This article outlines the process for tagging endpoints that will be covered by Red Canary Active Remediation within your Red Canary portal. In addition, this article defines the specific process related to each supported EDR.
Supported EDR Sensors:
Carbon Black Cloud
- From the Carbon Black Cloud homepage, click the Enforce dropdown in the navigation pane.
- Click Policies.
- Click +New Policy.
- Enter remediate - [policy name] for your Policy Name.
Note: For existing policies, rename the policy as remediate - [existing policy name].
- Click Save.
Carbon Black Response
- From the Carbon Black Response homepage, click Sensors in the navigation pane.
- Click NEW.
- Enter remediate_[sensor group name] for your Group Name.
- Click Create Group.
Note: Existing sensor groups can be renamed to adhere to this convention.
CrowdStrike
- CrowdStrike sensor groups are not currently interpreted in Red Canary.
- CrowdStrike customers must tag endpoints within the Red Canary portal to identify Active Remediation endpoints.
Microsoft Defender for Endpoint
- For more information, see Active remediation device group setup in Microsoft Defender for Endpoint.
SentinelOne
By default, endpoints are placed into a “Default Group” in their respective site and inherit the site policies.
- To create a new endpoint group, navigate to endpoints (Sentinels).
- Click Group, and then click New Group.
- Enter remediate - [group_name] for your group name.
Red Canary: Select your Endpoints for Active Remediation
- From the Red Canary homepage, click Endpoints.
- Select the Endpoints you want to include in the Remediation group.
Note: This can be done by OS, hostname, and a number of other fields.
- Click the Reporting Tags dropdown, and then click Set tag and value.
- Enter a Tag name.
- In the Value field, enter remediate.
- Click Set Reporting Tag.
Note: This tag name and value will need to be set on new endpoints as they are onboarded to Red Canary for those endpoints to be in-scope for Active Remediation.
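The checks below are an added example, not Red Canary code, that audits a constructed endpoint inventory against the naming and tagging conventions above; it assumes an endpoint is in scope when either its EDR group/policy name follows its sensor's convention (CrowdStrike group names excepted, per the note above) or a Red Canary reporting tag carries the value remediate, and that the prefix match is exact and case-sensitive.

```python
"""Audit which endpoints are in scope for Active Remediation (constructed data)."""
from dataclasses import dataclass, field

# Naming conventions from the article, keyed by EDR sensor (keys are assumed labels).
# CrowdStrike has no group convention: only the portal reporting tag counts.
GROUP_PREFIX = {
    "carbon_black_cloud": "remediate - ",   # policy name
    "carbon_black_response": "remediate_",  # sensor group name
    "sentinelone": "remediate - ",          # endpoint group name
    "crowdstrike": None,
}


@dataclass
class Endpoint:
    hostname: str
    edr: str
    group: str                                           # policy / sensor group / endpoint group
    reporting_tags: dict = field(default_factory=dict)   # Red Canary portal tag name -> value


def group_marks_remediation(ep: Endpoint) -> bool:
    """True when the EDR-side name follows this sensor's remediate- convention."""
    prefix = GROUP_PREFIX.get(ep.edr)
    return prefix is not None and ep.group.startswith(prefix)


def tag_marks_remediation(ep: Endpoint) -> bool:
    """True when any reporting tag on the endpoint has the value 'remediate'."""
    return any(value == "remediate" for value in ep.reporting_tags.values())


def in_scope(ep: Endpoint) -> bool:
    return group_marks_remediation(ep) or tag_marks_remediation(ep)


def audit(endpoints) -> list:
    """Hostnames NOT in scope, e.g. newly onboarded endpoints that never got the tag."""
    return sorted(ep.hostname for ep in endpoints if not in_scope(ep))


# Constructed inventory: one endpoint per convention plus two that should be flagged.
SAMPLE = [
    Endpoint("cbc-01", "carbon_black_cloud", "remediate - Workstations"),
    Endpoint("cbr-02", "carbon_black_response", "remediate_servers"),
    Endpoint("s1-03", "sentinelone", "Default Group", {"scope": "remediate"}),
    Endpoint("cs-04", "crowdstrike", "remediate - Laptops"),      # group name not interpreted
    Endpoint("new-05", "carbon_black_cloud", "Standard"),          # onboarded, never tagged
]

if __name__ == "__main__":
    print("Out of scope:", audit(SAMPLE))
```

Running the script lists cs-04 and new-05, the two endpoints that would silently fall outside Active Remediation.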