Issue
Is there a way to set up automation to decommission uncommunicative endpoints?
Environment
Red Canary - Automation
Resolution
You can use an Automation Trigger to execute a Playbook for Decommissioning an endpoint that has not checked in, provided its last check-in was within the last 59 days. Below is an example of the fields you can use for a trigger.
Once the Trigger is created, you will need to add/connect a Playbook by clicking on the green "Connect playbook" button on the Trigger.
From there, you can set a Playbook to Decommission the endpoint.
To receive an alert to manually approve Decommissioning for an endpoint, check the Require approval box and select the preferred method of notification.
Important Notes:
- Once a trigger and playbook are set up and enabled, automation will only work for endpoints that meet all conditions after that point and are within 59 days of the last check-in. Endpoints that need to be decommissioned retroactively must be decommissioned manually. See Decommissioning Endpoints for more information.
- The Require approval setting is ONLY needed if you want to receive an alert before the Decommissioning process takes place. This will also require someone to manually approve the action before it takes place. If you need the Playbook to run in a fully automated fashion, do NOT enable the Require approval setting.
For further guidance on the basics of automation:
Getting started with automation
Automate Trigger Condition Descriptions