Overview

The Red Canary platform is built to empower your response to threats confirmed by our analysts. Response actions include isolating endpoints, killing processes, deleting files and registry keys, capturing binaries, and banning file hashes across your environment.

This article is part of a four-part series:

Respond to confirmed threats (this article)
Isolate an endpoint
Execute response plans
Audit response plans

Getting Started

To start a response, click the red "Respond" button at the top of the detection timeline.

Clicking the button opens a sidebar along the right-hand side of the detection timeline.

The following actions are available to you:

  • Isolate Endpoint: Cuts off the endpoint's network communication.
  • Kill Process: Terminates the running process.
  • Delete File: Removes the file from disk.
  • Capture File: Retrieves a copy of the file from the endpoint for further analysis (running it through a sandbox, reverse engineering, etc.).
  • Ban Binary: Bans the file's hash so the file cannot execute on any endpoint. Only that exact hash is matched; a modified copy of the file has a different hash and is not covered by the ban.
  • Delete Registry Key: Removes the registry key from the system.