Login
      Contents x
      Active Remediation Automations
      • 21 Aug 2024
      • 1 Minute to read
      • PDF
      Contents

      Active Remediation Automations

      • Updated on 21 Aug 2024
      • 1 Minute to read
      • PDF
      Article summary

      Active Remediation is a security orchestration, automation, and response (SOAR) applied product, meaning that we require a handful of automations to perform initial triage and containment of Threats. These automations only take effect against hosts in a remediate sensor group. Automations that are Red Canary Managed are not modifiable by your team.

      High Severity Threat Published and Active Remediation (AR) - Medium Severity Threat Published (Red Canary Managed)

      • These automations fire on either a High or Medium severity Threat and will automatically isolate the affected host in the Threat. The automations also notify our Threat Response Engineers (TREs) via Slack and PagerDuty.

      • TREs take an isolate-first approach to limit the risk of malware propagation or lateral movement. Similarly, this approach gives the team time to log into your environment and investigate.

      IOC Response (Red Canary Managed)

      • This automation attempts to perform initial triage of the Threat by actioning Indicators of compromise (IOCs). Red Canary views IOCs as artifacts the team has determined as malicious and safe to act against.

      • Actions will vary based on the supported capabilities of your EDR platform. They can include the following actions:  

        • ban hash

        • kill process

        • delete binary

        • delete registry key

        • ban domain

        • quarantine file

      Notify Customer of New Note

      • Upon completion of remediation, a TRE will provide a summary of your Threat timeline that covers actions performed and any outstanding actions for your team.

      • This automation emails specific email addresses to notify you that remediation is complete.

      • This automation is customizable by your team and can be altered to send Slack, Teams, SMS, PagerDuty, Voice, Webhook, or Syslog notifications.

      Remediation Requested (Red Canary Managed)

      • When the Request Remediation function is utilized, this automation fires notifications to the TRE team via Slack and PagerDuty.

      Notify TRE of New Note (Red Canary Managed)

      • When your team leverages the Add Comment functionality on a Threat, the automation fires notifications to the TRE team via Slack and PagerDuty,

      • This automation helps provide context when your team has additional information about the observed activity, including expected admin or developer behavior.

      Unsupported OS Detected

      • This automation fires an email to specified email addresses when a Linux endpoint is placed in a Remediate Sensor Group.

      Note: Automations leveraging PagerDuty for TRE workflows only contain the following information: Threat URL, Threat Severity, and Threat Classification.

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout