Active Remediation Automation
    • 18 Mar 2024


    Since Active Remediation is an applied security orchestration, automation, and response (SOAR) product, early threat triage and containment rely on a few automations. These automations only take effect against hosts in a remediate sensor group. Your team cannot modify Red Canary Managed automations.

    AR - High or medium severity threat published (Red Canary managed)

    • These automations fire on high or medium severity threats and automatically isolate the host affected by the Threat. They also notify our Threat Response Engineers (TREs) of the Threat via Slack and PagerDuty.

    • TREs take an isolate-first approach to limit the risk of malware propagation or lateral movement. This approach also gives the team time to log into your environment and investigate.

    IOC Response (Red Canary Managed)

    • This automation attempts to perform initial triage of the Threat by acting on indicators of compromise (IOCs). Red Canary treats IOCs as artifacts that the team has determined to be malicious and safe to act against.

    • Actions vary based on the supported capabilities of your EDR platform. They can include the following actions:

      • ban hash

      • kill process

      • delete binary

      • delete registry key

      • ban domain

      • quarantine file

    Remediation Requested (Red Canary Managed)

    • When the Request Remediation feature is used, it sends messages to the TRE team via Slack and PagerDuty.

    Notify TRE of New Note (Red Canary Managed)

    • When your team uses the Add Comment functionality on a Threat, it sends messages to the TRE team via Slack and PagerDuty. This automation helps provide context when your team has additional information about the observed activity, including expected admin or developer behavior.

    Notify Customer of New Note

    • Upon completion of remediation, a TRE will provide a summary of your Threat timeline, including completed actions and any outstanding actions for your team.

    • This automation emails specific email addresses to notify you that remediation is complete.

    • It is customizable by your team and can be altered to send Slack, Teams, SMS, PagerDuty, Voice, Webhook, or Syslog notifications.

    Unsupported OS Detected

    • This automation fires an email to specified email addresses when a Linux endpoint is placed in a Remediate Sensor Group.

    Note: Automations leveraging PagerDuty for TRE workflows only contain the following information: Threat URL, Threat Severity, and Threat Classification.
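    The gating rules above (remediate sensor group only, isolate-first on high or medium severity, IOC actions limited to what the EDR supports, and a PagerDuty message carrying only the three listed fields) modeled as a small policy evaluator. This is an added illustration, not Red Canary's code; the Threat fields, the capability strings, the IOC dictionary shape and the function names are assumptions.

```python
from dataclasses import dataclass, field

# IOC actions listed on the page; which ones run depends on EDR support.
IOC_ACTIONS = ("ban hash", "kill process", "delete binary",
               "delete registry key", "ban domain", "quarantine file")

# PagerDuty messages for TRE workflows carry only these three fields.
PAGERDUTY_FIELDS = ("threat_url", "severity", "classification")


@dataclass
class Threat:
    threat_url: str
    severity: str                 # "high", "medium" or "low"
    classification: str
    in_remediate_group: bool      # affected host is in a remediate sensor group
    # Assumed shape: IOC action name -> artifacts the TREs marked safe to act on
    iocs: dict = field(default_factory=dict)


def plan_actions(threat: Threat, edr_capabilities: set) -> list:
    """Return the automated actions that would fire for this Threat, in order."""
    actions = []
    # Managed automations only act on hosts in a remediate sensor group.
    if not threat.in_remediate_group:
        return actions
    # High or medium severity: isolate first, then page the TREs.
    if threat.severity in ("high", "medium"):
        actions.append("isolate host")
        actions.append("notify TRE via Slack and PagerDuty")
    # IOC Response: only actions this EDR platform supports, and only for
    # artifacts that were actually published with the Threat.
    for action in IOC_ACTIONS:
        if action in edr_capabilities and threat.iocs.get(action):
            actions.append(action)
    return actions


def pagerduty_payload(threat: Threat) -> dict:
    """Minimal PagerDuty payload: Threat URL, severity and classification only."""
    return {name: getattr(threat, name) for name in PAGERDUTY_FIELDS}


def unsupported_os_alert(host_os: str, in_remediate_group: bool) -> bool:
    """True when a Linux endpoint is placed in a remediate sensor group."""
    return in_remediate_group and host_os.lower() == "linux"
```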
