112,7 @@ Select a tab below for your endpoint security system:
- **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts.
1. Click **Save**.<br /><br />

1. **Create and enable a rule to generate ((elastic-sec)) alerts.** Create a <DocLink slug="/serverless/security/rules-create" section="create-custom-rule">custom query detection rule</DocLink> to generate ((elastic-sec)) alerts whenever SentinelOne generates alerts.
1. **Create and enable a rule to generate ((elastic-sec)) alerts.** (Optional) Create a <DocLink slug="/serverless/security/rules-create" section="create-custom-rule">custom query detection rule</DocLink> to generate ((elastic-sec)) alerts whenever SentinelOne generates alerts.

Use these settings when creating the custom query rule to target the data collected from SentinelOne:
- **Index patterns**: `logs-sentinel_one.alert*`
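Review bot: The two tabs have drifted apart even though the contributor note asks for mirrored content. The CrowdStrike tab now reads "based on CrowdStrike events and data" with `logs-crowdstrike*`, while this hunk keeps "whenever SentinelOne generates alerts" with `logs-sentinel_one.alert*` and the "Use these settings" sub-list; pick one phrasing and one structure for both tabs so readers comparing them do not infer a functional difference that is not there.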
@@ -1,12 +1,16 @@
---
slug: /serverless/security/third-party-actions
title: Third-party response actions
description: Respond to threats on hosts enrolled in third-party systems.
description: Respond to threats on hosts enrolled in third-party security systems.
tags: ["serverless","security","defend","reference","manage"]
---

<DocBadge template="technical preview" />

<DocCallOut template="technical_preview" />

<div id="third-party-actions"></div>

You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the ((elastic-sec)) UI.

<DocCallOut title="Requirements">
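Review bot: Two technical-preview markers are added back to back, `<DocBadge template="technical preview" />` and `<DocCallOut template="technical_preview" />`. If the repo's other technical-preview pages use only one of these, keep that one; if both are the convention, fine as is. Note the two template values are spelled differently ("technical preview" vs "technical_preview"), so confirm each matches the component's expected template name.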

0 comments on commit 937bf43