Data Flow Validation

Whether you're a new or long-standing Red Canary customer, it's always good to have reassurance that data is flowing properly from your endpoints to us for investigations.
You may be familiar with EICAR test files used by many security vendors to validate that the product is working. Red Canary has a similar way to test for data flow validation by executing one of the following commands:

cmd.exe /c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar

bash -c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar

Once you issue this command, it should be inspected by your endpoint detection and response sensor, sent to Red Canary's investigation platform, and returned to you in the form of a detection verifying the data was received. The detection will have a low severity so it doesn't get mixed in with other (hopefully few) high-priority detections in your environment.

Generate a test to validate an Automate trigger

Customers often use Automate to take action when a new detection is published. You may want to generate a test detection to check that Automate triggers are working as expected. Red Canary has specific test strings that will create a low, medium, or high severity detection. To generate a test detection, open a new Command Prompt or Terminal session, enter one of the following commands, and close the window. To ensure you receive a new detection, mark all previous test detections for the endpoint as remediated.

Warning: These strings will create real Red Canary detections. If your organization has an active Automate trigger for published detections, the corresponding playbook will run against your machine. Please be careful when executing these tests.

Low Severity:

cmd /c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar

bash -c echo rccar-low-64c5c0c5b4dfc0b5402fecc29bf7eda74477f4ca865c7ea57ebc2837f1070c78-rccar

Medium Severity:

cmd /c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar

bash -c echo rccar-med-6818b515dccebcc0b0a24d56eb7b03520ae9de8268ae5607b5b2be9156146e4e-rccar

High Severity:

cmd /c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar

bash -c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar

Events generated by these strings will bypass our CIRT team and detections will be sent to you as soon as we receive and process the telemetry.
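Because these strings produce real detections and can fire Automate playbooks against the machine that ran them, it is useful to be able to recognize them in your own telemetry or in a downstream automation step, so a test run can be tagged and excluded from playbooks that should only act on genuine detections. The following is an added example, not Red Canary's code and not part of this article: it parses process command lines for the marker format shown above (rccar-<64 hex chars>-rccar for data flow validation, rccar-<low|med|high>-<64 hex chars>-rccar for the Automate tests) and reports the severity the detection is expected to carry. The sample command lines are constructed for the example, using the test strings from this page; the assumption that the data-flow string maps to a low-severity detection comes from the text above.

```python
import re
from typing import Dict, List, Optional

# Matches the test-string formats documented on this page:
#   rccar-<64 hex chars>-rccar                 (data flow validation; low severity per the article)
#   rccar-<low|med|high>-<64 hex chars>-rccar  (Automate trigger tests)
RCCAR_RE = re.compile(r"rccar-(?:(low|med|high)-)?([0-9a-f]{64})-rccar", re.IGNORECASE)

# Severity tag inside the string -> severity label expected on the resulting detection.
SEVERITY_LABELS = {None: "low", "low": "low", "med": "medium", "high": "high"}


def classify_test_string(command_line: str) -> Optional[Dict[str, str]]:
    """Return details of a Red Canary test marker found in a process command line, or None.

    The match is done on the recorded command line, not on the process output, because
    that is what endpoint telemetry carries regardless of how the shell parsed the echo.
    """
    m = RCCAR_RE.search(command_line)
    if not m:
        return None
    tag = m.group(1).lower() if m.group(1) else None
    return {
        "kind": "data_flow" if tag is None else "automate_trigger",
        "expected_severity": SEVERITY_LABELS[tag],
        "marker": m.group(0),
    }


def triage(command_lines: List[str]) -> List[Dict[str, object]]:
    """Tag each command line that carries a test marker; ordinary activity passes through untouched.

    A playbook front-end can use the is_test flag to log the event and skip remediation
    actions that are meant for genuine detections only.
    """
    results: List[Dict[str, object]] = []
    for line in command_lines:
        info = classify_test_string(line)
        entry: Dict[str, object] = {"command_line": line, "is_test": info is not None}
        if info:
            entry.update(info)
        results.append(entry)
    return results


# Constructed sample telemetry: process command lines as an EDR or SIEM might record them.
SAMPLE_COMMAND_LINES = [
    "cmd.exe /c echo rccar-18a09226892986f3d468c75379580043be58c90a09e858f6c4e9b827e5fd961a-rccar",
    "bash -c echo rccar-high-041e84e8b3bbde7ffc139ff324fc9740f360a923a1af5f7bf568938e93701d85-rccar",
    "powershell.exe -NoProfile -Command Get-Process",  # ordinary activity, no marker
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_COMMAND_LINES):
        print(entry)
```

Run as a script it prints one dictionary per sample line; the first two are flagged as test events with expected severities "low" and "high", the third is passed through with is_test set to False. Feeding real command-line telemetry into triage() lets you confirm that the test event reached your own collection pipeline as well as Red Canary's.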
