[8.16] Known Issues + Access requirements for Crowdstrike Connector (backport #5848) (#6112)

* Known Issues + Access requirements for Crowdstrike Connector (#5848)

* First draft

* mdx to asciidoc

* Apply suggestions from Nastasha's review

Co-authored-by: Nastasha Solomon <[email protected]>

---------

Co-authored-by: Colleen McGinnis <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
(cherry picked from commit 8b7467f)

# Conflicts:
#	docs/serverless/endpoint-response-actions/response-actions-config.asciidoc
#	docs/serverless/endpoint-response-actions/third-party-actions.asciidoc

* Delete docs/serverless directory and its contents

---------

Co-authored-by: Joe Peeples <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
3 people authored Nov 11, 2024
1 parent 54359c5 commit d267579
Showing 3 changed files with 28 additions and 4 deletions.
8 changes: 8 additions & 0 deletions docs/management/admin/response-actions-config.asciidoc
Expand Up @@ -38,8 +38,16 @@ Expand a section below for your endpoint security system:
. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions.
+
- Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client.
* To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts.
- Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike.
- The base URL varies depending on your CrowdStrike account type:
* US-1: `https://api.crowdstrike.com`
* US-2: `https://api.us-2.crowdstrike.com`
* EU-1: `https://api.eu-1.crowdstrike.com`
* US-GOV-1: `https://api.laggar.gcw.crowdstrike.com`
. **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration]
collects and ingests logs into {elastic-sec}.
+
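Review bot: The first bullet recommends separate API clients for reading data and for performing actions, but the privilege bullet that follows states only one combined scope set (`Read` on Alerts, `Read` and `Write` on Hosts), so a reader who follows the split-client advice cannot tell which of the listed scopes each client needs; consider spelling out which scopes belong to the read-only client and which to the action client. The line "Take note of the client ID, client secret, and base URL" would also benefit from a short sentence reminding readers that the client secret is a credential to be stored securely until the later {elastic-sec} configuration steps, not kept in plain notes.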
2 changes: 2 additions & 0 deletions docs/management/admin/third-party-actions.asciidoc
Expand Up @@ -16,6 +16,8 @@ You can perform response actions on hosts enrolled in other third-party endpoint
* Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription].

* Each response action type has its own user role privilege requirements. Find an action's role requirements at <<response-actions>>.

* Additional <<response-actions-config,configuration>> is required to connect {elastic-sec} with a third-party system.
--

[discrete]
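Review bot: The added bullet uses a bare cross-reference `<<response-actions>>` while the next bullet uses the labelled form `<<response-actions-config,configuration>>`; for consistency consider `<<response-actions,response actions>>` or similar, and, since this backport also deletes the docs/serverless directory, confirm the `response-actions` anchor still resolves in the 8.16 branch.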
22 changes: 18 additions & 4 deletions docs/release-notes/8.15.asciidoc
Expand Up @@ -157,7 +157,7 @@ On October 17, 2024, this issue was resolved.
==== Bug fixes

* Fixes an {elastic-defend} bug that affected CPU usage for Windows process events where the same executable is repeatedly launched, for example, during compilation workloads. With this fix, CPU usage is improved.
* Fixes an {elastic-defend} bug that sometimes caused malware scan response actions to crash when they attempted to scan an inaccessible directory.
* Fixes an {elastic-defend} bug that sometimes caused malware scan response actions to crash when they attempted to scan an inaccessible directory.
* Fixes an {elastic-defend} bug that sometimes caused {elastic-endpoint} to report an incorrect version if it used an independent {agent} release.
* Fixes an {elastic-defend} bug where the `process.thread.Ext.call_stack_final_user_module.protection_provenance_path` field might be populated with a non-path value. This fix is for Windows endpoints only.
* Fixes an {elastic-defend} bug that can lead to {elastic-endpoint} reporting `STATUS_ACCESS_DENIED` when attempting to open files for `GENERIC_READ`. {elastic-endpoint} almost always recovered from this issue, but with this fix, it succeeds on the first try. This fix is for Windows endpoints only.
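Review bot: The only change in this hunk is to the "Fixes an {elastic-defend} bug that sometimes caused malware scan response actions to crash" line, whose text is identical before and after, so it appears to be a whitespace-only change unrelated to the CrowdStrike known issue this commit adds; the same pattern recurs in the three following single-line hunks. Harmless, but worth noting so reviewers do not look for a wording change.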
Expand Down Expand Up @@ -196,7 +196,7 @@ On August 1, 2024, it was discovered that Elastic AI Assistant's responses when
[%collapsible]
====
*Details* +
On August 20, 2024, it was discovered that the bulk actions menu on the Rules page erroneously had the option to manually run multiple rules.
On August 20, 2024, it was discovered that the bulk actions menu on the Rules page erroneously had the option to manually run multiple rules.
*Workaround* +
Upgrade to 8.15.1.
Expand Down Expand Up @@ -224,6 +224,20 @@ On September 5, 2024, this issue was resolved.
====
// end::known-issue-14686[]

// tag::known-issue-crowdstrike-response-actions[]
[discrete]
.CrowdStrike response actions (isolate and release host) not working
[%collapsible]
====
*Details* +
A bug prevented third-party response actions with CrowdStrike from working.
*Workaround* +
Upgrade to 8.15.1 or later.
====
// end::known-issue-crowdstrike-response-actions[]

// tag::known-issue-192084[]
[discrete]
.Alerts wrongfully inherit previously-selected tags
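Review bot: The new `known-issue-crowdstrike-response-actions` entry is missing the information the neighbouring known issues carry: the *Details* block does not say when the issue was discovered or which release is affected (the surrounding entries open with "On August 20, 2024, it was discovered that ..." and close with "On October 17, 2024, this issue was resolved."), and the *Workaround* of "Upgrade to 8.15.1 or later" implies the issue is fixed but no resolution date is recorded. Consider adding the affected version and a discovery date to *Details*, and if a tracking issue exists, naming the tag after its id like the adjacent `known-issue-14686` and `known-issue-192084` tags rather than by description.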
Expand Down Expand Up @@ -267,7 +281,7 @@ On October 17, 2024, this issue was resolved.
* Adds an API that allows you to perform paginated KQL searches through asset criticality records ({kibana-pull}186568[#186568]).
* Adds public APIs for managing asset criticality ({kibana-pull}186169[#186169]).
* Allows you to edit the `max_signals`, `related_integrations`, and `required_fields` fields for custom rules ({kibana-pull}179680[#179680], {kibana-pull}178295[#178295], {kibana-pull}180682[#180682]).
* Provides help from AI Assistant when you're correcting rule query errors ({kibana-pull}179091[#179091]).
* Provides help from AI Assistant when you're correcting rule query errors ({kibana-pull}179091[#179091]).
* Allows you to bulk update custom highlighted fields for rules ({kibana-pull}179312[#179312]).
* Adds alert suppression for {ml} and {esql} rules ({kibana-pull}181926[#181926], {kibana-pull}180927[#180927]).
* Provides previews of hosts, users, and alerts that you're examining in the alert details flyout ({kibana-pull}186850[#186850], {kibana-pull}186857[#186857]).
Expand All @@ -293,7 +307,7 @@ On October 17, 2024, this issue was resolved.
* Updates the copy for bulk assigning asset criticality to multiple entities ({kibana-pull}181390[#181390]).
* Improves visual and logic issues in the Findings table ({kibana-pull}184185[#184185]).
* Enables the expandable alert details flyout by default and replaces the `securitySolution:enableExpandableFlyout` advanced setting with a feature flag that allows you to revert to the old flyout version ({kibana-pull}184169[#184169]).
* Improves the UI design and copy of various places in the alert details flyout ({kibana-pull}187430[#187430], {kibana-pull}187920[#187920]).
* Improves the UI design and copy of various places in the alert details flyout ({kibana-pull}187430[#187430], {kibana-pull}187920[#187920]).
* Updates the MITRE ATT&CK framework to version 15.1 ({kibana-pull}183463[#183463]).
* Improves the warning message about rule actions being unavailable after a rule ran ({kibana-pull}182741[#182741]).
* Enables the `xMatters` and `Server Log connectors` rule actions ({kibana-pull}172933[#172933]).