Automation is a key part of the Red Canary platform and one of the best ways your team can quickly respond to threats and security events. We've developed a hybrid approach to automation that offers the speed of an automated response but provides human control over the final execution. You can now add a human approval step for any action you’d like to take within Automate.

Many playbooks are safer to enable when your team provides a simple approval before the action executes. These approvals let you move playbooks more efficiently from manually triggered → automatically triggered with approvals → full auto.

You can now elect to Require human approval for every Automate action with the notification options of email, Slack and/or SMS.

Additionally, once an approval request has been received, we've added the option to Deny the request so users can explicitly deny an action rather than just withholding approval:

The Detection Timeline will indicate the status of the automation request approval. Here's a sample of what a Denied approval request looks like:

We've also built some additional logic into this process that you should be aware of:

  1. Only one notification will be sent to each unique contact per playbook. For example, if you enter the same email address on 5 actions in the same playbook, that address will receive a single email (not 5) when the playbook fires. This applies to SMS numbers and unique Slack URLs as well.
  2. We have a monitor that checks for unapproved actions on a logarithmic back-off schedule. If the actions aren't approved within a few minutes, another set of notifications is sent. Notifications continue on a progressively less frequent schedule until either all retries are exhausted (6 tries over ~20 hours) or all actions are approved.
  3. Actions that previously required human approval will still require human approval.

You are now free to move about our automation.
