We need an Automate Trigger and Playbook set up to execute when a threat is published, based on the time of day and the day of the week. For example, we would like to be notified if a threat is published before 7am or after 4pm, Monday through Friday.
Red Canary Automate
To set this up you will need to create a Trigger that uses the "When a Detection is Published" condition.
In this example we create a Playbook that notifies us when a threat is published before 7am or after 4pm, Monday through Friday.
To set this up follow these steps:
- Open the Automations page in Red Canary.
- Create a new Trigger by clicking the "New Trigger" button on the top right of the page.
- Select the "When a Detection is Published" Trigger condition.
- Give the new Trigger a name (for example: "Notify when a threat is published before 7am or after 4pm Monday through Friday").
- Click the "Add a condition" button and choose the "Time" condition. Then select the "Day of Week in..." condition. NOTE: be sure to choose your desired Time Zone (e.g. UTC, PST, MST, EST, CST). Then select the "Is one of" condition and include the days Monday, Tuesday, Wednesday, Thursday and Friday.
- Click the "Add a condition" button again and choose the "Time" condition. Then select the "Hour of day" condition. NOTE: be sure to select your desired Time Zone (e.g. UTC, PST, MST, EST, CST). Then select the "Is not one of" condition and choose all of the hours from 7am through 4pm (i.e. 7, 8, 9, 10, 11, 12, 13, 14, 15, 16).
You now have a Trigger set up to execute when a threat is published on a weekday (Monday through Friday) at an hour that is not one of the hours from 7am through 4pm.
Now it's time to set up your Playbook.
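The same after-hours rule expressed as code, so you can check which detections the Trigger will and will not fire on before relying on it. This is an added example, not Red Canary code and not something the Automate product exposes; it assumes detections arrive with a UTC timestamp (the sample records below are constructed), that the analyst's chosen Time Zone is America/Denver (standing in for the Time Zone selector in the Trigger), and that the hour-of-day list 7 through 16 is read the way the example treats it: a detection at 4:59pm local falls in hour 16 and counts as business hours, while 5:00pm does not.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical re-implementation of the Trigger's two Time conditions; not Red Canary code.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/Denver")  # assumption: the analyst's Time Zone (MST/MDT)
except Exception:
    # No tz database on this host: fall back to a fixed MDT offset (no DST handling).
    LOCAL_TZ = timezone(timedelta(hours=-6), "MDT")

UTC = timezone.utc
WEEKDAYS = {0, 1, 2, 3, 4}           # "Day of Week" Is one of Monday..Friday (Monday = 0)
BUSINESS_HOURS = set(range(7, 17))   # "Hour of day" Is not one of 7..16 (7am through the 4pm hour)


def is_after_hours(published_at: datetime, tz=LOCAL_TZ) -> bool:
    """True when a detection published at `published_at` should run the Playbook.

    `published_at` must be timezone-aware (APIs normally return UTC). It is
    converted to `tz` before the weekday and hour are read, which is what the
    Trigger's Time Zone selector does for you; reading the raw UTC value
    instead can shift both the day and the hour.
    """
    if published_at.tzinfo is None:
        raise ValueError("published_at must be timezone-aware")
    local = published_at.astimezone(tz)
    return local.weekday() in WEEKDAYS and local.hour not in BUSINESS_HOURS


# Constructed sample detections (not real data); comments give the Denver local time.
SAMPLE_DETECTIONS = [
    {"id": "det-1", "published_at": "2024-03-12T12:30:00+00:00"},  # Tue 06:30 -> notify
    {"id": "det-2", "published_at": "2024-03-12T13:30:00+00:00"},  # Tue 07:30 -> business hours
    {"id": "det-3", "published_at": "2024-03-12T22:59:00+00:00"},  # Tue 16:59 -> hour 16, business hours
    {"id": "det-4", "published_at": "2024-03-12T23:00:00+00:00"},  # Tue 17:00 -> notify
    {"id": "det-5", "published_at": "2024-03-16T05:00:00+00:00"},  # Sat in UTC, Fri 23:00 locally -> notify
    {"id": "det-6", "published_at": "2024-03-16T15:00:00+00:00"},  # Sat 09:00 -> weekend, no notify
]


def detections_to_notify(detections, tz=LOCAL_TZ):
    """Return the ids of detections the after-hours Trigger would fire on."""
    return [
        d["id"]
        for d in detections
        if is_after_hours(datetime.fromisoformat(d["published_at"]), tz)
    ]


if __name__ == "__main__":
    print("Denver:", detections_to_notify(SAMPLE_DETECTIONS))  # det-1, det-4, det-5
    print("UTC   :", detections_to_notify(SAMPLE_DETECTIONS, UTC))  # det-3, det-4
```

Running the same records with `UTC` instead of the Denver zone gives a different answer set: the Saturday 05:00 UTC detection is Friday 23:00 locally and would be missed, while the 12:30 UTC one (06:30 locally) would be treated as business hours. That is why both Time conditions in the Trigger need the same, deliberately chosen Time Zone.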
- Click Add a Playbook.
- Select Create a new Playbook on the top right of the page. NOTE: if you do not see the new Playbook populate next to your Trigger, refresh the page.
- Click on the new Playbook block. It will be given a default name of "Playbook <Some Number>" (Example: "Playbook 10"). Give the Playbook a new name by clicking in the name field. For example: "Send email notification."
- Next, click Add Action. You will be presented with a number of options; choose the one that best suits your needs. In this example we will choose the Email option.
- Click on the Send email link and then click Add to Playbook.
- Configure the required Email Playbook fields, then click the Save button.
Here's an example of an Email Playbook configuration:
Once you have your notification Playbook configured, your new Automate Trigger and Playbook should look similar to this: