elastic · joepeeples · Sep 18, 2024 · Sep 20, 2024 · Sep 24, 2024
@@ -38,8 +38,16 @@ Expand a section below for your endpoint security system:
 . **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions.
 +
 - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client.
+   * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts.
+
 - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure {elastic-sec} components to access CrowdStrike.
 
+- The base URL varies depending on your CrowdStrike account type:
+   * US-1:  `https://api.crowdstrike.com`
+   * US-2: `https://api.us-2.crowdstrike.com`
+   * EU-1: `https://api.eu-1.crowdstrike.com`
+   * US-GOV-1: `https://api.laggar.gcw.crowdstrike.com`
+
 . **Install the CrowdStrike integration and {agent}.** Elastic's {integrations-docs}/crowdstrike[CrowdStrike integration]
  collects and ingests logs into {elastic-sec}.
 +

@@ -16,6 +16,8 @@ You can perform response actions on hosts enrolled in other third-party endpoint
 * Third-party response actions require an https://www.elastic.co/pricing[Enterprise subscription].
 
 * Each response action type has its own user role privilege requirements. Find an action's role requirements at <<response-actions>>.
+
+* Additional <<response-actions-config,configuration>> is required to connect {elastic-sec} with the third-party system.
 --
 
 [discrete]

@@ -108,6 +108,20 @@ On September 5, 2024, this issue was resolved.
 ====
 // end::known-issue-14686[]
 
+// tag::known-issue-crowdstrike-response-actions[]
+[discrete]
+.CrowdStrike response actions (isolate and release host) not working
+[%collapsible]
+====
+*Details* +
+A bug prevented third-party response actions with CrowdStrike from working.
+
+*Workaround* +
+Upgrade to 8.15.1 or later.
+
+====
+// end::known-issue-crowdstrike-response-actions[]
+
 [discrete]
 [[breaking-changes-8.15.0]]
 ==== Breaking changes

@@ -35,8 +35,15 @@ Select a tab below for your endpoint security system:
     1. **Enable API access in CrowdStrike.** Create an API client in CrowdStrike to allow access to the system. Refer to CrowdStrike's docs for instructions.
 
         - Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client.
+            * To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts.
 
-        - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike.<br /><br />
+        - Take note of the client ID, client secret, and base URL; you'll need them in later steps when you configure ((elastic-sec)) components to access CrowdStrike.
+
+        - The base URL varies depending on your CrowdStrike account type:
+            * US-1:  `https://api.crowdstrike.com`
+            * US-2: `https://api.us-2.crowdstrike.com`
+            * EU-1: `https://api.eu-1.crowdstrike.com`
+            * US-GOV-1: `https://api.laggar.gcw.crowdstrike.com`<br /><br />
 
     1. **Install the CrowdStrike integration and ((agent)).** Elastic's [CrowdStrike integration](((integrations-docs))/crowdstrike) collects and ingests logs into ((elastic-sec)).
         1. Go to **Project Settings** → **Integrations**, search for and select **CrowdStrike**, then select **Add CrowdStrike**.

@@ -19,6 +19,8 @@ You can perform response actions on hosts enrolled in other third-party endpoint
 
 * Each response action type has its own user role privilege requirements. Find an action's role requirements at <DocLink slug="/serverless/security/response-actions" />.
 
+* Additional <DocLink slug="/serverless/security/response-actions-config">configuration</DocLink> is required to connect ((elastic-sec)) with the third-party system.
+
 </DocCallOut>
 
 ## Supported systems and response actions