Many EDR products with preventative capabilities, such as anti-virus, will generate an alert when they block malware execution on an endpoint. In the past, when no additional malicious behavior had occurred, Red Canary marked such alerts as “Mitigated by Control”.
If you receive an alert for blocked malware that is later-stage malware, such as C2 infrastructure, hack tools, or ransomware, that alert warrants additional investigation and analysis by Red Canary, and users should expect to see a published threat in their portal. Additionally, if there is behavior leading up to the anti-virus mitigation, Red Canary will treat the activity as malicious and publish a threat.
Example of alert:
Note: Moving forward, alerts for malware that were Mitigated By Control will be labeled “Threat” on the alerts page, but they will not have a corresponding published threat.
Red Canary makes an effort to publish threats for behaviors that require our users’ prompt attention. Because these Mitigated By Control alerts are for activity that the EDR product has already prevented, there is usually no need to take any additional action. In cases where we can’t provide additional context or a suggested action, we generally do not issue a published threat.
You should use Automate to get notified when one of these alerts is marked as a threat.
Example playbook:
If you require assistance setting up a notification for these alerts, please contact Technical Support via the Contact Us button in your portal.