Active Remediation is a product built on security orchestration, automation, and response (SOAR), meaning that we require a handful of automations to perform initial triage and containment of Threats. These automations only take effect against hosts in a Remediate Sensor Group. Automations that are Red Canary Managed are not modifiable by your team.
High Severity Threat Published and Active Remediation (AR) - Medium Severity Threat Published (Red Canary Managed)
- These automations fire on either a High or Medium severity Threat and automatically isolate the host affected by the Threat. The automations also notify our Threat Response Engineers (TREs) via Slack and PagerDuty.
- TREs take an isolate-first approach to limit the risk of malware propagation or lateral movement. This approach also gives the team time to log into your environment and investigate.
IOC Response (Red Canary Managed)
- This automation attempts to perform initial triage of the Threat by actioning Indicators of Compromise (IOCs). Red Canary views IOCs as artifacts the team has determined to be malicious and safe to act against.
- Actions vary based on the capabilities supported by your EDR platform. They can include the following:
  - ban hash
  - kill process
  - delete binary
  - delete registry key
  - ban domain
  - quarantine file
Notify Customer of New Note
- Upon completion of remediation, a TRE will provide a summary of your Threat timeline that covers actions performed and any outstanding actions for your team.
- This automation emails specific email addresses to notify you that remediation is complete.
- This automation is customizable by your team and can be altered to send Slack, Teams, SMS, PagerDuty, Voice, Webhook, or Syslog notifications.
Remediation Requested (Red Canary Managed)
- When the Request Remediation function is utilized, this automation fires notifications to the TRE team via Slack and PagerDuty.
Notify TRE of New Note (Red Canary Managed)
- When your team leverages the Add Comment functionality on a Threat, the automation fires notifications to the TRE team via Slack and PagerDuty.
- This automation helps provide context when your team has additional information about the observed activity, including expected admin or developer behavior.
Unsupported OS Detected
- This automation fires an email to specified email addresses when a Linux endpoint is placed in a Remediate Sensor Group.
Note: Automations leveraging PagerDuty for TRE workflows only contain the following information: Threat URL, Threat Severity, and Threat Classification.
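The gating rules described above (Remediate Sensor Group membership, severity-triggered isolation, EDR-capability-dependent IOC actions, the Linux notification, and the reduced PagerDuty payload) can be modelled as a small dispatcher. This is an added illustrative example, not Red Canary's own code: the event fields, the `remediate` group label, the capability names and the assumption that IOC Response runs on every published Threat are all assumptions.

```python
from dataclasses import dataclass, field

# IOC type -> the EDR actions the page lists; which ones run depends on the
# capabilities the EDR platform supports (mapping is an assumption).
IOC_ACTIONS = {
    "hash": ["ban hash", "delete binary", "quarantine file"],
    "process": ["kill process"],
    "registry": ["delete registry key"],
    "domain": ["ban domain"],
}

@dataclass
class Threat:
    url: str
    severity: str            # "high" | "medium" | "low"
    classification: str
    host: str
    host_group: str          # sensor group the host belongs to, e.g. "remediate"
    iocs: list = field(default_factory=list)           # (ioc_type, value) pairs
    edr_capabilities: set = field(default_factory=set) # actions the EDR supports

def pagerduty_payload(t: Threat) -> dict:
    """PagerDuty notifications for TRE workflows carry only these three fields."""
    return {"url": t.url, "severity": t.severity, "classification": t.classification}

def on_sensor_group_change(host_os: str, new_group: str) -> bool:
    """Unsupported OS Detected: email when a Linux endpoint enters the remediate group."""
    return new_group == "remediate" and host_os.lower() == "linux"

def run_automations(t: Threat) -> list:
    """Return the ordered list of (action, target) tuples the managed automations take."""
    actions = []
    if t.host_group != "remediate":
        return actions  # automations only act on hosts in the Remediate Sensor Group
    if t.severity in ("high", "medium"):
        # isolate-first, then page the TREs with the reduced payload
        actions.append(("isolate_host", t.host))
        actions.append(("notify_tre_pagerduty", pagerduty_payload(t)))
    # IOC Response (assumed to run on every Threat): only actions the EDR supports
    for ioc_type, value in t.iocs:
        for action in IOC_ACTIONS.get(ioc_type, []):
            if action in t.edr_capabilities:
                actions.append((action, value))
    return actions
```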