Issue
How can an email, or other communication, be sent when endpoint isolation is performed?
Environment
Red Canary
Automation
Resolution
From the Automation page, create a trigger with the following criteria.
- When an Audit Log is created
- and Audit Log Action is Endpoint Isolation Status Changed
- and Audit Log Description contains changed to isolated
Next, connect this trigger to a playbook with the desired notification method, such as Send Email or Send SMS Message.
Because the Audit Log does not support the $Endpoint variable, hostname details can only be included in the message by using the $AuditLog.description attribute in the message body. This attribute will produce output similar to the example below.
Isolation for HOSTNAME (#ENDPOINTID / sensor #SENSORID) changed to isolated
This method of notification captures all isolations originating from the Red Canary Portal, including those initiated by users and by Active Remediation playbooks. Isolations initiated from a Sensor's EDR management platform do not have an associated Audit Log entry in Red Canary and thus will not meet the trigger conditions.
Note: When creating the trigger conditions, Audit Log Action must be set to "Endpoint Isolation Status Changed". Other selected log actions will not capture the isolation event.
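The following is an added example, not Red Canary's own code or part of the original article. It shows the two trigger conditions and the $AuditLog.description format described above as plain Python, so that a downstream handler (for instance, something that receives the playbook's notification) can apply the same filter and recover the hostname, endpoint id and sensor id from the description text. The Audit Log records, the dictionary keys `action` and `description`, and the non-isolated state wording are constructed for illustration and are not taken from the Red Canary product.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Trigger criteria from the article: Audit Log Action equals this value and
# the Audit Log Description contains this substring.
TRIGGER_ACTION = "Endpoint Isolation Status Changed"
TRIGGER_DESCRIPTION_SUBSTRING = "changed to isolated"

# Pattern for the $AuditLog.description text shown in the article:
#   Isolation for HOSTNAME (#ENDPOINTID / sensor #SENSORID) changed to isolated
# The ids are kept as strings; their exact format is not specified on the page.
DESCRIPTION_RE = re.compile(
    r"^Isolation for (?P<hostname>\S+) "
    r"\(#(?P<endpoint_id>[^\s/]+) / sensor #(?P<sensor_id>[^\s)]+)\) "
    r"changed to (?P<state>.+)$"
)


@dataclass
class IsolationEvent:
    hostname: str
    endpoint_id: str
    sensor_id: str
    state: str


def matches_trigger(audit_log: dict) -> bool:
    """Apply the same two conditions the article's trigger uses."""
    return (
        audit_log.get("action") == TRIGGER_ACTION
        and TRIGGER_DESCRIPTION_SUBSTRING in audit_log.get("description", "")
    )


def parse_isolation_description(description: str) -> Optional[IsolationEvent]:
    """Extract host and id details from the $AuditLog.description text."""
    match = DESCRIPTION_RE.match(description)
    if match is None:
        return None
    return IsolationEvent(
        hostname=match["hostname"],
        endpoint_id=match["endpoint_id"],
        sensor_id=match["sensor_id"],
        state=match["state"],
    )


def build_notification(audit_log: dict) -> Optional[str]:
    """Return the message to send, or None when the trigger would not fire."""
    if not matches_trigger(audit_log):
        return None
    event = parse_isolation_description(audit_log["description"])
    if event is None:
        # Unexpected description layout: fall back to forwarding the raw text,
        # which is all the $AuditLog.description attribute gives us anyway.
        return f"Endpoint isolation status changed: {audit_log['description']}"
    return (
        f"Endpoint {event.hostname} (endpoint #{event.endpoint_id}, "
        f"sensor #{event.sensor_id}) is now {event.state}"
    )


def notifications_for(audit_logs: list) -> list:
    """Messages for every Audit Log entry that satisfies the trigger."""
    return [n for n in (build_notification(log) for log in audit_logs) if n is not None]


# Constructed sample Audit Log entries (hypothetical, not real product data).
SAMPLE_AUDIT_LOGS = [
    {
        "action": "Endpoint Isolation Status Changed",
        "description": "Isolation for web-01.example.local (#1001 / sensor #55) changed to isolated",
    },
    {
        # Same action, but the state is not "isolated": the trigger must not fire.
        # The wording "not isolated" is a constructed placeholder.
        "action": "Endpoint Isolation Status Changed",
        "description": "Isolation for web-01.example.local (#1001 / sensor #55) changed to not isolated",
    },
    {
        # A different, constructed action value with matching text: must not fire.
        "action": "Playbook Executed",
        "description": "Playbook 'Isolate host' changed to isolated mode",
    },
]

if __name__ == "__main__":
    for message in notifications_for(SAMPLE_AUDIT_LOGS):
        print(message)
```

Only the first constructed entry produces a message, mirroring the article's point that both the action and the description substring must match; the fallback branch in `build_notification` covers a description that does not follow the documented layout.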