diff --git a/solutions/security/endpoint-response-actions.md b/solutions/security/endpoint-response-actions.md index 7a9f703523..dac75237ac 100644 --- a/solutions/security/endpoint-response-actions.md +++ b/solutions/security/endpoint-response-actions.md @@ -257,6 +257,9 @@ Run a script on a host. You must include one of the following parameters to iden * `--Raw`: The full script content provided directly as a string. * `--CloudFile`: The name of the script stored in a cloud storage location. + + {applies_to}`serverless: ga` When using this parameter, select from a list of saved custom scripts. + * `--HostPath`: The absolute or relative file path of the script located on the host machine. You can also use these optional parameters: diff --git a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md index 43a88539e1..965579a8b3 100644 --- a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md +++ b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md @@ -38,7 +38,9 @@ Expand a section below for your endpoint security system: * Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. - * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts. + * To isolate and release hosts: `Read` access for `Alerts`, and `Read` and `Write` access for `Hosts`. + + * To run a script on a host: `Read` and `Write` access for `Real time response`; for elevated access, `Write` access for `Real time response (admin)` is also required. * Take note of the client ID, client secret, and base URL; you’ll need them in later steps when you configure {{elastic-sec}} components to access CrowdStrike. * The base URL varies depending on your CrowdStrike account type: