SentinelOne bidirectional processes, kill-process, and detection …

…rule updates [ESS] (#5735) * Fix no-op typo in MDX * Draft all the changes from serverless * Remove weird extra spaces * Fix table header row
elastic · Sep 18, 2024 · 9c34da7 · 9c34da7
1 parent 5e7608d
commit 9c34da7
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 10 deletions.
diff --git a/docs/management/admin/response-actions-config.asciidoc b/docs/management/admin/response-actions-config.asciidoc
@@ -113,16 +113,21 @@ IMPORTANT: Do not create more than one SentinelOne connector.
    - **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts.
 .. Click **Save**.
 
-. **Create and enable a rule to generate {elastic-sec} alerts.** Create a <<create-custom-rule,custom query detection rule>> to generate {elastic-sec} alerts whenever SentinelOne generates alerts. 
+. **Create and enable detection rules to generate {elastic-sec} alerts.** Create <<create-custom-rule,detection rules>> to generate {elastic-sec} alerts based on SentinelOne events and data. 
 +
-Use these settings when creating the custom query rule to target the data collected from SentinelOne:
+This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout.
 +
---
-- **Index patterns**: `logs-sentinel_one.alert*`
-- **Custom query**: `observer.serial_number:*`
---
+When creating a rule, you can target any event containing a SentinelOne agent ID field. Use one or more of these index patterns:
 +
-NOTE: Do not include any other index patterns or query parameters.
+[cols="1,1"]
+|===
+|Index pattern                 |SentinelOne agent ID field
+
+|`logs-sentinel_one.alert*`    |`sentinel_one.alert.agent.id`
+|`logs-sentinel_one.threat*`   |`sentinel_one.threat.agent.id`
+|`logs-sentinel_one.activity*` |`sentinel_one.activity.agent.id`
+|`logs-sentinel_one.agent*`    |`sentinel_one.agent.agent.id`
+|===
 +
-This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout.
-====
+NOTE: Do not include any other index patterns.
+====
diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
@@ -69,6 +69,7 @@ Example: `release --comment "Release host, everything looks OK"`
 Show information about the host's status, including: {agent} status and version, the {elastic-defend} integration's policy status, and when the host was last active.
 
 [discrete]
+[[processes]]
 === `processes`
 Show a list of all processes running on the host. This action may take a minute or so to complete.
 
@@ -81,7 +82,10 @@ Use this command to get current PID or entity ID values, which are required for
 Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system.
 ====
 
+NOTE: Running this command on third-party-protected hosts might return the process list in a different format. Refer to <<third-party-actions>> for more information.
+
 [discrete]
+[[kill-process]]
 === `kill-process`
 
 Terminate a process. You must include one of the following parameters to identify the process to terminate:
@@ -93,6 +97,13 @@ Required privilege: *Process Operations*
 
 Example: `kill-process --pid 123 --comment "Terminate suspicious process"`
 
+[NOTE]
+====
+For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported.
+
+Example: `kill-process --processName cat --comment "Terminate suspicious process"`
+====
+
 [discrete]
 === `suspend-process`
 

diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc
@@ -52,4 +52,15 @@ Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,r
 +
 NOTE: For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file.
 
+* **Get a list of processes running on a host** with the <<processes, `processes` response action>>. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.
+
+* **Terminate a process running on a host** with the <<kill-process, `kill-process` response action>>.
++
+[NOTE]
+====
+For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported.
+
+Example: `kill-process --processName cat --comment "Terminate suspicious process"`
+====
+
 * **View past response action activity** in the <<response-actions-history,response actions history>> log.
diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.mdx b/docs/serverless/endpoint-response-actions/response-actions-config.mdx
@@ -117,7 +117,7 @@ Select a tab below for your endpoint security system:
         | Index pattern                 | SentinelOne agent ID field       |
         | ----------------------------- | -------------------------------- |
         | `logs-sentinel_one.alert*`    | `sentinel_one.alert.agent.id`    |
-        | `logs-sentinel_one.threat*`   |  `sentinel_one.threat.agent.id`  |
+        | `logs-sentinel_one.threat*`   | `sentinel_one.threat.agent.id`   |
         | `logs-sentinel_one.activity*` | `sentinel_one.activity.agent.id` |
         | `logs-sentinel_one.agent*`    | `sentinel_one.agent.agent.id`    |