From 94f22e1b84b809ef3456c0ddabd9470c666530fe Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Fri, 12 Jul 2024 12:38:00 -0400 Subject: [PATCH] First draft of classic version --- .../admin/response-actions-config.asciidoc | 108 ++++++++++++------ .../admin/response-actions.asciidoc | 7 +- .../admin/third-party-actions.asciidoc | 35 ++++-- .../third-party-actions.mdx | 2 +- 4 files changed, 102 insertions(+), 50 deletions(-) diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index 735f6c81b3..bcce5e1e90 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc @@ -6,15 +6,14 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [manage] -Endpoint response actions involving third-party systems require additional configuration. This page explains the high-level steps you'll need to take to enable these response actions. +preview::[] -[discrete] -[[configure-sentinelone-response-actions]] -== Configure SentinelOne response actions +You can direct third-party endpoint protection systems to perform response actions on enrolled hosts, such as isolating a suspicious endpoint from your network, without leaving the {elastic-sec} UI. This page explains the configuration steps needed to enable response actions for these third-party systems: -You can direct SentinelOne to perform response actions on protected hosts, such as isolating a suspicious endpoint from your network, without needing to leave the {elastic-sec} UI. +* CrowdStrike +* SentinelOne -preview::[] +Check out <> to learn which response actions are supported for each system. .Prerequisites [sidebar] 
@@ -25,30 +24,77 @@ preview::[] * <>: **All** for the response action features, such as **Host Isolation**, that you want to perform. -* Endpoints must have actively running SentinelOne agents installed. +* Endpoints must have actively running endpoint agents installed. -- -Configuration requires the following general steps. Expand the steps and follow the links for detailed instructions: +Expand a section below for your endpoint security system: -. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. +.**Set up CrowdStrike response actions** +[%collapsible] +==== +// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything +// in this section, apply the change to the other sections, too. + +. **Create an API client in CrowdStrike.** Refer to CrowdStrike's docs for instructions on creating an API client. ++ +- Give the API client the least privilege required to read CrowdStrike data and perform actions on enrolled hosts. +- Take note of the client ID, client secret, and base URL: you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. + +. **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] + collects and ingests logs into {elastic-sec}. ++ +.. Go to **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**. +.. Configure the integration with an **Integration name** and optional **Description**. +.. Select **Collect CrowdStrike logs via API**, and enter the required **Settings**: + - **Client ID**: Client ID for your CrowdStrike API client. + - **Client Secret**: Client secret allowing you access to CrowdStrike. + - **URL**: The base URL of the CrowdStrike API. +.. Select the **Falcon Alerts** and **Hosts** sub-options under **Collect CrowdStrike logs via API**. +.. 
Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. +.. Click **Save and continue**. +.. Select **Add {agent} to your hosts** and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from CrowdStrike and sending it back to {elastic-sec}. + +. **Create a CrowdStrike connector.** Elastic's {kibana-ref}/action-types.html[CrowdStrike connector] enables {elastic-sec} to perform actions on CrowdStrike-enrolled hosts. + -.Expand for details +IMPORTANT: Do not create more than one CrowdStrike connector. ++ +.. Go to **Stack Management** → **Connectors**, then select **Create connector**. +.. Select the CrowdStrike connector. +.. Enter the configuration information: + - **Connector name**: A name to identify the connector. + - **CrowdStrike API URL**: The base URL of the CrowdStrike API. + - **CrowdStrike Client ID**: Client ID for your CrowdStrike API client. + - **Client Secret**: Client secret allowing you access to CrowdStrike. +.. Click **Save**. + +. **Create and enable a rule to generate {elastic-sec} alerts.** (Optional) Create a <> to generate {elastic-sec} alerts based on CrowdStrike events and data. Use the index pattern `logs-crowdstrike*`. ++ +NOTE: Do not include any other index patterns. ++ +This gives you visibility into CrowdStrike without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. 
+==== + + +.**Set up SentinelOne response actions** [%collapsible] ==== -Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them: +// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything +// in this section, apply the change to the other sections, too. +. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne. ++ +Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them: ++ +-- - SentinelOne integration: Permission to read SentinelOne data. -- SentinelOne connector: Permission to read SentinelOne data and perform actions on SentinelOne-protected hosts (for example, isolating and releasing an endpoint). - +- SentinelOne connector: Permission to read SentinelOne data and perform actions on enrolled hosts (for example, isolating and releasing an endpoint). +-- ++ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or SentinelOne's docs for details on generating API tokens. -==== . **Install the SentinelOne integration and {agent}.** Elastic's {integrations-docs}/sentinel_one[SentinelOne integration] collects and ingests logs into {elastic-sec}. + -.Expand for details -[%collapsible] -==== -.. In {kib}, go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. +.. Go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**. .. Configure the integration with an **Integration name** and optional **Description**. .. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**: - **URL**: The SentinelOne console URL. 
@@ -56,35 +102,29 @@ Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or S .. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies]. .. Click **Save and continue**. .. Select *Add {agent} to your hosts* and continue with the <> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from SentinelOne and sending it to {elastic-sec}. -==== -. **Create a SentinelOne connector.** Elastic's {kibana-ref}/sentinelone-action-type.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-protected hosts. +. **Create a SentinelOne connector.** Elastic's {kibana-ref}/sentinelone-action-type.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-enrolled hosts. + -.Expand for details -[%collapsible] -==== IMPORTANT: Do not create more than one SentinelOne connector. -.. In {kib}, go to **Stack Management** → **Connectors**, then select **Create connector**. +.. Go to **Stack Management** → **Connectors**, then select **Create connector**. .. Select the **SentinelOne** connector. .. Enter the configuration information: - **Connector name**: A name to identify the connector. - **SentinelOne tenant URL**: The SentinelOne tenant URL. - - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on SentinelOne-protected hosts. + - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts. .. Click **Save**. -==== . 
**Create and enable a rule to generate {elastic-sec} alerts.** Create a <> to generate {elastic-sec} alerts whenever SentinelOne generates alerts. + -.Expand for details -[%collapsible] -==== Use these settings when creating the custom query rule to target the data collected from SentinelOne: - ++ +-- - **Index patterns**: `logs-sentinel_one.alert*` - **Custom query**: `observer.serial_number:*` - +-- ++ NOTE: Do not include any other index patterns or query parameters. - -This rule will give you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. -==== ++ +This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout. +==== \ No newline at end of file diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 821034bbb9..13bc1d5eca 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc @@ -111,12 +111,7 @@ Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. -[NOTE] -==== -Files retrieved from third-party-protected hosts require a different password. Refer to the following: - -* <> -==== +NOTE: Files retrieved from third-party-protected hosts require a different password. Refer to <> for your system's password. You must include the following parameter to specify the file's location on the host: 
diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index a544666a75..4daea36693 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc 
@@ -1,26 +1,43 @@ [[third-party-actions]] = Third-party response actions -:frontmatter-description: Perform response actions on hosts protected by third-party endpoint security systems. +:frontmatter-description: Respond to threats on hosts enrolled in third-party security systems. :frontmatter-tags-products: [security] :frontmatter-tags-content-type: [reference] :frontmatter-tags-user-goals: [manage] preview::[] -[discrete] -[[sentinelone-response-actions]] -== SentinelOne response actions - -You can direct SentinelOne to perform response actions on protected hosts without leaving the {elastic-sec} UI. Prior <> is required to connect {elastic-sec} with SentinelOne. +You can perform response actions on hosts enrolled in other third-party endpoint protection systems, such as CrowdStrike or SentinelOne. For example, you can direct the other system to isolate a suspicious endpoint from your network, without leaving the {elastic-sec} UI. .Requirements [sidebar] -- -Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription], and each response action type has its own user role privilege requirements. Refer to <> for more information. +* Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription]. + +* Each response action type has its own user role privilege requirements. Find an action's role requirements at <>. -- -The following response actions and related features are supported for SentinelOne-protected hosts: +[discrete] +[[crowdstrike-response-actions]] +== CrowdStrike response actions + +These response actions are supported for CrowdStrike-enrolled hosts: + +* **Isolate and release a host** using any of these methods: ++ +-- +** From a detection alert +** From the response console +-- ++ +Refer to the instructions on <> and <> hosts for more details. 
+ +[discrete] +[[sentinelone-response-actions]] +== SentinelOne response actions + +These response actions are supported for SentinelOne-enrolled hosts: * **Isolate and release a host** using any of these methods: + @@ -33,6 +50,6 @@ Refer to the instructions on <> and <>. + -NOTE: For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file. +NOTE: For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file. * **View past response action activity** in the <> log. diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.mdx b/docs/serverless/endpoint-response-actions/third-party-actions.mdx index f39eb754b3..7ff2c49d68 100644 --- a/docs/serverless/endpoint-response-actions/third-party-actions.mdx +++ b/docs/serverless/endpoint-response-actions/third-party-actions.mdx @@ -23,7 +23,7 @@ You can perform response actions on hosts enrolled in other third-party endpoint ## Supported systems and response actions -Third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with ((elastic-sec)). +The following third-party response actions are supported for CrowdStrike and SentinelOne. Prior configuration is required to connect each system with ((elastic-sec)).
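Review bot: In the first hunk of response-actions-config.asciidoc, the removed anchor `[[configure-sentinelone-response-actions]]` may still be a cross-reference target elsewhere in the docs, and the rewritten NOTE in response-actions.asciidoc now routes readers to this page through a single `<<...>>` link, so grep the docs for the old anchor and either keep it as an alias right above the new SentinelOne collapsible or update every reference. The new intro also refers to "these third-party systems" before listing CrowdStrike and SentinelOne; consider naming the section or table that `Check out <> to learn which response actions are supported` links to, so readers of the rendered page can find it without the link.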
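Review bot: In the second hunk of response-actions-config.asciidoc, the CrowdStrike steps reuse one API client's ID and secret for both the integration (log collection) and the connector (actions on enrolled hosts), so the ingest path ends up holding action-capable credentials, whereas the SentinelOne section in the same file splits this into a read-only integration token and an action-capable connector token. Suggest mirroring that guidance: have step 1 create two API clients with the least privilege each Elastic component needs, and state which client the integration step and the connector step use. Two smaller points in the same hunk: `{kibana-ref}/action-types.html[CrowdStrike connector]` links to the generic connector index while the SentinelOne step links to `sentinelone-action-type.html`, so link the CrowdStrike-specific connector page if one exists; and the rule step uses the bare pattern `logs-crowdstrike*` even though the integration was configured to collect both **Falcon Alerts** and **Hosts**, so confirm the rule is meant to match host inventory documents too, or narrow it the way the SentinelOne step does with `logs-sentinel_one.alert*` and `observer.serial_number:*`.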
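Review bot: In the third hunk of response-actions-config.asciidoc, the file now ends without a trailing newline (`\ No newline at end of file` after the closing `====`); add one. In the same hunk, after `IMPORTANT: Do not create more than one SentinelOne connector.` no `+` continuation is inserted before `.. Go to **Stack Management**`, while the CrowdStrike section adds a `+` at the equivalent spot; now that the old `[%collapsible]` wrappers are gone, check that the nested sub-steps render identically in both sections. The context line `Select *Add {agent} to your hosts*` also still uses single-asterisk emphasis where the new CrowdStrike text uses `**Add {agent} to your hosts**`.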
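Review bot: In the response-actions.asciidoc hunk, `Refer to <> for your system's password` implies that every supported third-party system documents a file-retrieval password, but the CrowdStrike section added to third-party-actions.asciidoc in this same patch lists only isolate and release, and only the SentinelOne section documents `Elastic@123`. Suggest wording the note so it does not promise a password for each system (for example, refer readers there to check whether their system supports file retrieval and which password applies), or have the CrowdStrike section state explicitly that retrieving a file is not supported for CrowdStrike-enrolled hosts.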
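Review bot: In the first hunk of third-party-actions.asciidoc, the rewritten intro drops the sentence `Prior <> is required to connect {elastic-sec} with SentinelOne`, so the classic page no longer links readers to the configuration steps, while the serverless counterpart updated in this same patch keeps "Prior configuration is required to connect each system"; restore a link to the configuration page in the intro. Minor wording in the same hunk: "hosts enrolled in other third-party endpoint protection systems" reads oddly on a page titled Third-party response actions, so consider dropping "other".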
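Review bot: In the third-party-actions.mdx hunk, changing `Third-party response actions are supported for CrowdStrike and SentinelOne` to `The following third-party response actions are supported for CrowdStrike and SentinelOne` shifts the sentence from naming the supported systems to announcing a list of actions; since the heading is "Supported systems and response actions", confirm that what immediately follows is indeed a list of actions rather than the per-system sections, otherwise the original wording was the accurate one.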