Red Canary’s email integration allows emails to be sent as part of an automation playbook.
Adding an email automation action
To add an email notification to an automation playbook:
- Within any playbook, click Add Action.
- Click Email > Send Email > Add to Playbook.
- Specify email recipients in the To field by entering comma-separated email addresses. These can be determined dynamically using variables, for example $Detection.marked_acknowledged_by_user.email to send an email to the user who acknowledged a detection.
- Specify the Reply To address for the email. This address is used when a recipient clicks the reply button in their email client and is useful for routing responses back to your security or support team.
- Select a Template (learn more about these below) and fill in any additional message fields supported by the template.
- Click Save.
What are email templates?
You shouldn’t need to start from scratch every time you want to send an email, so we provide several pre-built templates.
Custom Freeform Email
This template is a completely freeform email. Enter text in the Message field and the recipient will receive an email containing exactly that text.
Here’s an example, when executed with the following configuration:
You will see an email similar to:
Detection - All Detection Data as JSON
This template is designed for systems that read structured JSON data from emails (ServiceNow is a common recipient for these messages). The triggering/associated detection is sent in JSON format in the email body.
Applicability: This template is only valid for detection-based triggers.
Here’s an example, when executed with the following configuration:
You will see an email similar to:
Detection - Published Notification in HTML
This template sends information about a confirmed threat to users in a condensed summary format that includes a brief list of identified indicators of compromise.
Applicability: This template is only valid for detection-based triggers.
Here’s an example, when executed with the following configuration:
You will see an email similar to:
Detection - Human Readable HTML with full timeline
This template sends information about a confirmed threat to users in a condensed summary format together with the complete timeline of the detection, including all relevant activity and identified indicators of compromise.
Applicability: This template is only valid for detection-based triggers.
Here’s an example, when executed with the following configuration:
You will see an email similar to: