First draft of classic version

docs/management/admin/response-actions-config.asciidoc

@@ -6,15 +6,14 @@
 :frontmatter-tags-content-type: [how-to]
 :frontmatter-tags-user-goals: [manage]
 
-Endpoint response actions involving third-party systems require additional configuration. This page explains the high-level steps you'll need to take to enable these response actions.
+preview::[]
 
-[discrete]
-[[configure-sentinelone-response-actions]]
-== Configure SentinelOne response actions
+You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems:
 
-You can direct SentinelOne to perform response actions on protected hosts, such as isolating a suspicious endpoint from your network, without needing to leave the {elastic-sec} UI.
+* CrowdStrike
+* SentinelOne
 
-preview::[]
+Check out <<third-party-actions>> to learn which response actions are supported for each system.
 
 .Prerequisites
 [sidebar]
@@ -25,66 +24,107 @@ preview::[]
 
 * <<endpoint-management-req,{elastic-sec} feature privileges>>: **All** for the response action features, such as **Host Isolation**, that you want to perform.
 
-* Endpoints must have actively running SentinelOne agents installed.
+* Endpoints must have actively running endpoint agents installed.
 --
 
-Configuration requires the following general steps. Expand the steps and follow the links for detailed instructions:
+Expand a section below for your endpoint security system:
 
-. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. 
+.**Set up CrowdStrike response actions**
+[%collapsible]
+====
+// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything 
+// in this section, apply the change to the other sections, too.
+
+. **Create an API client in CrowdStrike.** Refer to CrowdStrike's docs for instructions on creating an API client.
++
+- Give the API client the least privilege required to read CrowdStrike data and perform actions on enrolled hosts.
+- Take note of the client ID, client secret, and base URL: you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike.
+
+. **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration]
+ collects and ingests logs into {elastic-sec}.
++
+.. Go to **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**.
+.. Configure the integration with an **Integration name** and optional **Description**.
+.. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**:
+   - **Client ID**: Client ID for your CrowdStrike API client.
+   - **Client Secret**: Client secret allowing you access to CrowdStrike.
+   - **URL**: The base URL of the CrowdStrike API.
+.. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**.
+.. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
+.. Click **Save and continue**.
+.. Select **Add {agent} to your hosts** and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from CrowdStrike and sending it back to {elastic-sec}.
+
+. **Create a CrowdStrike connector.** Elastic's {kibana-ref}/action-types.html[CrowdStrike connector] enables {elastic-sec} to perform actions on CrowdStrike-enrolled hosts.
 +
-.Expand for details
+IMPORTANT: Do not create more than one CrowdStrike connector.
++
+.. Go to **Stack Management** → **Connectors**, then select **Create connector**.
+.. Select the CrowdStrike connector.
+.. Enter the configuration information:
+   - **Connector name**: A name to identify the connector.
+   - **CrowdStrike API URL**: The base URL of the CrowdStrike API.
+   - **CrowdStrike Client ID**: Client ID for your CrowdStrike API client.
+   - **Client Secret**: Client secret allowing you access to CrowdStrike.
+.. Click **Save**.
+
+. **Create and enable a rule to generate {elastic-sec} alerts.** (Optional) Create a <<create-custom-rule,custom query detection rule>> to generate {elastic-sec} alerts based on CrowdStrike events and data. Use the index pattern `logs-crowdstrike*`.
++
+NOTE: Do not include any other index patterns.
++
+This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout.
+====
+
+
+.**Set up SentinelOne response actions**
 [%collapsible]
 ====
-Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them:
+// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything 
+// in this section, apply the change to the other sections, too.
 
+. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. 
++
+Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them:
++
+--
 - SentinelOne integration: Permission to read SentinelOne data.
-- SentinelOne connector: Permission to read SentinelOne data and perform actions on SentinelOne-protected hosts (for example, isolating and releasing an endpoint).
-
+- SentinelOne connector: Permission to read SentinelOne data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint).
+--
++
 Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or SentinelOne's docs for details on generating API tokens.
-====
 
 . **Install the SentinelOne integration and {agent}.** Elastic's {integrations-docs}/sentinel_one[SentinelOne integration] collects and ingests logs into {elastic-sec}.
 +
-.Expand for details
-[%collapsible]
-====
-.. In {kib}, go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**.
+.. Go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**.
 .. Configure the integration with an **Integration name** and optional **Description**.
 .. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**:
    - **URL**: The SentinelOne console URL.
    - **API Token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data.
 .. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
 .. Click **Save and continue**.
 .. Select *Add {agent} to your hosts* and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from SentinelOne and sending it to {elastic-sec}.
-====
 
-. **Create a SentinelOne connector.** Elastic's {kibana-ref}/sentinelone-action-type.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-protected hosts.
+. **Create a SentinelOne connector.** Elastic's {kibana-ref}/sentinelone-action-type.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-enrolled hosts.
 +
-.Expand for details
-[%collapsible]
-====
 IMPORTANT: Do not create more than one SentinelOne connector.
 
