Below are explanations of common trigger actions:
- When a user is completely deleted from Red Canary, the Audit Log records this action as "User Destroyed".
- When all roles have been removed from a user for a subdomain, the Audit Log records this action as "User Removed".
- When we sync Endpoints from the EDR server, we assign them a status that aligns with what the server gives us. If we do not understand the status that the server gives us, we mark the status as "Unknown".
- The variables that determine whether an Endpoint is classified as "suspended" are different for each EDR provider. For example, when the Carbon Black EDR Sensor sends us a status of "offline" and "power_state=1", we will mark the Endpoint as "suspended". What exactly constitutes a "power_state=1" status is determined by Carbon Black. When the Microsoft Defender for Endpoint Sensor sends a status of "healthStatus=Inactive", we will mark the Endpoint as "suspended".
- For a more complete list of Endpoint Status definitions, please see our article: Monitoring Sensor Health and Connection to Red Canary.
- External Alerts are the alert messages that we receive from the Alert Sources that have been configured in the Red Canary > Alerts Sources page. From the Alert Sources page, you can connect your various internal Alert Sources to Red Canary and ship the alerts to us. The alerts are assigned a Severity level of Unknown, Informational, Low, Medium, or High based on the data we receive in the alert message.
- If you would like to learn more about Alert Sources, please see our article: Collecting External Alerts.