
[Request] Document the availability of processes response actions for SentinelOne hosts #5638

Closed
paul-tavares opened this issue Aug 1, 2024 · 0 comments
Assignees: joepeeples

Labels:
  - Effort: Medium (issues that take moderate but not substantial time to complete)
  - Feature: Response actions (also includes response console)
  - Team: EDR Workflows (formerly Defend Workflows, Onboarding and Lifecycle Management)
  - v8.16.0

Comments

@paul-tavares
Contributor

paul-tavares commented Aug 1, 2024

Description

The `processes` response action is being enabled for SentinelOne hosts, and thus we need to add/update documentation to indicate support for this EDR system.

Background & resources

To test, create a cloud env. from the latest SNAPSHOT and enable the `responseActionsSentinelOneProcessesEnabled` feature flag.

Which documentation set does this change impact?

ESS and serverless

ESS release

8.16

Serverless release

Week of August 20 — tracked in PR #5659 (Serverless-pub field emptied on this issue to avoid duplicating)

Feature differences

The `processes` response action has the same input as the one for Endpoint. However, the response displayed when the command is successful is different - specifically:

  1. For SentinelOne, the output of the `processes` response action command will not be displayed in the console's output. Instead, a file download link will be provided (just like in SentinelOne) that allows the user to download the action's results and look at the output.
  2. The file download for a SentinelOne `processes` command does not need a passcode to access the contents of the zip file, thus one will not be displayed in the UI next to the download button.

API docs impact

The `processes` response console command will now be available for use against SentinelOne hosts.

Prerequisites, privileges, feature flags

No response

paul-tavares added the "Team: EDR Workflows", "Feature: Response actions" and "v8.16.0" labels Aug 1, 2024
joepeeples self-assigned this Aug 1, 2024
joepeeples added a commit that referenced this issue Aug 2, 2024
joepeeples added a commit that referenced this issue Aug 20, 2024
…rule updates [serverless] (#5659)

* Incomplete first draft, serverless only

* Fills in config details, edits

* First draft of classic version

* Apply suggestions from Nastasha's review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Revise link to CrowdStrike connector docs

* Revise API client guidelines

* Revise detection rule guidelines

* Update serverless with revisions from feedback

* Draft the S1 `processes` action

Contributes to #5638

* Draft the S1 `kill-process` action

* Draft the new SIEM rule instructions

---------

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
joepeeples added the "Effort: Medium" label Sep 20, 2024