From 5d8d8e89c2bae39d53b92b6451bf7de65552fef3 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 2 Jun 2025 16:41:30 -0400 Subject: [PATCH 1/7] First draft --- solutions/security/endpoint-response-actions.md | 5 +++++ .../security/endpoint-response-actions/isolate-host.md | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/solutions/security/endpoint-response-actions.md b/solutions/security/endpoint-response-actions.md index a60000d96a..7a9f703523 100644 --- a/solutions/security/endpoint-response-actions.md +++ b/solutions/security/endpoint-response-actions.md @@ -40,6 +40,11 @@ Launch the response console from any of the following places in {{elastic-sec}}: * **Endpoints** page → **Actions** menu (**…**) → **Respond** * Endpoint details flyout → **Take action** → **Respond** * Alert details flyout → **Take action** → **Respond** + + ::::{note} + In {{serverless-short}}, you can also launch the response console from the event details flyout (event details flyout → **Take action** → **Respond**). + :::: + * Host details page → **Respond** To perform an action on the endpoint, enter a [response action command](/solutions/security/endpoint-response-actions.md#response-action-commands) in the input area at the bottom of the console, then press **Return**. Output from the action is displayed in the console. diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index 15ec18313a..ef97891b31 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md 
@@ -120,9 +120,9 @@ After the host is successfully isolated, an **Isolated** status is added to the ## Release a host [release-a-host] -::::{dropdown} Release a host from a detection alert -1. Open a detection alert: - +::::{dropdown} Release a host from an event ({{serverless-short only}}) or detection alert +1. Open an event ({{serverless-short}} only) or a detection alert: + * From the event analyzer view: Click an event. ({{serverless-short}} only) * From the Alerts table or Timeline: Click **View details** (![View details icon](/solutions/images/security-view-details-icon.png "title =20x20")). * From a case with an attached alert: Click **Show alert details** (**>**). @@ -132,7 +132,7 @@ After the host is successfully isolated, an **Isolated** status is added to the :::: -::::{dropdown} Release a host from an endpoint +::::{dropdown} Release a host from an event ({{serverless-short only}}) or detection alert 1. Find **Endpoints** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then either: * Select the appropriate endpoint in the **Endpoint** column, and click **Take action → Release host** in the endpoint details flyout. From 7a3648241f70c2f9865ba4f39c06a600089bf1f8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 3 Jun 2025 08:41:45 -0400 Subject: [PATCH 2/7] Replace variable --- .../security/endpoint-response-actions/isolate-host.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index ef97891b31..0b5b733ac0 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md 
@@ -120,9 +120,9 @@ After the host is successfully isolated, an **Isolated** status is added to the ## Release a host [release-a-host] -::::{dropdown} Release a host from an event ({{serverless-short only}}) or detection alert -1. Open an event ({{serverless-short}} only) or a detection alert: - * From the event analyzer view: Click an event. ({{serverless-short}} only) +::::{dropdown} Release a host from an event (Serverless only) or detection alert +1. Open an event (Serverless-short only) or a detection alert: + * From the event analyzer view: Click an event. (Serverless only) * From the Alerts table or Timeline: Click **View details** (![View details icon](/solutions/images/security-view-details-icon.png "title =20x20")). * From a case with an attached alert: Click **Show alert details** (**>**). From ca9f4d910764734d6ef5420b9780f506d4dab5b4 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 5 Jun 2025 12:36:42 -0400 Subject: [PATCH 3/7] Update solutions/security/endpoint-response-actions/isolate-host.md Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- solutions/security/endpoint-response-actions/isolate-host.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index 0b5b733ac0..e3207dfd5f 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md 
@@ -121,7 +121,7 @@ After the host is successfully isolated, an **Isolated** status is added to the ## Release a host [release-a-host] ::::{dropdown} Release a host from an event (Serverless only) or detection alert -1. Open an event (Serverless-short only) or a detection alert: +1. Open an event ({{serverless-short}} only) or a detection alert: * From the event analyzer view: Click an event. (Serverless only) * From the Alerts table or Timeline: Click **View details** (![View details icon](/solutions/images/security-view-details-icon.png "title =20x20")). * From a case with an attached alert: Click **Show alert details** (**>**). From e3fcfce117cc51b5210f20adf999004acad15c6c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 5 Jun 2025 12:39:43 -0400 Subject: [PATCH 4/7] Update solutions/security/endpoint-response-actions/isolate-host.md Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- solutions/security/endpoint-response-actions/isolate-host.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index e3207dfd5f..dfcacba426 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md 
@@ -122,7 +122,7 @@ After the host is successfully isolated, an **Isolated** status is added to the ::::{dropdown} Release a host from an event (Serverless only) or detection alert 1. Open an event ({{serverless-short}} only) or a detection alert: - * From the event analyzer view: Click an event. (Serverless only) + * From the event analyzer view: Click an event. ({{serverless-short}} only) * From the Alerts table or Timeline: Click **View details** (![View details icon](/solutions/images/security-view-details-icon.png "title =20x20")). * From a case with an attached alert: Click **Show alert details** (**>**). From 8ce8e2051062436e241bebedf98ee5dd846f3069 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 5 Jun 2025 12:41:41 -0400 Subject: [PATCH 5/7] Update solutions/security/endpoint-response-actions/isolate-host.md --- solutions/security/endpoint-response-actions/isolate-host.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index dfcacba426..765da637a5 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md @@ -132,7 +132,7 @@ After the host is successfully isolated, an **Isolated** status is added to the :::: -::::{dropdown} Release a host from an event ({{serverless-short only}}) or detection alert +::::{dropdown} Release a host from an endpoint 1. Find **Endpoints** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then either: * Select the appropriate endpoint in the **Endpoint** column, and click **Take action → Release host** in the endpoint details flyout. From 4aeb5081714942d279ed2c96bd9e4d5995e82577 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon Date: Thu, 5 Jun 2025 12:43:51 -0400 Subject: [PATCH 6/7] Moved change --- .../security/endpoint-response-actions/isolate-host.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index 765da637a5..d08b9c2a61 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md @@ -49,9 +49,9 @@ All actions executed on a host are tracked in the host’s response actions hist ## Isolate a host [isolate-a-host] -::::{dropdown} Isolate a host from a detection alert -1. Open a detection alert: - +::::{dropdown} Isolate a host from an event (Serverless only) or detection alert +1. Open an event ({{serverless-short}} only) or a detection alert: + * From the event analyzer view: Click an event. ({{serverless-short}} only) * From the Alerts table or Timeline: Click **View details** (![View details icon](/solutions/images/security-view-details-icon.png "title =20x20")). * From a case with an attached alert: Click **Show alert details** (**>**). From edb807cdc43bd78040d59c92a7beded7291b5727 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Thu, 5 Jun 2025 12:50:55 -0400 Subject: [PATCH 7/7] a --- solutions/security/endpoint-response-actions/isolate-host.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/endpoint-response-actions/isolate-host.md b/solutions/security/endpoint-response-actions/isolate-host.md index d08b9c2a61..9477ff65cf 100644 --- a/solutions/security/endpoint-response-actions/isolate-host.md +++ b/solutions/security/endpoint-response-actions/isolate-host.md 
@@ -49,7 +49,7 @@ All actions executed on a host are tracked in the host’s response actions hist ## Isolate a host [isolate-a-host] -::::{dropdown} Isolate a host from an event (Serverless only) or detection alert +::::{dropdown} Isolate a host from an event (Serverless only) or a detection alert 1. Open an event ({{serverless-short}} only) or a detection alert: * From the event analyzer view: Click an event. ({{serverless-short}} only) * From the Alerts table or Timeline: Click **View details** (![View details icon](/solutions/images/security-view-details-icon.png "title =20x20")).
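Review bot: in the endpoint-response-actions.md hunk of PATCH 1/7 the `::::{note}` admonition is dropped between two bullets of the launch-points list (after the alert details flyout bullet and before `* Host details page → **Respond**`) with a single leading space on each line, so it splits the list and the `Host details page` entry renders as a separate one-item list. Move the admonition after the last bullet, or indent it to the item content column so it nests under the flyout bullets; a simpler alternative is a regular bullet `* Event details flyout → **Take action** → **Respond** ({{serverless-short}} only)`, which matches the `({{serverless-short}} only)` wording the same series uses for the event analyzer option in isolate-host.md.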
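Review bot: `({{serverless-short only}})` in both dropdown titles of the isolate-host.md hunks of PATCH 1/7 puts the word `only` inside the variable braces, so the substitution key becomes `serverless-short only` and will not resolve; the step text directly below already has the correct form `({{serverless-short}} only)`. The second hunk (`@@ -132,7 +132,7 @@`) also renames the endpoint-page dropdown to `Release a host from an event ({{serverless-short only}}) or detection alert`, duplicating the first dropdown's title while its body still describes the **Endpoints** page. PATCH 2/7 through 5/7 undo both, so the intermediate commits leave the page with an unresolvable variable and two identically titled dropdowns; squash them into 1/7 before merging.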
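Review bot: after PATCH 2/7 through 4/7 the dropdown title carries the literal `(Serverless only)` while the numbered step and its sub-bullet use `({{serverless-short}} only)`, so the same qualifier is written two ways in adjacent lines. If the `{{dropdown}}` directive's title cannot take variable substitution (the 'Replace variable' subject of 2/7 suggests that is why the literal was introduced), add a short source comment saying so next to the title; otherwise use the variable in the title as well, since mixed forms drift apart the next time the product name changes. The `Serverless-short only` text introduced in 2/7 is the variable name leaking into prose; 3/7 corrects it, which is another reason to squash the series.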
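Review bot: PATCH 6/7 is titled 'Moved change', but its diffstat (3 insertions, 3 deletions, all in the `@@ -49,9 +49,9 @@` hunk) shows it adds the event analyzer path to the **Isolate a host** dropdown without removing it from **Release a host**, so the change is duplicated, not moved; the subject line should say that. After PATCH 7/7 the two titles also differ: `Isolate a host from an event (Serverless only) or a detection alert` versus `Release a host from an event (Serverless only) or detection alert`, which lacks the article. Apply the same wording to the release title, and replace the one-letter subject `a` in 7/7 with a descriptive message or fold it into 6/7.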