The response actions plugin introduces the functionality of running actions on a Linux endpoint triggered in response to threats, as well as within the Red Canary Portal Automations feature.
The plugin is disabled by default. When you install the Linux Endpoint Detection and Response (EDR) sensor with the “Deploy Sensors” instructions in your portal, there is no code shipped that allows the sensor to perform any actions whatsoever on the endpoint. The response actions plugin must be explicitly enabled from within your Red Canary portal to receive this functionality.
Response Action: File Retrieval and Deletion
The first action supported by the Response Actions plugin is File Retrieval and File Deletion. You can trigger this action in response to a threat from your Red Canary Portal. When you use the file retrieval functionality, you will receive an email with a download link to retrieve your file from the Red Canary portal. When you use the file deletion functionality, the sensor will delete the relevant file based on the path provided in the threat.
How to use Response Actions
- Click Threats from the navigation menu, and choose the relevant threat. On the top right click Respond.
- The response actions you can take will appear on the right side of the threat details.
- Click Review & Execute and confirm the action.
- The Automate On Demand Playbook window opens, displaying which actions will be performed. Click Approve & Execute to confirm the operation.
For more information about playbooks, please read Getting Started with Automation.