Below are explanations of common trigger actions:
Audit Log
- When a user is completely deleted from Red Canary the Audit Log records this action as User Destroyed.
- When all roles have been removed from a user for a subdomain, the Audit Log records this action as User Removed.
Endpoint Status
- The variables that determine if an Endpoint is classified as suspended are different for each EDR provider.
For example, when the Carbon Black EDR Sensor reports a status of offline together with power_state=1, we mark the Endpoint as suspended; what exactly constitutes a power_state=1 status is determined by Carbon Black. When the Microsoft Defender for Endpoint Sensor reports healthStatus=Inactive, we mark the Endpoint as suspended.
- For a more complete list of Endpoint Status definitions, please see our article: Monitoring Sensor Health and Connection to Red Canary
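The two provider rules above can be expressed as a small normalisation step: read each vendor's raw health fields, apply that vendor's rule, and only then ask which hosts should fire an Endpoint Status trigger. The script below is an added example, not Red Canary's code; the provider labels ("carbon_black", "defender"), the record shape, the hostnames and field values are all constructed, and the idea that the trigger should fire only when a host transitions into the suspended state is an assumption of the example rather than something the article states.

```python
# Added example (not Red Canary's code): normalising per-vendor sensor
# health fields into the "suspended" classification described above.
from dataclasses import dataclass, field
from typing import Any, Dict, List, Set


@dataclass(frozen=True)
class SensorRecord:
    """One health report as received from an EDR sensor (constructed shape)."""
    provider: str                 # assumed labels: "carbon_black" or "defender"
    hostname: str
    fields: Dict[str, Any] = field(default_factory=dict)  # raw vendor fields


def is_suspended(record: SensorRecord) -> bool:
    """Apply the provider-specific rules the article states.

    Anything the article does not define (other providers, other field
    combinations) is treated as not suspended rather than guessed at.
    """
    f = record.fields
    if record.provider == "carbon_black":
        # Carbon Black: status "offline" together with power_state=1.
        # The meaning of power_state=1 is defined by Carbon Black, not here;
        # the comparison uses the string form so 1 and "1" both match.
        return f.get("status") == "offline" and str(f.get("power_state")) == "1"
    if record.provider == "defender":
        # Microsoft Defender for Endpoint: healthStatus=Inactive.
        return f.get("healthStatus") == "Inactive"
    return False


def suspended_hosts(records: List[SensorRecord]) -> Set[str]:
    """Hostnames whose latest report classifies them as suspended."""
    return {r.hostname for r in records if is_suspended(r)}


def newly_suspended(previous: List[SensorRecord],
                    current: List[SensorRecord]) -> Set[str]:
    """Hosts that became suspended between two polls.

    Assumption (not stated in the article): an Endpoint Status trigger is
    meant to fire on the transition into the suspended state, so a host that
    was already suspended at the last poll does not fire again.
    """
    return suspended_hosts(current) - suspended_hosts(previous)


# Constructed sample reports; hostnames and field values are made up.
PREVIOUS_POLL = [
    SensorRecord("carbon_black", "cb-host-1", {"status": "online", "power_state": 1}),
    SensorRecord("carbon_black", "cb-host-2", {"status": "offline", "power_state": 1}),
    SensorRecord("defender", "mde-host-1", {"healthStatus": "Active"}),
]
CURRENT_POLL = [
    SensorRecord("carbon_black", "cb-host-1", {"status": "offline", "power_state": 1}),
    SensorRecord("carbon_black", "cb-host-2", {"status": "offline", "power_state": 1}),
    SensorRecord("carbon_black", "cb-host-3", {"status": "offline", "power_state": 0}),
    SensorRecord("defender", "mde-host-1", {"healthStatus": "Inactive"}),
    SensorRecord("defender", "mde-host-2", {"healthStatus": "Active"}),
    SensorRecord("unknown_edr", "misc-host-1", {"status": "offline"}),
]

if __name__ == "__main__":
    print("suspended now:", sorted(suspended_hosts(CURRENT_POLL)))
    print("newly suspended:", sorted(newly_suspended(PREVIOUS_POLL, CURRENT_POLL)))
```

Keeping the per-vendor rule inside `is_suspended` and everything downstream vendor-agnostic is the point: when a provider changes what a field means, only that branch needs revisiting, and hosts from a provider with no known rule (or a Carbon Black host that is offline with a different power_state) are deliberately left unclassified rather than silently suspended.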
External Alert
- External Alerts are the alert messages that we receive from the Alert Sources configured on the Red Canary > Alert Sources page. From that page you can connect your various internal Alert Sources to Red Canary and ship their alerts to us. Each alert is assigned a Severity level of Unknown, Informational, Low, Medium, or High based on the data contained in the alert message.
- To learn more about Alert Sources, please see our article Collecting External Alerts.