From 5c3b32bba9a1b8528b4cde6f01899672c51d162d Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Fri, 17 Jan 2025 13:22:45 +0000
Subject: [PATCH 1/5] Adds new runscript Crowdstrike response action

---
 .../admin/response-actions.asciidoc           | 19 +++++++++++++++++
 .../admin/third-party-actions.asciidoc        |  2 ++
 .../response-actions.asciidoc                 | 21 +++++++++++++++++++
 .../third-party-actions.asciidoc              |  2 ++
 4 files changed, 44 insertions(+)

diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
index 277cb9e680..0bbd34733c 100644
--- a/docs/management/admin/response-actions.asciidoc
+++ b/docs/management/admin/response-actions.asciidoc
@@ -192,6 +192,25 @@ Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads fold
 
 NOTE: Scanning can take longer for directories containing a lot of files.
 
+[discrete]
+[[runscript]]
+=== `runscript`
+
+Run a script on a host. You must include one of the following parameters to identify the script you want to run:
+
+* `--Raw`: The full script content provided directly as a string.
+* `--CloudFile`: The name of the script stored in a cloud storage location.
+* `--HostPath`: The absolute or relative file path of the script located on the host machine.
+
+You can also use these optional parameters:
+
+* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
+* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to TBD.
+
+Required privilege: TBD
+
+Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true"` 
+
 [discrete]
 [[supporting-commands-parameters]]
 == Supporting commands and parameters
diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc
index c2367a16f3..eb0650f511 100644
--- a/docs/management/admin/third-party-actions.asciidoc
+++ b/docs/management/admin/third-party-actions.asciidoc
@@ -35,6 +35,8 @@ These response actions are supported for CrowdStrike-enrolled hosts:
 +
 Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.
 
+* **Run a script on a host** with the <<runscript,`runscript` response action>>.
+
 [discrete]
 [[sentinelone-response-actions]]
 == SentinelOne response actions
diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
index 82012f892a..646d2377b3 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
@@ -241,6 +241,27 @@ Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads fold
 Scanning can take longer for directories containing a lot of files.
 ====
 
+[discrete]
+[[runscript]]
+=== `runscript`
+
+Run a script on a host. You must include one of the following parameters to identify the script you want to run:
+
+* `--Raw`: The full script content provided directly as a string.
+* `--CloudFile`: The name of the script stored in a cloud storage location.
+* `--HostPath`: The absolute or relative file path of the script located on the host machine.
+
+You can also use these optional parameters:
+
+* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
+* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to TBD.
+
+Predefined role: TBD
+
+Custom role privilege: TBD
+
+Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true"` 
+
 [discrete]
 [[supporting-commands-parameters]]
 == Supporting commands and parameters
diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
index 9963946888..950f4fbce9 100644
--- a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
@@ -44,6 +44,8 @@ These response actions are supported for CrowdStrike-enrolled hosts:
 +
 Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.
 
+* **Run a script on a host** with the <<runscript,`runscript` response action>>.
+
 ++++
   </div>
   <div tabindex="0" role="tabpanel" id="endpoint-response-actions-third-party-actions-sentinelone-panel" aria-labelledby="endpoint-response-actions-third-party-actions-sentinelone-button" hidden="">

From 59d9d73831c3abfa1953d5cfb3d9509490b0c5ca Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Mon, 20 Jan 2025 11:51:34 +0000
Subject: [PATCH 2/5] Add missing information

---
 docs/management/admin/response-actions.asciidoc             | 4 ++--
 .../endpoint-response-actions/response-actions.asciidoc     | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
index 0bbd34733c..cac556ff69 100644
--- a/docs/management/admin/response-actions.asciidoc
+++ b/docs/management/admin/response-actions.asciidoc
@@ -205,9 +205,9 @@ Run a script on a host. You must include one of the following parameters to iden
 You can also use these optional parameters:
 
 * `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
-* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to TBD.
+* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds.
 
-Required privilege: TBD
+Required privilege: **Execute Operations**
 
 Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true"` 
 
diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
index 646d2377b3..fab0f3448d 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
@@ -254,11 +254,11 @@ Run a script on a host. You must include one of the following parameters to iden
 You can also use these optional parameters:
 
 * `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
-* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to TBD.
+* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds.
 
