[Jan 28] Adds new runscript Crowdstrike response action (#6435)

* Adds new runscript Crowdstrike response action * Add missing information * Updates example * Address feedback * Update example
elastic · Jan 28, 2025 · 4a52fe9 · 4a52fe9
1 parent 285d9d3
commit 4a52fe9
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 0 deletions.
diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
@@ -192,6 +192,33 @@ Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads fold
 
 NOTE: Scanning can take longer for directories containing a lot of files.
 
+[discrete]
+[[runscript]]
+=== `runscript`
+
+NOTE: This response action is supported only for <<crowdstrike-response-actions, CrowdStrike-enrolled hosts>>.
+
+Run a script on a host. You must include one of the following parameters to identify the script you want to run:
+
+* `--Raw`: The full script content provided directly as a string.
+* `--CloudFile`: The name of the script stored in a cloud storage location.
+* `--HostPath`: The absolute or relative file path of the script located on the host machine.
+
+You can also use these optional parameters:
+
+* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
+* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds.
+
+Required privilege: **Execute Operations**
+
+Examples:
+
+`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180`
+
+`runscript --Raw=```Get-ChildItem.````
+
+`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`
+
 [discrete]
 [[supporting-commands-parameters]]
 == Supporting commands and parameters

diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc
@@ -33,6 +33,10 @@ These response actions are supported for CrowdStrike-enrolled hosts:
 +
 Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.
 
+* **Run a script on a host** with the <<runscript,`runscript` response action>>.
+
+* **View past response action activity** in the <<response-actions-history,response actions history>> log.
+
 [discrete]
 [[defender-response-actions]]
 == Microsoft Defender for Endpoint response actions

diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
@@ -241,6 +241,35 @@ Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads fold
 Scanning can take longer for directories containing a lot of files.
 ====
 
+[discrete]
+[[runscript]]
+=== `runscript`
+
+NOTE: This response action is supported only for <<security-third-party-actions-supported-systems-and-response-actions, CrowdStrike-enrolled hosts>>.
+
+Run a script on a host. You must include one of the following parameters to identify the script you want to run:
+
+* `--Raw`: The full script content provided directly as a string.
+* `--CloudFile`: The name of the script stored in a cloud storage location.
+* `--HostPath`: The absolute or relative file path of the script located on the host machine.
+
+You can also use these optional parameters:
+
+* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
+* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds.
+
+Predefined role: **SOC manager** or **Endpoint operations analyst**
+
+Custom role privilege: **Execute Operations**
+
+Examples:
+
+`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` 
+
+`runscript --Raw=```Get-ChildItem.````
+
+`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`
+
 [discrete]
 [[supporting-commands-parameters]]
 == Supporting commands and parameters

diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
@@ -45,6 +45,10 @@ These response actions are supported for CrowdStrike-enrolled hosts:
 +
 Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.
 
+* **Run a script on a host** with the <<runscript,`runscript` response action>>.
+
+* **View past response action activity** in the <<security-response-actions-history,response actions history>> log.
+
 ++++
   </div>
   <div tabindex="0" role="tabpanel" id="endpoint-response-actions-third-party-actions-defender-panel" aria-labelledby="endpoint-response-actions-third-party-actions-defender-button" hidden="">