Use Automation to Combat Threats
    • 15 Jul 2024

    Automation is the key to quickly remediating threats and minimizing your time to remediation. You can configure automation playbooks to be triggered by several events in the life cycle of a confirmed threat:

    • When a threat is published

    • When a threat is marked as remediated

    • When a threat is marked as not remediated

    • When a threat is acknowledged

    Respond to a threat

    You can configure an automation playbook to execute during a threat's life cycle.

    1. From the navigation menu, click Automation.

    2. Click Configure new trigger and select When a Threat is published.

    3. Customize the trigger to meet your needs.

    4. Associate one or more playbooks to the trigger.

    What automation actions affect the state of threats?

    A number of automation actions can affect the state of a threat in Red Canary. These include:

    • Marking a threat as acknowledged

    • Marking a threat as not remediated (with a specific reason)

    • Marking a threat as remediated

    You can find the complete list of actions in Red Canary.

    Notifying your incident response team when a threat is confirmed

    [Image: Threat_severity_high_medium_new.png]

    Notify your team whenever a threat with a specific severity is published, by triggering playbooks that:

    • Create a ticket in your incident management system with the Webhook or API action.

    • Email an incident response mailing list with the Send Email action.

    • Post a message in a Slack/Teams channel with the Send Slack Message or Send Microsoft Teams Message action.

    • Trigger a PagerDuty incident for your security response team using the Create PagerDuty Incident action.

    • Call a phone tree using the Call Phone Numbers action.

    Isolate and remediate workstations affected by malicious software

    [Image: Threat_workstation.png]

    Activate network isolation / containment for workstation (non-server) endpoints affected by malicious software detections by triggering playbooks that:

    • Enqueue endpoint isolation using the Isolate the Endpoint action.

    • Disable network communications with a device management system triggered with the Webhook or API action.

    • Record a number of forensics artifacts using the Collect forensics action.

    • Remediate infections using actions such as Kill Processes (IOC) and Delete/Capture Files (IOC).
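As an added illustration (not Red Canary's code or its playbook format), the following Python models how lifecycle triggers, their conditions and the playbooks attached to them combine for the two scenarios above; the event names, threat fields and action names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    # Constructed record; field names are assumed, not Red Canary's schema.
    threat_id: str
    severity: str              # "high" | "medium" | "low"
    classification: str        # e.g. "malicious software"
    endpoint_type: str         # "workstation" | "server"
    state: str = "published"
    actions_taken: list = field(default_factory=list)

@dataclass
class Trigger:
    event: str                 # lifecycle event the trigger listens for
    conditions: dict           # threat field -> set of accepted values
    playbooks: list            # each playbook is an ordered list of action names

# Actions that change the threat's state (acknowledged / remediated / not remediated).
STATE_ACTIONS = {"mark_acknowledged": "acknowledged", "mark_remediated": "remediated",
                 "mark_not_remediated": "not remediated"}

def matches(trigger, event, threat):
    # A trigger fires only for its own event and when every condition holds.
    if trigger.event != event:
        return False
    return all(getattr(threat, f) in ok for f, ok in trigger.conditions.items())

def dispatch(triggers, event, threat):
    """Run every playbook of every matching trigger; return the triggers that fired."""
    fired = []
    for trig in triggers:
        if not matches(trig, event, threat):
            continue
        fired.append(trig)
        for playbook in trig.playbooks:
            for action in playbook:
                threat.actions_taken.append(action)
                threat.state = STATE_ACTIONS.get(action, threat.state)
    return fired

# Constructed triggers: notify on high/medium severity; isolate workstations only.
TRIGGERS = [
    Trigger("published", {"severity": {"high", "medium"}},
            [["create_pagerduty_incident", "send_slack_message"]]),
    Trigger("published", {"classification": {"malicious software"},
                          "endpoint_type": {"workstation"}},
            [["isolate_endpoint", "collect_forensics"], ["mark_acknowledged"]]),
]
```

Because the second trigger checks the endpoint type, a server hit by the same detection is reported but never isolated, which is the distinction the workstation scenario relies on.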
