Data Flow Validation
Whether you're a new or long-standing Red Canary customer, it's always good to have reassurance that data is flowing properly from your endpoints to us for investigations.
You may be familiar with the EICAR test files that many security vendors use to validate that a product is working. Red Canary provides a similar test for validating data flow. Execute one of the following commands:
cmd.exe /c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar
bash -c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar
Once you issue this command, it should be inspected by your endpoint detection and response sensor, sent to Red Canary's investigation platform, and returned to you in the form of a detection verifying the data was received. The detection will have a low severity so it doesn't get mixed in with other (hopefully few) high-priority detections in your environment.
Generate a test to validate an Automate trigger
Customers often use Automate to take action when a new detection is published. You may want to generate a test detection to check that Automate triggers are working as expected. Red Canary has specific test strings that will create a low, medium, or high severity detection. To generate a test detection, open a new Command Prompt or Terminal session, enter one of the following commands, and close the window. To ensure you receive a new detection, mark all previous test detections for the endpoint as remediated.
Warning: These strings will create real Red Canary detections. If your organization has an active Automate trigger for published detections, the corresponding playbook will run against your machine. Please be careful when executing these tests.
cmd /c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar
bash -c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar
cmd /c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar
bash -c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar
cmd /c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar
bash -c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar
Events generated by these strings will bypass our CIRT, and detections will be sent to you as soon as we receive and process the telemetry.
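If a test detection does not arrive, it helps to confirm that the sensor recorded the full command line on the endpoint side. The following is an added example, not Red Canary code: it scans exported process-start events for the test strings above and reports which hosts produced which test. The event field names (`host`, `cmdline`), the host names, and the marker pattern (inferred from the strings on this page) are assumptions.

```python
import re

# Marker shape inferred from the strings on this page (an assumption, not a
# published spec): rccar-[low|med|high-]<64 hex chars>-rccar
MARKER = re.compile(r"rccar-(?:(low|med|high)-)?([0-9a-f]{64})-rccar")

# Test strings copied from this page.
DATA_FLOW = "rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar"
HIGH = "rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar"

# Constructed process-start events; the field names are hypothetical and
# should be mapped to whatever your sensor's export actually uses.
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "cmd.exe /c echo " + DATA_FLOW},
    {"host": "srv-02", "cmdline": "bash -c echo " + HIGH},
    {"host": "srv-03", "cmdline": "bash -c echo " + HIGH[:40]},  # truncated in export
    {"host": "ws-04", "cmdline": "cmd.exe /c echo hello"},
]


def classify(cmdline):
    """Return 'data-flow', 'low', 'med', 'high', or None if no full marker is present."""
    match = MARKER.search(cmdline)
    if match is None:
        return None
    # The data flow validation string carries no severity label.
    return match.group(1) or "data-flow"


def coverage(events, expected_hosts):
    """Map each expected host to the sorted list of test kinds seen in its telemetry."""
    seen = {host: set() for host in expected_hosts}
    for event in events:
        kind = classify(event.get("cmdline", ""))
        if kind and event.get("host") in seen:
            seen[event["host"]].add(kind)
    return {host: sorted(kinds) for host, kinds in seen.items()}


if __name__ == "__main__":
    report = coverage(SAMPLE_EVENTS, ["ws-01", "srv-02", "srv-03", "ws-04"])
    for host, kinds in report.items():
        print(f"{host}: {', '.join(kinds) if kinds else 'no full test marker found'}")
```

A host that ran the test but shows no full marker (like the truncated `srv-03` sample) points to a collection or export problem on the endpoint side rather than a delay in processing.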