
Commit 1cd6b77

Document external EDR script picker for CrowdStrike in serverless (#1650)
Contributes to #1498 by documenting the script picker functionality for the `runscript` response action for CrowdStrike in serverless docs. Doc updates for 8.19 and 9.1, and for MS Defender, will be handled separately. Also adds required API permissions for `runscript` when creating an API client in CrowdStrike.

Previews:
- [Endpoint response actions | Runscript](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/1650/solutions/security/endpoint-response-actions#runscript)
- [Configure third-party response actions](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/1650/solutions/security/endpoint-response-actions/configure-third-party-response-actions)
1 parent 000304c commit 1cd6b77

File tree

2 files changed

+6
-1
lines changed


solutions/security/endpoint-response-actions.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -257,6 +257,9 @@ Run a script on a host. You must include one of the following parameters to iden
257257

258258
* `--Raw`: The full script content provided directly as a string.
259259
* `--CloudFile`: The name of the script stored in a cloud storage location.
260+
261+
{applies_to}`serverless: ga` When using this parameter, select from a list of saved custom scripts.
262+
260263
* `--HostPath`: The absolute or relative file path of the script located on the host machine.
261264

262265
You can also use these optional parameters:
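Review bot: the new `{applies_to}` line at 261 is separated from the `--CloudFile` bullet by blank lines on both sides (260 and 262), so unless it is indented under that bullet it will terminate the list and `--HostPath` at 263 will start a new one; suggest indenting it as a continuation paragraph of the `--CloudFile` item (or dropping the blank line at 260) so the serverless note renders as part of that parameter's description. It would also help to say where the "list of saved custom scripts" comes from, since the commit message calls this the script picker but the added sentence does not name it.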

solutions/security/endpoint-response-actions/configure-third-party-response-actions.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,9 @@ Expand a section below for your endpoint security system:
3838

3939
* Give the API client the minimum privilege required to read CrowdStrike data and perform actions on enrolled hosts. Consider creating separate API clients for reading data and performing actions, to limit privileges allowed by each API client.
4040

41-
* To isolate and release hosts, the API client must have `Read` access for Alerts, and `Read` and `Write` access for Hosts.
41+
* To isolate and release hosts: `Read` access for `Alerts`, and `Read` and `Write` access for `Hosts`.
42+
43+
* To run a script on a host: `Read` and `Write` access for `Real time response`; for elevated access, `Write` access for `Real time response (admin)` is also required.
4244

4345
* Take note of the client ID, client secret, and base URL; you’ll need them in later steps when you configure {{elastic-sec}} components to access CrowdStrike.
4446
* The base URL varies depending on your CrowdStrike account type:
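Review bot: "for elevated access" in the new run-script bullet at 43 is ambiguous; state which scripts or operations need the `Write` scope on `Real time response (admin)` so readers can decide whether to grant it at all. Since line 39 already recommends separate API clients for reading data and performing actions, suggest adding a sentence here (or extending line 39) saying that the admin write scope should be granted only to a client dedicated to running scripts, keeping the bullet consistent with the minimum-privilege guidance above it.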
