Issue
How can an email, or other communication, be sent when endpoint isolation is performed?
Environment
Red Canary
Automation
Resolution
From the Automation page, create a trigger with the following criteria.
- When an Audit Log is created
- and Audit Log Action is Endpoint Isolation Status Changed
- and Audit Log Description contains "isolated":"isolated"
Next, connect this trigger to a playbook with the desired notification method, such as Send Email or Send SMS Message.
Because the Audit Log does not support the $Endpoint variable, hostname details can only be included in the message by using the $AuditLog.description attribute in the message body.
This method of notification will capture all isolations originating from the Red Canary Portal, including those initiated by users and by Active Remediation playbooks. Isolations initiated from a Sensor's EDR management platform will not have an associated Audit Log entry in Red Canary and thus will not meet the trigger conditions.
Additional Notes
- When creating the trigger conditions, Audit Log Action must be set to "Endpoint Isolation Status Changed". Other selected log actions will not capture the isolation event.
- To be notified when an endpoint is either isolated or deisolated in Red Canary, revise the Audit Log Description trigger condition to the following.
- and Audit Log Description contains "isolated":
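To check the two Description conditions above before wiring them into a playbook, the following added example (not Red Canary's code) models the trigger as a filter over constructed Audit Log entries; only the "Endpoint Isolation Status Changed" action and the "isolated":"isolated" fragment come from this article, and the rest of each description body is an assumption.

```python
from dataclasses import dataclass

# Action value the trigger must match (from the article).
ISOLATION_ACTION = "Endpoint Isolation Status Changed"


@dataclass
class AuditLog:
    """Minimal stand-in for an Audit Log record: action plus free-text description."""
    action: str
    description: str


def trigger_matches(log: AuditLog, description_contains: str) -> bool:
    """Model the trigger: Action equals the isolation action AND the
    Description contains the configured substring."""
    return log.action == ISOLATION_ACTION and description_contains in log.description


def notification_body(log: AuditLog) -> str:
    """$Endpoint is not available on Audit Log triggers, so the hostname can
    only reach the message through $AuditLog.description; pass it through whole."""
    return f"Endpoint isolation status changed: {log.description}"


def matching_descriptions(logs, description_contains: str) -> list[str]:
    """Return the descriptions that would fire the trigger for a given condition."""
    return [log.description for log in logs if trigger_matches(log, description_contains)]


# Constructed sample entries. The hostname field and the de-isolation value are
# placeholders; the real description layout is not documented in the article.
SAMPLE_LOGS = [
    AuditLog(ISOLATION_ACTION, '{"hostname":"WS-0042","isolated":"isolated"}'),
    AuditLog(ISOLATION_ACTION, '{"hostname":"WS-0042","isolated":"PLACEHOLDER_DEISOLATED"}'),
    AuditLog("User Login", '{"user":"analyst@example.com"}'),  # wrong action: never fires
]

if __name__ == "__main__":
    # Isolation-only condition fires once; the broader condition fires on both status changes.
    for cond in ('"isolated":"isolated"', '"isolated":'):
        for desc in matching_descriptions(SAMPLE_LOGS, cond):
            print(cond, "->", notification_body(AuditLog(ISOLATION_ACTION, desc)))
```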