Issue
Is there a way to set up automation to decommission uncommunicative endpoints?
Environment
Red Canary - Automation
Resolution
You can use an Automation Trigger to execute a Playbook that decommissions an endpoint that has not checked in within the last 59 days or less. Below is an example of the fields you can use for a trigger.
NOTE: Once the Trigger is created, you will need to add/connect a Playbook by clicking on the green "Connect playbook" button on the Trigger.
From there, you can set the Playbook to Decommission the endpoint.
To receive an alert to manually approve Decommissioning for an endpoint, check the Require approval box and select the preferred method of notification.
NOTE: the Require approval setting is ONLY needed if you want to receive an alert before the Decommissioning process takes place. This will also require someone to manually approve the action before it takes place. If you need the Playbook to run in a fully automated fashion, do NOT enable the Require approval setting.
NOTE: Once a trigger and playbook are set up and enabled, automation will only work for endpoints that meet the criteria in the future. For endpoints that need to be decommissioned retroactively, you will need to decommission manually. See Decommissioning Endpoints.
For further guidance on the basics of automation:
Getting started with automation
Automate Trigger Condition Descriptions