-Predefined role: TBD
+Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst**
 
-Custom role privilege: TBD
+Custom role privilege: **Execute Operations**
 
 Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true"` 
 

From 9e7adb7bb3415be25607eee3646933641f22236f Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Mon, 20 Jan 2025 13:55:27 +0000
Subject: [PATCH 3/5] Updates example

---
 docs/management/admin/response-actions.asciidoc                 | 2 +-
 .../endpoint-response-actions/response-actions.asciidoc         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
index cac556ff69..4c87a7e36d 100644
--- a/docs/management/admin/response-actions.asciidoc
+++ b/docs/management/admin/response-actions.asciidoc
@@ -209,7 +209,7 @@ You can also use these optional parameters:
 
 Required privilege: **Execute Operations**
 
-Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true"` 
+Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` 
 
 [discrete]
 [[supporting-commands-parameters]]
diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
index fab0f3448d..49954519ea 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
@@ -260,7 +260,7 @@ Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations a
 
 Custom role privilege: **Execute Operations**
 
-Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true"` 
+Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` 
 
 [discrete]
 [[supporting-commands-parameters]]

From cf499ea91bd5174a09a14c22353eec761cf53c6a Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Tue, 21 Jan 2025 10:57:57 +0000
Subject: [PATCH 4/5] Address feedback

---
 docs/management/admin/response-actions.asciidoc      | 10 +++++++++-
 docs/management/admin/third-party-actions.asciidoc   |  2 ++
 .../response-actions.asciidoc                        | 12 ++++++++++--
 .../third-party-actions.asciidoc                     |  2 ++
 4 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
index 4c87a7e36d..8fbbd0c481 100644
--- a/docs/management/admin/response-actions.asciidoc
+++ b/docs/management/admin/response-actions.asciidoc
@@ -196,6 +196,8 @@ NOTE: Scanning can take longer for directories containing a lot of files.
 [[runscript]]
 === `runscript`
 
+NOTE: This response action is supported only for <<crowdstrike-response-actions, CrowdStrike-enrolled hosts>>.
+
 Run a script on a host. You must include one of the following parameters to identify the script you want to run:
 
 * `--Raw`: The full script content provided directly as a string.
@@ -209,7 +211,13 @@ You can also use these optional parameters:
 
 Required privilege: **Execute Operations**
 
-Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` 
+Examples:
+
+`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180`
+
+`runscript --Raw="Get-ChildItem."`
+
+`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`
 
 [discrete]
 [[supporting-commands-parameters]]
diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc
index eb0650f511..7cfa088d9c 100644
--- a/docs/management/admin/third-party-actions.asciidoc
+++ b/docs/management/admin/third-party-actions.asciidoc
@@ -37,6 +37,8 @@ Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,r
 
 * **Run a script on a host** with the <<runscript,`runscript` response action>>.
 
+* **View past response action activity** in the <<response-actions-history,response actions history>> log.
+
 [discrete]
 [[sentinelone-response-actions]]
 == SentinelOne response actions
diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
index 49954519ea..1cb14815e5 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
@@ -245,6 +245,8 @@ Scanning can take longer for directories containing a lot of files.
 [[runscript]]
 === `runscript`
 
+NOTE: This response action is supported only for <<security-third-party-actions-supported-systems-and-response-actions, CrowdStrike-enrolled hosts>>.
+
 Run a script on a host. You must include one of the following parameters to identify the script you want to run:
 
 * `--Raw`: The full script content provided directly as a string.
@@ -256,11 +258,17 @@ You can also use these optional parameters:
 * `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
 * `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds.
 
-Predefined role: **Tier 3 analyst**, **SOC manager**, or **Endpoint operations analyst**
+Predefined role: **SOC manager** or **Endpoint operations analyst**
 
 Custom role privilege: **Execute Operations**
 
-Example: `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` 
+Examples:
+
+`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` 
+
+`runscript --Raw="Get-ChildItem."`
+
+`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`
 
 [discrete]
 [[supporting-commands-parameters]]
diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
index 950f4fbce9..e239575bd2 100644
--- a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
@@ -46,6 +46,8 @@ Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,r
 
 * **Run a script on a host** with the <<runscript,`runscript` response action>>.
 
+* **View past response action activity** in the <<security-response-actions-history,response actions history>> log.
+
 ++++
   </div>
   <div tabindex="0" role="tabpanel" id="endpoint-response-actions-third-party-actions-sentinelone-panel" aria-labelledby="endpoint-response-actions-third-party-actions-sentinelone-button" hidden="">

From 9ed81fa303923ac14d375570e69f4cf1d2d55f22 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <natasha.moore@elastic.co>
Date: Tue, 21 Jan 2025 11:51:06 +0000
Subject: [PATCH 5/5] Update example

---
 docs/management/admin/response-actions.asciidoc                 | 2 +-
 .../endpoint-response-actions/response-actions.asciidoc         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
index 8fbbd0c481..56428764cb 100644
--- a/docs/management/admin/response-actions.asciidoc
+++ b/docs/management/admin/response-actions.asciidoc
@@ -215,7 +215,7 @@ Examples:
 
 `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180`
 
-`runscript --Raw="Get-ChildItem."`
+`runscript --Raw=```Get-ChildItem.````
 
 `runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`
 
diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
index 1cb14815e5..5194588b20 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
@@ -266,7 +266,7 @@ Examples:
 
 `runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` 
 
-`runscript --Raw="Get-ChildItem."`
+`runscript --Raw=```Get-ChildItem.````
 
 `runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`