Red Canary

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Red Canary provides managed detection and response (MDR) and other security capabilities to protect endpoints, network, cloud workloads, identities, and SaaS applications. You can use the Red Canary plugin with Microsoft Copilot for Security to enhance your security operations.

Set up the Red Canary plugin

Integration with Copilot for Security requires an API key. You must have the Analyst Viewer or Admin role assigned in Red Canary to get your API key.

  1. Get your Red Canary API key. If you don't have one yet, follow these steps:

     a. Go to the Red Canary portal and sign in.

     b. In the upper right corner, next to your name, select View profile.

     c. Under Generate API Authentication Token, select Generate.

        Screenshot showing where you create an API key in Red Canary.

     d. Copy and save your API key. We recommend using a secure password vault.

  2. Sign in to Microsoft Copilot for Security.

  3. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  4. Next to Red Canary, select the toggle to enable it.

    Screenshot showing how to turn on the Red Canary plugin.

  5. Provide your Red Canary URL and API Token.

    Screenshot showing where to enter your Red Canary URL and API key.

  6. Save your changes.

Use the Red Canary plugin

After the Red Canary plugin is configured, you can use it by typing Red Canary in your Copilot for Security prompt bar, followed by an action. The following screenshot shows Red Canary skills you can use.

Screenshot showing available Red Canary skills.

The following table provides several examples you can try:

| API Endpoint | Request Type | Prompt | API Role Required |
| --- | --- | --- | --- |
| openapi/v3/endpoints | GET | Show me the 25 most recent endpoints in Red Canary | Analyst Viewer |
| openapi/v3/audit_logs | GET | Can you show me the 10 most recent audit logs in Red Canary? | Admin |
| openapi/v3/endpoint_users | GET | Can you show me the most recent 10 endpoint users in Red Canary? | Analyst Viewer |
| openapi/v3/detections | GET | Show me the 10 most recent threats in Red Canary | Analyst Viewer |
| /openapi/v3/detections/marked_indicators_of_compromise | GET | Are there any IOCs in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/external_alerts | GET | Can you show me the external alerts in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/external_alerts/{id} | GET | Can you give me more details on Red Canary external alert 371119? | Analyst Viewer |
| /openapi/v3/customer/system_activities | GET | Were there any detector updates in Red Canary? | Analyst Viewer |
| /openapi/v3/customer/intel_reporting | GET | How many events were analyzed by Red Canary? | Analyst Viewer |
| /openapi/v3/detections/{id} | GET | Can you give me more details on Red Canary Threat ID 72? | Analyst Viewer |
| /openapi/v3/managed_portal_users | GET | Can you show me a list of users who have access to the Red Canary portal? | Admin |
| /openapi/v3/endpoints/sensor_id/{sensor_id} | GET | Can you give me more details on Red Canary sensor ID 169428575? | Analyst Viewer |
| /openapi/v3/endpoints/{id} | GET | Can you give me more info on endpoint ID 100000074413556 in Red Canary? | Analyst Viewer |
| /openapi/v3/detections/{id}/timeline | GET | Can you show me the threat timeline entries for Threat ID 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/detectors | GET | Can you list the detectors in Threat 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/related_detections | GET | Can you show me related detections for Threat 72? | Analyst Viewer |
| /openapi/v3/detections/{id}/marked_indicators_of_compromise | GET | Can you show me any IOCs in Threat 72? | Analyst Viewer |
| /openapi/v3/endpoint_users/{id} | GET | Can you give me more information about Endpoint User ID: 100000305141114? | Analyst Viewer |
| /openapi/v3/detections/{id}/events | GET | Can you show me all the events in Threat 72? | Analyst Viewer |
| /openapi/v3/endpoint_users/{id}/system_activities | GET | Can you show me the activities for Endpoint User ID 100000305141114? | Analyst Viewer |
| /openapi/v3/endpoints/{id}/endpoint_users | GET | Can you show me the users from Endpoint ID: 100000060390802? | Analyst Viewer |
| /openapi/v3/search/ip_addresses/{ip_address} | GET | Can you search for IP address 172.16.16.16 in Red Canary? | Analyst Viewer |
| /openapi/v3/search/endpoint_hostnames/{endpoint_hostname} | GET | Can you search in Red Canary for hostname vtw-ad10a49823a? | Analyst Viewer |
| /openapi/v3/events | GET | Can you show me the most recent events investigated by Red Canary? | Analyst Viewer |

Frequently Asked Questions (FAQ)

Why are prompts failing?

If prompts fail to invoke, make sure you're using a supported prompt (see the preceding table). Otherwise, invoke Red Canary by using /.

Why am I getting errors?

If you get an error while using the plugin, make sure that there are no AWS outages in your region (AWS US-East-2).

See also

Other plugins for Microsoft Copilot for Security

Manage plugins in Microsoft Copilot for Security