Commit

Draft the S1 processes action
Contributes to #5638
joepeeples committed Aug 2, 2024
1 parent f2a8682 commit e8c83be
Showing 2 changed files with 8 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ Example: `release --comment "Release host, everything looks OK"`
### `status`
Show information about the host's status, including: ((agent)) status and version, the ((elastic-defend)) integration's policy status, and when the host was last active.

<div id="processes"></div>
### `processes`
Show a list of all processes running on the host. This action may take a minute or so to complete.
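
Review bot: The `<div id="processes"></div>` anchor sits directly above `### processes` with no blank line between them, so depending on how the renderer treats an HTML block followed immediately by Markdown, the heading may be absorbed into the HTML block instead of rendering as a heading. Please confirm the preview still renders the heading, or add a blank line after the div. The link in the third-party actions file of this commit uses `section="processes"`, so this id and that attribute need to stay in sync if either is renamed.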

Expand All @@ -84,6 +85,10 @@ Entity IDs may be more reliable than PIDs, because entity IDs are unique values

</DocCallOut>

<DocCallOut title="Note">
Running this command on third-party-protected hosts might return the process list in a different format. Refer to <DocLink slug="/serverless/security/third-party-actions" /> for more information.
</DocCallOut>

### `kill-process`

Terminate a process. You must include one of the following parameters to identify the process to terminate:
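
Review bot: In the new Note callout, "might return the process list in a different format" is too vague for someone running `processes` during an investigation. The third-party actions file in this same commit says that for SentinelOne-enrolled hosts the command returns a link for downloading the process list in a file; suggest stating that here and naming the affected vendor instead of "third-party-protected hosts". The self-closing `<DocLink slug="/serverless/security/third-party-actions" />` also carries no link text, unlike the DocLink elements in the other file, so check that it renders a readable label.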
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,8 @@ The following third-party response actions are supported for CrowdStrike and Sen
For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file.
</DocCallOut>

- **View past response action activity** in the <DocLink slug="/serverless/security/response-actions-history">response actions history</DocLink> log.
- **Get a list of processes running on a host** with the <DocLink slug="/serverless/security/response-actions" section="processes">`processes` response action</DocLink>. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.<br /><br />

- **View past response action activity** in the <DocLink slug="/serverless/security/response-actions-history">response actions history</DocLink> log.
</DocTab>
</DocTabs>
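
Review bot: The new `processes` bullet says SentinelOne-enrolled hosts get a link for downloading the process list in a file, but it does not say whether that file needs the password that the callout just above requires for retrieved files. If it does, say so in the bullet or point to the callout; if it does not, say the file opens directly. The trailing `<br /><br />` at the end of the bullet, followed by a blank line, looks like a spacing workaround and can likely be dropped.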

0 comments on commit e8c83be