Follow these steps to enable the Red Canary plugin for Microsoft Copilot for Security.
Upload the plugin manifest to Microsoft Security Copilot
Note: To test this plugin, you must have a Microsoft Copilot for Security instance. Microsoft Copilot for Security has a usage consumption model, and you may incur additional costs from Microsoft for using the Red Canary Plugin for Microsoft Copilot for Security.
Follow the instructions outlined in the Microsoft help docs for installing a custom plugin.
Select Security Copilot Plugin.
Select the .yaml format.
Enter the following URL:
https://rc-customer-tools.s3.us-east-2.amazonaws.com/msft_copilot_plugin/RedCanary_manifest.yaml
Specify the subdomain URL under the instance URL you want Security Copilot to use.
Configure the API key as documented in Microsoft's help docs.
API Usage
Note: The plugin only uses GET requests and cannot update your Red Canary instance or data.
| API Endpoint | Request Type | Prompt | API Role Required |
| --- | --- | --- | --- |
| /openapi/v3/endpoints | GET | Show me the 25 most recent endpoints in Red Canary | Analyst Viewer |
| /openapi/v3/endpoint_users | GET | Can you show me the most recent 10 endpoint users in Red Canary? | Analyst Viewer |
| /openapi/v3/detections | GET | Show me the 10 most recent threats in Red Canary | Analyst Viewer |
| /openapi/v3/detections/marked_indicators_of_compromise | GET | Are there any IOCs in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/external_alerts | GET | Can you show me the external alerts in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/external_alerts/{id} | GET | Can you give me more details on Red Canary external alert 371119? | Analyst Viewer |
| /openapi/v3/customer/system_activities | GET | Were there any detector updates in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/intel_reporting | GET | How many events were analyzed by Red Canary? | Analyst Viewer |
| /openapi/v3/detections/{id} | GET | Can you give me more details on Red Canary Threat ID 72? | Analyst Viewer |
| /openapi/v3/endpoints/sensor_id/{sensor_id} | GET | Can you give me more details on Red Canary sensor ID 169428575? | Analyst Viewer |
| /openapi/v3/endpoints/{id} | GET | Can you give me more info on endpoint ID 100000074413556 in Red Canary? | Analyst Viewer |
| /openapi/v3/detections/{id}/timeline | GET | Can you show me the threat timeline entries for Threat ID 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/detectors | GET | Can you list the detectors in Threat 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/related_detections | GET | Can you show me related detections for Threat 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/marked_indicators_of_compromise | GET | Can you show me any IOCs in Threat 72? | Analyst Viewer |
| /openapi/v3/endpoint_users/{id} | GET | Can you give me more information about Endpoint User ID 100000305141114? | Analyst Viewer |
| /openapi/v3/detections/{id}/events | GET | Can you show me all the events in Threat 72? | Analyst Viewer |
| /openapi/v3/endpoint_users/{id}/system_activities | GET | Can you show me the activities for Endpoint User ID 100000305141114? | Analyst Viewer |
| /openapi/v3/endpoints/{id}/endpoint_users | GET | Can you show me the users from Endpoint ID 100000060390802? | Analyst Viewer |
| /openapi/v3/search/ip_addresses/{ip_address} | GET | Can you search for IP address 172.16.16.16 in Red Canary? | Analyst Viewer |
| /openapi/v3/search/endpoint_hostnames/{endpoint_hostname} | GET | Can you search in Red Canary for hostname vtw-ad10a49823a? | Analyst Viewer |
| /openapi/v3/events | GET | Can you show me the most recent events investigated by Red Canary? | Analyst Viewer |
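A pre-upload check for the manifest, added here as an example (not Red Canary's or Microsoft's code): it walks the parsed OpenAPI document and flags any operation that is not GET, and any path that is not in the table above. It assumes the .yaml manifest has already been loaded into a dict (for instance with PyYAML's yaml.safe_load); the sample document inside the block is constructed for illustration, not the real manifest.

```python
# Added example (not Red Canary's or Microsoft's code): audit a parsed Security
# Copilot plugin manifest (an OpenAPI document) before uploading it, checking the
# claim above that the plugin only exposes GET operations on documented paths.

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Paths from the API Usage table above, normalised to a leading slash.
DOCUMENTED_PATHS = set("""
/openapi/v3/endpoints /openapi/v3/endpoint_users /openapi/v3/detections
/openapi/v3/detections/marked_indicators_of_compromise /openapi/v3/events
/openapi/v3/customer/external_alerts /openapi/v3/customer/external_alerts/{id}
/openapi/v3/customer/system_activities /openapi/v3/customer/intel_reporting
/openapi/v3/detections/{id} /openapi/v3/detections/{id}/timeline
/openapi/v3/detections/{id}/detectors /openapi/v3/detections/{id}/related_detections
/openapi/v3/detections/{id}/marked_indicators_of_compromise
/openapi/v3/detections/{id}/events /openapi/v3/endpoints/{id}
/openapi/v3/endpoints/sensor_id/{sensor_id} /openapi/v3/endpoints/{id}/endpoint_users
/openapi/v3/endpoint_users/{id} /openapi/v3/endpoint_users/{id}/system_activities
/openapi/v3/search/ip_addresses/{ip_address}
/openapi/v3/search/endpoint_hostnames/{endpoint_hostname}
""".split())


def audit_manifest(doc):
    """Return (non_get_operations, undocumented_paths) for a manifest loaded into a dict."""
    non_get, undocumented = [], []
    for raw_path, item in doc.get("paths", {}).items():
        path = "/" + raw_path.lstrip("/")  # tolerate entries written without a slash
        if path not in DOCUMENTED_PATHS:
            undocumented.append(path)
        for key in item:  # path items also carry non-method keys such as 'parameters'
            if key.lower() in HTTP_METHODS and key.lower() != "get":
                non_get.append(f"{key.upper()} {path}")
    return non_get, undocumented


# Constructed sample, not the real manifest; the '/notes' POST is hypothetical and
# exists only so the audit has something to flag.
SAMPLE_MANIFEST = {"paths": {
    "/openapi/v3/detections": {"get": {"summary": "List detections"}},
    "/openapi/v3/detections/{id}": {"parameters": [], "get": {"summary": "One detection"}},
    "/openapi/v3/detections/{id}/notes": {"post": {"summary": "Add a note"}},
}}

if __name__ == "__main__":
    writes, unknown = audit_manifest(SAMPLE_MANIFEST)
    print("non-GET operations:", writes)  # ['POST /openapi/v3/detections/{id}/notes']
    print("undocumented paths:", unknown)  # ['/openapi/v3/detections/{id}/notes']
```

An empty pair of lists means the manifest matches what this page documents; anything else deserves a look before the plugin is granted an API key.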