[Request] [EDR] Document the availability of runscript response action for SentinelOne Hosts #2729
Description
Description
Description
Document the availability of runscript response action for SentinelOne Hosts.
The command (which already exists for CrowdStrike and Microsoft Defender hosts) has the following options in the console:
runscript --help
About
Run a script on the host
Usage
runscript --script [--inputParams --comment]
Example
runscript --script="copy.sh" --inputParams="~/logs/log.txt /tmp/log.backup.txt"
Required parameters
--script - The script to run (selected from popup list)
Optional parameters
--inputParams - Input arguments for the selected script
--comment - A comment to go along with the action
Background & resources
- Feature was implemented over several PR
- Implementation issues are referenced in this Meta issue: https://github.com/elastic/security-team/issues/13269
- Point of contact: Paul Tavares ( @paul-tavares )
- Test environments: Create cloud env. and enable feature flag
responseActionsSentinelOneRunScriptEnabled
Which documentation set does this change impact?
ESS and serverless
ESS release
Feature will be included in v9.2.0
Serverless release
Week of September 15 2025
Feature differences
Feature is identical in both ESS and Serverless
API docs impact
OpenAPI docs will be updated by Dev to include new API parameters applicable to runscript for SentinelOne
Prerequisites, privileges, feature flags
- Feature flag (
responseActionsSentinelOneRunScriptEnabled) will be enabled in the next two weeks - just prior to release for Serverless