From 48674c9a72d14b8fee22842adf520858d8399192 Mon Sep 17 00:00:00 2001 From: Denise Date: Fri, 29 May 2026 11:30:40 +0200 Subject: [PATCH 1/4] docs: update executor configuration to UI-based (Catalog) - Remove environment variable / property columns from all executor config tables - Update instructions to configure via Integrations > Executors UI - Add migration info note for users previously using env vars - Applies to: Tanium, CrowdStrike, SentinelOne, Palo Alto Cortex, Caldera Closes #252 --- docs/deployment/ecosystem/executors.md | 158 ++++++++++++++----------- 1 file changed, 87 insertions(+), 71 deletions(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index bd80a272..cdb72444 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -76,20 +76,20 @@ Once configured and imported, retrieve the package IDs from the URL: ### Configure the OpenAEV Platform -To use the Tanium executor, fill the following configuration in the Integrations (Executors) tab from OpenAEV menu. - -| Parameter | Environment variable | Default value | Description | -|:------------------------------------------------------|:------------------------------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.tanium.enable | EXECUTOR_TANIUM_ENABLE | `false` | Enable the Tanium executor | -| executor.tanium.url | EXECUTOR_TANIUM_URL | | Tanium API URL | -| executor.tanium.api-key | EXECUTOR_TANIUM_API-KEY | | Tanium API key | -| executor.tanium.api-register-interval | EXECUTOR_TANIUM_API_REGISTER_INTERVAL | 1200 | Tanium API interval to register/update the computer groups/endpoints in OpenAEV (in seconds) | -| executor.tanium.api-batch-execution-action-pagination | EXECUTOR_TANIUM_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Tanium API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a threat arsenal action) | -| executor.tanium.clean-implant-interval | EXECUTOR_TANIUM_CLEAN_IMPLANT_INTERVAL | 8 | Tanium clean old implant interval (in hours) | -| executor.tanium.computer-group-id | EXECUTOR_TANIUM_COMPUTER_GROUP_ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas | -| executor.tanium.action-group-id | EXECUTOR_TANIUM_ACTION_GROUP_ID | `4` | Tanium Action Group to apply actions to | -| executor.tanium.windows-package-id | EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID | | ID of the OpenAEV Tanium Windows package | -| executor.tanium.unix-package-id | EXECUTOR_TANIUM_UNIX_PACKAGE_ID | | ID of the OpenAEV Tanium Unix package | +To configure the Tanium 
executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Tanium integration settings. + +| Parameter | Default value | Description | +|:-----------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Enable | `false` | Enable the Tanium executor | +| URL | | Tanium API URL | +| API Key | | Tanium API key | +| API Register Interval | 1200 | Interval to register/update the computer groups/endpoints in OpenAEV (in seconds) | +| Batch Execution Action Pagination | 100 | Pagination per 5 seconds for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a threat arsenal action) | +| Clean Implant Interval | 8 | Clean old implant interval (in hours) | +| Computer Group ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas | +| Action Group ID | `4` | Tanium Action Group to apply actions to | +| Windows Package ID | | ID of the OpenAEV Tanium Windows package | +| Unix Package ID | | ID of the OpenAEV Tanium Unix package | !!! note "Tanium API Key" @@ -97,6 +97,10 @@ To use the Tanium executor, fill the following configuration in the Integrations - Retrieve the endpoint list from the Tanium GraphQL API - Launch packages on endpoints +!!! info "Migrating from environment variables" + + If you previously configured this executor using environment variables or platform properties, these values have been **automatically migrated** to the database on first startup. After migration, changes to environment variables or properties are no longer taken into account — all configuration is now managed through the UI. + --- ### Checks 
@@ -249,21 +253,24 @@ applied. Please note that the CrowdStrike API key should have the following permissions: API integrations, Hosts, Host groups, Real time response. -To use the CrowdStrike executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV -menu. - -| Parameter | Environment variable | Default value | Description | -|:-----------------------------------------------------------|:-----------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.crowdstrike.enable | EXECUTOR_CROWDSTRIKE_ENABLE | `false` | Enable the Crowdstrike executor | -| executor.crowdstrike.api-url | EXECUTOR_CROWDSTRIKE_API_URL | `https://api.us-2.crowdstrike.com` | Crowdstrike API url | -| executor.crowdstrike.api-register-interval | EXECUTOR_CROWDSTRIKE_API_REGISTER_INTERVAL | 1200 | Crowdstrike API interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) | -| executor.crowdstrike.api-batch-execution-action-pagination | EXECUTOR_CROWDSTRIKE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | Crowdstrike API pagination per 5 seconds to set for hosts batch executions (number of hosts sent per 5 seconds to Crowdstrike to execute a threat arsenal action) | -| executor.crowdstrike.clean-implant-interval | EXECUTOR_CROWDSTRIKE_CLEAN_IMPLANT_INTERVAL | 8 | Crowdstrike clean old implant interval (in hours) | -| executor.crowdstrike.client-id | EXECUTOR_CROWDSTRIKE_CLIENT_ID | | Crowdstrike client id | -| executor.crowdstrike.client-secret | EXECUTOR_CROWDSTRIKE_CLIENT_SECRET | | Crowdstrike client secret | -| executor.crowdstrike.host-group | EXECUTOR_CROWDSTRIKE_HOST_GROUP | | Crowdstrike host group id or hosts groups ids separated with commas | -| executor.crowdstrike.windows-script-name | 
EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV Crowdstrike windows script | -| executor.crowdstrike.unix-script-name | EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME | `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV Crowdstrike unix script | +To configure the CrowdStrike executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the CrowdStrike integration settings. + +| Parameter | Default value | Description | +|:-----------------------------------|:-----------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Enable | `false` | Enable the CrowdStrike executor | +| API URL | `https://api.us-2.crowdstrike.com` | CrowdStrike API URL | +| API Register Interval | 1200 | Interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) | +| Batch Execution Action Pagination | 2500 | Pagination per 5 seconds for hosts batch executions (number of hosts sent per 5 seconds to CrowdStrike to execute a threat arsenal action) | +| Clean Implant Interval | 8 | Clean old implant interval (in hours) | +| Client ID | | CrowdStrike client ID | +| Client Secret | | CrowdStrike client secret | +| Host Group | | CrowdStrike host group ID or host group IDs separated with commas | +| Windows Script Name | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV CrowdStrike Windows script | +| Unix Script Name | `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV CrowdStrike Unix script | + +!!! info "Migrating from environment variables" + + If you previously configured this executor using environment variables or platform properties, these values have been **automatically migrated** to the database on first startup. 
After migration, changes to environment variables or properties are no longer taken into account — all configuration is now managed through the UI. ### Checks 
@@ -338,23 +345,26 @@ To create a group, go to `Inventory` > `Endpoints` > `Groups`. !!! warning "Palo Alto Cortex API Key" - Please note that the Palo Alto Cortex API key created in "Settings/Configurations/API Keys" should have the following minimum role: “Instance Administrator” and security level: "Standard". + Please note that the Palo Alto Cortex API key created in "Settings/Configurations/API Keys" should have the following minimum role: "Instance Administrator" and security level: "Standard". + +To configure the Palo Alto Cortex executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Palo Alto Cortex integration settings. + +| Parameter | Default value | Description | +|:-----------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Enable | `false` | Enable the Palo Alto Cortex executor | +| URL | | Palo Alto Cortex URL, the API version used is the v1 | +| API Register Interval | 1200 | Interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | +| Batch Execution Action Pagination | 100 | Pagination per 5 seconds for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a threat arsenal action) | +| Clean Implant Interval | 8 | Clean old implant interval (in hours) | +| API Key ID | | Palo Alto Cortex API key ID | +| API Key | | Palo Alto Cortex API key | +| Group Name | | Palo Alto Cortex group name or group names separated with commas | +| Windows Script UID | | UID of the OpenAEV Palo Alto Cortex Windows script | +| Unix Script UID | | UID of the OpenAEV Palo Alto Cortex Unix script | -To use the Palo Alto Cortex executor, just fill the following configuration in the Integrations (Executors) tab from -OpenAEV menu. +!!! 
info "Migrating from environment variables" -| Parameter | Environment variable | Default value | Description | -|:--------------------------------------------------------------|:--------------------------------------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.paloaltocortex.enable | EXECUTOR_PALOALTOCORTEX_ENABLE | `false` | Enable the Palo Alto Cortex executor | -| executor.paloaltocortex.url | EXECUTOR_PALOALTOCORTEX_URL | | Palo Alto Cortex URL, the API version used is the v1 | -| executor.paloaltocortex.api-register-interval | EXECUTOR_PALOALTOCORTEX_API_REGISTER_INTERVAL | 1200 | Palo Alto Cortex API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | -| executor.paloaltocortex.api-batch-execution-action-pagination | EXECUTOR_PALOALTOCORTEX_API_BATCH_EXECUTION_ACTION_PAGINATION | 100 | Palo Alto Cortex API pagination per 5 seconds to set for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a threat arsenal action) | -| executor.paloaltocortex.clean-implant-interval | EXECUTOR_PALOALTOCORTEX_CLEAN_IMPLANT_INTERVAL | 8 | Palo Alto Cortex clean old implant interval (in hours) | -| executor.paloaltocortex.api-key-id | EXECUTOR_PALOALTOCORTEX_API_KEY_ID | | Palo Alto Cortex API key id | -| executor.paloaltocortex.api-key | EXECUTOR_PALOALTOCORTEX_API_KEY | | Palo Alto Cortex API key | -| executor.paloaltocortex.group-name | EXECUTOR_PALOALTOCORTEX_GROUP_ID | | Palo Alto Cortex group name or groups names separated with commas | -| executor.paloaltocortex.windows-script-uid | EXECUTOR_PALOALTOCORTEX_WINDOWS_SCRIPT_UID | | Uid of the OpenAEV Palo Alto Cortex Windows script | -| executor.paloaltocortex.unix-script-uid | EXECUTOR_PALOALTOCORTEX_UNIX_SCRIPT_UID | | Uid of the OpenAEV Palo Alto 
Cortex Unix script | + If you previously configured this executor using environment variables or platform properties, these values have been **automatically migrated** to the database on first startup. After migration, changes to environment variables or properties are no longer taken into account — all configuration is now managed through the UI. ### Checks @@ -388,7 +398,7 @@ according to the [OpenAEV architecture](https://docs.openaev.io/latest/deploymen !!! warning "SentinelOne" - Please note that the SentinelOne license with add-on “remote script orchestration” is required to launch SentinelOne scripts with OpenAEV → see in SentinelOne/Settings/Configuration/Add-ons + Please note that the SentinelOne license with add-on "remote script orchestration" is required to launch SentinelOne scripts with OpenAEV → see in SentinelOne/Settings/Configuration/Add-ons ### Configure the SentinelOne Platform 
@@ -434,24 +444,27 @@ To create a wrapper (account/site/group), go to `Settings` > `Accounts/Sites`. !!! warning "SentinelOne API Key" - Please note that the SentinelOne API key created in "Settings/Users/Service Users" should have the following minimum role: “IR Team”. The API key and the scripts must be created for and with the same user and the required account/site. - -To use the SentinelOne executor, just fill the following configuration in the Integrations (Executors) tab from OpenAEV -menu. - -| Parameter | Environment variable | Default value | Description | -|:-----------------------------------------------------------|:-----------------------------------------------------------|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| executor.sentinelone.enable | EXECUTOR_SENTINELONE_ENABLE | `false` | Enable the SentinelOne executor | -| executor.sentinelone.url | EXECUTOR_SENTINELONE_URL | | SentinelOne URL, the API version used is the 2.1 | -| executor.sentinelone.api-register-interval | EXECUTOR_SENTINELONE_API_REGISTER_INTERVAL | 1200 | SentinelOne API interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | -| executor.sentinelone.api-batch-execution-action-pagination | EXECUTOR_SENTINELONE_API_BATCH_EXECUTION_ACTION_PAGINATION | 2500 | SentinelOne API pagination per 5 seconds to set for agents batch executions (number of agents sent per 5 seconds to SentinelOne to execute a threat arsenal action) | -| executor.sentinelone.clean-implant-interval | EXECUTOR_SENTINELONE_CLEAN_IMPLANT_INTERVAL | 8 | SentinelOne clean old implant interval (in hours) | -| executor.sentinelone.api-key | EXECUTOR_SENTINELONE_API_KEY | | SentinelOne API key | -| executor.sentinelone.account-id | EXECUTOR_SENTINELONE_ACCOUNT_ID | | SentinelOne account id or accounts ids separated with commas (optional if site or group 
is filled) | -| executor.sentinelone.site-id | EXECUTOR_SENTINELONE_SITE_ID | | SentinelOne site id or sites ids separated with commas (optional if account or group is filled) | -| executor.sentinelone.group-id | EXECUTOR_SENTINELONE_GROUP_ID | | SentinelOne group id or groups ids separated with commas (optional if site or account is filled) | -| executor.sentinelone.windows-script-id | EXECUTOR_SENTINELONE_WINDOWS_SCRIPT_ID | | Id of the OpenAEV SentinelOne Windows script | -| executor.sentinelone.unix-script-id | EXECUTOR_SENTINELONE_UNIX_SCRIPT_ID | | Id of the OpenAEV SentinelOne Unix script | + Please note that the SentinelOne API key created in "Settings/Users/Service Users" should have the following minimum role: "IR Team". The API key and the scripts must be created for and with the same user and the required account/site. + +To configure the SentinelOne executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the SentinelOne integration settings. 
+ +| Parameter | Default value | Description | +|:-----------------------------------|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Enable | `false` | Enable the SentinelOne executor | +| URL | | SentinelOne URL, the API version used is the 2.1 | +| API Register Interval | 1200 | Interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | +| Batch Execution Action Pagination | 2500 | Pagination per 5 seconds for agents batch executions (number of agents sent per 5 seconds to SentinelOne to execute a threat arsenal action) | +| Clean Implant Interval | 8 | Clean old implant interval (in hours) | +| API Key | | SentinelOne API key | +| Account ID | | SentinelOne account ID or account IDs separated with commas (optional if site or group is filled) | +| Site ID | | SentinelOne site ID or site IDs separated with commas (optional if account or group is filled) | +| Group ID | | SentinelOne group ID or group IDs separated with commas (optional if site or account is filled) | +| Windows Script ID | | ID of the OpenAEV SentinelOne Windows script | +| Unix Script ID | | ID of the OpenAEV SentinelOne Unix script | + +!!! info "Migrating from environment variables" + + If you previously configured this executor using environment variables or platform properties, these values have been **automatically migrated** to the database on first startup. After migration, changes to environment variables or properties are no longer taken into account — all configuration is now managed through the UI. ### Checks 
@@ -536,14 +549,18 @@ docker compose up -d ### OpenAEV configuration -Then, just change the OpenAEV configuration as follow: +To configure the Caldera executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Caldera integration settings. -| Parameter | Environment variable | Default value | Description | -|:----------------------------|:----------------------------|:--------------|:---------------------------------------------------------------------------------------------| -| executor.caldera.enable | EXECUTOR_CALDERA_ENABLE | `false` | Enable the Caldera executor | -| executor.caldera.url | EXECUTOR_CALDERA_URL | | Caldera URL | -| executor.caldera.public-url | EXECUTOR_CALDERA_PUBLIC-URL | | Caldera URL accessible from endpoints (ex: http://caldera.myopenaev.myorganization.com:8888) | -| executor.caldera.api-key | EXECUTOR_CALDERA_API-KEY | | Caldera API key | +| Parameter | Default value | Description | +|:----------------------------|:--------------|:---------------------------------------------------------------------------------------------| +| Enable | `false` | Enable the Caldera executor | +| URL | | Caldera URL | +| Public URL | | Caldera URL accessible from endpoints (ex: http://caldera.myopenaev.myorganization.com:8888) | +| API Key | | Caldera API key | + +!!! info "Migrating from environment variables" + + If you previously configured this executor using environment variables or platform properties, these values have been **automatically migrated** to the database on first startup. After migration, changes to environment variables or properties are no longer taken into account — all configuration is now managed through the UI. ### Agents 
@@ -591,4 +608,3 @@ Old implant directories are periodically cleaned up by the platform. At the inte !!! note "OpenAEV Agent" The OpenAEV Agent has its own built-in garbage collector with different thresholds. See the [OpenAEV Agent documentation](../../usage/openaev-agent.md) for details. - From 98ab08faf5130647a3a3e629f2cc3e16e95eb844 Mon Sep 17 00:00:00 2001 From: Denise Date: Fri, 29 May 2026 12:21:15 +0200 Subject: [PATCH 2/4] fix: correct Palo Alto Cortex documentation errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix API version: "v1" → "1.0" (matches code) - Fix Register Interval description: "accounts/sites/groups/agents" → "groups/endpoints" (matches code) - Remove migration info block for Palo Alto (never had env vars, no migration class exists) --- docs/deployment/ecosystem/executors.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index cdb72444..68a91f30 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -352,8 +352,8 @@ To configure the Palo Alto Cortex executor, navigate to the **Integrations > Exe | Parameter | Default value | Description | |:-----------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Enable | `false` | Enable the Palo Alto Cortex executor | -| URL | | Palo Alto Cortex URL, the API version used is the v1 | -| API Register Interval | 1200 | Interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | +| URL | | Palo Alto Cortex URL, the API version used is the 1.0 | +| API Register Interval | 1200 | Interval to register/update the groups/endpoints in OpenAEV (in seconds) | | Batch Execution Action Pagination | 100 | Pagination per 5 seconds for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a threat arsenal action) | | Clean Implant Interval | 8 | Clean old implant interval (in hours) | | API Key ID | | Palo Alto Cortex API key ID | @@ -362,10 +362,6 @@ To configure the Palo Alto Cortex executor, navigate to the **Integrations > Exe | Windows Script UID | | UID of the OpenAEV Palo Alto Cortex Windows script | | Unix Script UID | | UID of the OpenAEV Palo Alto Cortex Unix script | -!!! info "Migrating from environment variables" - - If you previously configured this executor using environment variables or platform properties, these values have been **automatically migrated** to the database on first startup. After migration, changes to environment variables or properties are no longer taken into account — all configuration is now managed through the UI. - ### Checks Once enabled, you should see Palo Alto Cortex available in your `Install agents` section From 674fb9d081d101eaa4ce115156cd89f56004e51c Mon Sep 17 00:00:00 2001 
From: Denise Date: Fri, 29 May 2026 12:36:03 +0200 Subject: [PATCH 3/4] =?UTF-8?q?docs:=20remove=20all=20parameter=20tables?= =?UTF-8?q?=20=E2=80=94=20point=20users=20to=20UI=20directly?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Option A: remove all executor configuration parameter tables to avoid maintenance issues as executors evolve. Users are now directed to configure executors directly from the Integrations > Executors UI. Migration notes are kept for Tanium, CrowdStrike, SentinelOne, and Caldera (executors that had env vars before the Catalog system). Palo Alto Cortex has no migration note (added after Catalog). --- docs/deployment/ecosystem/executors.md | 70 ++------------------------ 1 file changed, 5 insertions(+), 65 deletions(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 68a91f30..4870259e 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -76,20 +76,7 @@ Once configured and imported, retrieve the package IDs from the URL: ### Configure the OpenAEV Platform -To configure the Tanium executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Tanium integration settings. - -| Parameter | Default value | Description | -|:-----------------------------------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Enable | `false` | Enable the Tanium executor | -| URL | | Tanium API URL | -| API Key | | Tanium API key | -| API Register Interval | 1200 | Interval to register/update the computer groups/endpoints in OpenAEV (in seconds) | -| Batch Execution Action Pagination | 100 | Pagination per 5 seconds for endpoints batch executions (number of endpoints sent per 5 seconds to Tanium to execute a threat arsenal action) | -| Clean Implant Interval | 8 | Clean old implant interval (in hours) | -| Computer Group ID | `1` | Tanium Computer Group or Computer Groups to be used in simulations separated with commas | -| Action Group ID | `4` | Tanium Action Group to apply actions to | -| Windows Package ID | | ID of the OpenAEV Tanium Windows package | -| Unix Package ID | | ID of the OpenAEV Tanium Unix package | +To configure the Tanium executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Tanium integration settings directly from the UI. !!! note "Tanium API Key" 
@@ -253,20 +240,7 @@ applied. Please note that the CrowdStrike API key should have the following permissions: API integrations, Hosts, Host groups, Real time response. -To configure the CrowdStrike executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the CrowdStrike integration settings. - -| Parameter | Default value | Description | -|:-----------------------------------|:-----------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Enable | `false` | Enable the CrowdStrike executor | -| API URL | `https://api.us-2.crowdstrike.com` | CrowdStrike API URL | -| API Register Interval | 1200 | Interval to register/update the host groups/hosts/agents in OpenAEV (in seconds) | -| Batch Execution Action Pagination | 2500 | Pagination per 5 seconds for hosts batch executions (number of hosts sent per 5 seconds to CrowdStrike to execute a threat arsenal action) | -| Clean Implant Interval | 8 | Clean old implant interval (in hours) | -| Client ID | | CrowdStrike client ID | -| Client Secret | | CrowdStrike client secret | -| Host Group | | CrowdStrike host group ID or host group IDs separated with commas | -| Windows Script Name | `OpenAEV Subprocessor (Windows)` | Name of the OpenAEV CrowdStrike Windows script | -| Unix Script Name | `OpenAEV Subprocessor (Unix)` | Name of the OpenAEV CrowdStrike Unix script | +To configure the CrowdStrike executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the CrowdStrike integration settings directly from the UI. !!! info "Migrating from environment variables" 
@@ -347,20 +321,7 @@ To create a group, go to `Inventory` > `Endpoints` > `Groups`. Please note that the Palo Alto Cortex API key created in "Settings/Configurations/API Keys" should have the following minimum role: "Instance Administrator" and security level: "Standard". -To configure the Palo Alto Cortex executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Palo Alto Cortex integration settings. - -| Parameter | Default value | Description | -|:-----------------------------------|:--------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Enable | `false` | Enable the Palo Alto Cortex executor | -| URL | | Palo Alto Cortex URL, the API version used is the 1.0 | -| API Register Interval | 1200 | Interval to register/update the groups/endpoints in OpenAEV (in seconds) | -| Batch Execution Action Pagination | 100 | Pagination per 5 seconds for endpoints batch executions (number of endpoints sent per 5 seconds to Palo Alto Cortex to execute a threat arsenal action) | -| Clean Implant Interval | 8 | Clean old implant interval (in hours) | -| API Key ID | | Palo Alto Cortex API key ID | -| API Key | | Palo Alto Cortex API key | -| Group Name | | Palo Alto Cortex group name or group names separated with commas | -| Windows Script UID | | UID of the OpenAEV Palo Alto Cortex Windows script | -| Unix Script UID | | UID of the OpenAEV Palo Alto Cortex Unix script | +To configure the Palo Alto Cortex executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Palo Alto Cortex integration settings directly from the UI. ### Checks 
@@ -442,21 +403,7 @@ To create a wrapper (account/site/group), go to `Settings` > `Accounts/Sites`. Please note that the SentinelOne API key created in "Settings/Users/Service Users" should have the following minimum role: "IR Team". The API key and the scripts must be created for and with the same user and the required account/site. -To configure the SentinelOne executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the SentinelOne integration settings. - -| Parameter | Default value | Description | -|:-----------------------------------|:--------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Enable | `false` | Enable the SentinelOne executor | -| URL | | SentinelOne URL, the API version used is the 2.1 | -| API Register Interval | 1200 | Interval to register/update the accounts/sites/groups/agents in OpenAEV (in seconds) | -| Batch Execution Action Pagination | 2500 | Pagination per 5 seconds for agents batch executions (number of agents sent per 5 seconds to SentinelOne to execute a threat arsenal action) | -| Clean Implant Interval | 8 | Clean old implant interval (in hours) | -| API Key | | SentinelOne API key | -| Account ID | | SentinelOne account ID or account IDs separated with commas (optional if site or group is filled) | -| Site ID | | SentinelOne site ID or site IDs separated with commas (optional if account or group is filled) | -| Group ID | | SentinelOne group ID or group IDs separated with commas (optional if site or account is filled) | -| Windows Script ID | | ID of the OpenAEV SentinelOne Windows script | -| Unix Script ID | | ID of the OpenAEV SentinelOne Unix script | +To configure the SentinelOne executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the SentinelOne integration settings directly from the UI. !!! 
info "Migrating from environment variables" @@ -545,14 +492,7 @@ docker compose up -d ### OpenAEV configuration -To configure the Caldera executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Caldera integration settings. - -| Parameter | Default value | Description | -|:----------------------------|:--------------|:---------------------------------------------------------------------------------------------| -| Enable | `false` | Enable the Caldera executor | -| URL | | Caldera URL | -| Public URL | | Caldera URL accessible from endpoints (ex: http://caldera.myopenaev.myorganization.com:8888) | -| API Key | | Caldera API key | +To configure the Caldera executor, navigate to the **Integrations > Executors** section in the OpenAEV menu and fill in the Caldera integration settings directly from the UI. !!! info "Migrating from environment variables" From ab4c851c365e23aa8cadfc2956940e6ce68a3f88 Mon Sep 17 00:00:00 2001 From: Denise Date: Fri, 29 May 2026 13:03:15 +0200 Subject: [PATCH 4/4] fix: CrowdStrike branding + SentinelOne alt texts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix intro table: "Crowdstrike" → "CrowdStrike" (capital S, official branding) - Fix 3 SentinelOne image alt texts: - "unix script1" → "unix script2" (for sentinelone-unix-script2.png) - "unix script1" → "windows script1" (for sentinelone-windows-script1.png) - "unix script1" → "windows script2" (for sentinelone-windows-script2.png) --- docs/deployment/ecosystem/executors.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/deployment/ecosystem/executors.md b/docs/deployment/ecosystem/executors.md index 4870259e..cb8c2d17 100644 --- a/docs/deployment/ecosystem/executors.md +++ b/docs/deployment/ecosystem/executors.md 
@@ -12,7 +12,7 @@ architectures. This table below summarizes the information about each agent. |:-----------------------------------|:--------------|:--------------------------------------------------|:------------------|:---------------------------------------|:-----------------------------------------------|:-------------------------------------------------| | **OpenAEV Agent (native/default)** | Open source | As a user session, user service or system service | Script | A standard or admin background process | As a user standard, user admin or system admin | Yes, depending on the user and installation mode | | **Tanium Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | -| **Crowdstrike Falcon Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | +| **CrowdStrike Falcon Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | | **SentinelOne Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | | **Palo Alto Cortex Agent** | Under license | As a system service | Executable | An admin background process | As a system admin | No, always the same agent | | **Caldera Agent** | Open source | As a user session | Script | An admin background process | As a user admin | Yes, depending on the user | @@ -162,7 +162,7 @@ Put the following Input schema: } ``` -![Crowdstrike unix script](../assets/crowdstrike-unix-script.png) +![CrowdStrike unix script](../assets/crowdstrike-unix-script.png) *Windows script* 
@@ -250,12 +250,12 @@ To configure the CrowdStrike executor, navigate to the **Integrations > Executor Once enabled, you should see CrowdStrike available in your `Install agents` section -![Crowdstrike available agent](../assets/agents.png) +![CrowdStrike available agent](../assets/agents.png) Also, the assets and the asset groups in the selected computer groups should now be available in the endpoints and asset groups sections in OpenAEV: -![Crowdstrike Endpoints](../assets/crowdstrike-endpoints.png) +![CrowdStrike Endpoints](../assets/crowdstrike-endpoints.png) NB : An Asset can only have one CrowdStrike agent installed due to the uniqueness of the MAC address parameters. If you try to install again a CrowdStrike agent on a platform, it will overwrite the actual one and you will always see one @@ -376,7 +376,7 @@ Upload the following script (encoded for Unix): Put the following Input schema: ![SentinelOne unix script1](../assets/sentinelone-unix-script1.png) -![SentinelOne unix script1](../assets/sentinelone-unix-script2.png) +![SentinelOne unix script2](../assets/sentinelone-unix-script2.png) *Windows script* @@ -386,8 +386,8 @@ Upload the following script (encoded for Windows): Put the following Input schema: -![SentinelOne unix script1](../assets/sentinelone-windows-script1.png) -![SentinelOne unix script1](../assets/sentinelone-windows-script2.png) +![SentinelOne windows script1](../assets/sentinelone-windows-script1.png) +![SentinelOne windows script2](../assets/sentinelone-windows-script2.png) Once created, your Remote Ops scripts should have something like this:
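Review bot: in the SentinelOne hunk (`@@ -442,21 +403,7`) the whole parameter table is deleted rather than trimmed, so the page no longer states the defaults (API Register Interval 1200, Batch Execution Action Pagination 2500, Clean Implant Interval 8), that API version 2.1 is used, or that Account ID, Site ID and Group ID are each optional only when one of the others is filled. The replacement sentence only adds "directly from the UI" to the existing instruction, and the table being removed here already has no environment variable column, so the removal goes further than dropping env var names. Suggest keeping the Parameter / Default value / Description table under the new sentence, or stating explicitly that the UI form shows these defaults and constraints.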
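Review bot: in the Caldera hunk (`@@ -545,14 +492,7`) removing the table drops the only explanation of how `URL` differs from `Public URL` ("Caldera URL accessible from endpoints") along with its example value. A reader filling in the UI form has nothing left to tell which address goes in which field. Suggest keeping those two rows, or a single sentence that explains the difference. If the example comes back, is plain `http://` on port 8888 the scheme you want the docs to show for an address that endpoints connect to?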
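Review bot: in the SentinelOne alt-text hunks of patch 4/4 (`@@ -376,7` and `@@ -386,8`) the new alt texts match the file names but still do not say what the screenshots show. Going by the context line "Put the following Input schema:", all four images are input schema screenshots, so something like "SentinelOne Unix script input schema (2 of 2)" would serve screen-reader users better than "SentinelOne unix script2". The unchanged `sentinelone-unix-script1.png` line in the first of these hunks would need the same treatment for consistency.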