Overview

Response plans consist of a number of actions that you specify to take against an endpoint.  An example response plan might consist of: killing processes, capturing binaries, and isolating and endpoint.

This article is part of a four-part series:

Respond to confirmed threats
Isolate an endpoint
Execute response plans (this article)
Audit response plans

Getting Started

You can begin crafting a response plan by clicking on the red "Respond" button that appears at the top of the detection timeline:

Clicking the button will reveal a red banner that runs alongside the entire detection timeline:

You can select a number of actions:  Kill Process, Delete File, Capture File, Ban Binary, and Delete Registry Key.

Automatically Prepared Response Plans

You will notice that certain response actions are pre-selected: This is Red Canary's way of saving you time by auto-selecting the action items that are tied to high-confidence indicators-of-compromise (IoCs).

Executing the Response Plan

You can review selected actions by clicking the "Review & Execute" button that appears on the bottom on the detection timeline:

The following menu appears once button is clicked:

The Response Plan window provides a summary of all selected response actions.  The response items are grouped into two categories: 'Enterprise-wide actions' and 'Endpoint-specific actions'.

You are able to drag-and-drop the response items that appear under 'Endpoint-specific actions'. A common use case for this may be capturing a file before telling the system to delete it.

Click 'Execute' once you have reviewed the response actions.

Upon execution, the Red Canary platform will attempt to execute the response plan. If the endpoint is currently offline, the plan will be queued for execution once the endpoint reestablishes communication.

Did this answer your question?