elastic · natasha-moore-elastic · Jul 2, 2025 · Jun 20, 2025 · Jun 23, 2025 · Jul 2, 2025
@@ -248,12 +248,11 @@ Scanning can take longer for directories containing a lot of files.
 
 ### `runscript` [runscript]
 
-::::{note}
-This response action is supported only for [CrowdStrike-enrolled hosts](/solutions/security/endpoint-response-actions/third-party-response-actions.md#crowdstrike-response-actions).
-::::
+Run a script on a host. 
 
+#### CrowdStrike
 
-Run a script on a host. You must include one of the following parameters to identify the script you want to run:
+For CrowdStrike, you must include one of the following parameters to identify the script you want to run:
 
 * `--Raw`: The full script content provided directly as a string.
 * `--CloudFile`: The name of the script stored in a cloud storage location.
@@ -280,6 +279,29 @@ Examples:
 `runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`
 
 
+#### Microsoft Defender for Endpoint
+```yaml {applies_to}
+serverless:
+```
+
+For Microsoft Defender for Endpoint, you must include the following parameter to identify the script you want to run:
+
+* `--ScriptName`: The name of the script stored in a cloud storage location. Select from a list of saved custom scripts.
+
+You can also use this optional parameter:
+
+* `--Args`: Additional command-line arguments passed to the script to customize its execution.
+  :::{note}
+  The response console does not support double-dash (`--`) syntax within the `--Args` parameter.
+  :::
+
+Predefined role: **SOC manager** or **Endpoint operations analyst**
+
+Required custom role privilege: **Execute Operations**
+
+Example: `runscript --ScriptName="Script2.sh" --Args="-Verbose true"`
+
+
 ## Supporting commands and parameters [supporting-commands-parameters]
 
 

@@ -90,10 +90,16 @@ Expand a section below for your endpoint security system:
 
 
 ::::{dropdown} Set up Microsoft Defender for Endpoint response actions
-1. **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions:
+1. **Create API access information in Microsoft Azure.** Create new applications in your Azure domain and grant them the following minimum API permissions:
 
-    * Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`).
-    * Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`).
+    * To isolate and release hosts:
+
+        * Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`).
+        * Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Read.All` and `Machine.Isolate`).
+
+    * To run a script on a host:
+
+        * Microsoft Defender for Endpoint connector: Permission to  manage live response library files as well as run live response on a specific machine (`Windows Defender ATP: Library.Manage` and `Machine.LiveResponse`)
 
     Refer to the [Microsoft Defender for Endpoint integration documentation](https://docs.elastic.co/en/integrations/microsoft_defender_endpoint) or [Microsoft’s documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp) for details on creating a new Azure application.
 

@@ -34,7 +34,7 @@ These response actions are supported for CrowdStrike-enrolled hosts:
 
     Refer to the instructions on [isolating](/solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](/solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details.
 
-* **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#runscript).
+* **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#crowdstrike).
 * **View past response action activity** in the [response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md) log.
 
 
@@ -49,6 +49,7 @@ These response actions are supported for Microsoft Defender for Endpoint–enrol
 
     Refer to the instructions on [isolating](/solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](/solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details.
 
+* **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#microsoft-defender-for-endpoint).
 
 ## SentinelOne response actions [sentinelone-response-actions]