elastic / security-docs

Home for Elastic Security Documentation

Add Scan command to response actions documentation [Request] #5445

Open caitlinbetz opened 1 week ago

caitlinbetz commented 1 week ago

Description

We're introducing a "Scan" command in the response console in 8.15. The command will allow users to perform an on-demand scan of files in a directory. Once the action is submitted, the endpoint will run a scan of the files in that directory. The scan will proceed according to the policy settings associated with the endpoint - i.e. detect or prevent (or off), user blocklist on/off, etc. - and will produce normal alerts to the alerts data stream (though without any process.* info, since there is no acting process).

Background & resources

Which documentation set does this change impact?

ESS and serverless

ESS release

8.15

Serverless release

Week of July 8, 2024

Feature differences

No feature differences; however, only specific Serverless roles can take response actions today. (I don't think capabilities for each role are explicitly documented anywhere - but just in case:)

API docs impact

https://github.com/elastic/security-team/issues/8991

Prerequisites, privileges, feature flags

caitlinbetz commented 1 week ago

FYI @dasansol92