-
Notifications
You must be signed in to change notification settings - Fork 191
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create new page for automated response actions
- Loading branch information
1 parent
daf5aba
commit ef32b76
Showing
2 changed files
with
43 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| [[automated-response-actions]] | ||
| = Automated response actions | ||
|
|
||
| :frontmatter-description: Automatically respond to events with endpoint response actions triggered by detection rules. | ||
| :frontmatter-tags-products: [security] | ||
| :frontmatter-tags-content-type: [how-to] | ||
| :frontmatter-tags-user-goals: [manage] | ||
|
|
||
| Add {elastic-defend}'s <<response-actions,response actions>> to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events. | ||
|
|
||
| .Requirements | ||
| [sidebar] | ||
| -- | ||
| * Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription]. | ||
| * Hosts must have {agent} installed with the {elastic-defend} integration. | ||
| * Your user role must have the ability to create detection rules and the <<endpoint-management-req,privilege>> to perform specific response actions (for example, the **Host Isolation** privilege to isolate hosts). | ||
| * You can only add automated response actions to custom query rules. | ||
| -- | ||
|
|
||
| You can add automated response actions to a new or existing custom query rule. | ||
|
|
||
| . Do one of the following: | ||
| * *New rule*: On the last step of <<create-custom-rule,custom query rule>> creation, go to the **Response Actions** section and select **{elastic-defend}**. | ||
| * *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section. | ||
|
|
||
| . Select an option in the **Response action** field: | ||
| + | ||
| -- | ||
| * **Isolate**: <<host-isolation-ov,Isolate the host>>, blocking communication with other hosts on the network. | ||
| * **Kill process**: Terminate a process on the host. | ||
| * **Suspend process**: Temporarily suspend a process on the host. | ||
| -- | ||
| + | ||
| IMPORTANT: Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes. | ||
|
|
||
| . For process actions, specify how to identify the process you want to terminate or suspend: | ||
| * Turn on the toggle to use the alert's **process.pid** value as the identifier. | ||
| * To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**. | ||
|
|
||
| . Enter a comment describing why you’re performing the action on the host (optional). | ||
|
|
||
| . To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters