9 changes: 6 additions & 3 deletions docs/management/admin/response-actions-config.asciidoc
Expand Up @@ -86,11 +86,14 @@ This gives you visibility into CrowdStrike without needing to leave {elastic-sec
// NOTE TO CONTRIBUTORS: These sections have very similar content. If you change anything
// in this section, apply the change to the other sections, too.

. **Create API access information in Microsoft Azure.** Create two new applications in your Azure domain and grant them the following minimum API permissions:
. **Create API access information in Microsoft Azure.** Create new applications in your Azure domain and grant them the following minimum API permissions:
+
--
- Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`).
- Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Isolate and Machine.Read.All`).
- To isolate and release hosts:
* Microsoft Defender for Endpoint Fleet integration policy: Permission to read alert data (`Windows Defender ATP: Alert.Read.All`).
* Microsoft Defender for Endpoint connector: Permission to read machine information as well as isolate and release a machine (`Windows Defender ATP: Machine.Read.All` and `Machine.Isolate`).
- To run a script on a host:
* Microsoft Defender for Endpoint connector: Permission to manage live response library files as well as run live response on a specific machine (`Windows Defender ATP: Library.Manage` and `Machine.LiveResponse`)
--
+
Refer to the {integrations-docs}/microsoft_defender_endpoint[Microsoft Defender for Endpoint integration documentation] or https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-create-app-webapp[Microsoft's documentation] for details on creating a new Azure application.
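Review bot: the new "To run a script on a host" bullet is missing its terminating period; the sibling bullets in the same list ("Permission to read alert data (...).", "...isolate and release a machine (...).") all end with one, so "`Machine.LiveResponse`)" should become "`Machine.LiveResponse`)." for consistency. Separately, the list intro still says "grant them the following minimum API permissions" while the script bullet names only the connector, which is fine as written, but it is worth stating in the intro that the Fleet integration policy needs no additional permission for the script use case, since the contributor note above asks for this section to be mirrored elsewhere.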
27 changes: 25 additions & 2 deletions docs/management/admin/response-actions.asciidoc
Expand Up @@ -198,9 +198,13 @@ NOTE: Scanning can take longer for directories containing a lot of files.
[[runscript]]
=== `runscript`

NOTE: This response action is supported only for <<crowdstrike-response-actions, CrowdStrike-enrolled hosts>>.
Run a script on a host.

Run a script on a host. You must include one of the following parameters to identify the script you want to run:
[discrete]
[[runscript-crwd]]
==== CrowdStrike

For CrowdStrike, you must include one of the following parameters to identify the script you want to run:

* `--Raw`: The full script content provided directly as a string.
* `--CloudFile`: The name of the script stored in a cloud storage location.
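Review bot: removing the NOTE "This response action is supported only for CrowdStrike-enrolled hosts" leaves the `runscript` section with no statement of which hosts support the command at all; the subsections that follow cover CrowdStrike and Microsoft Defender for Endpoint, but a reader landing on "Run a script on a host." cannot tell that the action is not available for Elastic Defend hosts. Suggest keeping a NOTE directly under the heading, reworded to list both supported integrations, for example: "NOTE: This response action is supported only for CrowdStrike-enrolled and Microsoft Defender for Endpoint-enrolled hosts."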
Expand All @@ -221,6 +225,25 @@ Examples:

`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`

[discrete]
[[runscript-mde]]
==== Microsoft Defender for Endpoint

For Microsoft Defender for Endpoint, you must include the following parameter to identify the script you want to run:

* `--ScriptName`: The name of the script stored in a cloud storage location. Select from a list of saved custom scripts.

You can also use this optional parameter:

* `--Args`: Additional command-line arguments passed to the script to customize its execution.
+
NOTE: The response console does not support double-dash (`--`) syntax within the `--Args` parameter.

Required privilege: **Execute Operations**

Example: `runscript --ScriptName="Script2.sh" --Args="-Verbose true"`


[discrete]
[[supporting-commands-parameters]]
== Supporting commands and parameters
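Review bot: the `--ScriptName` description "The name of the script stored in a cloud storage location" does not match the permission text added in response-actions-config.asciidoc, which describes the scripts as "live response library files"; naming the Microsoft Defender for Endpoint live response library here would tell the reader where "saved custom scripts" actually live and which permission governs them. The example `runscript --ScriptName="Script2.sh" --Args="-Verbose true"` also pairs a shell script with a PowerShell-style `-Verbose true` argument, which is confusing right after the NOTE restricting `--Args` syntax; an argument form that is plausible for a `.sh` script would read better. Minor: there are two blank lines before the `[discrete]` that follows the example, where the rest of the file uses one.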
4 changes: 3 additions & 1 deletion docs/management/admin/third-party-actions.asciidoc
Expand Up @@ -33,7 +33,7 @@ These response actions are supported for CrowdStrike-enrolled hosts:
+
Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.

* **Run a script on a host** with the <<runscript,`runscript` response action>>.
* **Run a script on a host** with the <<runscript-crwd,`runscript` response action>>.

* **View past response action activity** in the <<response-actions-history,response actions history>> log.

Expand All @@ -52,6 +52,8 @@ These response actions are supported for Microsoft Defender for Endpoint–enrol
+
Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.

* **Run a script on a host** with the <<runscript-mde,`runscript` response action>>.

[discrete]
[[sentinelone-response-actions]]
== SentinelOne response actions
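Review bot: the Microsoft Defender for Endpoint list now ends with the new "Run a script on a host" bullet, whereas the CrowdStrike list in the earlier hunk continues with "View past response action activity in the response actions history log"; if the response actions history covers Microsoft Defender for Endpoint actions too, the same bullet belongs after the new one so the two sections stay parallel. Also confirm that the `runscript-mde` anchor this bullet links to is defined in response-actions.asciidoc in the same build, since the cross-reference will fail otherwise.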