Issue
We have an Automate Trigger set up to fire whenever a specific type of External Alert comes in, for example, when a USB device has been used in our environment. However, we have not been getting any alerts from the Playbook.
Environment
Red Canary Automate
Resolution
When your Automate Trigger is set to execute when an External Alert comes in, your Playbook can only be configured with the "$ExternalAlert" variables. If "$Detection" variables are used, the Playbook may fail to execute, or the variable names will be sent as plain text instead of their values.
Example of Trigger set to execute based on "External Alert" data
External Alert Playbook variables
ExternalAlert
$ExternalAlert.analysis_team
$ExternalAlert.external_alert_source_alert_identifier
$ExternalAlert.external_alert_source_alert_url
$ExternalAlert.native_email_raw
$ExternalAlert.native_json_raw (supports JSON interpolation)
$ExternalAlert.reported_classification
$ExternalAlert.reported_severity
$ExternalAlert.risk_score
$ExternalAlert.status_and_state
$ExternalAlert.url
ExternalAlertSource
$ExternalAlertSource.display_category
$ExternalAlertSource.name
ExternalAlertSourcePlatform
$ExternalAlertSourcePlatform.display_category
$ExternalAlertSourcePlatform.display_name
In some cases, depending on the fidelity of the External Alert data, you may also be able to use some of the Endpoint-specific variables in your Playbook. However, this will need to be thoroughly tested before you rely on it.
Endpoint specific Playbook variables
If you are using the Email notification Playbook, you will also need to make sure your "Template" setting is configured to use the "Custom Freeform Email" setting. If you choose any of the "Threat" Template settings, the Playbook will not work with an External Alert trigger.
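The following is an added example, not Red Canary's own code or API. It checks a Playbook template against the variable families this article describes for an External Alert trigger, and then simulates the failure mode the article warns about: a reference the trigger cannot populate is left in the output as literal text. The "$Root.field" interpolation syntax, the "threat" trigger mirror case, and the field names $Endpoint.hostname and $Detection.headline are assumptions for illustration; the $ExternalAlert* names are the ones listed above.

```python
import re
from dataclasses import dataclass, field

# Variable roots the article lists as valid in a Playbook fired by an External Alert trigger.
EXTERNAL_ALERT_ROOTS = {"ExternalAlert", "ExternalAlertSource", "ExternalAlertSourcePlatform"}
# Endpoint-specific variables may or may not be populated, depending on alert fidelity.
CONDITIONAL_ROOTS = {"Endpoint"}
# Threat-data roots, which an External Alert trigger does not populate.
THREAT_ROOTS = {"Detection", "Event"}

# Assumed interpolation syntax: "$Root.field" (matches the names shown in the article).
VAR_RE = re.compile(r"\$([A-Za-z]+)\.([A-Za-z_]+)")


@dataclass
class LintResult:
    errors: list = field(default_factory=list)    # variables the trigger will never populate
    warnings: list = field(default_factory=list)  # variables that need testing first
    ok: list = field(default_factory=list)        # variables expected to resolve


def lint_template(template: str, trigger: str = "external_alert") -> LintResult:
    """Classify every $Root.field reference in a Playbook template for the given trigger."""
    if trigger == "external_alert":
        allowed, conditional = EXTERNAL_ALERT_ROOTS, CONDITIONAL_ROOTS
    elif trigger == "threat":
        # Assumed mirror case: a threat-based trigger populates threat data, not External Alert data.
        allowed, conditional = THREAT_ROOTS | CONDITIONAL_ROOTS, set()
    else:
        raise ValueError(f"unknown trigger type: {trigger}")

    result = LintResult()
    for root, fieldname in VAR_RE.findall(template):
        ref = f"${root}.{fieldname}"
        if root in allowed:
            result.ok.append(ref)
        elif root in conditional:
            result.warnings.append(ref)
        else:
            result.errors.append(ref)
    return result


def render_template(template: str, context: dict) -> str:
    """Simulate the failure mode: a reference with no value stays in the output as literal text."""
    def substitute(match):
        root, fieldname = match.group(1), match.group(2)
        value = context.get(root, {}).get(fieldname)
        return match.group(0) if value is None else str(value)
    return VAR_RE.sub(substitute, template)


# Constructed sample: an email body that mixes valid, conditional and invalid references.
# $Endpoint.hostname and $Detection.headline are hypothetical field names.
SAMPLE_TEMPLATE = (
    "Source: $ExternalAlertSource.name\n"
    "Severity: $ExternalAlert.reported_severity\n"
    "Host: $Endpoint.hostname\n"
    "Threat: $Detection.headline\n"
)

# Constructed sample context: what an External Alert trigger could plausibly supply.
SAMPLE_CONTEXT = {
    "ExternalAlertSource": {"name": "USB device control (constructed)"},
    "ExternalAlert": {"reported_severity": "medium"},
}

if __name__ == "__main__":
    report = lint_template(SAMPLE_TEMPLATE)
    for ref in report.errors:
        print(f"ERROR   {ref}: not populated by an External Alert trigger")
    for ref in report.warnings:
        print(f"WARNING {ref}: may be empty depending on alert fidelity; test before relying on it")
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_CONTEXT))
```

Run the script before saving a template: every line reported as ERROR is a reference that will arrive in the notification as the literal variable name, which is exactly the symptom described in the Issue section.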
Cause
This behavior occurs when the Automate Playbook Trigger is set to fire based on External Alert data, but the Playbook is configured to execute based on threat data. Keep in mind that External Alert data is not the same as threat data. In Red Canary, Alert data means External Alerts (generated from alert data sent by your third-party devices, such as firewalls), and Threats means Confirmed Threats (generated from raw event data received from your EDR sensors). These are two completely different things.
See also: $Event and $Endpoint variables not showing data in Automate email notifications