diff --git a/solutions/security/endpoint-response-actions.md b/solutions/security/endpoint-response-actions.md index dac75237ac..f67c53c5cd 100644 --- a/solutions/security/endpoint-response-actions.md +++ b/solutions/security/endpoint-response-actions.md @@ -248,12 +248,11 @@ Scanning can take longer for directories containing a lot of files. ### `runscript` [runscript] -::::{note} -This response action is supported only for [CrowdStrike-enrolled hosts](/solutions/security/endpoint-response-actions/third-party-response-actions.md#crowdstrike-response-actions). -:::: +Run a script on a host. +#### CrowdStrike -Run a script on a host. You must include one of the following parameters to identify the script you want to run: +For CrowdStrike, you must include one of the following parameters to identify the script you want to run: * `--Raw`: The full script content provided directly as a string. * `--CloudFile`: The name of the script stored in a cloud storage location. @@ -280,6 +279,29 @@ Examples: `runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"` +#### Microsoft Defender for Endpoint +```yaml {applies_to} +serverless: +``` + +For Microsoft Defender for Endpoint, you must include the following parameter to identify the script you want to run: + +* `--ScriptName`: The name of the script stored in a cloud storage location. Select from a list of saved custom scripts. + +You can also use this optional parameter: + +* `--Args`: Additional command-line arguments passed to the script to customize its execution. + :::{note} + The response console does not support double-dash (`--`) syntax within the `--Args` parameter. + ::: + +Predefined role: **SOC manager** or **Endpoint operations analyst** + +Required custom role privilege: **Execute Operations** + +Example: `runscript --ScriptName="Script2.sh" --Args="-Verbose true"` + + ## Supporting commands and parameters [supporting-commands-parameters] 
diff --git a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md index 965579a8b3..22ab969d95 100644 --- a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md +++ b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md 
@@ -90,10 +90,16 @@ Expand a section below for your endpoint security system: ::::{dropdown} Set up Microsoft Defender for Endpoint response actions -1. **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions: +1. **Create API access information in Microsoft Azure.** Create new applications in your Azure domain and grant them the following minimum API permissions: - * Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). - * Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`). + * To isolate and release hosts: + + * Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). + * Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Read.All` and `Machine.Isolate`). + + * To run a script on a host: + + * Microsoft Defender for Endpoint connector: Permission to manage live response library files as well as run live response on a specific machine (`Windows Defender ATP: Library.Manage` and `Machine.LiveResponse`) Refer to the [Microsoft Defender for Endpoint integration documentation](https://docs.elastic.co/en/integrations/microsoft_defender_endpoint) or [Microsoft’s documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp) for details on creating a new Azure application. diff --git a/solutions/security/endpoint-response-actions/third-party-response-actions.md b/solutions/security/endpoint-response-actions/third-party-response-actions.md index 05286dfca1..bcf1c690df 100644 
--- a/solutions/security/endpoint-response-actions/third-party-response-actions.md +++ b/solutions/security/endpoint-response-actions/third-party-response-actions.md @@ -34,7 +34,7 @@ These response actions are supported for CrowdStrike-enrolled hosts: Refer to the instructions on [isolating](/solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](/solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details. -* **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#runscript). +* **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#crowdstrike). * **View past response action activity** in the [response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md) log. @@ -49,6 +49,7 @@ These response actions are supported for Microsoft Defender for Endpoint–enrol Refer to the instructions on [isolating](/solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](/solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details. +* **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#microsoft-defender-for-endpoint). ## SentinelOne response actions [sentinelone-response-actions]
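Review bot: In the first `endpoint-response-actions.md` hunk (`@@ -248`), deleting the `::::{note}` drops the only statement of which hosts support `runscript`, together with the link to `third-party-response-actions.md`; the replacement line `Run a script on a host.` no longer tells an Elastic Defend user that the action is unavailable for their hosts. Suggest keeping one sentence after `Run a script on a host.` that says the action is supported only for hosts enrolled through the third-party integrations listed in the subsections below, with the original link, before the per-vendor `####` headings.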
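Review bot: In the second `endpoint-response-actions.md` hunk (`@@ -280`), the new `#### Microsoft Defender for Endpoint` heading (like the `#### CrowdStrike` heading from the previous hunk) has no explicit anchor, while this file otherwise uses bracketed IDs such as `### \`runscript\` [runscript]` and the `third-party-response-actions.md` hunks link to `#crowdstrike` and `#microsoft-defender-for-endpoint`; an auto-generated slug breaks those links as soon as the heading text changes or another heading with the same text appears on the page. Suggest `#### CrowdStrike [runscript-crowdstrike]` and `#### Microsoft Defender for Endpoint [runscript-microsoft-defender]` and pointing the cross-references at those IDs. Three smaller points: the ```` ```yaml {applies_to} ```` block lists `serverless:` with no lifecycle value and no `stack:` entry, so confirm this is meant to be serverless-only and that a bare key renders as intended; the nested note uses `:::{note}` where the removed note in this file used `::::{note}`, so check the directive depth matches the file's convention; and the example `runscript --ScriptName="Script2.sh" --Args="-Verbose true"` pairs a `.sh` script with a PowerShell-style `-Verbose true` argument, so a shell-style argument (or a `.ps1` name) would read more plausibly.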
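Review bot: In the `configure-third-party-response-actions.md` hunk (`@@ -90`), changing `Create two new applications` to `Create new applications` and then listing `To run a script on a host` as a separate bullet leaves it ambiguous whether running a script needs a third Azure application or the same connector application with `Library.Manage` and `Machine.LiveResponse` added to `Machine.Read.All` and `Machine.Isolate`; someone who set up isolation earlier needs to know whether to extend that app's permissions or register another one. Suggest saying so explicitly, for example `Microsoft Defender for Endpoint connector: In addition to the permissions above, permission to manage live response library files ...`. Also, that new bullet is the only one in the list without a terminal period.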
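Review bot: In the first `third-party-response-actions.md` hunk (`@@ -34`), the link target changes from the explicit `#runscript` anchor to `#crowdstrike`, an auto-generated slug of the new `#### CrowdStrike` subheading rather than a bracketed ID; this is more fragile than the anchor it replaces, and `#crowdstrike` is generic enough to collide with any other heading named CrowdStrike on that page. Suggest linking to an explicit ID on the subheading, or keeping `#runscript` so the reader lands on the intro that covers both vendors.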
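Review bot: In the second `third-party-response-actions.md` hunk (`@@ -49`), the new bullet `Run a script on a host` gives no hint that the Microsoft Defender for Endpoint `runscript` section it links to is marked `serverless:` in its `{applies_to}` block, so a reader of this list cannot see that restriction without following the link. Suggest adding the same applies_to marker or a short `(serverless only)` qualifier next to the bullet. The target `#microsoft-defender-for-endpoint` has the same auto-slug fragility as `#crowdstrike` above and should point at an explicit heading ID.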