- 15 Jul 2024
- 1 Minute to read
- PDF
Dry Run Threats for Playbooks
- Updated on 15 Jul 2024
- 1 Minute to read
- PDF
This article leads through the process of checking whether a threat matches the conditions you have set for a trigger since playbooks are only run when all trigger conditions match. A threat can change over time and this tool allows you to see what the state of the threat is at the time automation is run. Threats published in the last 90 days are available for trigger dry runs.
The steps below take into account that you already know how to access and run playbooks.
Check if the trigger’s conditions match a threat
From your Red Canary homepage, click Automation.
Review your listed playbooks.
If a playbook does not run, click Check if a Threat meets these conditions.
Note: A checkmark indicates if the trigger’s condition matches a threat.
Trigger condition does not match a threat
Under most conditions, you will be able to see exactly why a condition failed to match. In this example a threat was remediated, but since its severity was Low, the trigger did not match and the playbook(s) did not run.
The threat was originally listed as low severity but was later increased to high, which is why the condition did not match.
Updates to threats
When there is a substantive update to a threat, Red Canary will re-publish the threat.
To see whether a threat has been updated, click the dropdown arrow from the Check field.
Note: Multiple options display, each with a timestamp of the published time.
Select the correct threat to run the playbook.
Classification differences
This is an example of a recently remediated threat that includes Credential Theft as the threat secondary classification.
This is an example of a trigger condition that has changed because the secondary classification updated after the threat was remediated.
To match the conditions, click the dropdown arrow from the Check field.
Select the desired Threat value.
Note: Threats may have more than one version if there has been a Substantive Update. The timestamp provided refers to the latest publish time.