Getting Started with Active Remediation
    • 20 Sep 2024
    • 3 Minutes to read
    • PDF

    Getting Started with Active Remediation

    • PDF

    Article summary

    Red Canary Active Remediation is an annual subscription product that can be purchased as an add-on for Red Canary Managed Detection & Response (MDR) for Endpoint subscriptions.

    Active Remediation provides hands-on-keyboard remediation support for Red Canary-managed endpoints.

    How does Active Remediation Work?

    Active Remediation utilizes endpoint sensor groups to perform remediation on Red Canary managed endpoints for supported EDRs based on the subscription details outlined above. Please see the EDR-specific sections below for more information on how Active Remediation is configured.

    When Red Canary MDR publishes a Threat occurring on a Red Canary managed endpoint tagged within a designated remediation group:

    • the Active Remediation Threat Response Engineer (TRE) team is notified to begin working through remediation based on the subscription details outlined above (example: threat classification and time zones if applicable).

    • Simultaneously, SOAR (security orchestration, automation and response) capabilities will take immediate actions to ensure the endpoint is in a standard state, including commands to isolate the host and removing artifacts known as identified indicators of compromise (IOCs).

    • Upon notification of the Threat, the team acknowledges it, indicating in your portal that a TRE has begun working on it.

    • If a Threat is marked as remediated by your team while a TRE is actively investigating or remediating the Threat, we will conclude our investigation and response at that time.

    Following our investigation and completion of remediation tasks:

    • a Remediation Summary is documented that includes the Threat details and a log of all actions taken on the endpoint through the TRE team. These details are shared directly on the Threat timeline.

    • If the Threat cannot be fully remediated through the EDR remote response capabilities, then the following will occur:

      • The Threat Response Engineers’ actions will be included in the Remediation Summary, along with additional recommended actions.

      • The Threat will be left open for review and closed appropriately after the recommendations are considered and/or complete.

    Videos

    Learn more about Active Remediation with the videos below on each relevant topic:

    Configuring Active Remediation

    Below is the process for tagging endpoints that will be covered by Red Canary Active Remediation within your Red Canary portal, related to each supported EDR.

    Carbon Black Cloud

    1. From the Carbon Black Cloud homepage, click the Enforce dropdown in the navigation pane.

    2. Click Policies.

    3. Click +NEW POLICY.

    4. Enter remediate - [policy name] for your Policy Name.

      Note: For existing policies, rename the policy as remediate - [existing policy name].

    5. Click Save.

    Carbon Black Response

    1. From the Carbon Black Response homepage, click Sensors in the navigation pane.

    2. Click NEW.

    3. Enter remediate_[sensor group name] for your Group Name.

    4. Click Create Group.

      Existing sensor groups can be renamed to adhere to this convention.

    NOTE:

    Active Remediation is not able to support on-premise (customer-hosted) Carbon Black Response EDR.

    Cortex

    By default, endpoints are not placed into a logical group.

    1. To create a new Endpoint group, navigate to Endpoints.

    2. Click Endpoint Groups, and then click Add Group.

    3. Groups should follow the naming convention: remediate - [group_name]

    CrowdStrike

    By default, endpoints are not placed into a logical group.

    1. To create a new endpoint group, navigate to Host setup and management.

    2. Click Host groups, and then click Add New Group.

    3. Groups should follow the naming convention: remediate - [group_name]

    In addition to creating a new Remediate Host Group, additional configurations may need to be implemented for Response and Prevention Policies.

    1. To review your Prevention Policies, navigate to Endpoint Security, and then click Configure.

    2. Click Prevention Policies.

    3. Remediate host groups must have the following policy feature enabled in their attached policy for both Windows and OSX:

      1. Custom Blocking

    4. To review your Response Policies, navigate to Host Setup and Management, and then click Response and Containment.

    5. Click Response Policies.

    6. Remediate host groups must have the following settings enabled in the attached policy for both Windows and OSX:

      1. Real Time Response

      2. Custom Scripts

      3. get

      4. put

      5. run

    Microsoft Defender for Endpoint

    SentinelOne

    By default, endpoints are placed into a “Default Group” in a respective site and inherit the site policies.

    1. To create a new endpoint group, navigate to endpoints (Sentinels).

    2. Click Group, and then click New Group.

    3. Enter remediate - [group_name] for your group name.


    Was this article helpful?