Create Workflow Rules
    • 03 Jul 2024


    Article summary

    Red Canary Alert Workflow Rules let you define custom ingest rules that act on alerts from third-party platforms, setting their status, severity, assignee, or notes automatically. Alert data is evaluated as it arrives in Red Canary, and you can update the actions you want taken whenever a matching alert is detected. Adding Alert Workflow Rules ensures you’re focusing on the alerts that impact your organization the most. This article covers how to create an Alert Workflow Rule, add criteria and actions to it, and use it to suppress alert noise as needed.

    Create Alert Workflow Rules

    Add Alert Workflow Rules to get the most out of Red Canary’s alert detection. Include the criteria and actions you want taken during specific events.

    1. From your Red Canary dashboard, click the Alerts dropdown, and then click Workflow Rules. The Alert Workflow Rules page shows the filters currently available and, for each rule, its status (active/inactive), creation date, and any subdomain restriction.

    2. To configure a new global Alert Workflow Rule, click Create Alert Workflow Rule.


    3. Enter a Title and Description for the rule.


    4. Ensure that the Active slider is toggled to the ON position (toggled to the right, highlighted in green).


    To add criteria to your new rule, click Select an option, and then select the rule criteria. Depending on your selection, you’ll be able to add further detail to that criterion. You can also click Add Criteria to add more criteria that narrow the rule further.

    Note: All criteria on a rule are combined with AND. The rule applies to an alert only if every criterion matches that alert, so each criterion you add narrows the rule; a rule with a single broad criterion and a resolving action will act on every alert that criterion matches.


    Criteria

    Criteria include the following (each entry gives the criterion name as it appears in the dropdown, then what it matches):

    • Alert Blocked Status equals: Matches whether the alert source reported the alert as blocked or not blocked. This value comes directly from the alert sent by your third-party security product.

    • Alert Classification contains: Substring match on the alert's classification.

    • Alert Classification equals: Exact match on the alert's classification.

    • Severity equals: Matches the alert's severity, which Red Canary normalizes across sources to low, medium, high, or unknown.

    • Alert Source is: The product that generated the alert (not specific to any customer's environment).

    • Alert Title equals: Exact match on the alert title.

    • Alert has a Filter Point: Matches on a filter point, a field-to-value mapping produced by Red Canary's enhanced parsing of the alert.

    • Alert mentions a Device: Matches the device details Red Canary parses from the alert, including host name, IP address, and MAC address.

    • Alert mentions a File: Matches a file referenced in the alert by attributes such as file name, SHA-1 hash, or SHA-256 hash.

    • Alert mentions a Network Connection: Matches the destination IP, destination port, domain, source IP, source port, or URL.

    • Alert mentions a Process: Matches a specific process name and process ID.

    • Alert mentions an Identity: Matches an email address, user name, phone number, Windows SID, or POSIX ID.

    • When CIDR/IP Range includes the Alerts: Matches when the alert's device, destination, or source IP address falls within the given IP address or CIDR block.

    • Native alert JSON field equals: Matches a named field in the native alert JSON against an exact value.

    • Native alert Raw data matches: Matches a regular expression that you specify against the raw alert data.

    1. In the Actions section, click Select an option to define the actions that run when an alert matches all of the specified criteria. The following actions are available:

      • Add a Note to the alert — creates a note that is attached to the alert

      • Set Alert Assignee to — assigns the alert to the individual in your organization you want notified of the alert

      • Set Alert Status to — changes the Alert status to one of the following:

        • Resolved: Remediated

        • Resolved: False Positive

        • Resolved: Authorized Testing

        • Resolved: Remediation Unwarranted

        • Resolved: Sanctioned Activity

        • Resolved: Not a Threat

        • Analysis Complete: Threat

        • Analysis Complete: Highly Suspicious

        • Analysis Complete: Suspicious

        • Analysis Complete: Not a Threat

        • Investigating

      • Set Alert Severity to — changes the Alert Severity to one of the following:

        • high

        • medium

        • low

        • informational

        • unknown

    2. Click Add Action to add as many actions as you want taken when an alert matches the rule.


    3. When you are finished, choose how far back the rule should reach:

      • Click Create for New Alerts to apply the Alert Workflow Rule only to alerts that arrive after the rule is created.

        Or...

      • Click Create for New and Existing Alerts to apply the Alert Workflow Rule to new alerts and to every alert Red Canary has already collected. Check the criteria carefully before choosing this option: any status or severity action applies retroactively to every matching alert already in your queue.

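    To make the matching semantics concrete, here is an added example, written for this article and not Red Canary's code, that models a rule as data and evaluates it against constructed sample alerts. It implements the criteria listed above (exact-match criteria, the classification substring match, the CIDR check over device/source/destination IPs, native JSON field equals, and a regex over the raw alert), the AND combination of criteria, the Active toggle, and the status/severity/assignee/note actions. The product name ExampleEDR, the subnet 10.10.50.0/24, the JSON field paths in IP_FIELDS, and the starting status "Unreviewed" are all assumptions for illustration.

```python
"""Model of how an Alert Workflow Rule is evaluated and applied. Added example, not
Red Canary code: criteria are ANDed, 'contains' is a substring match, 'equals' is
exact, CIDR checks device/source/destination IPs, a regex runs over the raw alert."""
import ipaddress
import json
import re
from dataclasses import dataclass, field
from typing import Any, Optional


@dataclass
class Alert:
    """Constructed stand-in for an alert ingested from a third-party product."""
    title: str
    source: str
    classification: str
    severity: str               # normalized: low, medium, high, informational, unknown
    blocked: bool
    native: dict                # native alert JSON as sent by the source
    status: str = "Unreviewed"  # assumed starting status, not a Red Canary name
    assignee: Optional[str] = None
    notes: list = field(default_factory=list)


@dataclass
class WorkflowRule:
    criteria: list       # (kind, *args) tuples; every one must match (AND)
    actions: list        # (kind, value) tuples applied when the rule matches
    active: bool = True  # the Active toggle; inactive rules never fire


# Criteria that are a plain exact comparison against one alert attribute.
EXACT = {"blocked_status_equals": "blocked", "classification_equals": "classification",
         "severity_equals": "severity", "source_is": "source", "title_equals": "title"}
# Assumed dotted paths to device/source/destination IPs in the constructed JSON.
IP_FIELDS = ("device.ip", "network.src_ip", "network.dst_ip")


def lookup(native: dict, dotted: str) -> Any:
    """Walk a dotted path such as 'network.src_ip' through the JSON; None if absent."""
    cur: Any = native
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def criterion_matches(crit: tuple, alert: Alert) -> bool:
    kind, *args = crit
    if kind in EXACT:
        return getattr(alert, EXACT[kind]) == args[0]
    if kind == "classification_contains":      # substring, case-sensitive (assumed)
        return args[0] in alert.classification
    if kind == "cidr_includes":                # any parsed IP inside the block
        net = ipaddress.ip_network(args[0], strict=False)
        ips = [lookup(alert.native, f) for f in IP_FIELDS]
        return any(ip is not None and ipaddress.ip_address(ip) in net for ip in ips)
    if kind == "native_field_equals":          # field name and exact value
        return lookup(alert.native, args[0]) == args[1]
    if kind == "raw_matches":                  # regex over the serialized raw alert
        return re.search(args[0], json.dumps(alert.native, sort_keys=True)) is not None
    raise ValueError(f"unknown criterion {kind!r}")


def rule_matches(rule: WorkflowRule, alert: Alert) -> bool:
    """A rule applies only when it is active and every criterion matches."""
    return rule.active and all(criterion_matches(c, alert) for c in rule.criteria)


def apply_rule(rule: WorkflowRule, alert: Alert) -> bool:
    """Run the rule's actions against the alert in place; True if it matched."""
    setters = {"set_status": "status", "set_severity": "severity", "set_assignee": "assignee"}
    if not rule_matches(rule, alert):
        return False
    for kind, value in rule.actions:
        if kind in setters:
            setattr(alert, setters[kind], value)
        elif kind == "add_note":
            alert.notes.append(value)
        else:
            raise ValueError(f"unknown action {kind!r}")
    return True


# Resolves scanner noise, scoped to the scanner subnet AND a scan classification,
# so an unrelated detection from the same subnet stays open for analysis.
SCANNER_RULE = WorkflowRule(
    criteria=[("source_is", "ExampleEDR"),            # constructed product name
              ("classification_contains", "Scan"),
              ("cidr_includes", "10.10.50.0/24")],    # constructed scanner subnet
    actions=[("set_status", "Resolved: Authorized Testing"),
             ("set_severity", "informational"),
             ("add_note", "Matches the scheduled scan window; see the change ticket.")],
)


def make_alert(classification: str, src_ip: str) -> Alert:
    """Constructed sample alert; only classification and source IP vary."""
    native = {"device": {"ip": "10.0.1.7"}, "network": {"src_ip": src_ip, "dst_ip": "10.0.1.7"}}
    return Alert("Port scan detected", "ExampleEDR", classification, "medium", False, native)
```

    Calling apply_rule(SCANNER_RULE, make_alert("Recon/Port Scan", "10.10.50.12")) resolves the alert as Authorized Testing, while make_alert("Malware/Trojan", "10.10.50.12") from the same subnet is left untouched because the classification criterion fails. That is the point of the AND note above: the CIDR criterion alone would have resolved the malware alert too.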
