Skip to main content
Red Canary help

Taking action on detections with automation

  • Updated .

Automation is the key to quickly remediating threats and minimizing your time to remediation. You can configure automation playbooks to be triggered by several events in the life cycle of a confirmed threat:

  • When a detection is published
  • When a detection is marked as remediated
  • When a detection is marked as not remediated
  • When a detection is acknowledged

Responding to a confirmed threat

You can configure an automation playbook to execute during a detection’s life cycle.

To trigger automation playbooks when a detection is published:

  1. Click Automations in the site navigation.
  2. Click New Trigger and select When a Detection is published.
  3. Customize the trigger to meet your needs.
  4. Associate one or more playbooks to the trigger.

What automation actions affect the state of detections?

A number of automation actions can affect the state of a detection in the Red Canary platform. These include:

  • Marking a detection as acknowledged
  • Marking a detection as not remediated (with a specific reason)
  • Marking a detection as remediated

You can find the complete list of actions in your Red Canary portal.

What are examples of automation that begins with detections?

Notifying your incident response team when a threat is confirmed

Notify your team whenever a detection with a specific severity is published:

mceclip0.png

By triggering playbooks that:

  • Create a ticket in your incident management system with the Webhook/API action.
  • Email an incident response mailing list with the Send Email action.
  • Post a message in a Slack/Teams channel with the Send Slack Message or Send Microsoft Teams Message action.
  • Trigger a PagerDuty incident for your security response team using the Create PagerDuty Incident action.
  • Call a phone tree using the Call Phone Numbers action.

Isolating and remediating workstations affected by malicious software

Activate network isolation / containment for workstation (non-server) endpoints that are affected by malicious software detections:

mceclip1.png

By triggering playbooks that:

  • Enqueue endpoint isolation using the Isolate the Endpoint action.
  • Disable network communications with a device management system triggered with the Webhook/API action.
  • Record a number of forensics artifacts using the Collect forensics package action.
  • Remediate infections using the Kill Processes, Delete/Capture Files, etc. actions.