From 56f71acae3e481fa6afb6a6b4a8dd9ac9f5e4f98 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 18 Sep 2024 17:50:06 -0400 Subject: [PATCH] First draft --- .../admin/response-actions-config.asciidoc | 8 ++++++++ docs/management/admin/third-party-actions.asciidoc | 2 ++ docs/release-notes/8.15.asciidoc | 14 ++++++++++++++ .../response-actions-config.mdx | 9 ++++++++- .../third-party-actions.mdx | 2 ++ 5 files changed, 34 insertions(+), 1 deletion(-) diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc index e38ab3022a..52a556fb51 100644 --- a/docs/management/admin/response-actions-config.asciidoc +++ b/docs/management/admin/response-actions-config.asciidoc @@ -38,8 +38,16 @@ Expand a section below for your endpoint security system: . **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions. + - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. + * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts. + - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike. +- The base URL varies depending on your CrowdStrike account type: + * US-1: `https://api.crowdstrike.com` + * US-2: `https://api.us-2.crowdstrike.com` + * EU-1: `https://api.eu-1.crowdstrike.com` + * US-GOV-1: `https://api.laggar.gcw.crowdstrike.com` + . **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration] collects and ingests logs into {elastic-sec}. + 
diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index 27dece4a79..91e994eb3c 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc @@ -16,6 +16,8 @@ You can perform response actions on hosts enrolled in other third-party endpoint * Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription]. * Each response action type has its own user role privilege requirements. Find an action's role requirements at <>. + +* Additional <> is required to connect {elastic-sec} with the third-party system. -- [discrete] diff --git a/docs/release-notes/8.15.asciidoc b/docs/release-notes/8.15.asciidoc index 343c5f758f..2edf77873e 100644 --- a/docs/release-notes/8.15.asciidoc +++ b/docs/release-notes/8.15.asciidoc @@ -108,6 +108,20 @@ On September 5, 2024, this issue was resolved. ==== // end::known-issue-14686[] +// tag::known-issue-crowdstrike-response-actions[] +[discrete] +.CrowdStrike response actions (isolate and release host) not working +[%collapsible] +==== +*Details* + +A bug prevented third-party response actions with CrowdStrike from working. + +*Workaround* + +Upgrade to 8.15.1 or later. + +==== +// end::known-issue-crowdstrike-response-actions[] + [discrete] [[breaking-changes-8.15.0]] ==== Breaking changes diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.mdx b/docs/serverless/endpoint-response-actions/response-actions-config.mdx index 983060651e..f760e4a602 100644 --- a/docs/serverless/endpoint-response-actions/response-actions-config.mdx +++ b/docs/serverless/endpoint-response-actions/response-actions-config.mdx 
@@ -35,8 +35,15 @@ Select a tab below for your endpoint security system: 1. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions. - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client. + * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts. - - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike.

+ - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike. + + - The base URL varies depending on your CrowdStrike account type: + * US-1: `https://api.crowdstrike.com` + * US-2: `https://api.us-2.crowdstrike.com` + * EU-1: `https://api.eu-1.crowdstrike.com` + * US-GOV-1: `https://api.laggar.gcw.crowdstrike.com`

1. **Install the CrowdStrike integration and ((agent)).** Elastic's [CrowdStrike integration](((integrations-docs))/crowdstrike) collects and ingests logs into ((elastic-sec)). 1. Go to **Project Settings** → **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**. diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.mdx b/docs/serverless/endpoint-response-actions/third-party-actions.mdx index edf2841e27..7d1dd9ec01 100644 --- a/docs/serverless/endpoint-response-actions/third-party-actions.mdx +++ b/docs/serverless/endpoint-response-actions/third-party-actions.mdx @@ -19,6 +19,8 @@ You can perform response actions on hosts enrolled in other third-party endpoint * Each response action type has its own user role privilege requirements. Find an action's role requirements at . +* Additional configuration is required to connect ((elastic-sec)) with the third-party system. + ## Supported systems and response actions
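Review bot: In the `response-actions-config.asciidoc` hunk, the new base URL list tells readers the URL "varies depending on your CrowdStrike account type" but not how to determine which of US-1, US-2, EU-1 or US-GOV-1 their tenant is; since the step already defers to CrowdStrike's docs, add a short pointer there or a sentence on where the region is shown in the CrowdStrike console, so a user does not end up sending the client secret to the wrong cloud endpoint. The nested `* To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts.` line is a good concrete least-privilege statement and worth keeping identical in the serverless copy.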
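Review bot: In the `third-party-actions.asciidoc` hunk, the added bullet `* Additional <> is required to connect {elastic-sec} with the third-party system.` shows an xref with no visible target or link text, as does the existing `Find an action's role requirements at <>.` line above it; confirm both resolve to an existing anchor (the response-actions-config page for the new one) when the docs build, otherwise the sentence renders as "Additional is required".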
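Review bot: In the `8.15.asciidoc` hunk, the *Details* text `A bug prevented third-party response actions with CrowdStrike from working.` does not name the affected release; say explicitly that 8.15.0 is affected, since the workaround is `Upgrade to 8.15.1 or later.` and readers of a combined 8.15 page need to know whether they are exposed. The preceding entry is tagged `known-issue-14686` with an issue number while the new one is `known-issue-crowdstrike-response-actions`; consider referencing the tracking issue or fix PR for consistency, and verify that an `include::` with `tag=known-issue-crowdstrike-response-actions` exists where the 8.15.0 known issues are assembled, because this patch only adds the tagged block.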
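Review bot: In the `response-actions-config.mdx` hunk, the `- Take note of the client ID, client secret, and base URL; ...` line is deleted and re-added with apparently identical text; if the only difference is indentation needed for the nested list, keep it, otherwise drop the churn so the diff shows only the real change. Note also that this copy nests `- The base URL varies depending on your CrowdStrike account type:` under the "Take note" item while the asciidoc copy adds it as a sibling bullet; pick one structure for both so the two renderings stay in sync.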
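Review bot: In the `third-party-actions.mdx` hunk, the added bullet `* Additional configuration is required to connect ((elastic-sec)) with the third-party system.` has no link to the configuration page, whereas the asciidoc counterpart uses a cross-reference; add a link to the serverless response-actions-config page so readers can reach the setup steps from this requirement.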