Providing detection feedback is an essential foundation for understanding key metrics such as your team's Mean Time to Response and Mean Time to Remediation, and for tuning Red Canary's detection process for your organization.
Detection feedback is built into our platform; gone are the days of emails to a SOC or frustrating forms to fill out.
When you've reviewed a Detection, you should mark the Detection as Remediated or Not Remediated.
When you mark a detection as remediated, two things happen:
- The Red Canary platform calculates your "Time to Response" for that Detection.
- Any future activity related to this threat on this endpoint will result in a new Detection. This indicates that the threat was either incompletely remediated or the endpoint was reinfected.
Mark a detection as Not Remediated
There are three common reasons you may choose not to remediate a specific detection:
- The risk does not warrant remediation. Sometimes we confirm threats that your organization has chosen not to remediate. The most common example is a specific piece of unwanted software that you have decided to allow across your endpoints.
- This is acceptable under certain circumstances. If your security team is testing your defenses with tools like Metasploit or using frameworks like Empire, Red Canary is going to detect that activity and confirm it as a threat. This feedback mechanism allows you to say "Please don't alert me to this specific threat for this specific set of users or endpoints".
Another common reason to mark a Detection as acceptable is dual-use tools such as Fiddler or Tor that parts of your organization use for legitimate business purposes. In those cases, you can request that Red Canary not notify you about those uses in the future. Your feedback can and should be limited to the users, endpoints, and endpoint groups where you feel this activity is allowed.
If you do not select a check box and do not add a note in the box, the detection will be closed as "Sanctioned Activity" with no scope attached, and all future related activity, including on this endpoint or user, will still be detected.
Note that this feedback currently results in procedural guidance to the Red Canary CIRT and does NOT automatically suppress that activity. This means that if you say "Metasploit is acceptable everywhere!", you'll likely get a call from your Incident Handler asking you if we can scope that guidance down.
- This activity was incorrectly identified as a threat. This feedback is used when the Detection is a complete false positive and is clearly not a threat. These happen about once per thousand Detections, but we will always err on the side of a false positive if we aren't certain the activity is acceptable.
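As an added illustration, not Red Canary's own code or platform logic, the following Python models the rules above from the defender's side: how scoped "acceptable activity" feedback is matched against a later detection, why unscoped feedback matches nothing, and how a detection that recurs on an endpoint after it was marked Remediated is flagged. All threat labels, hosts, users and groups are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Detection:
    threat: str        # constructed threat label, e.g. "Metasploit"
    endpoint: str
    user: str
    groups: frozenset  # endpoint groups this endpoint belongs to
    detected_at: datetime

@dataclass(frozen=True)
class SanctionedScope:
    """'Acceptable under certain circumstances' feedback, limited to users,
    endpoints or endpoint groups. All three empty = unscoped, which matches nothing."""
    threat: str
    users: frozenset = frozenset()
    endpoints: frozenset = frozenset()
    groups: frozenset = frozenset()

    def covers(self, d: Detection) -> bool:
        if d.threat != self.threat or not (self.users or self.endpoints or self.groups):
            return False
        return d.user in self.users or d.endpoint in self.endpoints or bool(d.groups & self.groups)

def time_to_response(detected_at: datetime, marked_remediated_at: datetime) -> timedelta:
    """Time to Response measured from detection to the 'Remediated' mark."""
    return marked_remediated_at - detected_at

def triage(d: Detection, feedback: list, remediated: dict) -> str:
    """remediated maps (threat, endpoint) -> when that threat was last marked Remediated."""
    if any(fb.covers(d) for fb in feedback):
        return "in sanctioned scope"            # prior guidance applies; still confirm with the handler
    last = remediated.get((d.threat, d.endpoint))
    if last is not None and d.detected_at > last:
        return "re-detected after remediation"  # incomplete remediation or reinfection
    return "new detection"

# Constructed sample data: a scoped red-team exception, an unscoped Tor note, one prior remediation.
T0 = datetime(2024, 1, 1, 9, 0)
FEEDBACK = [SanctionedScope("Metasploit", users=frozenset({"pentester1"}), groups=frozenset({"redteam-lab"})),
            SanctionedScope("Tor")]
REMEDIATED = {("sample-malware", "host-07"): T0 + timedelta(hours=2)}

def run_sample() -> list:
    d1 = Detection("Metasploit", "host-01", "pentester1", frozenset({"corp"}), T0)
    d2 = Detection("Tor", "host-02", "alice", frozenset({"corp"}), T0)
    d3 = Detection("sample-malware", "host-07", "bob", frozenset({"corp"}), T0 + timedelta(days=1))
    return [triage(d, FEEDBACK, REMEDIATED) for d in (d1, d2, d3)]
```

Because the unscoped Tor entry matches nothing, the Tor detection is still surfaced, which mirrors the "Sanctioned Activity" case described above.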
Reopening a Detection
If you've marked a detection as either Remediated or Not Remediated and need to reverse that decision, click Re-open this detection. See the Reopen a detection you've marked as Remediated article for details.