Automation is essential to taking fast and consistent action when events happen in your organization. Red Canary’s automation capabilities are designed to enable you to complete specific security tasks, as opposed to infinitely customizable SOAR products that require weeks of configuration.
Automation: key concepts
There are several key elements that comprise automation: Triggers, Playbooks, and Actions.
Triggers describe when automation should begin. Triggers start with an event (such as When a threat is published or When an Endpoint status changes) and can be limited by conditions such as and Threat Severity is ... . Each trigger can be linked to one or more playbooks, making both triggers and playbooks highly reusable.
Playbooks are a group of actions you want to take to achieve a goal. Playbooks can range from the simple (“Email my security mailing list”) to the complex (“Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation”).
An action is the specific action taken by the automation, whether sending an email, calling a phone, changing a firewall rule, or sending an alert to your SIEM. Red Canary's supported actions are constantly expanding as we enable new integrations.
How do I get started with Automation?
The first automation you will enable is how you want to be notified when Red Canary confirms a threat in your environment. This might involve actions of sending emails, calling phone numbers, or triggering a system like PagerDuty.
The next automation should outline your incident response plan, which you will follow whenever Red Canary verifies a threat. This should involve some form of endpoint containment and remediation, and it may also involve additional triggers that customize which playbooks are executed on different types or groups of endpoints.
Create an Automation
- From the navigation menu, select Automation. The automation page is split into two sections, Triggers and Playbooks.
- Click Configure new trigger and select the event you want to start with.
- Adjust the trigger’s name to describe your use case. Customize the conditions to meet your use case. Keep in mind that certain fields will only be available for certain events.
- Click Save.
- Click Playbooks, and Create New Playbook.
- Rename the playbook with a name and description that are easy to understand at a glance.
- Click Add Action. This action will be initiated by the trigger that was created.
- Select the required action, and click Add to Playbook.
- Enter the pertinent information required.
- Then click Save.
- Return to the main Automation page, and click Connect playbook to connect the action to the trigger.
Triggers are active by default. Click the Active slider to deactivate the trigger and prevent it from firing, or click the ICON_TRASH to permanently delete the trigger.
Note: Please read the section on automated actions to learn more.
Add actions to a playbook
Actions are how you define what should happen when a playbook is executed.
- When viewing any playbook, click Add Action.
- Click an action from the list of actions by product (to view these actions by outcome instead of product, click show actions by outcome).
- Click Add to Playbook.
- Customize the action as desired, then click Save.
Actions are active by default. Click the Active slider to deactivate the action and prevent it from executing, or click Delete from the left menu to permanently delete the playbook.
You can choose the number of seconds to wait before automatically dialing the next number if the playbook has the option to call numbers when triggered. The default is set to five seconds, but the dropdown now provides 30, 60, 120, 240 (four minutes), 480 (eight minutes), 960 (16 minutes) seconds as options.
Associate playbooks and triggers
Both triggers and playbooks are reusable so the automation is consistent and requires less work to define.
- Click Connect Playbook next to any trigger.
- Click the playbook you want associated with the trigger. The playbook will now be executed when the trigger is triggered.
- To remove a playbook’s association to a trigger click Disconnect next to the playbook. The playbook will no longer be executed when the trigger is triggered (but it is not deleted).
Automation is essential to every security program. Red Canary is designed to make it incredibly easy and safe to implement.
To learn more about creating triggers, please read: Create triggers to customize when a playbook is run.
Require approval for an action
You can require approval before any playbook action is executed.
- Within any playbook, click the ICON_PENCIL icon next to the action that requires approval.
- Check Require approval.
- Click the method that Red Canary should use to notify your team about the action and complete the resulting form.
- Click Save.
What if multiple actions in a playbook require approval?
Each unique contact will only receive one approval notice per playbook. For example, if you use the same email address, SMS number, or Slack URL for approval on five different actions in the same playbook, they will only receive one approval email (not five) when the playbook executes.
What if I don’t approve an action?
If a required action is not accepted within a few minutes, a new set of notifications is sent. These notifications will continue on a less frequent schedule until we've either exhausted all retries (six tries over ~20 hours) or all actions are approved.
What if I’m not comfortable with automation?
Many teams aren’t comfortable diving into fully automated response and remediation when threats are detected. Red Canary’s accuracy rates are much higher, but it still can take weeks or months to get comfortable. There are also situations in which any action taken on specific endpoints (domain controllers, for example) would be too impactful for your business to be allowed.
We designed action approvals for these very situations. Allowing certain actions to require approval by your team before executing is a smart way to begin using automation.
Learn more about easing into automation with human approvals.
Please sign in to leave a comment.