Skip to main content
Red Canary help

Use automation to combat threats

  • Updated .

Automation is the key to quickly remediating threats and minimizing your time to remediation. You can configure automation playbooks to be triggered by several events in the life cycle of a confirmed threat:

  • When a threat is published
  • When a threat is marked as remediated
  • When a threat is marked as not remediated
  • When a threat is acknowledged

Respond to a threat

You can configure an automation playbook to execute during a threat's life cycle.

  1. From the navigation menu, click Automation.
  2. Click Configure new trigger and select When a Threat is published.
  3. Customize the trigger to meet your needs.
  4. Associate one or more playbooks to the trigger.

What automation actions affect the state of threats?

A number of automation actions can affect the state of a threat in Red Canary. These include,

  • Marking a threat as acknowledged
  • Marking a threat as not remediated (with a specific reason)
  • Marking a threat as remediated

You can find the complete list of actions in Red Canary.

What are examples of automation that begin with threats?

Notifying your incident response team when a threat is confirmed

Threat_severity_high_medium_new.png

Notify your team whenever a threat with a specific severity is published, by triggering playbooks that:

  • Create a ticket in your incident management system with the Webhook or API action.
  • Email an incident response mailing list with the Send Email action.
  • Post a message in a Slack/Teams channel with the Send Slack Message or Send Microsoft Teams Message action.
  • Trigger a PagerDuty incident for your security response team using the Create PagerDuty Incident action.
  • Call a phone tree using the Call Phone Numbers action.

Isolate and remediate workstations affected by malicious software

Threat_workstation.png

Activate network isolation / containment for workstation (non-server) endpoints that are affected by malicious software detections, by triggering playbooks that:

  • Enqueue endpoint isolation using the Isolate the Endpoint action.
  • Disable network communications with a device management system triggered with the Webhook or API action.
  • Record a number of forensics artifacts using the Collect forensics action.
  • Remediate infections using the Kill Processes (IOC), Delete/Capture Files (IOC), etc. actions.

 

Comments

0 comments

Please sign in to leave a comment.