When you add actions to a playbook, you can select attributes or variables from a list to customize your actions. Variables and their corresponding actions are grouped together.
Playbook Variable List
Red Canary has created a list of the most commonly used variables for each action. Only the variables that belong to the object that triggered the execution are available during that execution. For example, if an AuditLog creation triggered an action to run, $Detection variables won't be available.
Variables embedded in custom payloads can also be escaped for JSON or XML when the payload format requires it. Use $JSON:Variable.name or $XML:Variable.name in place of $Variable.name to apply the escaping.

You can select all objects within an array using the brace notation ["*"]. For example, when $Model.attributes parses to the JSON object {"users": [{"name": "John Doe"}, {"name": "Jane Doe"}]}, the expression $Model.attributes["users"]["*"]["name"] returns both users' names.
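The resolution and escaping rules described above, as an added example that is not Red Canary's code: a small Python re-implementation of the $Variable.name, $JSON: and $XML: syntax, run over the page's sample JSON object. The page does not state exactly how the product escapes values, so this version assumes that $JSON: emits a complete JSON literal (a quoted, escaped string, or an array when ["*"] fanned out) and that $XML: applies XML entity escaping; the variable names and values in VARIABLES are constructed. It also shows why the escaping exists: a value that contains a double quote breaks a JSON payload when interpolated raw.

```python
import json
import re
from xml.sax.saxutils import escape as xml_escape

# Constructed sample variables (not real portal data): the $Model.attributes object
# from the page's example, plus a headline containing characters that are unsafe
# to interpolate raw into JSON or XML.
VARIABLES = {
    "Model.attributes": {"users": [{"name": "John Doe"}, {"name": "Jane Doe"}]},
    "Detection.headline": 'Suspicious "powershell" <encoded>',
}

# $[JSON:|XML:]Name.with.dots followed by zero or more ["segment"] selectors.
_REF = re.compile(r'\$(?:(JSON|XML):)?([A-Za-z_][\w.]*)((?:\["[^"]*"\])*)')
_SEG = re.compile(r'\["([^"]*)"\]')


def resolve(value, segments):
    """Walk ["key"] segments into a parsed JSON value; "*" fans out over an array.

    Everything after the "*" is applied to each element, so
    resolve(obj, ["users", "*", "name"]) yields a list of names.
    """
    for i, seg in enumerate(segments):
        if seg == "*":
            if not isinstance(value, list):
                raise KeyError('["*"] applied to a value that is not an array')
            return [resolve(item, segments[i + 1:]) for item in value]
        value = value[seg]
    return value


def render(template, variables):
    """Expand $Variable, $JSON:Variable and $XML:Variable references in a payload template."""

    def repl(match):
        mode, name, path = match.group(1), match.group(2), match.group(3)
        value = resolve(variables[name], _SEG.findall(path))
        if mode == "JSON":
            # Assumed semantics: a full JSON literal, quotes and backslashes escaped.
            return json.dumps(value)
        text = value if isinstance(value, str) else json.dumps(value)
        if mode == "XML":
            # Escape &, <, > and also double quotes so the value is safe in attributes.
            return xml_escape(text, {'"': "&quot;"})
        return text  # plain $Variable: inserted verbatim

    return _REF.sub(repl, template)


def parse_payload(text):
    """Return the parsed JSON payload, or None if interpolation produced invalid JSON."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def demo():
    """Render the same payload with raw and with JSON-escaped interpolation."""
    unsafe = render('{"headline": "$Detection.headline"}', VARIABLES)
    safe = render(
        '{"headline": $JSON:Detection.headline, '
        '"users": $JSON:Model.attributes["users"]["*"]["name"]}',
        VARIABLES,
    )
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("raw interpolation :", unsafe, "->", "valid" if parse_payload(unsafe) else "BROKEN")
    print("$JSON: escaping    :", safe, "->", parse_payload(safe))
    print("$XML: escaping     :", render("<h>$XML:Detection.headline</h>", VARIABLES))
```

The raw template is broken by the embedded quotes in the headline, while the $JSON: form stays valid and carries the ["*"] result through as a JSON array.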
Variable Name | Description | Search Option |
--- | --- | --- |
Activity Monitor/ActivityMonitorMatch | | Search by name, file path, timestamp of the activity match (hit_at), and id of the activity matched |
AuditLog | | Search by specific action captured in the portal Audit Log, by portal user, by user id, by timestamp of the Audit Log entry, and by a description of the log entry |
CurrentTime | | Search by day of the week and hour of the day using a specified time zone (e.g., CST, EST, MST, PST, and UTC) |
Detection | The automation of Detection and Threats is used to provide supporting information. | Search by severity and classification, IOC and telemetry details, and acknowledgment and resolution activities |
Endpoint/EndpointUser | Endpoints are the computing devices throughout your organization. Software sensors installed on those endpoints gather thorough telemetry about the state of those systems' operating systems. | Search by different identifiers, e.g., domain and username. Note: Delimiters (e.g., @ or \) should not be included when searching or filtering by domain. |
Event | Events are changes in the behavior of a system, an environment, a process, a workflow, or a person. | Search by command line, url, id, expected impact, |
ExternalAlert/ExternalAlertSource/ExternalAlertSourcePlatform | External alerts are generated by your security systems and processed by Red Canary. | Search by identifier, url, email, json (supports JSON interpolation), reported severity, risk score, etc. |
Indicator | Security indicators are metrics-based values describing how an activity, process, or control behaved over a given period. These critical indicators are developed from predetermined criteria and may indicate an organization's general security posture. | Search by include, domain, id, ip, path, and type |
Note | | Search by author email or content |
Subdomain | | Search by subdomain |
Note: To see a list of Trigger conditions, related Models, and Variables available when creating an Automate Trigger, please view Automate Trigger Variables.