Some Automate Trigger Conditions require further explanation. This is by no means an exhaustive list. For a good overview of what Automate is and how it is used in Red Canary, see the articles below:
- Getting started with automation
- Taking action on detections with automation
- Taking action on external alerts with automation
- Taking action with playbooks and actions
- Automate: Actioning Indicators of Compromise (IOCs)
Below are explanations of common trigger conditions:
- When a user is completely deleted from Red Canary, the Audit Log records this action as "User Destroyed."
- When all roles have been removed from a user for a subdomain, the Audit Log records this action as "User Removed."
- When we sync endpoints from the EDR server, we assign each endpoint a status that aligns with the status the server reports. If we do not recognize the status the server reports, we mark the endpoint's status as "Unknown."