diff --git a/solutions/security/endpoint-response-actions.md b/solutions/security/endpoint-response-actions.md index f93d6b952c..da5cd983dc 100644 --- a/solutions/security/endpoint-response-actions.md +++ b/solutions/security/endpoint-response-actions.md @@ -41,7 +41,7 @@ Launch the response console from any of the following places in {{elastic-sec}}: * Endpoint details flyout → **Take action** → **Respond** * Alert details flyout → **Take action** → **Respond** * Host details page → **Respond** -* {applies_to}`stack: ga 9.1` Event details flyout → **Take action** → **Respond** +* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` Event details flyout → **Take action** → **Respond** To perform an action on the endpoint, enter a [response action command](/solutions/security/endpoint-response-actions.md#response-action-commands) in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console. @@ -253,7 +253,7 @@ For CrowdStrike, you must include one of the following parameters to identify th * `--Raw`: The full script content provided directly as a string. * `--CloudFile`: The name of the script stored in a cloud storage location. - {applies_to}`stack: ga 9.1` When using this parameter, select from a list of saved custom scripts. + {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` When using this parameter, select from a list of saved custom scripts. * `--HostPath`: The absolute or relative file path of the script located on the host machine. @@ -278,6 +278,7 @@ Examples: #### Microsoft Defender for Endpoint ```yaml {applies_to} stack: ga 9.1 +serverless: ga ``` For Microsoft Defender for Endpoint, you must include the following parameter to identify the script you want to run: 
@@ -300,6 +301,7 @@ Example: `runscript --ScriptName="Script2.sh" --Args="-Verbose true"` #### SentinelOne ```yaml {applies_to} stack: ga 9.2 +serverless: ga ``` For SentinelOne, you must include the following parameter to identify the script you want to run: @@ -315,6 +317,26 @@ Required privilege (in {{stack}}) or custom role privilege (in {{serverless-shor Example: `runscript --script="copy.sh" --inputParams="~/logs/log.txt /tmp/log.backup.txt"` +### `cancel` [cancel] +```yaml {applies_to} +stack: ga 9.2 +serverless: ga +``` + +::::{note} +This response action is supported only for [Microsoft Defender for Endpoint–enrolled hosts](/solutions/security/endpoint-response-actions/third-party-response-actions.md#defender-response-actions). +:::: + +Cancel an ongoing action on the host. This allows you to force-cancel actions that are stuck in a pending state, unblocking further use of the response console. + +You must include the following parameter to identify the action to cancel: + +* `--action`: The response action to cancel. Select from a list of pending actions. + +Required role or privilege: `cancel` doesn't have its own required role or privilege. To use it, you must have the same role or privilege that's required for the action you're canceling. For example, canceling a `runscript` action requires the **Execute Operations** privilege. + +Example: `cancel --action="copy.sh" --comment="Canceled because it is stuck"` + ## Supporting commands and parameters [supporting-commands-parameters] diff --git a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md index a5d6e5f23f..de748a0236 100644 --- a/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md +++ b/solutions/security/endpoint-response-actions/configure-third-party-response-actions.md 
@@ -97,10 +97,12 @@ Expand a section below for your endpoint security system: * Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`). * Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Read.All` and `Machine.Isolate`). - * {applies_to}`stack: ga 9.1` To run a script on a host: + * {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` To run a script on a host: * Microsoft Defender for Endpoint connector: Permission to manage live response library files as well as run live response on a specific machine (`Windows Defender ATP: Library.Manage` and `Machine.LiveResponse`) + * {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` To cancel an ongoing action on a host, you need the same permissions that are required for the action you're canceling. + Refer to the [Microsoft Defender for Endpoint integration documentation](https://docs.elastic.co/en/integrations/microsoft_defender_endpoint) or [Microsoft’s documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp) for details on creating a new Azure application. After you create the applications, take note of the client ID, client secret, and tenant ID for each one; you’ll need them in later steps when you configure Elastic Security components to access Microsoft Defender for Endpoint. diff --git a/solutions/security/endpoint-response-actions/third-party-response-actions.md b/solutions/security/endpoint-response-actions/third-party-response-actions.md index 687501dfef..5b4c62f9a4 100644 --- a/solutions/security/endpoint-response-actions/third-party-response-actions.md +++ b/solutions/security/endpoint-response-actions/third-party-response-actions.md 
@@ -49,7 +49,9 @@ These response actions are supported for Microsoft Defender for Endpoint–enrol Refer to the instructions on [isolating](/solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](/solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details. -* {applies_to}`stack: ga 9.1` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#microsoft-defender-for-endpoint). +* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#microsoft-defender-for-endpoint). + +* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` **Cancel an ongoing action on a host** with the [`cancel` response action](/solutions/security/endpoint-response-actions.md#cancel). ## SentinelOne response actions [sentinelone-response-actions] @@ -79,4 +81,4 @@ These response actions are supported for SentinelOne-enrolled hosts: * **View past response action activity** in the [response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md) log. -* {applies_to}`stack: ga 9.2` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#sentinelone). +* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#sentinelone).
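Review bot: In the new `cancel` section of endpoint-response-actions.md (hunk @@ -315,6 +317,26), the example `cancel --action="copy.sh" --comment="Canceled because it is stuck"` passes what looks like a script filename, while `--action` is described as "The response action to cancel. Select from a list of pending actions." Either the example value should be whatever identifies an entry in that pending-actions list (the `runscript` action, not the script it runs), or the parameter description should say the selector is the script name; as written the two disagree. The same section opens with "Cancel an ongoing action" and then says it is for actions "stuck in a pending state"; say explicitly whether an action already dispatched to and executing on the host can be canceled or only one still pending, because that tells the operator whether the script's side effects may already have occurred. Also, `--comment` appears in the example but not in the parameter list; if it is covered under Supporting commands and parameters, a cross-reference there would avoid the impression it is specific to `cancel`.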
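Review bot: The new cancel bullet in configure-third-party-response-actions.md (hunk @@ -97,10 +97,12) says you need "the same permissions that are required for the action you're canceling" but, unlike the isolate and runscript bullets beside it, names no Defender API permission. If the connector calls a Defender API endpoint to cancel, list the exact `Windows Defender ATP:` permission the Azure app registration needs (the neighbouring bullets give `Machine.Isolate`, `Library.Manage` and `Machine.LiveResponse`), or state explicitly that no permission beyond those already granted for the original action is required; someone building a least-privilege app registration cannot verify either reading from the sentence as written.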