Automation is a key part of the Red Canary platform and one of the best ways your team can quickly respond to threats and security events. We've developed a hybrid approach to automation that offers the speed of an automated response but provides human control over the final execution. You can now add a human approval step for any action you’d like to take within Automate.
Many playbooks are safer to enable when your team provides a simple approval before the action executes. These approvals let you move playbooks more efficiently from manually triggered → automatically triggered with approvals → full auto.
You can now elect to Require human approval for every Automate action with the notification options of email, Slack and/or SMS.
Additionally, once an approval request has been received, we've added the option to Deny the request so users can explicitly deny an action rather than just withholding approval:
The Detection Timeline will indicate the status of the automation request approval. Here's a sample of what a Denied approval request looks like:
We've also built some additional logic into this process that you should be aware of:
- Only one notification will be sent to each unique contact per playbook. For example, if you put the same email address on 5 actions in the same playbook, that address gets a single email (not 5) when the playbook fires. This applies to SMS numbers and unique Slack URLs as well.
- We have a monitor that runs on a logarithmic back-off schedule checking for unapproved actions. If the actions aren't approved within a few minutes, another set of notifications is sent. Re-notification continues on a progressively less frequent schedule until we've either exhausted all retries (6 tries over ~20 hours) or all actions are approved.
- Actions that previously required human approval will still require human approval.
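As an added illustration (not Red Canary's code), here is a small Python model of the approval logic described above: one notification per unique contact per playbook, an Approve or explicit Deny per action, and a monitor that re-notifies only pending actions and stops after a fixed number of retries. The retry offsets, the contact tuples and the EXPIRED label are assumptions; the page only states "6 tries over ~20 hours".

```python
from dataclasses import dataclass
from enum import Enum

# Constructed schedule: minutes after the playbook fires at which the monitor re-notifies.
# The page gives only "6 tries over ~20 hours"; these offsets are an assumption chosen to fit that.
RETRY_OFFSETS_MIN = [0, 10, 40, 120, 360, 1200]
class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"    # an explicit Deny, distinct from merely not approving
    EXPIRED = "expired"  # assumed label for an action whose retries ran out
@dataclass(frozen=True)
class Action:
    action_id: str
    contacts: tuple  # (channel, address) pairs: email, sms or slack webhook URL
def unique_contacts(actions):
    """One notification per unique contact per playbook, however many actions name it."""
    seen = []
    for action in actions:
        for contact in action.contacts:
            if contact not in seen:
                seen.append(contact)
    return seen
class ApprovalRun:
    """Approval state for one playbook firing (a model of the logic described above)."""
    def __init__(self, actions):
        self.actions = list(actions)
        self.status = {a.action_id: Status.PENDING for a in self.actions}
        self.rounds_sent = 0
    def pending(self):
        return [a for a in self.actions if self.status[a.action_id] is Status.PENDING]
    def decide(self, action_id, approve):
        """Approve or explicitly Deny a pending action; a decision is final."""
        if self.status[action_id] is not Status.PENDING:
            raise ValueError(f"{action_id} is already {self.status[action_id].value}")
        self.status[action_id] = Status.APPROVED if approve else Status.DENIED
    def tick(self, elapsed_min):
        """One monitor pass at elapsed_min; returns how many notifications go out now."""
        pending = self.pending()
        if not pending:
            return 0  # everything approved or denied: nothing left to chase
        if self.rounds_sent < len(RETRY_OFFSETS_MIN) and elapsed_min >= RETRY_OFFSETS_MIN[self.rounds_sent]:
            self.rounds_sent += 1
            return len(unique_contacts(pending))  # only contacts of still-pending actions
        if self.rounds_sent == len(RETRY_OFFSETS_MIN) and elapsed_min > RETRY_OFFSETS_MIN[-1]:
            for a in pending:  # retries exhausted: stop notifying
                self.status[a.action_id] = Status.EXPIRED
        return 0
```

Calling `tick()` at each monitor pass and `decide()` as approvals or denials arrive reproduces the single-email-for-five-actions behaviour and the stop-after-six-retries behaviour from the list above.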
You are now free to move about our automation.