Skip to content

Document external EDR script picker for CrowdStrike in serverless #1650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 11, 2025
Merged

Document external EDR script picker for CrowdStrike in serverless #1650

merged 4 commits into from
Jun 11, 2025

Conversation

natasha-moore-elastic
Copy link
Contributor

@natasha-moore-elastic natasha-moore-elastic commented Jun 9, 2025
edited
Loading

Contributes to #1498 by documenting the script picker functionality for the runscript response action for Crodwstrike in serverless docs. Doc updates for 8.19 and 9.1, and for MS Defender, will be handled separately.

Also adds required API permissions for runscript when creating an API client in CrowdStrike.

Previews:

@natasha-moore-elastic natasha-moore-elastic added Serverless Improvements and changes to the Serverless Docs Team:Experience Issues owned by the Experience Docs Team labels Jun 9, 2025
@natasha-moore-elastic natasha-moore-elastic self-assigned this Jun 9, 2025
@natasha-moore-elastic natasha-moore-elastic mentioned this pull request Jun 9, 2025
Closed
@natasha-moore-elastic natasha-moore-elastic marked this pull request as ready for review June 9, 2025 13:51
@natasha-moore-elastic natasha-moore-elastic requested a review from a team as a code owner June 9, 2025 13:51
@natasha-moore-elastic natasha-moore-elastic changed the title Document external EDR script picker for CrodwStrike in serverless Document external EDR script picker for CrowdStrike in serverless Jun 9, 2025
@raqueltabuyo
Copy link

raqueltabuyo commented Jun 10, 2025
edited
Loading

@natasha-moore-elastic Hey! We noticed that we need to update the docs regarding the API access as runscript requires RTR privileges. Currently, it states "To isolate and release hosts, the API client must have Read access for Alerts, and Read and Write access for Hosts.", we have to cover as well runscript. CC: @tomsonpl

@tomsonpl
Copy link

Thanks @raqueltabuyo

The needed permissions for RTR (currently only runscript) in CrowdStrike are:
Read and Write for Real time response and additionally Write for Real time response (admin)

@natasha-moore-elastic
Copy link
Contributor Author

natasha-moore-elastic commented Jun 10, 2025
edited
Loading

Thanks @raqueltabuyo

The needed permissions for RTR (currently only runscript) in CrowdStrike are: Read and Write for Real time response and additionally Write for Real time response (admin)

Thanks both, I've updated the PR. If it looks good, I'll make the same update in 8.18 docs.

@natasha-moore-elastic natasha-moore-elastic mentioned this pull request Jun 11, 2025
Merged
@natasha-moore-elastic natasha-moore-elastic merged commit 1cd6b77 into main Jun 11, 2025
6 checks passed
@natasha-moore-elastic natasha-moore-elastic deleted the issue-1498-script-picker-cwd branch June 11, 2025 13:56
@mergify mergify bot mentioned this pull request Jun 11, 2025
Merged
@natasha-moore-elastic natasha-moore-elastic mentioned this pull request Jun 20, 2025
Merged
@natasha-moore-elastic natasha-moore-elastic mentioned this pull request Jul 25, 2025
Merged
natasha-moore-elastic added a commit that referenced this pull request Jul 28, 2025
@natasha-moore-elastic
[Security] Runscript for MS Defender + script picker (#2278)
6e01750 
Resolves #1498 and
#1532.
Adds the appropriate 9.1 'applies' labels for the MS Defender
`runscript` response action and the script picker functionality.

### Related PRs

MS Defender `runscript`:
* #1820
* elastic/security-docs#6903

Script picker:
* #1650
* elastic/security-docs#6896
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tomsonpl tomsonpl tomsonpl approved these changes

@mdbirnstiehl mdbirnstiehl mdbirnstiehl approved these changes

Assignees

@natasha-moore-elastic natasha-moore-elastic

Labels

Serverless Improvements and changes to the Serverless Docs Team:Experience Issues owned by the Experience Docs Team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@natasha-moore-elastic @raqueltabuyo @tomsonpl @mdbirnstiehl