Red Canary Alert Workflow Rules enable you to create custom ingest rules and define actions for the status or resolution of alerts from third party platforms. You can automatically review alert data as it comes into Red Canary and make updates to the actions you want taken when alerts are detected. Adding Alert Workflow Rules ensures you’re focusing on the alerts that impact your organization the most. This article will cover how to create an Alert Workflow Rule, add rules and actions to your Workflow Rule, and add suppression rules as needed.
Estimated procedure time: 5 minutes
Create Alert Workflow Rules
Add Alert Workflow Rules to get the most out of Red Canary’s alert detection. Include the criteria and actions you want taken during specific events.
- From your Red Canary dashboard, click the Alerts dropdown, and then click Workflow Rules. The Alert Workflow Rules page displays which filters are currently available and contains status (active/inactive), creation date, and subdomain restriction information.
- To configure a new global Alert Workflow Rule, click Create Alert Workflow Rules.
- Enter a Title and Description for the rule.
- Ensure that the Active slider is toggled to the ON position (toggled to the right, highlighted in green).
- To add criteria to your new rule, click Select an option, and then select the rule criteria. Depending on your selection, you’ll be able to add additional criteria to your rule. You can also click Add Criteria to add additional filtering criteria that will further narrow your search.
Note: Make sure that all your criteria are linked together as the rule will only apply if all criteria are met during an alert.
Your criteria include:
- Alert Blocked Status equals—Matches whether the alert source reported that the alert is blocked or not blocked
- Alert Classification contains—Searches for a substring on classification
- Alert Classification equals—An exact match on the classification
- Severity equals—Standardizes the alert source as low medium high or unknown
- Alert Source is—The product that generated the alert (non specific to any customer's environment)
- Alert Title equals—Has to be an exact match for the alert title
- Alert has a Filter Point—Enhanced parsing and a mapping from field to value
- Alert mentions a Device—Matches the devices that Red Canary parses on the alert including Host name, IP address and Mac address
- Alert mentions a File—Looks for a match of the criteria of a file that is part of the alert (Example: file name, the SHA-1 hash, SHA-256 hash value)
- Alert mentions a Network Connection—Matches to the destination IP, Destination Port, Domain, Source IP, Source Port, or URL
- Alert mentions a Process—Matches to a specific process name and process ID
- Alert mentions an Identity—Looks for email address, user name, phone number, windows SID, or posix ID
- When CIDR/IP Range includes the Alerts—Matches to the device, destination or source IP address/CIDR block
- Native alert JSON field equals—Matches between a field name and a value
- Native alert Raw data matches—Allows you to specify a regular expression to match against raw alert data
- In the Actions section, click Select an option to create the actions that will happen when an alert matches the specified criteria. There are five actions that can take place:
- Add a Note to the alert—creates a note that is attached to the alert
- Set Alert Assignee to—assigns the alert to the individual in your organization you want notified of the alert
- Set Alert Status to—changes the Alert status to one of the following:
Resolved: False Positive
Resolved: Authorized Testing
Resolved: Remediation Unwarranted
Resolved: Sanctioned Activity
Resolved: Not a Threat
Analysis Complete: Threat
Analysis Complete: Highly Suspicious
Analysis Complete: Suspicious
Analysis Complete: Not a Threat
Set Alert Severity to—changes the Alert Severity to one of the following:
- You can add as many actions as you want taken during an alert by clicking Add Action.
- When you are finished, you can:
- Click Create for New Alerts and the Alert Workflow Rule will be implemented to all new alerts from the time the rule was implemented.
- Click Create for New and Existing Alerts and the Alert Workflow Rule rule will be implemented to all new alerts and the alerts already collected by Red Canary.