Skip to main content
Red Canary help

Add an email automate action

  • Updated .

Integrating with email or mailing lists allows Red Canary to send emails as part of an automation playbook.

Estimated procedure time: 10 minutes

  1. Within any playbook, click Add Action.
  2. Click Email, Send Email, and then click Add to Playbook.
  3. Specify email recipients in the To field by entering comma-separated email addresses. These can be determined dynamically using variables, such as using $Detection.marked_acknowledged_by_user.email to send an email to the user who acknowledged a detection.
  4. Specify the Reply To address for the email. This address is used when a recipient clicks the reply button in their email client and is useful for routing responses back to your security or support team.
  5. Select a Template and fill in any additional message fields supported by the template.
  6. Click Save.

Email templates

You shouldn’t need to start from scratch every time you want to send an email, so we provide several pre-built templates.

Custom Freeform Email

This template is a completely freeform email. Enter text in the Message field and you will receive an email with exactly that.

Here’s an example:

mceclip0.png

Which produces this email:

mceclip1.png

Detection: All detection data as JSON

This template is designed for systems that read structured JSON data from emails; ServiceNow is a common recipient for these messages. The associated threat is sent in JSON format in the email body.

Note: This template is only valid for threat-based triggers.

Here’s an example:

mceclip2.png

Which produces this email:

mceclip3.png

Detection: Published notification in HTML

This template sends information about a threat to users in a condensed, summary format that includes a brief list of identified indicators of compromise.

Note: This template is only valid for threat-based triggers.

Here’s an example:

mceclip4.png

Which produces this email:

mceclip5.png

Detection: Human-readable HTML with full timeline

This template sends information about a threat to users in a condensed, summary format with the complete timeline of the threat, including all relevant activity and identified indicators of compromise.

Note: This template is only valid for threat-based triggers.

Here’s an example:

mceclip6.png

Which produces this email:

mceclip7.png

Comments

0 comments

Please sign in to leave a comment.