Automation is the key to responding to threats quickly and minimizing your time to remediation. You can configure automation playbooks to be triggered by several events in the life cycle of a confirmed threat:
- When a threat is published
- When a threat is marked as remediated
- When a threat is marked as not remediated
- When a threat is acknowledged
Respond to a threat
You can configure an automation playbook to execute during a threat's life cycle.
- From the navigation menu, click Automation.
- Click Configure new trigger and select When a Threat is published.
- Customize the trigger to meet your needs, for example by restricting it to specific severities, classifications, or endpoint types.
- Associate one or more playbooks to the trigger.
What automation actions affect the state of threats?
A number of automation actions can affect the state of a threat in Red Canary. These include:
- Marking a threat as acknowledged
- Marking a threat as not remediated (with a specific reason)
- Marking a threat as remediated
You can find the complete list of actions in Red Canary.
What are examples of automation that begin with threats?
Notifying your incident response team when a threat is confirmed
Notify your team whenever a threat with a specific severity is published, by triggering playbooks that:
- Create a ticket in your incident management system with the Webhook or API action.
- Email an incident response mailing list with the Send Email action.
- Post a message in a Slack/Teams channel with the Send Slack Message or Send Microsoft Teams Message action.
- Trigger a PagerDuty incident for your security response team using the Create PagerDuty Incident action.
- Call a phone tree using the Call Phone Numbers action.
Isolate and remediate workstations affected by malicious software
Activate network isolation / containment for workstation (non-server) endpoints that are affected by malicious software detections, by triggering playbooks that:
- Enqueue endpoint isolation using the Isolate the Endpoint action.
- Disable network communications for the device through your device management system, called with the Webhook or API action.
- Record a number of forensic artifacts using the Collect forensics action.
- Remediate infections using the Kill Processes (IOC), Delete/Capture Files (IOC), and similar actions.
Restricting this trigger to workstations matters: automatically isolating a server can take a production service offline, so review server detections manually rather than containing them from a playbook.
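The following is an added example, not Red Canary's code and not its webhook format: a minimal receiver for the Webhook or API action used in both the notification and the isolation playbooks above. It shows the three checks a practitioner wants in front of any automated response: authenticate the caller (here an assumed HMAC-SHA256 signature over the raw body), refuse to act twice on the same threat (a re-delivered event must not isolate a host twice or open duplicate tickets), and gate containment on endpoint type so servers are never isolated. The event names, payload fields, signature header scheme, shared secret, and sample events are all constructed assumptions.

```python
"""Constructed webhook receiver modelling trigger conditions for threat playbooks.

Not Red Canary's code or payload format. The event shape, the HMAC signature
scheme, the secret and the action names are assumptions for illustration.
"""
import hashlib
import hmac
import json

# Constructed shared secret; in practice provisioned out of band and kept in a secret store.
WEBHOOK_SECRET = b"constructed-example-secret"

# Trigger conditions (assumed values): which severities page people, and which
# classifications are allowed to drive containment at all.
NOTIFY_SEVERITIES = {"high", "critical"}
CONTAINMENT_CLASSIFICATIONS = {"malicious_software"}


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side of the assumed scheme: hex HMAC-SHA256 over the raw body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature_hex: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison so a forged header cannot be brute-forced byte by byte."""
    expected = sign(body, secret)
    return hmac.compare_digest(expected, signature_hex)


def plan_actions(event: dict, seen_threat_ids: set) -> list:
    """Map one event to the playbook actions it should run, in order.

    Only 'threat.published' events start playbooks. Replays of a threat id already
    handled return no actions, so isolation and ticketing stay idempotent.
    """
    if event.get("event") != "threat.published":
        return []
    threat = event.get("threat", {})
    threat_id = threat.get("id")
    if not threat_id or threat_id in seen_threat_ids:
        return []
    seen_threat_ids.add(threat_id)

    # Every published threat gets acknowledged so the queue reflects that a responder owns it.
    actions = ["mark_acknowledged"]

    # Notification playbook: ticket and page only for the severities the trigger selects.
    if threat.get("severity") in NOTIFY_SEVERITIES:
        actions += ["create_ticket", "create_pagerduty_incident"]

    # Containment playbook: malicious software on a workstation only. Servers never match,
    # regardless of severity, because isolating one can take a service offline.
    endpoint = threat.get("endpoint", {})
    if (threat.get("classification") in CONTAINMENT_CLASSIFICATIONS
            and endpoint.get("type") == "workstation"):
        actions += ["isolate_endpoint", "collect_forensics", "kill_processes"]
    return actions


def handle_request(body: bytes, signature_hex: str, seen_threat_ids: set) -> dict:
    """Authenticate first; an unsigned or badly signed request runs nothing."""
    if not verify_signature(body, signature_hex):
        return {"status": "unauthorized", "actions": []}
    return {"status": "ok", "actions": plan_actions(json.loads(body), seen_threat_ids)}


# Constructed sample events (not real Red Canary payloads).
SAMPLE_EVENTS = [
    {"event": "threat.published",
     "threat": {"id": "T-1", "severity": "high", "classification": "malicious_software",
                "endpoint": {"hostname": "ws01", "type": "workstation"}}},
    {"event": "threat.published",
     "threat": {"id": "T-2", "severity": "high", "classification": "malicious_software",
                "endpoint": {"hostname": "db01", "type": "server"}}},
    {"event": "threat.published",
     "threat": {"id": "T-3", "severity": "low", "classification": "unwanted_software",
                "endpoint": {"hostname": "ws02", "type": "workstation"}}},
]

if __name__ == "__main__":
    seen = set()
    for ev in SAMPLE_EVENTS + [SAMPLE_EVENTS[0]]:  # last one is a replay of T-1
        body = json.dumps(ev).encode()
        print(ev["threat"]["id"], handle_request(body, sign(body), seen))
    print("forged:", handle_request(b"{}", "00" * 32, seen))
```

In a real deployment the `seen_threat_ids` set should live in durable storage shared by all receiver instances, and each action name would become a call to the ticketing, paging, or isolation API; the gating logic stays the same.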