There are some Automate Trigger Conditions that require further explanation.
This is by no means an exhaustive list. If you are looking for a good overview of what Automate is and how it is used in Red Canary, please see the articles below:
- Getting started with automation
- Taking action on detections with automation
- Taking action on external alerts with automation
- Taking action with playbooks and actions
- Automate: Actioning Indicators of Compromise (IOCs)
The following are explanations of common trigger conditions:
- When a user is completely deleted from Red Canary, the Audit Log records this action as "User Destroyed."
- When all roles have been removed from a user for a subdomain, the Audit Log records this action as "User Removed."
- When we sync Endpoints from the EDR server, we assign them a status that aligns with what the server gives us. If we do not recognize the status that the server gives us, we mark the status as "Unknown."
- The criteria that determine whether an Endpoint is classified as "suspended" differ for each EDR provider. For example, when the Carbon Black EDR Sensor sends us a status of "offline" together with "power_state=1", we will mark the Endpoint as "suspended." What exactly constitutes a "power_state=1" status is determined by Carbon Black. When the Microsoft Defender for Endpoint Sensor sends us a status of "healthStatus=Inactive", we will mark the Endpoint as "suspended."
- For a more complete list of Endpoint Status definitions, please see our article: Monitoring Sensor Health and Connection to Red Canary
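The Endpoint status rules above, modelled as an added example (this is not Red Canary's own code). The field names "status", "power_state" and "healthStatus" come from the text; the provider keys, the record layout and the KNOWN_STATUSES pass-through list are assumptions made for the example.

```python
# Added example, not Red Canary's own code. It models the status normalisation
# described above: provider-specific sensor fields are mapped to one endpoint
# status, with "Unknown" for anything the sync does not recognise.
# Field names "status", "power_state" and "healthStatus" come from the text;
# the provider keys, the record layout and KNOWN_STATUSES are assumptions.

# Assumed: raw statuses we pass through unchanged (lower-cased) when none of
# the "suspended" rules above applies.
KNOWN_STATUSES = {
    "carbon_black": {"online", "offline"},
    "microsoft_defender": {"active"},
}


def normalize_endpoint_status(provider: str, sensor: dict) -> str:
    """Map one synced sensor record to an Endpoint status."""
    if provider == "carbon_black":
        raw = str(sensor.get("status", "")).lower()
        # Carbon Black: "offline" together with power_state=1 means suspended.
        if raw == "offline" and sensor.get("power_state") == 1:
            return "suspended"
    elif provider == "microsoft_defender":
        raw = str(sensor.get("healthStatus", "")).lower()
        # Defender for Endpoint: healthStatus=Inactive means suspended.
        if raw == "inactive":
            return "suspended"
    else:
        return "Unknown"  # provider the sync does not understand
    # Otherwise keep the status the server gave us, if we recognise it.
    return raw if raw in KNOWN_STATUSES[provider] else "Unknown"


def normalize_sync_batch(provider: str, records: list) -> dict:
    """Return {endpoint_id: status} for one batch of synced sensor records."""
    return {r["id"]: normalize_endpoint_status(provider, r) for r in records}


# Constructed sample sync batch (not real data).
SAMPLE_CB_BATCH = [
    {"id": "cb-1", "status": "online", "power_state": 0},
    {"id": "cb-2", "status": "offline", "power_state": 1},
    {"id": "cb-3", "status": "offline", "power_state": 0},
    {"id": "cb-4", "status": "decommissioned", "power_state": 0},
]
```

A trigger such as "Endpoint status changed to suspended" would fire only for cb-2 in the sample batch; cb-4 lands in "Unknown" because its raw status is not one the sync recognises.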