Red Canary’s email integration allows emails to be sent as part of an automation playbook.

Adding an email automation action

To add an email notification to an automation playbook:

1. Within any playbook, click Add Action.
2. Click Email > Send Email > Add to Playbook.
3. Specify email recipients in the To field by entering comma-separated email addresses. These can be determined dynamically using variables, such as using $Detection.marked_acknowledged_by_user.email to send an email to the user who acknowledged a detection.
4. Specify the Reply To address for the email. This address is used when a recipient clicks the reply button in their email client and is useful for routing responses back to your security or support team.
5. Select a Template (learn more about these below) and fill in any additional message fields supported by the template.
6. Click Save.

What are email templates?

You shouldn’t need to start from scratch every time you want to send an email, so we provide several pre-built templates.

Custom Freeform Email

This template is a completely freeform email. Enter text in the Message field and you will receive an email with exactly that.

Here’s an example, when executed with the following configuration:

You will see an email similar to:

Detection - All Detection Data as JSON

This template is designed for systems that read structured JSON data from emails (ServiceNow is a common recipient for these messages). The triggering/associated detection is sent in JSON format in the email body.

Applicability: This template is only valid for detection-based triggers.

Here’s an example, when executed with the following configuration:

You will see an email similar to:

Detection - Published Notification in HTML

This template sends information about a confirmed threat to users in a condensed / summary format that includes a brief list of identified indicators of compromise.

Applicability: This template is only valid for detection-based triggers.

Here’s an example, when executed with the following configuration:

You will see an email similar to:

Detection - Human Readable HTML with full timeline

This template sends information about a confirmed threat to users in a condensed / summary format with the complete timeline of the detection, including all relevant activity and identified indicators of compromise.

Applicability: This template is only valid for detection-based triggers.

Here’s an example, when executed with the following configuration:

You will see an email similar to: