diff --git a/docs/serverless/endpoint-response-actions/response-actions.mdx b/docs/serverless/endpoint-response-actions/response-actions.mdx
index cae21136ac..0229a22c5e 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.mdx
+++ b/docs/serverless/endpoint-response-actions/response-actions.mdx
@@ -106,10 +106,17 @@ Required role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations ana
Example: `suspend-process --pid 123 --comment "Suspend suspicious process"`
+
### `get-file`
Retrieve a file from a host. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment.
+
+Files retrieved from third-party-protected hosts require a different password. Refer to the following:
+
+- SentinelOne response actions
+
+
You must include the following parameter to specify the file's location on the host:
* `--path` : The file's full path (including the file name).
diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.mdx b/docs/serverless/endpoint-response-actions/third-party-actions.mdx
index b12d4d04b5..f2874aece6 100644
--- a/docs/serverless/endpoint-response-actions/third-party-actions.mdx
+++ b/docs/serverless/endpoint-response-actions/third-party-actions.mdx
@@ -13,6 +13,12 @@ tags: ["serverless","security","defend","reference","manage"]
You can direct SentinelOne to perform response actions on protected hosts without leaving the ((elastic-sec)) UI. Prior configuration is required to connect ((elastic-sec)) with SentinelOne.
+
+
+Third-party response actions require the Endpoint Protection Complete , and each response action type has its own user role privilege requirements. Refer to for more information.
+
+
+
The following response actions and related features are supported for SentinelOne-protected hosts:
- **Isolate and release a host** using any of these methods:
@@ -21,4 +27,9 @@ The following response actions and related features are supported for SentinelOn
Refer to the instructions on isolating and releasing hosts for more details.
+- **Retrieve a file from a host** with the `get-file` response action.
+
+ For SentinelOne-protected hosts, you must use the password `Elastic@123` to open the retrieved file.
+
+
- **View past response action activity** in the response actions history log.