Dry Run Threats for Playbooks
    • 15 Jul 2024

    Article summary

    This article walks through checking whether a threat matches the conditions you have set for a trigger; a playbook runs only when all of its trigger conditions match. A threat can change over time, and this tool lets you see the state of the threat at the time the automation is run. Threats published in the last 90 days are available for trigger dry runs.

    The steps below assume that you already know how to access and run playbooks.

    Check if the trigger’s conditions match a threat

    1. From your Red Canary homepage, click Automation.

    2. Review your listed playbooks. 

    3. If a playbook does not run, click Check if a Threat meets these conditions.

    Note: A checkmark indicates whether the trigger’s condition matches a threat.

    Trigger condition does not match a threat

    In most cases you will be able to see exactly why a condition failed to match. In this example a threat was remediated, but because its severity was Low, the trigger did not match and the playbook(s) did not run.

    The threat was originally published with Low severity and was later raised to High, which is why the condition did not match.

    Updates to threats

    When there is a substantive update to a threat, Red Canary will re-publish the threat. 

    1. To see whether a threat has been updated, click the dropdown arrow from the Check field.

      Note: Multiple options display, each with a timestamp of the published time.

    2. Select the correct threat to run the playbook.

    Classification differences

    This is an example of a recently remediated threat that includes Credential Theft as the threat secondary classification.

    This is an example of a trigger condition that has changed because the secondary classification updated after the threat was remediated.

    1. To match the conditions, click the dropdown arrow from the Check field.

    2. Select the desired Threat value.

      Note: Threats may have more than one version if there has been a Substantive Update. The timestamp provided refers to the latest publish time.
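    The two situations above (a severity that was raised after the first publish, and a secondary classification that was added after remediation) come down to the same mechanism: a trigger is evaluated against one published version of a threat, and a later re-publish is a different snapshot. The following model, added here as an illustration and not Red Canary's own code or API, shows that mechanism with constructed data. The field names (`severity`, `status`, `classifications`), the condition operators, the sample threat versions and the trigger itself are all assumptions made for the example.

```python
"""Constructed model of a trigger dry run against versioned threat snapshots.

This is an added illustration, not Red Canary's implementation. Field names,
operators and sample data are assumptions chosen to mirror the article's examples.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ThreatVersion:
    """One published snapshot of a threat; a substantive update creates a new one."""
    threat_id: str
    published_at: datetime
    severity: str                                  # assumed values: low / medium / high / critical
    status: str                                    # assumed values: detected / remediated
    classifications: frozenset = frozenset()       # secondary classifications at publish time


def evaluate_condition(version, cond):
    """Evaluate one (field, operator, expected) condition against a snapshot."""
    field_name, op, expected = cond
    actual = getattr(version, field_name)
    if op == "==":
        return actual == expected
    if op == "in":                                 # actual must be one of several allowed values
        return actual in expected
    if op == "contains":                           # a set-valued field must include the value
        return expected in actual
    raise ValueError(f"unsupported operator {op!r}")


def dry_run(version, conditions):
    """Return (all_matched, per_condition_results) for one published version.

    The per-condition map is what lets a reader see exactly which condition
    failed, as the article describes for the Low-severity example.
    """
    results = {cond: evaluate_condition(version, cond) for cond in conditions}
    return all(results.values()), results


def failed_conditions(version, conditions):
    """Human-readable list of the conditions that did not match this version."""
    _, results = dry_run(version, conditions)
    return [
        f"{cond[0]}: expected {cond[1]} {cond[2]!r}, got {getattr(version, cond[0])!r}"
        for cond, ok in results.items() if not ok
    ]


def latest_version(versions):
    """The most recently published snapshot (the timestamp shown in the Check dropdown)."""
    return max(versions, key=lambda v: v.published_at)


def first_matching_version(versions, conditions):
    """Oldest published version for which every condition matches, or None."""
    for v in sorted(versions, key=lambda v: v.published_at):
        if dry_run(v, conditions)[0]:
            return v
    return None


# --- Constructed sample data ------------------------------------------------
UTC = timezone.utc
SAMPLE_VERSIONS = [
    # First publish: remediated, but only Low severity and no secondary classification.
    ThreatVersion("THREAT-EXAMPLE-1", datetime(2024, 7, 1, 9, 0, tzinfo=UTC),
                  severity="low", status="remediated"),
    # Substantive update: severity raised to High, Credential Theft added.
    ThreatVersion("THREAT-EXAMPLE-1", datetime(2024, 7, 2, 14, 30, tzinfo=UTC),
                  severity="high", status="remediated",
                  classifications=frozenset({"Credential Theft"})),
]

# Assumed trigger: remediated, High or Critical severity, involving credential theft.
TRIGGER_CONDITIONS = [
    ("status", "==", "remediated"),
    ("severity", "in", ("high", "critical")),
    ("classifications", "contains", "Credential Theft"),
]

if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        matched, _ = dry_run(v, TRIGGER_CONDITIONS)
        mark = "✔" if matched else "✘"
        print(f"{mark} {v.threat_id} published {v.published_at.isoformat()}")
        for line in failed_conditions(v, TRIGGER_CONDITIONS):
            print("    ", line)
```

    Running the block shows the first version failing on `severity` and `classifications` while the re-published version matches on every condition, which is the situation the Check dropdown lets you reproduce by selecting the version with the later timestamp.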


