- 20 Jun 2024
FAQ
What if multiple actions in a playbook require approval?
Each unique contact will only receive one approval notice per playbook. For example, if you use the same email address, SMS number, or Slack URL for approval on five different actions in the same playbook, they will only receive one approval email (not five) when the playbook executes.
What if I don’t approve an action?
If a required action is not accepted within a few minutes, a new set of notifications is sent. These notifications will continue on a less frequent schedule until we've either exhausted all retries (six tries over ~20 hours) or all actions are approved.
What if I am not comfortable with automation?
Many teams aren’t comfortable diving into fully automated response and remediation when threats are detected. Red Canary’s accuracy rates are much higher, but it can still take weeks or months to get comfortable. There are also situations in which any action taken on specific endpoints (domain controllers, for example) would be too impactful for your business to be allowed.
We designed action approvals for these very situations. Allowing certain actions to require approval by your team before executing is a smart way to begin using automation.
File hash ban using automation with Microsoft Defender for Endpoint
When Red Canary bans a file hash via Automate, the scope is automatically set to all endpoints on the Microsoft Defender side. You can view any file hash bans by logging into your Microsoft 365 Defender console and going to Settings | Endpoints | Indicators. The Title column reads Red Canary Automate to indicate that the indicator was created via automation.
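To confirm that automation-created bans look the way this section describes (a SHA-256 hash, a blocking action, scoped to all endpoints), the following added example audits a list of indicator records. It is not Red Canary's or Microsoft's code; the field names (indicatorValue, indicatorType, action, title, rbacGroupNames) are assumed to follow the Defender for Endpoint Indicators API, and the sample records and hashes are constructed.

```python
"""Audit file-hash indicators created by automation in Microsoft Defender for Endpoint.

Constructed example. The records mimic the shape of the Defender for Endpoint
Indicators API response (assumed field names); in practice you would fetch the
JSON list from the API and pass it to audit_automation_bans().
"""
from dataclasses import dataclass, field

AUTOMATION_TITLE = "Red Canary Automate"          # title marker shown in the console
BLOCKING_ACTIONS = {"Block", "AlertAndBlock", "BlockAndRemediate"}


@dataclass
class Finding:
    sha256: str
    issues: list = field(default_factory=list)   # empty list means the ban looks as expected


def audit_automation_bans(indicators):
    """Return one Finding per automation-created hash ban.

    A ban is expected to be a SHA-256 indicator with a blocking action, scoped to
    all devices (empty rbacGroupNames). Deviations are recorded for analyst review.
    """
    findings = []
    for ind in indicators:
        if AUTOMATION_TITLE not in (ind.get("title") or ""):
            continue  # created by hand or by another source; out of scope here
        finding = Finding(sha256=ind.get("indicatorValue", ""))
        if ind.get("indicatorType") != "FileSha256":
            finding.issues.append(f"unexpected type {ind.get('indicatorType')}")
        if ind.get("action") not in BLOCKING_ACTIONS:
            finding.issues.append(f"non-blocking action {ind.get('action')}")
        if ind.get("rbacGroupNames"):
            finding.issues.append("scoped to device groups, not all endpoints")
        findings.append(finding)
    return findings


# Constructed sample records (fabricated hashes, not real indicators).
SAMPLE_INDICATORS = [
    {"indicatorValue": "a" * 64, "indicatorType": "FileSha256", "action": "Block",
     "title": "Red Canary Automate - ban sample.exe", "rbacGroupNames": []},
    {"indicatorValue": "b" * 64, "indicatorType": "FileSha256", "action": "Alert",
     "title": "Red Canary Automate - ban tool.exe", "rbacGroupNames": ["Servers"]},
    {"indicatorValue": "c" * 64, "indicatorType": "FileSha256", "action": "Block",
     "title": "Manual block by SOC", "rbacGroupNames": []},
]

if __name__ == "__main__":
    for f in audit_automation_bans(SAMPLE_INDICATORS):
        print(f.sha256[:12], "OK" if not f.issues else "; ".join(f.issues))
```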
What if I connect a trigger to a playbook with actions that make no sense?
The great thing about reusable triggers and playbooks is that they save you a lot of time when you need multiple triggers to call the same actions. But they also allow you to connect playbooks that are incompatible with a specific trigger.
We are working on ways to prevent this in the future, but for now, make sure you don’t connect your “endpoint remediation” playbook to a “When an audit log occurs” trigger, or nothing will happen!
When you add actions to a playbook, you can select attributes or variables from a list to customize your actions. Variables and their corresponding actions are grouped together.