Scan response action [serverless] (#5566)

* Update response actions page (serverless) * Apply suggestions from Nastasha's review Co-authored-by: Nastasha Solomon <[email protected]> * Update image: help panel * Edit description * Fix screenshots Whoops, updated the wrong image --------- Co-authored-by: Nastasha Solomon <[email protected]>
elastic · Aug 13, 2024 · c195f96 · c195f96
1 parent 0fa35f1
commit c195f96
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 1 deletion.
diff --git a/docs/management/admin/images/response-console-help-panel.png b/docs/management/admin/images/response-console-help-panel.png
diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc
@@ -171,7 +171,7 @@ NOTE: The default file size maximum is 25 MB, configurable in `kibana.yml` with
 [discrete]
 === `scan`
 
-Scan a specific file or directory on the host for malware. The scan uses the <<malware-protection,malware protection settings>> (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host's associated {elastic-defend} integration policy. Use these parameters:
+Scan a specific file or directory on the host for malware. This uses the <<malware-protection,malware protection settings>> (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host's associated {elastic-defend} integration policy. Use these parameters:
 
 * `--path` : (Required) The absolute path to a file or directory to be scanned.
 

diff --git a/docs/serverless/endpoint-response-actions/response-actions.mdx b/docs/serverless/endpoint-response-actions/response-actions.mdx
@@ -177,6 +177,20 @@ You can follow this with the `execute` response action to upload and run scripts
 The default file size maximum is 25 MB, configurable in `kibana.yml` with the `maxUploadResponseActionFileBytes` setting. You must enter the value in bytes (the maximum is `104857600` bytes, or 100 MB).
 </DocCallOut>
 
+### `scan`
+
+Scan a specific file or directory on the host for malware. This uses the <DocLink slug="/serverless/security/configure-endpoint-integration-policy" section="malware-protection">malware protection settings</DocLink> (such as **Detect** or **Prevent** options, or enabling the blocklist) as configured in the host's associated ((elastic-defend)) integration policy. Use these parameters:
+
+* `--path` : (Required) The absolute path to a file or directory to be scanned.
+
+Required role: **Tier 3 Analyst**, **SOC Manager**, or **Endpoint Operations Analyst**
+
+Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads folder for malware"`
+
+<DocCallOut title="Note">
+    Scanning can take longer for directories containing a lot of files.
+</DocCallOut>
+
 <div id="supporting-commands-parameters"></div>
 
 ## Supporting commands and parameters

diff --git a/...rless/images/response-actions/-management-admin-response-console-help-panel.png b/...rless/images/response-actions/-management-admin-response-console-help-panel.png