We have an Automate Trigger setup to fire whenever a specific type of External Alert comes in. For example, if a USB device has been used in our environment. However, we have not been getting any alerts from the Playbook.
Red Canary Automate
When your Automate Trigger is set to execute when an External Alert comes in, then your Playbook can only be configured with the "$ExternalAlert" variables. You can't use the "$Detection" variables, or the Playbook will fail to execute.
Example of Trigger set to execute based on "External Alert" data
External Alert Playbook variables
$ExternalAlert.native_json_raw(supports JSON interpolation)
In some cases, depending on the fidelity of the External Alert data, you may also be able to use some of the Endpoint specific variables in your Playbook. However, this will need to be thoroughly tested.
Endpoint specific Playbook variables
If you are using the Email notification Playbook, then you will also need to make sure your "Template" setting is configured to use the "Custom Freeform Email" setting. If you choose any of the "Threat" Template settings, the Playbook will not work.
This behavior occurs when the Automate Playbook Trigger is set to fire based on External Alert data, but the Playbook is configured to execute based on threat data. Keep in mind: External Alert data is not the same as threat data. In Red Canary Alert data = External Alerts (Generated from Alert data from all of your 3rd Party devices like firewalls), and Threats = Confirmed Threats (Generated from raw Event data that was received from your EDR Sensors). These are two completely different things.
See also: $Event and $Endpoint variables not showing data in Automate email notifications
Please sign in to leave a comment.