diff --git a/docs/serverless/endpoint-response-actions/response-actions.mdx b/docs/serverless/endpoint-response-actions/response-actions.mdx index cae21136ac..0229a22c5e 100644 --- a/docs/serverless/endpoint-response-actions/response-actions.mdx +++ b/docs/serverless/endpoint-response-actions/response-actions.mdx @@ -106,10 +106,17 @@ Required role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations ana Example: `suspend-process --pid 123 --comment "Suspend suspicious process"` +
### `get-file` Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment. + +Files retrieved from third-party-protected hosts require a different password. Refer to the following: + +- SentinelOne response actions + + You must include the following parameter to specify the file's location on the host: * `--path` : The file's full path (including the file name). diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.mdx b/docs/serverless/endpoint-response-actions/third-party-actions.mdx index b12d4d04b5..f2874aece6 100644 --- a/docs/serverless/endpoint-response-actions/third-party-actions.mdx +++ b/docs/serverless/endpoint-response-actions/third-party-actions.mdx @@ -13,6 +13,12 @@ tags: ["serverless","security","defend","reference","manage"] You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior configuration is required to connect ((elastic-sec)) with SentinelOne. + + +Third-party response actions require the Endpoint Protection Complete , and each response action type has its own user role privilege requirements. Refer to for more information. + + + The following response actions and related features are supported for SentinelOne-protected hosts: - **Isolate and release a host** using any of these methods: @@ -21,4 +27,9 @@ The following response actions and related features are supported for SentinelOn Refer to the instructions on isolating and releasing hosts for more details. +- **Retrieve a file from a host** with the `get-file` response action. + + For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file. + + - **View past response action activity** in the response actions history log.
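Review bot: In the `get-file` hunk of response-actions.mdx, the new "Refer to the following:" list has a single bare item, "SentinelOne response actions", with no visible link target, so a reader cannot navigate to the page that actually states the alternative password; make the item a link to third-party-actions.mdx (or inline the reference: "Refer to SentinelOne response actions for the password used for SentinelOne-protected hosts."). While editing this paragraph, consider stating that the archive password exists to prevent the file from being run accidentally, not to keep its contents confidential, since both passwords are printed in the docs and the existing sentence "to prevent the file from running" already implies this.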
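Review bot: The first hunk of third-party-actions.mdx adds a sentence with two gaps: "require the Endpoint Protection Complete ," has a stray space before the comma and no noun or link after "Endpoint Protection Complete", and "Refer to for more information." has no target at all. If these are DocLink components that were dropped, confirm they render in the MDX output and remove the extra space before the comma; if they were never added, fill in the project tier name and the link to the role privilege requirements, since the sentence is otherwise unusable to a reader.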
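Review bot: The second hunk of third-party-actions.mdx documents the `Elastic@123` password for SentinelOne-retrieved files but drops the guidance that the `get-file` section in response-actions.mdx gives for the default password, "to open the `.zip` in a safe environment"; repeat that phrase here so the stronger password is not read as making the file safe to open anywhere. It would also help to link the new "Retrieve a file from a host" bullet back to the `get-file` section, since the required `--path` parameter is only described there.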