-.. In {kib}, go to **Stack Management** → **Connectors**, then select **Create connector**.
+.. Go to **Stack Management** → **Connectors**, then select **Create connector**.
 .. Select the **SentinelOne** connector.
 .. Enter the configuration information:
    - **Connector name**: A name to identify the connector.
    - **SentinelOne tenant URL**: The SentinelOne tenant URL.
-   - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on SentinelOne-protected hosts.
+   - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts.
 .. Click **Save**.
-====
 
 . **Create and enable a rule to generate {elastic-sec} alerts.** Create a <<create-custom-rule,custom query detection rule>> to generate {elastic-sec} alerts whenever SentinelOne generates alerts. 
 +
-.Expand for details
-[%collapsible]
-====
 Use these settings when creating the custom query rule to target the data collected from SentinelOne:
-
++
+--
 - **Index patterns**: `logs-sentinel_one.alert*`
 - **Custom query**: `observer.serial_number:*`
-
+--
++
 NOTE: Do not include any other index patterns or query parameters.
-
-This rule will give you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout.
-====
++
+This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout.
+====

docs/management/admin/response-actions.asciidoc

@@ -111,12 +111,7 @@ Example: `suspend-process --pid 123 --comment "Suspend suspicious process"`
 
 Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment.
 
-[NOTE]
-====
-Files retrieved from third-party-protected hosts require a different password. Refer to the following:
-
-* <<sentinelone-response-actions>>
-====
+NOTE: Files retrieved from third-party-protected hosts require a different password. Refer to <<third-party-actions>> for your system's password.
 
 You must include the following parameter to specify the file's location on the host:
 

docs/management/admin/third-party-actions.asciidoc

@@ -1,26 +1,43 @@
 [[third-party-actions]]
 = Third-party response actions
 
-:frontmatter-description: Perform response actions on hosts protected by third-party endpoint security systems.
+:frontmatter-description: Respond to threats on hosts enrolled in third-party security systems.
 :frontmatter-tags-products: [security]
 :frontmatter-tags-content-type: [reference]
 :frontmatter-tags-user-goals: [manage]
 
 preview::[]
 
-[discrete]
-[[sentinelone-response-actions]]
-== SentinelOne response actions
-
-You can direct SentinelOne to perform response actions on protected hosts without leaving the {elastic-sec} UI. Prior <<response-actions-config,configuration>> is required to connect {elastic-sec} with SentinelOne.
+You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {elastic-sec} UI.
 
 .Requirements
 [sidebar]
 --
-Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription], and each response action type has its own user role privilege requirements. Refer to <<response-actions>> for more information.
+* Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription].
+
+* Each response action type has its own user role privilege requirements. Find an action's role requirements at <<response-actions>>.
 --
 
-The following response actions and related features are supported for SentinelOne-protected hosts:
+[discrete]
+[[crowdstrike-response-actions]]
+== CrowdStrike response actions
+
+These response actions are supported for CrowdStrike-enrolled hosts:
+
+* **Isolate and release a host** using any of these methods:
++
+--
+** From a detection alert
+** From the response console
+--
++
+Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.
+
+[discrete]
+[[sentinelone-response-actions]]
+== SentinelOne response actions
+
+These response actions are supported for SentinelOne-enrolled hosts:
 
 * **Isolate and release a host** using any of these methods:
 +
@@ -33,6 +50,6 @@ Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,r
 
 * **Retrieve a file from a host** with the <<get-file,`get-file` response action>>.
 +
-NOTE: For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file.
+NOTE: For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file.
 
 * **View past response action activity** in the <<response-actions-history,response actions history>> log.

docs/serverless/endpoint-response-actions/third-party-actions.mdx

@@ -23,7 +23,7 @@ You can perform response actions on hosts enrolled in other third-party endpoint
 
 ## Supported systems and response actions
 
-Third-party response actions are supported for CrowdStrike and SentinelOne. <DocLink slug="/serverless/security/response-actions-config">Prior configuration is required</DocLink> to connect each system with ((elastic-sec)).
+The following third-party response actions are supported for CrowdStrike and SentinelOne. <DocLink slug="/serverless/security/response-actions-config">Prior configuration is required</DocLink> to connect each system with ((elastic-sec)).
 
 <DocTabs>
    <DocTab name="CrowdStrike">