Red Canary
Important
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Red Canary provides managed detection and response (MDR) and other security capabilities to protect endpoints, network, cloud workloads, identities, and SaaS applications. You can use the Red Canary plugin with Microsoft Copilot for Security to enhance your security operations.
Note
This article contains information about third-party plugins. This is provided to help complete integration scenarios. However, Microsoft does not provide troubleshooting support for third-party plugins. Contact the third-party vendor for support.
Know before you begin
Integration with Copilot for Security requires an API key. To obtain one, you must have the Analyst Viewer or Admin role assigned in Red Canary. Complete the following steps before using the plugin.
1. Get your Red Canary API key. If you don't have one yet, follow these steps:
   1. Go to the Red Canary portal and sign in.
   2. In the upper right corner, next to your name, select View profile.
   3. Under Generate API Authentication Token, select Generate.
   4. Copy and save your API key. We recommend using a secure password vault.
2. Sign in to Microsoft Copilot for Security.
3. Access Manage Plugins by selecting the Plugin button from the prompt bar.
4. Next to Red Canary, select the toggle to enable it.
5. Provide your Red Canary URL and API Token.
6. Save your changes.
Sample Red Canary prompts
After the Red Canary plugin is configured, you can use it by typing Red Canary in your Copilot for Security prompt bar, followed by an action. The following screenshot shows the Red Canary capabilities you can use.
The following table provides several examples you can try:
| API Endpoint | Request Type | Prompt | API Role Required |
|---|---|---|---|
| openapi/v3/endpoints | GET | Show me the 25 most recent endpoints in Red Canary | Analyst Viewer |
| openapi/v3/audit_logs | GET | Can you show me the 10 most recent audit logs in Red Canary? | Admin |
| openapi/v3/endpoint_users | GET | Can you show me the most recent 10 endpoint users in Red Canary? | Analyst Viewer |
| openapi/v3/detections | GET | Show me the 10 most recent threats in Red Canary | Analyst Viewer |
| /openapi/v3/detections/marked_indicators_of_compromise | GET | Are there any IOCs in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/external_alerts | GET | Can you show me the external alerts in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/external_alerts/{id} | GET | Can you give me more details on Red Canary external alert 371119? | Analyst Viewer |
| /openapi/v3/customer/system_activities | GET | Were there any detector updates in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/intel_reporting | GET | How many events were analyzed by Red Canary? | Analyst Viewer |
| /openapi/v3/detections/{id} | GET | Can you give me more details on Red Canary Threat ID 72? | Analyst Viewer |
| /openapi/v3/managed_portal_users | GET | Can you show me a list of users who have access to the Red Canary portal? | Admin |
| /openapi/v3/endpoints/sensor_id/{sensor_id} | GET | Can you give me more details on Red Canary sensor ID 169428575? | Analyst Viewer |
| /openapi/v3/endpoints/{id} | GET | Can you give me more info on endpoint ID 100000074413556 in Red Canary? | Analyst Viewer |
| /openapi/v3/detections/{id}/timeline | GET | Can you show me the threat timeline entries for Threat ID 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/detectors | GET | Can you list the detectors in Threat 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/related_detections | GET | Can you show me related detections for Threat 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/marked_indicators_of_compromise | GET | Can you show me any IOCs in Threat 72? | Analyst Viewer |
| /openapi/v3/endpoint_users/{id} | GET | Can you give me more information about Endpoint User ID: 100000305141114? | Analyst Viewer |
| /openapi/v3/detections/{id}/events | GET | Can you show me all the events in Threat 72? | Analyst Viewer |
| /openapi/v3/endpoint_users/{id}/system_activities | GET | Can you show me the activities for Endpoint User ID 100000305141114? | Analyst Viewer |
| /openapi/v3/endpoints/{id}/endpoint_users | GET | Can you show me the users from Endpoint ID: 100000060390802? | Analyst Viewer |
| /openapi/v3/search/ip_addresses/{ip_address} | GET | Can you search for IP address 172.16.16.16 in Red Canary? | Analyst Viewer |
| /openapi/v3/search/endpoint_hostnames/{endpoint_hostname} | GET | Can you search in Red Canary for hostname vtw-ad10a49823a? | Analyst Viewer |
| /openapi/v3/events | GET | Can you show me the most recent events investigated by Red Canary? | Analyst Viewer |
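Every prompt in the table above resolves to a GET against a Red Canary endpoint, and the `{id}`, `{sensor_id}`, `{ip_address}` and `{endpoint_hostname}` path parameters are filled in from free-text prompts. The following is an added example (it is not code from this article, from Microsoft, or from Red Canary) showing how a defender can build those requests safely: it checks that the API token's role meets the role listed in the table before a request is issued, validates each path parameter according to its type so that prompt text cannot alter the path, and URL-encodes the result. The endpoint-to-role mapping is a subset copied from the table; the `Authorization: Bearer` header, the role ordering (Admin covers Analyst Viewer), and `example.invalid` as the base URL are assumptions and should be confirmed against Red Canary's API documentation.

```python
"""Build role-checked, validated GET requests for the Red Canary plugin endpoints.

Added example; not code from the article, Microsoft, or Red Canary.
"""
import ipaddress
import re
from urllib.parse import quote

# Endpoint template -> required API role, taken from the prompt table above (subset).
REQUIRED_ROLE = {
    "/openapi/v3/endpoints": "Analyst Viewer",
    "/openapi/v3/audit_logs": "Admin",
    "/openapi/v3/endpoint_users": "Analyst Viewer",
    "/openapi/v3/detections": "Analyst Viewer",
    "/openapi/v3/detections/{id}": "Analyst Viewer",
    "/openapi/v3/detections/{id}/timeline": "Analyst Viewer",
    "/openapi/v3/managed_portal_users": "Admin",
    "/openapi/v3/endpoints/sensor_id/{sensor_id}": "Analyst Viewer",
    "/openapi/v3/search/ip_addresses/{ip_address}": "Analyst Viewer",
    "/openapi/v3/search/endpoint_hostnames/{endpoint_hostname}": "Analyst Viewer",
}

# Assumption: Admin is a superset of Analyst Viewer for read access.
ROLE_RANK = {"Analyst Viewer": 1, "Admin": 2}

# RFC 1123-style hostname labels: alphanumerics and hyphens, no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def _validate_id(value):
    """Numeric identifiers only; rejects anything like '../audit_logs'."""
    text = str(value)
    if not text.isdigit():
        raise ValueError(f"numeric id expected, got {value!r}")
    return text


def _validate_ip(value):
    """Accepts IPv4 or IPv6 literals; ipaddress raises ValueError on anything else."""
    return str(ipaddress.ip_address(str(value).strip()))


def _validate_hostname(value):
    if not _HOSTNAME_RE.match(str(value)):
        raise ValueError(f"invalid hostname {value!r}")
    return str(value)


# Path parameter name -> validator. Each parameter is checked by type before use.
VALIDATORS = {
    "id": _validate_id,
    "sensor_id": _validate_id,
    "ip_address": _validate_ip,
    "endpoint_hostname": _validate_hostname,
}


def build_request(base_url, template, token, caller_role, **params):
    """Return (url, headers) for a GET to `template`.

    Raises PermissionError if `caller_role` is below the role the table requires,
    and ValueError if a path parameter is missing, unexpected, or malformed.
    """
    required = REQUIRED_ROLE[template]
    if ROLE_RANK[caller_role] < ROLE_RANK[required]:
        raise PermissionError(f"{template} requires {required}; token has {caller_role}")

    path = template
    for name, raw in params.items():
        placeholder = "{" + name + "}"
        if placeholder not in template:
            raise ValueError(f"unexpected parameter {name!r} for {template}")
        clean = VALIDATORS[name](raw)
        # safe="" also encodes '/', so a validated value can never add path segments.
        path = path.replace(placeholder, quote(clean, safe=""))
    if "{" in path:
        raise ValueError(f"missing path parameter for {template}")

    url = base_url.rstrip("/") + path
    # Assumption: bearer-token header. Confirm the header name with Red Canary's API docs.
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return url, headers


if __name__ == "__main__":
    # Constructed sample values; example.invalid is a placeholder, not a real tenant URL.
    url, headers = build_request(
        "https://example.invalid", "/openapi/v3/detections/{id}", "TOKEN-PLACEHOLDER",
        "Analyst Viewer", id=72,
    )
    print(url, sorted(headers))
```

The request is deliberately not sent here so the example runs offline; pass the returned `url` and `headers` to your HTTP client of choice. Catching `PermissionError` before calling the API is what lets you tell a user that, for example, the audit-log prompt needs an Admin token rather than surfacing a generic API failure.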
Frequently Asked Questions (FAQ)
Why are prompts failing?
If prompts fail to invoke, make sure you're using a supported prompt (see the preceding table). Otherwise, invoke Red Canary by using /.
Why am I getting errors?
If you get an error while using the plugin, make sure that there are no AWS outages in your region (AWS US-East-2).
Provide feedback
To provide feedback, contact Red Canary.