Adds required API permissions for runscript

natasha-moore-elastic · natasha-moore-elastic · commit 89bff8367540 · 2025-06-11T14:47:59.000+01:00
diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc
@@ -37,7 +37,8 @@ Expand a section below for your endpoint security system:
 . **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions.
 +
 - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client.
-   * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts.
+   * To isolate and release hosts: `Read` access for `Alerts`, and `Read` and `Write` access for `Hosts`.
+   * To run a script on a host: `Read` and `Write` access for `Real time response`; for elevated access, `Write` access for `Real time response (admin)` is also required.
 
 - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike.
 

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,8 @@ Expand a section below for your endpoint security system:`
`37`	`37`	`. Enable API access in CrowdStrike. Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions.`
`38`	`38`	`+`
`39`	`39`	`- Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client.`
`40`		- * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts.
	`40`	+ * To isolate and release hosts: `Read` access for `Alerts`, and `Read` and `Write` access for `Hosts`.
	`41`	+ * To run a script on a host: `Read` and `Write` access for `Real time response`; for elevated access, `Write` access for `Real time response (admin)` is also required.
`41`	`42`
`42`	`43`	`- Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike.`
`43`	`44`