[Request] Crowdstrike additional third-party response actions

[raqueltabuyo]

What can we change to make the docs better?

Description
We are adding new third-party actions to Crowdstrike response actions, which will allow users to execute remote commands using Crowdstrike agent through Elastic Security.

This is similar to the functionality (and docs) we previously added for Sentinel One and Crowdstrike: https://www.elastic.co/guide/en/security/current/third-party-actions.html

Background & resources
PRs:

• [EDR Workflows] Initialize CrowdStrike session API kibana#201420
• [EDR Workflows] Add RunScript CS Command - UI kibana#202012
• [EDR Workflows] Add RunScript API route (supporting CrowdStrike) kibana#203101
• [EDR Workflows] CrowdStrike RTR connector's sub actions kibana#203420
• [EDR Workflows] CrowdStrike RunScript: Log Actions and UI Output kibana#204044

Issues/metas: https://github.com/elastic/security-team/issues/10873
Point of contact: @caitlinbetz @tomsonpl @raqueltabuyo @ashokaditya @paul-tavares
Test environments:

Doc URL

This is similar to the functionality (and docs) we previously added for Sentinel One and Crowdstrike: https://www.elastic.co/guide/en/security/current/third-party-actions.html
Github issue link(s)/Other resources:
https://github.com/elastic/security-team/issues/10873

Which documentation set needs improvement?

ESS and serverless

Software version

ESS release
8.18

Serverless release
January 27, 2025

Feature differences
Feature will be the same in serverless/ESS

ESS release: 8.18

API docs impact
TBD

Prerequisites, privileges, feature flags
ESS & Serverless, Kibana privileges:

Security solution privilege: TBD

Actions and Connectors privilege:: EDR Connectors

[tomsonpl]

@natasha-moore-elastic Hey 👋
I tried to leave as much details as possible in the PRs' description, but please reach out if there's something you'd like to talk about :)

[natasha-moore-elastic]

Hi @tomsonpl! I have a few questions to start with:

• Is there an environment you could share that we can use for testing out this feature?
• This [EDR Workflows] Add RunScript CS Command - UI kibana#202012 seems to be the main PR that introduces the runscript response action command. Are there any other new commands that we need to document?
• I’m not familiar with the concept of sub actions (mentioned in [EDR Workflows] CrowdStrike RTR connector's sub actions kibana#203420), and I don’t see any sub actions documented in our current docs. Is this a new concept and do we need to start documenting those?
• Is [EDR Workflows] Add RunScript API route (supporting CrowdStrike) kibana#203101 a public API? If so, it would need to be documented in our OAS API reference docs.

[tomsonpl]

Hey 👋

1. I am working on the env as of this moment and will send you the details asap 👍 However, it's not gonna be fully operational since I can't share credentials to access CrowdStrike (needed to return successful results)
2. No, just runscript this time :)
3. I don't think we need to mention sub-actions at all, it's an internal detail.
4. You're right, it's a public API. It wasn't included in OAS docs by coincidence. I am working on the fix [EDR Workflows] Add Runscript openApi schema  kibana#206044 so it will be included 👍

[tomsonpl]

Ok, I prepared both cloud and serverless environments, details below:
https://p.elstc.co/paste/267wQ-uV#1cF9ukTQ9jb8zXQQQsYd4mEviL3xtTxMJUXO1PihePm

In order to see CrowdStrike alert, please go to Security Alerts and change lookup time for 1 year (it's a pretty old alert). There will be just one created. Then use respond take action button to open Response Console.

Unfortunately we are limited with CrowdStrike access so the functionality will always return error, but you should be able to see the UI and --help.

If you'd prefer to have some Success results, I can arrange that (I'll provide screenshots).

Sorry for the inconvenience, and thanks for the help, hope this is enough :)