This article outlines the process for tagging endpoints that will be covered by Red Canary Active Remediation within your Red Canary portal. In addition, this article defines the specific process related to each supported EDR.

Supported EDR Sensors:

• Carbon Black Cloud
• Carbon Black Response Active Remediation
• Cortex
• CrowdStrike
• Microsoft Defender for Endpoint
• SentinelOne

Carbon Black Cloud

1. From the Carbon Black Cloud homepage, click the Enforce dropdown in the navigation pane.
2. Click Policies.
3. Click +New Policy.
   
   
4. Enter remediate - [policy name] for your Policy Name.
   Note: For existing policies, rename the policy as remediate - [existing policy name].
5. Click Save. 

Carbon Black Response

1. From the Carbon Black Response homepage, click Sensors in the navigation pane.
   
2. Click NEW.
3. Enter remediate_[sensor group name] for your Group Name.
   
4. Click Create Group.
   Note: Existing sensor groups can be renamed to adhere to this convention.
   

Cortex

By default, endpoints are not placed into a logical group.

1. To create a new Endpoint group, navigate to Endpoints.
2. Click Endpoint Groups, and then click Add Group.
3. Groups should follow the naming convention: remediate - [group_name]
   

CrowdStrike

By default, endpoints are not placed into a logical group.

1. To create a new endpoint group, navigate to Host setup and management.
2. Click Host groups, and then click Add New Group.
3. Groups should follow the naming convention: remediate - [group_name]
   

In addition to creating a new Remediate Host Group, additional configurations may need to be implemented for Response and Prevention Policies.

1. To review your Prevention Policies, navigate to Endpoint Security, and then click Configure.
2. Click Prevention Policies. 
3. Remediate host groups must have the following policy feature enabled in their attached policy for both Windows and OSX:
   1. Custom Blocking
      
4. To review your Response Policies, navigate to Host Setup and Management, and then click Response and Containment.
5. Click Response Policies.
6. Remediate host groups must have the following settings enabled in the attached policy for both Windows and OSX:
   1. Real Time Response
   2. Custom Scripts
   3. Get
   4. Put
   5. Run
      

Microsoft Defender for Endpoint

• For more information see, Active remediation device group setup in Microsoft Defender for Endpoint

SentinelOne

By default, endpoints are placed into a “Default Group” in a respective site and inherit the site policies.

1. To create a new endpoint group, navigate to endpoints (Sentinels).
2. Click Group, and then click New Group.
3. Enter remediate - [group_name] for your group name.
   
   

Red Canary–Select your Endpoints for Active Remediation

1. From the Red Canary homepage, click Endpoints.
2. Select the Endpoints you want to include in the Remediation group.
   Note: This can be done by OS, hostname, and a number of other fields.
3. Click the Reporting Tags dropdown, and then click Set tag and value.
   
4. Enter a Tag name.
5. In the Value field, enter remediate.
6. Click Set Reporting Tag.
   Note: This tag name and value will need to be set on new endpoints as they are onboarded to Red Canary for those endpoints to be in-scope for Active Remediation.