Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SentinelOne bidirectional processes, kill-process, and detection rule updates [ESS] #5735

Merged
merged 6 commits into from
Sep 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 14 additions & 9 deletions docs/management/admin/response-actions-config.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -113,16 +113,21 @@ IMPORTANT: Do not create more than one SentinelOne connector.
- **API token**: The SentinelOne API access token you generated previously, with permission to read SentinelOne data and perform actions on enrolled hosts.
.. Click **Save**.
. **Create and enable a rule to generate {elastic-sec} alerts.** Create a <<create-custom-rule,custom query detection rule>> to generate {elastic-sec} alerts whenever SentinelOne generates alerts.
. **Create and enable detection rules to generate {elastic-sec} alerts.** Create <<create-custom-rule,detection rules>> to generate {elastic-sec} alerts based on SentinelOne events and data.
+
Use these settings when creating the custom query rule to target the data collected from SentinelOne:
This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that a rule creates, by using the **Take action** menu in the alert details flyout.
+
--
- **Index patterns**: `logs-sentinel_one.alert*`
- **Custom query**: `observer.serial_number:*`
--
When creating a rule, you can target any event containing a SentinelOne agent ID field. Use one or more of these index patterns:
+
NOTE: Do not include any other index patterns or query parameters.
[cols="1,1"]
|===
|Index pattern |SentinelOne agent ID field
|`logs-sentinel_one.alert*` |`sentinel_one.alert.agent.id`
|`logs-sentinel_one.threat*` |`sentinel_one.threat.agent.id`
|`logs-sentinel_one.activity*` |`sentinel_one.activity.agent.id`
|`logs-sentinel_one.agent*` |`sentinel_one.agent.agent.id`
|===
+
This gives you visibility into SentinelOne without needing to leave {elastic-sec}. You can perform supported endpoint response actions directly from alerts that the rule creates, by using the **Take action** menu in the alert details flyout.
====
NOTE: Do not include any other index patterns.
====
11 changes: 11 additions & 0 deletions docs/management/admin/response-actions.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ Example: `release --comment "Release host, everything looks OK"`
Show information about the host's status, including: {agent} status and version, the {elastic-defend} integration's policy status, and when the host was last active.

[discrete]
[[processes]]
=== `processes`
Show a list of all processes running on the host. This action may take a minute or so to complete.

Expand All @@ -81,7 +82,10 @@ Use this command to get current PID or entity ID values, which are required for
Entity IDs may be more reliable than PIDs, because entity IDs are unique values on the host, while PID values can be reused by the operating system.
====

NOTE: Running this command on third-party-protected hosts might return the process list in a different format. Refer to <<third-party-actions>> for more information.

[discrete]
[[kill-process]]
=== `kill-process`

Terminate a process. You must include one of the following parameters to identify the process to terminate:
Expand All @@ -93,6 +97,13 @@ Required privilege: *Process Operations*

Example: `kill-process --pid 123 --comment "Terminate suspicious process"`

[NOTE]
====
For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported.
Example: `kill-process --processName cat --comment "Terminate suspicious process"`
====

[discrete]
=== `suspend-process`

Expand Down
11 changes: 11 additions & 0 deletions docs/management/admin/third-party-actions.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -52,4 +52,15 @@ Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,r
+
NOTE: For SentinelOne-enrolled hosts, you must use the password `Elastic@123` to open the retrieved file.

* **Get a list of processes running on a host** with the <<processes, `processes` response action>>. For SentinelOne-enrolled hosts, this command returns a link for downloading the process list in a file.

* **Terminate a process running on a host** with the <<kill-process, `kill-process` response action>>.
+
[NOTE]
====
For SentinelOne-enrolled hosts, you must use the parameter `--processName` to identify the process to terminate. `--pid` and `--entityId` are not supported.
Example: `kill-process --processName cat --comment "Terminate suspicious process"`
====

* **View past response action activity** in the <<response-actions-history,response actions history>> log.
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ Select a tab below for your endpoint security system:
| Index pattern | SentinelOne agent ID field |
| ----------------------------- | -------------------------------- |
| `logs-sentinel_one.alert*` | `sentinel_one.alert.agent.id` |
| `logs-sentinel_one.threat*` | `sentinel_one.threat.agent.id` |
| `logs-sentinel_one.threat*` | `sentinel_one.threat.agent.id` |
| `logs-sentinel_one.activity*` | `sentinel_one.activity.agent.id` |
| `logs-sentinel_one.agent*` | `sentinel_one.agent.agent.id` |

Expand Down