Automation is the key to quickly remediating threats and minimizing your time to remediation. You can configure automation playbooks to be triggered by several events in the life cycle of a confirmed threat:
When a threat is published
When a threat is marked as remediated
When a threat is marked as not remediated
When a threat is acknowledged
Respond to a threat
You can configure an automation playbook to execute during a threat's life cycle.
From the navigation menu, click Automation.
Click Configure new trigger and select When a Threat is published.
Customize the trigger to meet your needs.
Associate one or more playbooks to the trigger.
What automation actions affect the state of threats?
Several automation actions can affect the state of a threat in Red Canary. These include:
Marking a threat as acknowledged
Marking a threat as not remediated (with a specific reason)
Marking a threat as remediated
You can find the complete list of actions in Red Canary.
Notifying your incident response team when a threat is confirmed

Notify your team whenever a threat with a specific severity is published, by triggering playbooks that:
Create a ticket in your incident management system with the Webhook or API action.
Email an incident response mailing list with the Send Email action.
Post a message in a Slack/Teams channel with the Send Slack Message or Send Microsoft Teams Message action.
Trigger a PagerDuty incident for your security response team using the Create PagerDuty Incident action.
Call a phone tree using the Call Phone Numbers action.
Isolate and remediate workstations affected by malicious software

Activate network isolation / containment for workstation (non-server) endpoints that are affected by malicious software detections, by triggering playbooks that:
Enqueue endpoint isolation using the Isolate the Endpoint action.
Disable network communications with a device management system triggered with the Webhook or API action.
Record a number of forensics artifacts using the Collect forensics action.
Remediate infections using actions such as Kill Processes (IOC) and Delete/Capture Files (IOC).
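The following is an added example, not Red Canary code: a sketch of the receiving side of the Webhook or API action, which builds a ticket for a published threat and selects only workstation endpoints for isolation. The payload field names, the severity values and the plan_response function are assumptions made for illustration; the sample body is constructed.

```python
import json

# Constructed sample body; field names and severity values are assumptions
# made for this example, not Red Canary's webhook schema.
SAMPLE_BODY = json.dumps({
    "event": "threat_published", "threat_id": "THREAT-0001",
    "severity": "high", "classification": "malicious_software",
    "endpoints": [{"hostname": "wks-041", "is_server": False},
                  {"hostname": "db-prod-02", "is_server": True}],
})
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
REQUIRED = ("event", "threat_id", "severity", "classification")


def plan_response(raw_body, seen_ids, min_severity="medium"):
    """Return a response plan for one webhook body, or None to ignore it."""
    try:
        msg = json.loads(raw_body)
    except json.JSONDecodeError:
        return None                      # malformed body
    if not isinstance(msg, dict) or not all(isinstance(msg.get(k), str) for k in REQUIRED):
        return None                      # missing or mistyped fields: do not guess
    if msg["event"] != "threat_published" or not isinstance(msg.get("endpoints"), list):
        return None                      # only the publish trigger is handled
    if SEVERITY_RANK.get(msg["severity"], 0) < SEVERITY_RANK[min_severity]:
        return None                      # below the notification threshold
    if msg["threat_id"] in seen_ids:
        return None                      # redelivery: avoid a duplicate ticket
    seen_ids.add(msg["threat_id"])

    hosts = [e for e in msg["endpoints"] if isinstance(e, dict) and "hostname" in e]
    plan = {"ticket": {"title": f"[{msg['severity'].upper()}] Threat {msg['threat_id']}",
                       "hosts": [e["hostname"] for e in hosts]},
            "isolate": [], "skipped": []}
    malware = msg["classification"] == "malicious_software"
    for e in hosts:
        # Isolate workstations only; a missing is_server flag counts as a
        # server so the host is left for a human decision.
        eligible = malware and e.get("is_server", True) is False
        plan["isolate" if eligible else "skipped"].append(e["hostname"])
    return plan


if __name__ == "__main__":
    print(plan_response(SAMPLE_BODY, set()))
```

Hosts in the skipped list still appear on the ticket, so the server in the sample is reported to responders without being isolated automatically.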