Active Remediation FAQ
    • 18 Jul 2024

    Can I customize automations and response actions taken?

    • Unique, user-specific environmental scenarios are supported on a best-effort basis and require discussion with, and approval from, the Threat Response Engineering (TRE) Team.

    • Given our operational processes and workflows, some modifications to automations and/or our response may not be supported.

    Is Active Remediation 24/7?

    • Active Remediation is performed 24/7 using a combination of SOAR and EDR-provided remote response capabilities. Threats are prioritized by severity and acted on accordingly.

      • High-severity Threats are contained with automation and then reviewed, with additional actions taken as necessary by the TRE team.

      • Medium-severity Threats are contained with automation during non-business hours and then reviewed. Additional actions are taken as necessary during business hours by the TRE team.

      • Business hours are 6AM MT-6PM MT, Monday through Friday, excluding holidays. Red Canary holidays are in line with US Federal holidays; for additional information, contact your CSM.

    How long does it take to respond, and is there an SLA?

    • Red Canary Active Remediation has no publicly shareable Service Level Agreements (SLAs) or Service Level Objectives (SLOs), because threats differ in severity and complexity. This approach enables Red Canary Active Remediation to continuously deliver high-quality services at scale.

    What EDR Sensors does Active Remediation support?

    • Carbon Black Response 

    • Carbon Black Cloud

    • CrowdStrike

    • Microsoft Defender for Endpoint

    • Palo Alto Cortex XDR

    • SentinelOne

    What Operating Systems does Active Remediation support?

    • Windows

    • MacOS

    What Operating Systems does Active Remediation not support?

    • Active Remediation does not support Linux due to the following:

      • Wide variety of Linux distributions

      • Response complexity and impact of 24/7 hands-on remediation without in-depth knowledge of the environment

      • Operational importance of most Linux endpoints

    What is the Request Remediation button in my portal?

    • All Red Canary portals include a “Request Remediation” button that is unlocked only for full Active Remediation users.

    • The Request Remediation button allows on-demand requests for remediation of a published High- or Medium-severity Threat. The purpose of this feature is to give users a mechanism for requesting additional support in instances where:

      • Endpoints were previously not tagged within a designated remediation group but now are, and the user would like support addressing the threat

      • Threats were acknowledged by the user, who then handled remediation efforts themselves for a variety of reasons, but who now would like to re-engage a TRE for support

      • Threats could not be remediated because the host was offline. In that case the Remediation summary asks you to use the Request Remediation button to notify the team when the host is back online.

    What happens when the Request Remediation button is pushed?

    • The Active Remediation team will begin remediation efforts on the affected endpoint, adhering to the standard remediation practices outlined earlier in this document.

    I have a pentest or Red Team engagement coming up. What should I do?

    • If you would like the TRE team to respond to all threats during your engagement as if they were true threats, you do not need to notify us. Red Canary will treat these threats as legitimate and take the necessary remediation actions.

    • If you would like the TRE team to be aware of the engagement and respond differently to threats associated with it, click Contact Us before the engagement begins and we can work with you to customize our response.

    Disconnect Active Remediation automated playbooks

    Four playbooks are created automatically when a customer enables any Active Remediation (AR) subscription. The four playbooks are:

    • AR — Unsupported OS Detected

    • AR — Malicious/Suspicious Threat has new IOC

    • AR — Malicious/Suspicious Threat Published

    • AR — Notes Added by Red Canary

    If you no longer use the AR subscription, you may need to remove the AR templated playbooks manually. Click Disconnect to disconnect the playbook without deleting it.

    Alternatively, to remove a playbook’s association with a trigger, click the playbook, then click Delete in the left-hand menu.
