[8.12] Bidirectional integration response actions (SentinelOne) — Classic docs (backport #4593) #4622

Merged (1 commit), Jan 17, 2024
4 changes: 2 additions & 2 deletions docs/getting-started/install-endpoint.asciidoc
Expand Up @@ -95,14 +95,14 @@ If you have upgraded to an {stack} version that includes {fleet-server} 7.13.0 o
[[enroll-agent]]
=== Add the {agent}

. Go to *{fleet}* -> *Agents* -> **Add agent**.
. If you're in the process of installing an {agent} integration (such as {elastic-defend}), the **Add agent** UI opens automatically. Otherwise, go to *{fleet}* -> *Agents* -> **Add agent**.
+
[role="screenshot"]
image::images/install-endpoint/endpoint-cloud-sec-add-agent.png[Add agent flyout on the Fleet page.]

. Select an agent policy for the {agent}. You can select an existing policy, or select **Create new agent policy** to create a new one. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
+
The selected agent policy should include {elastic-defend}.
The selected agent policy should include the integration you want to install on the hosts covered by the agent policy (in this example, {elastic-defend}).
+
[role="screenshot"]
image::images/install-endpoint/endpoint-cloud-sec-add-agent-detail.png[Add agent flyout with {elastic-defend} integration highlighted.,575]
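Review bot: The rewritten first step ("If you're in the process of installing an {agent} integration ... the **Add agent** UI opens automatically") does not say what triggers the flyout; since the SentinelOne steps in response-actions-config.asciidoc send readers here immediately after "Select *Add {agent} to your hosts*", naming that button as the trigger (for example, "after you click **Add {agent} to your hosts**, the **Add agent** UI opens automatically") would make the cross-reference land cleanly. The generalized policy sentence ("the integration you want to install on the hosts covered by the agent policy (in this example, {elastic-defend})") is fine, but confirm the unchanged screenshot alt text "{elastic-defend} integration highlighted" still matches the image being shown.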
82 changes: 80 additions & 2 deletions docs/management/admin/response-actions-config.asciidoc
Expand Up @@ -6,8 +6,86 @@
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [manage]

Endpoint response actions involving third-party systems require additional configuration. This page explains the high-level steps you'll need to take to enable these response actions.

[discrete]
[[configure-sentinelone-response-actions]]
== Configure SentinelOne response actions

SentinelOne response actions allow you to perform bidirectional actions on protected hosts, such as directing SentinelOne to isolate a suspicious endpoint from your network, without needing to leave the {elastic-sec} UI.

preview::[]

.Prerequisites
[sidebar]
--
[.text-center]
**This is a placeholder for future documentation.**
* https://www.elastic.co/pricing[Subscription level]: Enterprise

* {kibana-ref}/kibana-role-management.html#adding_kibana_privileges[{kib} feature privilege]: **Actions and Connectors : All**.

* <<endpoint-management-req,{elastic-sec} feature privileges>>: **All** for the response action features, such as **Host Isolation**, that you want to perform.

* Endpoints must have actively running SentinelOne agents installed.
--

Configuration requires the following general steps. Expand the steps and follow the links for detailed instructions:

. **Generate API access tokens in SentinelOne.** You'll need these tokens in later steps, and they allow {elastic-sec} to collect data and perform actions in SentinelOne.
+
.Expand for details
[%collapsible]
====
Create two API tokens in SentinelOne, and give them the least privilege required by the Elastic components that will use them:

- SentinelOne integration: Permission to read SentinelOne data.
- SentinelOne connector: Permission to read SentinelOne data and perform actions on SentinelOne-protected hosts (for example, isolating and releasing an endpoint).

Refer to the {integrations-docs}/sentinel_one[SentinelOne integration docs] or SentinelOne's docs for details on generating API tokens.
====

. **Install the SentinelOne integration and {agent}.** Elastic's {integrations-docs}/sentinel_one[SentinelOne integration] collects and ingests logs into {elastic-sec}.
+
.Expand for details
[%collapsible]
====
.. In {kib}, go to **Integrations**, search for and select **SentinelOne**, then select **Add SentinelOne**.
.. Configure the integration with an **Integration name** and optional **Description**.
.. Ensure that **Collect SentinelOne logs via API** is selected, and enter the required **Settings**:
- **URL**: The SentinelOne console URL.
- **API Token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data.
.. Scroll down and enter a name for the agent policy in **New agent policy name**. If other agent policies already exist, you can click the **Existing hosts** tab and select an existing policy instead. For more details on {agent} configuration settings, refer to {fleet-guide}/agent-policy.html[{agent} policies].
.. Click **Save and continue**.
.. Select *Add {agent} to your hosts* and continue with the <<enroll-agent,{agent} installation steps>> to install {agent} on a resource in your network (such as a server or VM). {agent} will act as a bridge collecting data from SentinelOne and sending it to {elastic-sec}.
====

. **Create a SentinelOne connector.** Elastic's {kibana-ref}/action-types.html[SentinelOne connector] enables {elastic-sec} to perform actions on SentinelOne-protected hosts.
// TODO: Update link above to sentinelone-action-type.html once that page is published.
+
.Expand for details
[%collapsible]
====
IMPORTANT: Do not create more than one SentinelOne connector.

.. In {kib}, go to **Stack Management** → **Connectors**, then select **Create connector**.
.. Select the **SentinelOne** connector.
.. Enter the configuration information:
- **Connector name**: A name to identify the connector.
- **SentinelOne tenant URL**: The SentinelOne tenant URL.
- **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on SentinelOne-protected hosts.
.. Click **Save**.
====

. **Create and enable a rule to generate {elastic-sec} alerts.** Create a <<create-custom-rule,custom query detection rule>> to generate {elastic-sec} alerts whenever SentinelOne generates alerts.
+
.Expand for details
[%collapsible]
====
Use these settings when creating the custom query rule to target the data collected from SentinelOne:

- **Index patterns**: `logs-sentinel_one.alert*`
- **Custom query**: `observer.serial_number:*`

NOTE: Do not include any other index patterns or query parameters.

This rule will give you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu on the alert details flyout.
====
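Review bot: Two hard constraints in this hunk are asserted without a rationale, and readers who deviate will not know what they break: "IMPORTANT: Do not create more than one SentinelOne connector." in the connector step, and "NOTE: Do not include any other index patterns or query parameters." under the rule settings (`logs-sentinel_one.alert*` / `observer.serial_number:*`). A one-line reason for each (what a second connector causes, and why the rule must stay scoped to exactly that index pattern and query for response actions to be offered from the resulting alerts) would let readers judge their own setups. Separately, the `// TODO: Update link above to sentinelone-action-type.html once that page is published.` comment means the connector step currently links to the generic `action-types.html`; since this is the 8.12 backport, make sure the follow-up link fix is also backported rather than only landing in main. The least-privilege guidance in step 1 (read-only token for the integration, read-plus-actions token for the connector) is a good security point; consider stating it again next to each **API token** field so readers pasting the wrong token into the connector are reminded which one belongs there.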