Red Canary now uses MITRE's ATT&CK framework as our common language for the adversary tactics and techniques your organization faces. You can learn more about this transformation in these posts:
- Part 1: Why We’re Using ATT&CK Across Red Canary
- Part 2: Designing ATT&CK Interfaces in Red Canary
- Part 3: Mapping our detectors to ATT&CK techniques
All 800+ Red Canary detectors have been mapped to the ATT&CK techniques they hunt for and identify. This allows us to show the detectors, techniques, and tactics in play for each detection.
This launch unlocks several new views in your Red Canary portal.
The Endpoint and Endpoint User involved in a detection are now reported at the top of your detection. If the detection affects your CEO's laptop or your domain controllers, that fact, along with the threat classification, is the most important information to see first.
The tactics involved with each detection are listed alongside the associated techniques and Red Canary detectors.
Clicking View in ATT&CK Matrix displays a full ATT&CK matrix with the detection's techniques highlighted. This view can be helpful to screenshot and compare with others using ATT&CK matrices.
Though the vast majority of our detections come from purely behavioral detectors, we felt it was important to show clearly what types of intelligence contributed to each detection. The Contributing Intelligence section now displays this information.
The detector categories displayed in the What Our Engine Observed section now sit in a collapsed panel and will be decommissioned in the coming weeks.
The Detections by Observed Tactic report replaces the soon-to-be-decommissioned Detection report and displays the number of potentially threatening events and confirmed detections identified for each Observed Tactic. Expanding any row shows the detections that involve that tactic.
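As an added illustration of the detector-to-technique mapping and the Detections by Observed Tactic roll-up described above, the following example (not Red Canary's code) models a few hypothetical detectors, maps them through real ATT&CK technique IDs to their tactics, and counts events and confirmed detections per tactic. The detector names, detection records and the sample data are constructed; the technique-to-tactic entries are taken from ATT&CK.

```python
from collections import defaultdict

# Hypothetical detector names mapped to ATT&CK technique IDs (constructed sample,
# not the real Red Canary detector mapping).
DETECTOR_TECHNIQUES = {
    "powershell_encoded_command": ["T1059.001"],   # PowerShell
    "scheduled_task_creation": ["T1053.005"],      # Scheduled Task
    "lsass_memory_access": ["T1003.001"],          # OS Credential Dumping: LSASS Memory
}

# Real ATT&CK tactic assignments; note that one technique can belong to several tactics.
TECHNIQUE_TACTICS = {
    "T1059.001": ["Execution"],
    "T1053.005": ["Execution", "Persistence", "Privilege Escalation"],
    "T1003.001": ["Credential Access"],
}

# Constructed detection records: each lists the detectors that fired and whether
# the event was confirmed as a detection after review.
SAMPLE_DETECTIONS = [
    {"id": "D-1", "endpoint": "ceo-laptop", "confirmed": True,
     "detectors": ["powershell_encoded_command", "scheduled_task_creation"]},
    {"id": "D-2", "endpoint": "dc01", "confirmed": True, "detectors": ["lsass_memory_access"]},
    {"id": "D-3", "endpoint": "ws-042", "confirmed": False, "detectors": ["scheduled_task_creation"]},
]


def enrich_detection(detection):
    """Return the detection with the techniques and tactics in play, derived from its detectors.
    An unmapped detector is a data-quality error, so it raises rather than being silently dropped."""
    unmapped = [d for d in detection["detectors"] if d not in DETECTOR_TECHNIQUES]
    if unmapped:
        raise KeyError(f"detectors without an ATT&CK mapping: {unmapped}")
    techniques = sorted({t for d in detection["detectors"] for t in DETECTOR_TECHNIQUES[d]})
    tactics = sorted({tac for t in techniques for tac in TECHNIQUE_TACTICS[t]})
    return {**detection, "techniques": techniques, "tactics": tactics}


def detections_by_observed_tactic(detections):
    """Build the per-tactic report: every event counts once under each tactic it touches,
    and confirmed detections are listed so a row can be expanded to show them."""
    report = defaultdict(lambda: {"events": 0, "confirmed": 0, "detections": []})
    for det in map(enrich_detection, detections):
        for tactic in det["tactics"]:
            row = report[tactic]
            row["events"] += 1
            if det["confirmed"]:
                row["confirmed"] += 1
                row["detections"].append(det["id"])
    return dict(report)


if __name__ == "__main__":
    for tactic, row in sorted(detections_by_observed_tactic(SAMPLE_DETECTIONS).items()):
        print(f"{tactic:22} events={row['events']} confirmed={row['confirmed']} {row['detections']}")
```

Because T1053.005 carries three tactics, the single scheduled-task event in D-3 appears under Execution, Persistence and Privilege Escalation, which is why the per-tactic totals exceed the number of detections.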