[8.x] [Jan 28] Adds new runscript Crowdstrike response action (backport #6435) (#6490)

mergify[bot] · natasha-moore-elastic · github-actions[bot] · web-flow · commit 355221df9123 · 2025-01-28T17:39:47.000Z
* [Jan 28] Adds new runscript Crowdstrike response action (#6435) * Adds new runscript Crowdstrike response action * Add missing information * Updates example * Address feedback * Update example (cherry picked from commit 4a52fe9) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions.asciidoc # docs/serverless/endpoint-response-actions/third-party-actions.asciidoc * Delete docs/serverless directory and its contents --------- Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
@@ -192,6 +192,33 @@ Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads fold
 
 NOTE: Scanning can take longer for directories containing a lot of files.
 
+[discrete]
+[[runscript]]
+=== `runscript`
+
+NOTE: This response action is supported only for <<crowdstrike-response-actions, CrowdStrike-enrolled hosts>>.
+
+Run a script on a host. You must include one of the following parameters to identify the script you want to run:
+
+* `--Raw`: The full script content provided directly as a string.
+* `--CloudFile`: The name of the script stored in a cloud storage location.
+* `--HostPath`: The absolute or relative file path of the script located on the host machine.
+
+You can also use these optional parameters:
+
+* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution.
+* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds.
+
+Required privilege: **Execute Operations**
+
+Examples:
+
+`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180`
+
+`runscript --Raw=```Get-ChildItem.````
+
+`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"`
+
 [discrete]
 [[supporting-commands-parameters]]
 == Supporting commands and parameters
diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc
@@ -35,6 +35,10 @@ These response actions are supported for CrowdStrike-enrolled hosts:
 +
 Refer to the instructions on <<isolate-a-host,isolating>> and <<release-a-host,releasing>> hosts for more details.
 
+* **Run a script on a host** with the <<runscript,`runscript` response action>>.
+
+* **View past response action activity** in the <<response-actions-history,response actions history>> log.
+
 [discrete]
 [[sentinelone-response-actions]]
 == SentinelOne response actions
