Automated endpoint response actions on rules (kill/suspend process) #4890

Merged
merged 6 commits into from
Mar 18, 2024
Binary file modified docs/detections/images/available-response-actions.png
6 changes: 3 additions & 3 deletions docs/detections/rules-ui-create.asciidoc
Expand Up @@ -681,11 +681,11 @@ Example using the mustache "current element" notation `{{.}}` to output all the
[float]
[[rule-response-action]]
=== Set up response actions (optional)
Use Response Actions to set up additional functionality that will run whenever a rule executes.
Use Response Actions to set up additional functionality that will run whenever a rule executes:

The Osquery Response Action allows you to include live Osquery queries with a custom query rule. When an alert is generated, Osquery automatically collects data on the system related to the alert. Refer to <<osquery-response-action>> to learn more.
* **Osquery**: Include live Osquery queries with a custom query rule. When an alert is generated, Osquery automatically collects data on the system related to the alert. Refer to <<osquery-response-action>> to learn more.

The Endpoint Security response action allows you to automatically run response actions on an endpoint when rule conditions are met. Refer to <<isolate-a-host>> to learn more.
* **{elastic-defend}**: Automatically run response actions on an endpoint when rule conditions are met. For example, you can automatically isolate a host or terminate a process when specific activity or events are detected on the host. Refer to <<automated-response-actions>> to learn more.

IMPORTANT: Host isolation involves quarantining a host from the network to prevent further spread of threats and limit potential damage. Be aware that automatic host isolation can cause unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.

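Review bot: The IMPORTANT admonition that closes this hunk still warns only about automatic host isolation, while the rewritten {elastic-defend} bullet above it now also says a rule can "terminate a process" when its conditions are met. A rule that fires on a false positive would kill or suspend a legitimate process just as it would isolate a legitimate host, so either broaden the caution to cover process termination and suspension, or drop it here in favour of a single copy on the new <<automated-response-actions>> page the bullet now links to, so the two warnings cannot drift apart.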
42 changes: 42 additions & 0 deletions docs/management/admin/automated-response-actions.asciidoc
@@ -0,0 +1,42 @@
[[automated-response-actions]]
= Automated response actions

:frontmatter-description: Automatically respond to events with endpoint response actions triggered by detection rules.
:frontmatter-tags-products: [security]
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [manage]

Add {elastic-defend}'s <<response-actions,response actions>> to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events.

.Requirements
[sidebar]
--
* Automated response actions require an https://www.elastic.co/pricing[Enterprise subscription].
* Hosts must have {agent} installed with the {elastic-defend} integration.
* Your user role must have the ability to create detection rules and the <<endpoint-management-req,privilege>> to perform specific response actions (for example, the **Host Isolation** privilege to isolate hosts).
* You can only add automated response actions to custom query rules.
--

You can add automated response actions to a new or existing custom query rule.

. Do one of the following:
* *New rule*: On the last step of <<create-custom-rule,custom query rule>> creation, go to the **Response Actions** section and select **{elastic-defend}**.
* *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section.

. Select an option in the **Response action** field:
+
--
* **Isolate**: <<host-isolation-ov,Isolate the host>>, blocking communication with other hosts on the network.
* **Kill process**: Terminate a process on the host.
* **Suspend process**: Temporarily suspend a process on the host.
--
+
IMPORTANT: Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.

. For process actions, specify how to identify the process you want to terminate or suspend:
* Turn on the toggle to use the alert's **process.pid** value as the identifier.
* To use a different alert field value to identify the process, turn off the toggle and enter the **Custom field name**.

. Enter a comment describing why you’re performing the action on the host (optional).

. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules).
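Review bot: Step 3 tells the reader to identify the process by the alert's **process.pid** value or by a **Custom field name**, but the page never says what happens when that field is absent from the alert document or when the PID no longer belongs to a running process by the time the action executes. Add a sentence describing that failure case and point readers to the response actions history page (included alongside this one in manage-intro.asciidoc) so they can confirm whether an automated kill or suspend actually succeeded. The IMPORTANT note under step 2 also covers only **Isolate** even though **Kill process** and **Suspend process** are listed in the same step; consider extending it to all three options.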
6 changes: 3 additions & 3 deletions docs/management/admin/host-isolation-ov.asciidoc
Expand Up @@ -82,9 +82,9 @@ NOTE: The host isolation endpoint response action is an https://www.elastic.co/p
IMPORTANT: Be aware that automatic host isolation can result in unintended consequences, such as disrupting legitimate user activities or blocking critical business processes.

. Add an endpoint response action to a new or existing custom query rule. The endpoint response action will run whenever rule conditions are met:
** *New rule*: On the last step of <<create-custom-rule,custom query rule>> creation, go to the Response Actions section and click the *Endpoint Security* icon.
** *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, click the *Endpoint Security* icon under the Response Actions section.
. Click the **Response action** field, then select **Isolate**.
** *New rule*: On the last step of <<create-custom-rule,custom query rule>> creation, go to the **Response Actions** section and select **{elastic-defend}**.
** *Existing rule*: Edit the rule's settings, then go to the *Actions* tab. In the tab, select **{elastic-defend}** under the **Response Actions** section.
. In the **Response action** field, select **Isolate**.
. Enter a comment describing why you’re isolating the host (optional).
. To finish adding the response action, click **Create & enable rule** (for a new rule) or **Save changes** (for existing rules).
====
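Review bot: Steps 1 and 2 of this procedure now repeat, almost word for word, steps 1 and 2 of the new automated-response-actions.asciidoc added in this PR, with only the **Isolate** selection in step 3 being specific to this page. The old "Endpoint Security icon" wording being corrected here shows how easily two copies drift, so consider reducing this block to a short pointer to <<automated-response-actions>> that names **Isolate** as the option to select, and keep the IMPORTANT warning (which is also duplicated on the new page) in one place.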
1 change: 1 addition & 0 deletions docs/management/manage-intro.asciidoc
Expand Up @@ -6,6 +6,7 @@ The following section provides an overview of the management tools admins can us

include::{security-docs-root}/docs/management/admin/admin-pg-ov.asciidoc[leveloffset=+1]
include::{security-docs-root}/docs/management/admin/response-actions.asciidoc[leveloffset=+2]
include::{security-docs-root}/docs/management/admin/automated-response-actions.asciidoc[leveloffset=+2]
include::{security-docs-root}/docs/management/admin/response-actions-history.asciidoc[leveloffset=+2]
include::{security-docs-root}/docs/management/admin/host-isolation-ov.asciidoc[leveloffset=+2]
include::{security-docs-root}/docs/management/admin/response-actions-config.asciidoc[leveloffset=+2]