- 18 Mar 2024
- 1 Minute to read
- PDF
Active Remediation Automation
- Updated on 18 Mar 2024
- 1 Minute to read
- PDF
Since Active Remediation is an applied security orchestration, automation, and response (SOAR) product, early threat triage and containment necessitate a few automations. These automations only take effect against hosts in a remediate sensor group. Your team cannot modify Red Canary Managed automations.
AR - High or medium severity threat published (Red Canary managed)
These automations fire on either high or medium severity threats and will automatically isolate the affected host in the Threat. They also notify our Threat Response Engineers (TREs) via Slack and PagerDuty of the Threat.
TREs take an isolate-first approach to limit the risk of malware propagation or lateral movement. Similarly, this approach gives the team time to log into your environment and investigate.
IOC Response (Red Canary Managed)
This automation attempts to perform initial triage of the Threat by actioning Indicators of compromise (IOCs). Red Canary views IOCs as artifacts that the team has determined as malicious and safe to act against.
Actions will vary based on the supported capabilities of your EDR platform. They can include the following actions:
ban hash
kill process
delete binary
delete registry key
ban domain
quarantine file
Remediation Requested (Red Canary Managed)
When the Request Remediation feature is used, it sends messages to the TRE team via Slack and PagerDuty.
Notify TRE of New Note (Red Canary Managed)
When your team leverages the Add Comment functionality on a Threat, it sends messages to the TRE team via Slack and PagerDuty. This automation helps provide context when your team has additional information about the observed activity, including expected admin or developer behavior.
Notify Customer of New Note
Upon completion of remediation, a TRE will provide a summary of your Threat timeline, including completed actions and any outstanding actions for your team.
This automation emails specific email addresses to notify you that remediation is complete.
It is customizable by your team and can be altered to send Slack, Teams, SMS, PagerDuty, Voice, Webhook, or Syslog notifications.
Unsupported OS Detected
This automation fires an email to specified email addresses when a Linux endpoint is placed in a Remediate Sensor Group.
Note: Automations leveraging PagerDuty for TRE workflows only contain the following information: Threat URL, Threat Severity, and Threat Classification.