This article is part of an overview of getting started with Red Canary:
- Collect endpoint telemetry
- Collect external alerts
- Detect potential threats (performed by Red Canary)
- Investigate potential threats (performed by Red Canary)
- Respond to threats using automation
Estimated reading time: 5 minutes
The role of automation in security operations
Use automation in Red Canary to take fast and consistent action when security-related events happen in your organization. Automation is essential to every security program, and Red Canary designed automation to be easy and safe to configure and implement.
Automation consists of:
- Actions, the individual steps an automation takes, such as sending an email, calling a phone number, changing a firewall rule, or sending an alert to your SIEM.
- Playbooks, which are groups of actions you want to take to achieve a goal. Playbooks can range from the simple (“Email my security mailing list”) to the complex (“Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation”).
- Triggers, which dictate when automation should begin. A trigger starts from an event (such as “When a detection is published” or “When an endpoint status changes”) and can be narrowed by conditions, such as requiring that the threat’s severity level is high.
The Automations view lists your automation triggers and associated playbooks and is where you can manage all things automation.
Configure a notification playbook
When you are getting started with Red Canary, your initial automation using Red Canary’s default playbooks will be highly notification-based. For example, these playbooks are set up to notify incident response teams or call 24x7 phone trees.
Get started by creating a trigger for threats being published and, optionally, limiting it to specific severities. Once the trigger is created, associate a playbook that emails or sends an SMS to your InfoSec or Incident Response team.
Configure a remediation playbook
As your response capability matures, more comprehensive automations help you reduce your time to remediation. Many teams aren’t comfortable diving into fully automated response and remediation when threats are detected. We designed approvals for exactly these situations.
Get started with this next level of remediation by creating a trigger for malicious software detections being published on workstations. Then associate a playbook that bans binaries marked as Indicators of Compromise (IOCs) and isolates those endpoints.
When configuring the playbook actions, enable approvals so that you receive a notification requesting your approval before the action executes.
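The trigger, condition, playbook and approval flow described above, modelled as an added example (this is not Red Canary’s code; every class, field and action name is an assumption chosen to mirror the two playbooks in this article):

```python
"""Toy model of trigger -> conditions -> playbook -> actions, with approval gating.
Illustrative only; names are assumptions, not a Red Canary API."""
from dataclasses import dataclass


@dataclass
class Action:
    name: str                      # e.g. "email_ir_team", "isolate_endpoint"
    requires_approval: bool = False  # remediation actions are gated, notifications are not


@dataclass
class Playbook:
    name: str
    actions: list


@dataclass
class Trigger:
    event: str       # event that starts the automation, e.g. "detection_published"
    conditions: dict  # event fields that must match, e.g. {"severity": "high"}
    playbook: Playbook

    def matches(self, event: dict) -> bool:
        if event.get("type") != self.event:
            return False
        return all(event.get(k) == v for k, v in self.conditions.items())


def run_automation(triggers, event, approvals=frozenset()):
    """Evaluate one event against all triggers.
    Returns (executed, pending): actions that run now, and actions held
    until the (playbook, action) pair appears in `approvals`."""
    executed, pending = [], []
    for trig in triggers:
        if not trig.matches(event):
            continue
        for action in trig.playbook.actions:
            key = (trig.playbook.name, action.name)
            if action.requires_approval and key not in approvals:
                pending.append(key)   # notify an approver instead of acting
            else:
                executed.append(key)
    return executed, pending


# Constructed sample configuration mirroring the notification and remediation playbooks.
NOTIFY = Playbook("notify-ir", [Action("email_ir_team"), Action("sms_oncall")])
REMEDIATE = Playbook("remediate-workstation",
                     [Action("ban_ioc_binary", True), Action("isolate_endpoint", True)])
TRIGGERS = [
    Trigger("detection_published", {"severity": "high"}, NOTIFY),
    Trigger("detection_published", {"classification": "malicious_software",
                                    "endpoint_type": "workstation"}, REMEDIATE),
]
```

Running a constructed high-severity malicious-software detection on a workstation through `run_automation` sends both notifications immediately and leaves the two remediation actions pending until they are approved.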
Report on time to remediate threats
Your timely response is critical whenever Red Canary identifies a threat in your environment. Your median time to remediation is an important measure of your program’s effectiveness. This measure is so important that we present the median time to remediation in our platform report “Detected Threats: How timely were we at remediating them?”
That’s our brief overview of Red Canary! There are many more features throughout the platform that are designed to educate you and improve your security operations.
The Red Canary Help Center has other guides, feature descriptions, and how-to articles covering additional features and functionality. Enjoy your time getting to know Red Canary, and reach out anytime if you need help or deeper explanations.