Enable the Red Canary Plugin for Microsoft Copilot for Security

Updated on 18 Oct 2024
1 Minute to read

Article summary

Did you find this summary helpful?

Thank you for your feedback

Follow these steps to enable the Red Canary plugin for Microsoft Copilot for Security.

Upload the plugin manifest to Microsoft Security Copilot

Note: To test this plugin, you must have a Microsoft Copilot for Security instance. Microsoft Copilot for Security has a usage consumption model, and you may incur additional costs from Microsoft for using the Red Canary Plugin for Microsoft Copilot for Security.

Follow the instructions outlined in the Microsoft help docs for installing a custom plugin.
1. Select Security Copilot Plugin.
2. Select the .yaml format.
3. Enter the following URL:
  (https://rc-customer-tools.s3.us-east-2.amazonaws.com/msft_copilot_plugin/RedCanary_manifest.yaml)
Specify the subdomain URL under the instance URL you want Security Copilot to use.
Configure the API key as documented here in the Microsofts help docs.

API Usage

Note: The plugin only uses GET requests and cannot update your Red Canary instance or data.

API Endpoint	Request Type	Prompt	API Role Required
openapi/v3/endpoints	GET	Show me the 25 most recent endpoints in Red Canary	Analyst Viewer
openapi/v3/endpoint_users	GET	Can you show me the most recent 10 endpoint users in Red Canary?	Analyst Viewer
openapi/v3/detections	GET	Show me the 10 most recent threats in Red Canary	Analyst Viewer
/openapi/v3/detections/marked_indicators_of_compromise	GET	Are there any IOCs in Red Canary?	Analyst Viewer
/openapi/v3/customer/external_alerts	GET	Can you show me the external alerts in Red Canary?	Analyst Viewer
/openapi/v3/customer/external_alerts/{id}	GET	Can you give me more details on Red Canary external alert 371119?	Analyst Viewer
/openapi/v3/customer/system_activities	GET	Were there any detector updates in Red Canary?	Analyst Viewer
/openapi/v3/customer/intel_reporting	GET	How many events were analyzed by Red Canary	Analyst Viewer
/openapi/v3/detections/{id}	GET	Can you give me more details on Red Canary Threat ID 72?	Analyst Viewer
/openapi/v3/endpoints/sensor_id/{sensor_id}	GET	Can you give me more details on Red Canary sensor ID 169428575?	Analyst Viewer
/openapi/v3/endpoints/{id}	GET	Can you give me more info on endpoint ID 100000074413556 in Red Canary?	Analyst Viewer
/openapi/v3/detections/{id}/timeline	GET	Can you show me the threat timeline entries for Threat ID 72?	Analyst Viewer
/openapi/v3/detections/{id}/detectors	GET	Can you list the detectors in Threat 72?	Analyst Viewer
/openapi/v3/detections/{id}/related_detections	GET	Can you show me related detections for Threat 72?	Analyst Viewer
/openapi/v3/detections/{id}/marked_indicators_of_compromise	GET	Can you show me an IOCs in Threat 72?	Analyst Viewer
/openapi/v3/endpoint_users/{id}	GET	Can you give me more information about Endpoint User ID: 100000305141114?	Analyst Viewer
/openapi/v3/detections/{id}/events	GET	Can you show me all the events in Threat 72?	Analyst Viewer
/openapi/v3/endpoint_users/{id}/system_activities	GET	Can you show me the activities for Endpoint User ID 100000305141114	Analyst Viewer
/openapi/v3/endpoints/{id}/endpoint_users	GET	Can you show me the users from Endpoint ID: 100000060390802?	Analyst Viewer
/openapi/v3/search/ip_addresses/{ip_address}	GET	can you search for ip address 172.16.16.16 in Red Canary?	Analyst Viewer
/openapi/v3/search/endpoint_hostnames/{endpoint_hostname}	GET	Can you search in Red Canary for hostname vtw-ad10a49823a?	Analyst Viewer
/openapi/v3/events	GET	Can you show me the most recent events investigated by Red Canary?	Analyst Viewer

Was this article helpful?

What's Next

Integrate Microsoft Defender for Cloud with Red Canary

Table of contents

Upload the plugin manifest to Microsoft Security Copilot
API Usage