There are some Automate Trigger Conditions that require further explanation.
This is by no means an exhaustive list. If you are looking for a good overview of what Automate is and how it is used in Red Canary, please see the below articles:
- Getting started with automation
- Taking action on threats with automation
- Taking action on external alerts with automation
- Taking action with playbooks and actions
- Automate: Actioning Indicators of Compromise (IOCs)
Below are explanations of common trigger conditions:
- When a user is completely deleted from Red Canary the Audit Log records this action as: "User Destroyed."
- When all roles have been removed from a user for a subdomain, the Audit Log records this action as "User Removed."
- When we sync Endpoints from the EDR server, we assign them a status that aligns with what the Server gives us. If we do not understand the status that the server gives us, we mark the status as "Unknown."
- The variables that determine if an Endpoint is classified as "suspended" are different for each EDR provider. For example, when the Carbon Black EDR Sensor sends us a status of "offline" and "power_state=1" we will mark the Endpoint as "suspended." What exactly constitutes a "power_state=1" status is determined by Carbon Black. When the Microsoft Defender for Endpoint Sensor sends us a status of "healthStatus=Inactive" we will mark the Endpoint as "suspended."
- For a more complete list of Endpoint Status definitions, please see our article: Monitoring Sensor Health and Connection to Red Canary
- We classify an endpoint as "Protected" when we confirm that we are actively receiving telemetry from the EDR Sensor. We base this confirmation on the EDR Sensor's Last Activity time versus its Last Checkin time: the endpoint is "Protected" if the Sensor's Last Activity time is either (a) within 3 hours prior to the Sensor's Last Checkin time, or (b) any time after the Sensor's Last Checkin time.
- If you would like to learn more about the Red Canary "Protected" status, please see our article: What Does "Protected by Red Canary" mean?
- External Alerts are the alert messages that we receive from the Alert Sources that have been configured in the Red Canary > Alerts Sources page. From the Alert Sources page you have the ability to connect your various internal Alert Sources to Red Canary and ship the alerts to us. The alerts are assigned a Severity level of Unknown, Informational, Low, Medium, or High based on the data we received in the alert message.
- If you would like to learn more about Alert Sources, please see our article: Collecting External Alerts.
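As an added example (not Red Canary's own code), the endpoint-status rules above written as a small Python classifier: the provider-specific "suspended" mappings, the fallback to "Unknown" for statuses we do not recognise, and the 3-hour Last Activity versus Last Checkin test for "Protected". The field names status, power_state and healthStatus come from the text; the provider keys, the allow-lists of pass-through statuses, and treating the 3-hour boundary as inclusive are assumptions.

```python
from datetime import datetime, timedelta
from typing import Optional, Union

# Window from the article: activity within 3 hours before the last check-in
# (or any time after it) counts as confirmed, live telemetry.
PROTECTED_WINDOW = timedelta(hours=3)

# Assumed allow-lists of provider statuses we pass through unchanged;
# the real EDR API field names and value sets are not given in the article.
KNOWN_STATUSES = {
    "carbon_black": {"online", "offline"},
    "defender": {"Active", "Inactive"},
}

def normalize_sensor_status(provider: str, raw: dict) -> str:
    """Map a provider-reported sensor status onto the Red Canary endpoint status."""
    status = None
    if provider == "carbon_black":
        status = raw.get("status")
        # Carbon Black: "offline" together with power_state=1 means suspended.
        if status == "offline" and raw.get("power_state") == 1:
            return "suspended"
    elif provider == "defender":
        status = raw.get("healthStatus")
        # Microsoft Defender for Endpoint: healthStatus=Inactive means suspended.
        if status == "Inactive":
            return "suspended"
    # Anything we do not understand is recorded as Unknown rather than guessed.
    return status.lower() if status in KNOWN_STATUSES.get(provider, set()) else "unknown"

def _to_dt(value: Union[str, datetime, None]) -> Optional[datetime]:
    """Accept ISO 8601 strings (with a trailing Z) or datetimes; None stays None."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def is_protected(last_activity, last_checkin) -> bool:
    """Protected iff Last Activity is within 3h before Last Checkin (inclusive) or after it."""
    activity, checkin = _to_dt(last_activity), _to_dt(last_checkin)
    if activity is None or checkin is None:
        return False  # a missing timestamp never counts as confirmed telemetry
    return activity >= checkin - PROTECTED_WINDOW

if __name__ == "__main__":
    # Constructed sample endpoint records, not real sensor data.
    samples = [
        ("carbon_black", {"status": "offline", "power_state": 1}, "2024-01-01T09:30:00Z", "2024-01-01T12:00:00Z"),
        ("defender", {"healthStatus": "Active"}, "2024-01-01T08:00:00Z", "2024-01-01T12:00:00Z"),
        ("other_edr", {"status": "healthy"}, None, "2024-01-01T12:00:00Z"),
    ]
    for provider, raw, activity, checkin in samples:
        print(provider, normalize_sensor_status(provider, raw), is_protected(activity, checkin))
```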