Automation playbooks can be triggered by several events in the life cycle of an external alert:
- When an external alert is ingested
- When an external alert validation state changes
- When an external alert hasn't been correlated for 24 hours
These triggers enable powerful workflows that allow your team to best defend your organization.
What automation actions affect the state of external alerts?
A number of automation actions can affect the state of external alerts. These include:
- Comment on Alert in Source Platform
- Update State of Alert in Source Platform
You can find the complete list of actions in your Red Canary portal.
What are examples of automations that begin with external alerts?
Notifying your team when a high-severity alert is ingested from a network security product
You can use Red Canary to fulfill basic SIEM and SOAR use cases, such as notifying your team when any of your network security products identifies what it reports as a high-severity threat.
Notifying your team when an alert could not be correlated to endpoint and process data within 24 hours
You may want to notify your team if Red Canary has been unable to correlate certain alerts with endpoint or process activity within 24 hours so you can investigate that alert yourself.
Automatically closing low / informational severity alerts for certain noisy platforms
Many alert sources generate a high volume of low-severity alerts and do not provide a way to automatically close or adjudicate them. You can use Red Canary to better operationalize those platforms by triggering playbooks that:
- Add a comment on the alert (in the underlying platform) that “This alert is being automatically closed because it is high volume / low value” using the Comment on Alert in Source Platform action.
- Close the alert (in the underlying platform) using the Update State of Alert in Source Platform action.
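The three example playbooks above (notify on a high-severity network alert, notify when an alert stays uncorrelated for 24 hours, comment and close low-value alerts from noisy platforms), modelled as an added illustration that is not Red Canary's own code or API: the alert fields, the "Notify Team" action name, the `NOISY_PLATFORMS` set and the sample alerts are assumptions constructed for this example, while the two source-platform action names are the ones the page lists.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed placeholder: platforms the team treats as high volume / low value.
NOISY_PLATFORMS = {"example-noisy-platform"}
CORRELATION_WINDOW = timedelta(hours=24)
CLOSE_COMMENT = "This alert is being automatically closed because it is high volume / low value"

@dataclass
class ExternalAlert:  # assumed shape of an external alert; not Red Canary's data model
    alert_id: str
    source: str
    severity: str                      # "high", "medium", "low" or "informational"
    network_product: bool              # True when the source is a network security product
    ingested_at: datetime
    correlated_at: Optional[datetime] = None   # None until endpoint/process data is matched
    actions: list = field(default_factory=list)  # actions taken, in the order they ran

def on_alert_ingested(alert: ExternalAlert) -> list:
    """Trigger: an external alert is ingested."""
    if alert.network_product and alert.severity == "high":
        alert.actions.append("Notify Team")  # assumed action name
    if alert.source in NOISY_PLATFORMS and alert.severity in ("low", "informational"):
        # Comment first so the reason is recorded in the source platform before the state changes.
        alert.actions.append(f"Comment on Alert in Source Platform: {CLOSE_COMMENT}")
        alert.actions.append("Update State of Alert in Source Platform: closed")
    return alert.actions

def on_uncorrelated_for_24h(alert: ExternalAlert, now: datetime) -> list:
    """Trigger: the alert has not been correlated to endpoint and process data for 24 hours."""
    if alert.correlated_at is None and now - alert.ingested_at >= CORRELATION_WINDOW:
        alert.actions.append("Notify Team: not correlated within 24 hours")  # assumed action name
    return alert.actions

def demo() -> dict:
    """Run the playbooks over constructed sample alerts; returns actions keyed by alert id."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alerts = [
        ExternalAlert("fw-1", "example-firewall", "high", True, t0, correlated_at=t0),      # notify
        ExternalAlert("noisy-1", "example-noisy-platform", "informational", False, t0,
                      correlated_at=t0),                                                  # comment + close
        ExternalAlert("edr-1", "example-edr", "medium", False, t0, correlated_at=t0),       # nothing
        ExternalAlert("edr-2", "example-edr", "medium", False, t0),                         # still uncorrelated
    ]
    for a in alerts:
        on_alert_ingested(a)
        on_uncorrelated_for_24h(a, t0 + timedelta(hours=25))  # evaluated a day later
    return {a.alert_id: a.actions for a in alerts}
```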