Many teams aren’t comfortable diving into fully automated response and remediation when threats are detected. That’s not surprising—most security products have a high false positive rate that makes it impossible to allow an aggressive response.
Red Canary’s accuracy rates are much higher, but it can still take weeks or months to become comfortable with automated response. There are also endpoints (domain controllers, for example) on which any automated action would be too disruptive to your business to be allowed.
We designed action approvals for these very situations. Allowing certain actions to require approval by your team is a smart way to begin using automation.
When an action requiring approval is executed, the configured recipients will receive a message stating that approval is required. The recipient must log into Red Canary and approve or deny the action.
Require approval for an action
You can require approval before any playbook action is executed.
To require approval before an action is executed:
- From any playbook, click the pencil icon next to the action for which you want to require approval.
- Check Require approval.
- Click the method that Red Canary should use to notify your team about the action that requires approval and complete the resulting form.
- Click Save.
What if multiple actions in a playbook require approval?
Only one notification will be sent to each unique contact per playbook. For example, if you put in the same email address, SMS number, or Slack URL on five actions in the same playbook, they will only get a single approval email (not five) when the playbook fires.
What if I don’t approve an action?
If an action that requires approval is not approved within a few minutes, another set of notifications is sent. These notifications will continue on a less frequent schedule until we've either exhausted all retries (six tries over ~20 hours) or all actions are approved.
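The two rules above, one notification per unique contact per playbook and a bounded series of reminders until every gated action is approved, as an added toy model (this is illustrative code, not Red Canary's implementation); the concrete reminder offsets, contact values and action names are constructed assumptions, since the page gives only "a few minutes" and "six tries over ~20 hours".

```python
# Added example (not Red Canary code): toy model of approval-gated playbook actions.
from dataclasses import dataclass

# Assumed reminder schedule in minutes after the first notification. The page says
# only "a few minutes" for the first retry, then a less frequent cadence, six tries
# over ~20 hours in total; these concrete offsets are a constructed assumption.
RETRY_OFFSETS_MIN = [5, 30, 120, 360, 720, 1200]

@dataclass
class Action:
    name: str
    require_approval: bool = False
    contacts: tuple = ()   # e-mail addresses, SMS numbers or Slack URLs
    approved: bool = False

def pending(actions):
    """Actions still waiting on a human decision before they may run."""
    return [a for a in actions if a.require_approval and not a.approved]

def recipients(actions):
    """One notification per unique contact per playbook, however many actions list it."""
    return list(dict.fromkeys(c for a in pending(actions) for c in a.contacts))

def run_playbook(actions, approvals_at=None):
    """Simulate firing a playbook. approvals_at maps action name -> minute at which the
    team approved it (constructed input). Returns (notification log, executed actions)."""
    approvals_at = approvals_at or {}
    executed = [a.name for a in actions if not a.require_approval]  # run immediately
    log = []
    # Notify at minute 0, then remind at each retry offset until every gated
    # action is approved or the retries are exhausted (page: six tries, ~20 h).
    for minute in [0] + RETRY_OFFSETS_MIN:
        for a in pending(actions):
            if approvals_at.get(a.name, float("inf")) <= minute:
                a.approved = True
                executed.append(a.name)
        to_notify = recipients(actions)
        if not to_notify:
            break
        log.append((minute, to_notify))
    return log, executed

def sample_playbook():
    """Constructed playbook: both gated actions list the same e-mail contact."""
    return [
        Action("isolate_host", True, ("soc@example.com", "+15550100")),
        Action("open_ticket"),
        Action("kill_process", True, ("soc@example.com", "https://hooks.slack.example/abc")),
    ]
```

With no approvals the model sends the initial notification plus six reminders and runs only the ungated action; approving both gated actions stops the reminders early.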