Red Canary

Red Canary provides managed detection and response (MDR) and other security capabilities to protect endpoints, network, cloud workloads, identities, and SaaS applications. You can use the Red Canary plugin with Microsoft Security Copilot to enhance your security operations.

Note

This article contains information about third-party plugins. This is provided to help complete integration scenarios. However, Microsoft does not provide troubleshooting support for third-party plugins. Contact the third-party vendor for support.

Know before you begin

Integration with Security Copilot requires an API key. You must have the Analyst Viewer or Admin role assigned in Red Canary to get your API key, and you'll need to take the following steps before using the plugin.

  1. Get your Red Canary API key. If you don't have one yet, follow these steps:

     a. Go to the Red Canary portal and sign in.

     b. In the upper right corner, next to your name, select View profile.

     c. Under Generate API Authentication Token, select Generate.

        Screenshot showing where you create an API key in Red Canary.

     d. Copy and save your API key. We recommend using a secure password vault.

  2. Sign in to Microsoft Security Copilot.

  3. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  4. Next to Red Canary, select the toggle to enable it.

     Screenshot showing how to turn the Red Canary plugin on.

  5. Provide your Red Canary URL and API Token.

     Screenshot showing where to enter your Red Canary URL and API key.

  6. Save your changes.

Sample Red Canary prompts

After the Red Canary plugin is configured, you can use it by typing Red Canary in your Security Copilot prompt bar, followed by an action. The following screenshot shows Red Canary capabilities you can use.

Screenshot showing available Red Canary skills.

The following table provides several examples you can try:

| API Endpoint | Prompt |
| --- | --- |
| /openapi/v3/endpoints | Show me the 25 most recent endpoints in Red Canary |
| /openapi/v3/endpoint_users | Can you show me the most recent 10 endpoint users in Red Canary? |
| /openapi/v3/detections | Show me the 10 most recent threats in Red Canary |
| /openapi/v3/detections/marked_indicators_of_compromise | Are there any IOCs in Red Canary? |
| /openapi/v3/customer/external_alerts | Can you show me the external alerts in Red Canary? |
| /openapi/v3/customer/external_alerts/{id} | Can you give me more details on Red Canary external alert 371119? |
| /openapi/v3/customer/system_activities | Were there any detector updates in Red Canary? |
| /openapi/v3/customer/intel_reporting | How many events were analyzed by Red Canary? |
| /openapi/v3/detections/{id} | Can you give me more details on Red Canary Threat ID 72? |
| /openapi/v3/endpoints/sensor_id/{sensor_id} | Can you give me more details on Red Canary sensor ID 169428575? |
| /openapi/v3/endpoints/{id} | Can you give me more info on endpoint ID 100000074413556 in Red Canary? |
| /openapi/v3/detections/{id}/timeline | Can you show me the threat timeline entries for Threat ID 72? |
| /openapi/v3/detections/{id}/detectors | Can you list the detectors in Threat 72? |
| /openapi/v3/detections/{id}/related_detections | Can you show me related detections for Threat 72? |
| /openapi/v3/detections/{id}/marked_indicators_of_compromise | Can you show me any IOCs in Threat 72? |
| /openapi/v3/endpoint_users/{id} | Can you give me more information about Endpoint User ID 100000305141114? |
| /openapi/v3/detections/{id}/events | Can you show me all the events in Threat 72? |
| /openapi/v3/endpoint_users/{id}/system_activities | Can you show me the activities for Endpoint User ID 100000305141114? |
| /openapi/v3/endpoints/{id}/endpoint_users | Can you show me the users from Endpoint ID 100000060390802? |
| /openapi/v3/search/ip_addresses/{ip_address} | Can you search for IP address 172.16.16.16 in Red Canary? |
| /openapi/v3/search/endpoint_hostnames/{endpoint_hostname} | Can you search in Red Canary for hostname vtw-ad10a49823a? |
| /openapi/v3/events | Can you show me the most recent events investigated by Red Canary? |
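The endpoint paths in the table are templates whose {id}, {sensor_id}, {ip_address} and {endpoint_hostname} placeholders are filled from values in the prompt. As an added example (not Red Canary's or the plugin's own code), the following Python builds a request URL from those templates and rejects values that would alter the path; the base URL is a placeholder and the hostname syntax rule is an assumption.

```python
import ipaddress
import re
from urllib.parse import quote

# Path templates copied from the table above; placeholders are filled per request.
TEMPLATES = {
    "detection": "/openapi/v3/detections/{id}",
    "detection_timeline": "/openapi/v3/detections/{id}/timeline",
    "endpoint_by_sensor": "/openapi/v3/endpoints/sensor_id/{sensor_id}",
    "search_ip": "/openapi/v3/search/ip_addresses/{ip_address}",
    "search_hostname": "/openapi/v3/search/endpoint_hostnames/{endpoint_hostname}",
}

# Hostname syntax is an assumption (labels of letters, digits and hyphens).
_HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9-]{1,63})*$")

def validate_param(name: str, value: str) -> str:
    """Reject values that could change the path (e.g. '..', '/', '?') before encoding."""
    if name in ("id", "sensor_id"):
        if not value.isdigit():
            raise ValueError(f"{name} must be a decimal integer, got {value!r}")
        return value
    if name == "ip_address":
        return str(ipaddress.ip_address(value))  # raises ValueError on malformed input
    if name == "endpoint_hostname":
        if not _HOSTNAME.match(value):
            raise ValueError(f"invalid hostname {value!r}")
        return value
    raise KeyError(name)

def build_url(base_url: str, skill: str, **params: str) -> str:
    """Fill the template for `skill`, refusing extra or missing placeholders."""
    path = TEMPLATES[skill]
    for name, value in params.items():
        placeholder = "{" + name + "}"
        if placeholder not in path:
            raise KeyError(f"{skill} has no parameter {name!r}")
        # safe="" also encodes '/', so a value can never add a path segment
        path = path.replace(placeholder, quote(validate_param(name, value), safe=""))
    if "{" in path:
        raise ValueError(f"unfilled placeholder in {path}")
    return base_url.rstrip("/") + path

if __name__ == "__main__":
    # Base URL is a placeholder, not a real tenant.
    print(build_url("https://example.invalid", "detection", id="72"))
```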

Frequently Asked Questions (FAQ)

Why are prompts failing?

If prompts fail to invoke, make sure you're using a supported prompt (see the preceding table).

Why am I getting errors?

If you get an error while using the plugin, make sure that there are no AWS outages in your region (AWS US-East-2).

Provide feedback

To provide feedback, contact Red Canary.

See also

Non-Microsoft plugins for Microsoft Security Copilot

Manage plugins in Microsoft Security Copilot