This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Red Canary provides managed detection and response (MDR) and other security capabilities to protect endpoints, network, cloud workloads, identities, and SaaS applications. You can use the Red Canary plugin with Microsoft Security Copilot to enhance your security operations.
Note
This article contains information about third-party plugins. This is provided to help complete integration scenarios. However, Microsoft does not provide troubleshooting support for third-party plugins. Contact the third-party vendor for support.
Integration with Security Copilot requires an API Key. You must have the Analyst Viewer or Admin role assigned in Red Canary to get your API key and you'll need to take the following steps before using the plugin.
Get your Red Canary API key. If you don't have one yet, follow these steps:
Go to Red Canary portal and sign in.
In the upper right corner, next to your name, select View profile.
Under Generate API Authentication Token, select Generate.
Copy and save your API key. We recommend using a secure password vault.
Sign in to Microsoft Security Copilot.
Access Manage Plugins by selecting the Plugin button from the prompt bar.
Next to Red Canary, select the toggle to enable it.
Provide your Red Canary URL and API Token.
Save your changes.
After the Red Canary plugin is configured, you can use it by typing Red Canary in your Security Copilot prompt bar, followed by an action. The following screenshot shows Red Canary capabilities you can use.
The following table provides several examples you can try:
| API Endpoint | Prompt |
|---|---|
openapi/v3/endpoints |
Show me the 25 most recent endpoints in Red Canary |
openapi/v3/endpoint_users |
Can you show me the most recent 10 endpoint users in Red Canary? |
openapi/v3/detections |
Show me the 10 most recent threats in Red Canary |
/openapi/v3/detections/marked_indicators_of_compromise |
Are there any IOCs in Red Canary? |
/openapi/v3/customer/external_alerts |
Can you show me the external alerts in Red Canary? |
/openapi/v3/customer/external_alerts/{id} |
Can you give me more details on Red Canary external alert 371119? |
/openapi/v3/customer/system_activities |
Were their any detector updates in Red Canary? |
/openapi/v3/customer/intel_reporting |
How many events were analyzed by Red Canary |
/openapi/v3/detections/{id} |
Can you give me more details on Red Canary Threat ID 72? |
/openapi/v3/endpoints/sensor_id/{sensor_id} |
Can you give me more details on Red Canary sensor ID 169428575? |
/openapi/v3/endpoints/{id} |
Can you give me more info on endpoint ID 100000074413556 in Red Canary? |
/openapi/v3/detections/{id}/timeline |
Can you show me the threat timeline entries for Threat ID 72? |
/openapi/v3/detections/{id}/detectors |
Can you list the detectors in Threat 72? |
/openapi/v3/detections/{id}/related_detections |
Can you show me related detections for Threat 72? |
/openapi/v3/detections/{id}/marked_indicators_of_compromise |
Can you show me an IOCs in Threat 72? |
/openapi/v3/endpoint_users/{id} |
Can you give me more information about Endpoint User ID: 100000305141114? |
/openapi/v3/detections/{id}/events |
Can you show me all the events in Threat 72? |
/openapi/v3/endpoint_users/{id}/system_activities |
Can you show me the activities for Endpoint User ID 100000305141114 |
/openapi/v3/endpoints/{id}/endpoint_users |
Can you show me the users from Endpoint ID: 100000060390802? |
/openapi/v3/search/ip_addresses/{ip_address} |
can you search for ip address 172.16.16.16 in Red Canary? |
/openapi/v3/search/endpoint_hostnames/{endpoint_hostname} |
Can you search in Red Canary for hostname vtw-ad10a49823a? |
/openapi/v3/events |
Can you show me the most recent events investigated by Red Canary? |
If prompts fail to invoke, make sure you're using a supported prompt (see the preceding table).
If you get an error while using the plugin, make sure that there are no AWS outages in your region (AWS US-East-2).
To provide feedback, contact Red Canary.
Non-Microsoft plugins for Microsoft Security Copilot Manage plugins in Microsoft Security Copilot
Training
Module
Describe the core features of Microsoft Security Copilot - Training
Describe the core features of Microsoft Security Copilot.
Certification
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
Documentation
CheckPhish and Microsoft Security Copilot
Learn how to use the CheckPhish plugin with Microsoft Security Copilot.
Cybersixgill and Microsoft Security Copilot
Learn about the Cybersixgill plugin you can use with Microsoft Security Copilot.
Whoisfreaks and Microsoft Security Copilot
Learn about the Whoisfreaks plugin you can use with Microsoft Security Copilot.