Issue
A user would like to implement Automation in Red Canary that can automatically reinstate a decommissioned endpoint that checks in.
Environment
Red Canary Portal
Automation
Resolution
While the Red Canary Portal does not currently have a Reinstate playbook action, you can work around this using the Invoke Webhook or API playbook action and Red Canary's Reinstate API endpoint. Before getting started, you will need to generate an API Key if you have not already done so.
How to Generate an API Key
- Click your user icon at the top right in your Red Canary Portal, and select View profile
- Scroll to Generate API Authentication Token in the Security Settings section
- Click Generate
To configure this automation, follow the steps below.
- Navigate to Automation > Playbooks, then click Create New Playbook
- Click Add Action then add the Invoke Webhook or API action
- Configure the playbook action fields as follows, replacing the <angled bracket> values with your own and removing the brackets
- HTTP Method: POST
- URL: https://<MySubdomain>.my.redcanary.co/openapi/v3/endpoints/reinstate?ids=$Endpoint.id
- Allow Untrusted Connections: No
- HTTP Headers:
  x-api-key=<MyApiKey>
  content-type=application/json
- Payload: All Attributes as JSON
- Provide the playbook a name and/or description, then click Save to finalize changes
- Navigate to Automation > Triggers, then click Configure New Trigger
- From the list of triggers, select When an Endpoint Status Changes
- Under the newly created trigger, click Add Condition and add the following conditions
- Endpoint > Decommissioned? > Is > true > Save
- Endpoint > Endpoint Status > Is > online > Save
- Click Connect Playbook and connect your new Invoke Webhook or API playbook
- The final set of automation should look similar to the following
For troubleshooting API errors, see How to Authenticate to the Red Canary API
Key Concepts
- The $Endpoint.id object attribute in the URL passes the endpoint record ID of hosts matching your trigger conditions as a parameter to the Reinstate endpoint
- Endpoints will only meet the trigger conditions when Endpoint Status changes from suspended to online (i.e. endpoint is offline for more than 3 hours, then checks in)
- Decommissioned endpoints actively in online status at the time this automation is created, or those decommissioned while in online status, will not meet the trigger conditions until Endpoint Status next changes from suspended to online
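The following Python sketch is an added example, not Red Canary's code. It models the trigger conditions described above and builds the same POST request the playbook action is configured to send, so the logic can be checked offline before the automation is enabled. The environment variable names RC_SUBDOMAIN and RC_API_KEY, the empty JSON body and the sample events are assumptions.

```python
import os
import re
import urllib.parse
import urllib.request

# Constructed sample events: (endpoint_id, previous_status, current_status, decommissioned)
EVENTS = [
    ("1001", "suspended", "online", True),   # decommissioned host checks back in
    ("1002", "suspended", "online", False),  # never decommissioned: nothing to do
    ("1003", "online", "online", True),      # decommissioned while online: no status change yet
    ("1004", "online", "suspended", True),   # went quiet: not online
]

def trigger_matches(previous_status, current_status, decommissioned):
    """Model of 'When an Endpoint Status Changes' plus the two conditions."""
    changed = previous_status != current_status
    return changed and decommissioned and current_status == "online"

def build_reinstate_request(subdomain, api_key, endpoint_id):
    """Build (not send) the POST the playbook action is configured to make."""
    # Reject anything that could redirect the API key to another host.
    if not re.fullmatch(r"[A-Za-z0-9-]+", subdomain):
        raise ValueError("subdomain must be a single DNS label")
    query = urllib.parse.urlencode({"ids": endpoint_id})
    url = f"https://{subdomain}.my.redcanary.co/openapi/v3/endpoints/reinstate?{query}"
    headers = {"x-api-key": api_key, "content-type": "application/json"}
    # Assumption: empty JSON body; the playbook sends the endpoint attributes.
    return urllib.request.Request(url, data=b"{}", headers=headers, method="POST")

def plan_reinstatements(events, subdomain, api_key):
    """Return one request per event that satisfies the trigger conditions."""
    return [
        build_reinstate_request(subdomain, api_key, endpoint_id)
        for endpoint_id, previous, current, decommissioned in events
        if trigger_matches(previous, current, decommissioned)
    ]

if __name__ == "__main__":
    # Hypothetical variable names; keep the key out of source and shell history.
    subdomain = os.environ.get("RC_SUBDOMAIN", "example")
    api_key = os.environ.get("RC_API_KEY", "placeholder-key")
    for request in plan_reinstatements(EVENTS, subdomain, api_key):
        # Dry run: print the call without the key; nothing is sent.
        print(request.get_method(), request.full_url)
```

Only endpoint 1001 produces a request; endpoint 1003 shows the case from the last bullet, where a host decommissioned while online is not reinstated until its status next changes.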
Cause
Red Canary does not currently offer a built-in playbook action for reinstating endpoints. However, the Red Canary API has a Reinstate endpoint that can be used in conjunction with the Invoke Webhook or API playbook action to automate the recommissioning process.