From 355221df9123a4a46e2ba5a7a925bbfc8bd6e786 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Tue, 28 Jan 2025 17:39:47 +0000 Subject: [PATCH] [8.x] [Jan 28] Adds new runscript Crowdstrike response action (backport #6435) (#6490) * [Jan 28] Adds new runscript Crowdstrike response action (#6435) * Adds new runscript Crowdstrike response action * Add missing information * Updates example * Address feedback * Update example (cherry picked from commit 4a52fe95423a9e3482cd8516b0847fed5f3cf719) # Conflicts: # docs/serverless/endpoint-response-actions/response-actions.asciidoc # docs/serverless/endpoint-response-actions/third-party-actions.asciidoc * Delete docs/serverless directory and its contents --------- Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Co-authored-by: github-actions[bot] --- .../admin/response-actions.asciidoc | 27 +++++++++++++++++++ .../admin/third-party-actions.asciidoc | 4 +++ 2 files changed, 31 insertions(+) diff --git a/docs/management/admin/response-actions.asciidoc b/docs/management/admin/response-actions.asciidoc index 277cb9e680..56428764cb 100644 --- a/docs/management/admin/response-actions.asciidoc +++ b/docs/management/admin/response-actions.asciidoc 
@@ -192,6 +192,33 @@ Example: `scan --path "/Users/username/Downloads" --comment "Scan Downloads fold NOTE: Scanning can take longer for directories containing a lot of files. +[discrete] +[[runscript]] +=== `runscript` + +NOTE: This response action is supported only for <>. + +Run a script on a host. You must include one of the following parameters to identify the script you want to run: + +* `--Raw`: The full script content provided directly as a string. +* `--CloudFile`: The name of the script stored in a cloud storage location. +* `--HostPath`: The absolute or relative file path of the script located on the host machine. + +You can also use these optional parameters: + +* `--CommandLine`: Additional command-line arguments passed to the script to customize its execution. +* `--Timeout`: The maximum duration, in seconds, that the script can run before it's forcibly stopped. If no timeout is specified, it defaults to 60 seconds. + +Required privilege: **Execute Operations** + +Examples: + +`runscript --CloudFile="CloudScript1.ps1" --CommandLine="-Verbose true" --Timeout=180` + +`runscript --Raw=```Get-ChildItem.```` + +`runscript --HostPath="C:\temp\LocalScript.ps1" --CommandLine="-Verbose true"` + [discrete] [[supporting-commands-parameters]] == Supporting commands and parameters diff --git a/docs/management/admin/third-party-actions.asciidoc b/docs/management/admin/third-party-actions.asciidoc index c2367a16f3..7cfa088d9c 100644 --- a/docs/management/admin/third-party-actions.asciidoc +++ b/docs/management/admin/third-party-actions.asciidoc @@ -35,6 +35,10 @@ These response actions are supported for CrowdStrike-enrolled hosts: + Refer to the instructions on <> and <> hosts for more details. +* **Run a script on a host** with the <>. + +* **View past response action activity** in the <> log. + [discrete] [[sentinelone-response-actions]] == SentinelOne response actions
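Review bot: In the new `runscript` section of docs/management/admin/response-actions.asciidoc, the `--Raw` example `runscript --Raw=```Get-ChildItem.```` is quoted differently from the other two examples and carries a trailing period inside the script body, so a reader who copies it submits `Get-ChildItem.` rather than `Get-ChildItem`; suggest the same double-quoted form as the other examples, e.g. `runscript --Raw="Get-ChildItem" --Timeout=180`. Two smaller points in the same hunk: the cross-reference in the NOTE renders as `<>`, so confirm it carries the CrowdStrike section anchor before merge, and because this action executes arbitrary script content on the host (via `--Raw` or `--HostPath`) the sentence "You must include one of the following parameters" should say whether exactly one of `--Raw`, `--CloudFile` and `--HostPath` is accepted, so readers know the three sources are mutually exclusive and the required **Execute Operations** privilege gates all three.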
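Review bot: Both bullets added to docs/management/admin/third-party-actions.asciidoc have cross-references that appear as empty `<>` targets in this hunk; the first should point at the `[[runscript]]` anchor defined in the first file of this patch, while the second references a response action activity log section that this patch does not add, so confirm that anchor already exists on the 8.x branch or the backport ships a broken xref. Given the commit message records conflicts in docs/serverless that were resolved by deleting that directory, it is also worth checking that no other 8.x page listing the CrowdStrike-enrolled host actions needs the same two bullets.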