Merged
26 changes: 24 additions & 2 deletions solutions/security/endpoint-response-actions.md
Expand Up @@ -41,7 +41,7 @@ Launch the response console from any of the following places in {{elastic-sec}}:
* Endpoint details flyout → **Take action** → **Respond**
* Alert details flyout → **Take action** → **Respond**
* Host details page → **Respond**
* {applies_to}`stack: ga 9.1` Event details flyout → **Take action** → **Respond**
* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` Event details flyout → **Take action** → **Respond**

To perform an action on the endpoint, enter a [response action command](/solutions/security/endpoint-response-actions.md#response-action-commands) in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console.

Expand Down Expand Up @@ -253,7 +253,7 @@ For CrowdStrike, you must include one of the following parameters to identify th
* `--Raw`: The full script content provided directly as a string.
* `--CloudFile`: The name of the script stored in a cloud storage location.

{applies_to}`stack: ga 9.1` When using this parameter, select from a list of saved custom scripts.
{applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` When using this parameter, select from a list of saved custom scripts.

* `--HostPath`: The absolute or relative file path of the script located on the host machine.
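Review bot: the changed `{applies_to}` line reads as a standalone paragraph sitting between the `--CloudFile` and `--HostPath` bullets, so once rendered "When using this parameter" has no visible antecedent. Make sure it is indented under the `--CloudFile` bullet, or name the parameter explicitly: "When using `--CloudFile`, select from a list of saved custom scripts."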

Expand All @@ -278,6 +278,7 @@ Examples:
#### Microsoft Defender for Endpoint
```yaml {applies_to}
stack: ga 9.1
serverless: ga
```

For Microsoft Defender for Endpoint, you must include the following parameter to identify the script you want to run:
Expand All @@ -300,6 +301,7 @@ Example: `runscript --ScriptName="Script2.sh" --Args="-Verbose true"`
#### SentinelOne
```yaml {applies_to}
stack: ga 9.2
serverless: ga
```
For SentinelOne, you must include the following parameter to identify the script you want to run:
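Review bot: the closing fence of the `{applies_to}` block is followed directly by "For SentinelOne, you must include the following parameter..." with no blank line, whereas the Microsoft Defender for Endpoint section above separates the block from its paragraph. Add the blank line so both sections render the same way and the paragraph cannot attach to the code block in stricter Markdown renderers.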

Expand All @@ -315,6 +317,26 @@ Required privilege (in {{stack}}) or custom role privilege (in {{serverless-shor

Example: `runscript --script="copy.sh" --inputParams="~/logs/log.txt /tmp/log.backup.txt"`

### `cancel` [cancel]
```yaml {applies_to}
stack: ga 9.2
serverless: ga
```

::::{note}
This response action is supported only for [Microsoft Defender for Endpoint–enrolled hosts](/solutions/security/endpoint-response-actions/third-party-response-actions.md#defender-response-actions).
::::

Cancel an ongoing action on the host. This allows you to force-cancel actions that are stuck in a pending state, unblocking further use of the response console.

You must include the following parameter to identify the action to cancel:

* `--action`: The response action to cancel. Select from a list of pending actions.

Required role or privilege: `cancel` doesn't have its own required role or privilege. To use it, you must have the same role or privilege that's required for the action you're canceling. For example, canceling a `runscript` action requires the **Execute Operations** privilege.

Example: `cancel --action="copy.sh" --comment="Canceled because it is stuck"`

## Supporting commands and parameters [supporting-commands-parameters]
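Review bot: the example `cancel --action="copy.sh" --comment="Canceled because it is stuck"` contradicts the description of `--action` ("The response action to cancel. Select from a list of pending actions"): `copy.sh` is the script name from the `runscript` example above, not an identifier for a pending action. Use a value of the kind the pending-actions list actually offers, or state how the list entry maps onto the `--action` value. `--comment` also appears in the example without being introduced in this section; a pointer to the supporting parameters section that follows would help. Minor: the label "Required role or privilege:" differs from the "Required privilege (in {{stack}}) or custom role privilege (in {{serverless-short}})" phrasing the other commands use.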


Expand Up @@ -97,10 +97,12 @@ Expand a section below for your endpoint security system:
* Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`).
* Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Read.All` and `Machine.Isolate`).

* {applies_to}`stack: ga 9.1` To run a script on a host:
* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` To run a script on a host:

* Microsoft Defender for Endpoint connector: Permission to manage live response library files as well as run live response on a specific machine (`Windows Defender ATP: Library.Manage` and `Machine.LiveResponse`)

* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` To cancel an ongoing action on a host, you need the same permissions that are required for the action you're canceling.

Refer to the [Microsoft Defender for Endpoint integration documentation](https://docs.elastic.co/en/integrations/microsoft_defender_endpoint) or [Microsoft’s documentation](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp) for details on creating a new Azure application.

After you create the applications, take note of the client ID, client secret, and tenant ID for each one; you’ll need them in later steps when you configure Elastic Security components to access Microsoft Defender for Endpoint.
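Review bot: the new cancel bullet says you need "the same permissions that are required for the action you're canceling", but every other bullet in this list names concrete Azure application permissions, so a reader checking an app registration cannot tell which scopes cancel needs. Spell out the case the documentation already supports: per the bullet above, canceling a `runscript` action requires `Windows Defender ATP: Library.Manage` and `Machine.LiveResponse`. Minor: the `runscript` connector bullet lacks its terminating period, unlike the Alert.Read.All and Machine.Read.All bullets above it.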
Expand Up @@ -49,7 +49,9 @@ These response actions are supported for Microsoft Defender for Endpoint–enrol

Refer to the instructions on [isolating](/solutions/security/endpoint-response-actions/isolate-host.md#isolate-a-host) and [releasing](/solutions/security/endpoint-response-actions/isolate-host.md#release-a-host) hosts for more details.

* {applies_to}`stack: ga 9.1` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#microsoft-defender-for-endpoint).
* {applies_to}`stack: ga 9.1` {applies_to}`serverless: ga` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#microsoft-defender-for-endpoint).

* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` **Cancel an ongoing action on a host** with the [`cancel` response action](/solutions/security/endpoint-response-actions.md#cancel).

## SentinelOne response actions [sentinelone-response-actions]

Expand Down Expand Up @@ -79,4 +81,4 @@ These response actions are supported for SentinelOne-enrolled hosts:

* **View past response action activity** in the [response actions history](/solutions/security/endpoint-response-actions/response-actions-history.md) log.

* {applies_to}`stack: ga 9.2` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#sentinelone).
* {applies_to}`stack: ga 9.2` {applies_to}`serverless: ga` **Run a script on a host** with the [`runscript` response action](/solutions/security/endpoint-response-actions.md#sentinelone).