This article is part of an overview of getting started with Red Canary:
- Collect endpoint telemetry
- Collect external alerts
- Detect potential threats (performed by Red Canary)
- Investigate potential threats (performed by Red Canary)
- Respond to threats using automation
Estimated reading time: 5 minutes
The first thing you should do after activating your Red Canary account is begin collecting endpoint telemetry. This telemetry is some of the most valuable data for your security program and is collected by various forms of endpoint sensors.
Select an endpoint sensor
Red Canary supports a number of endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors that have passed our stringent quality tests. Red Canary does not support the multitude of EDR/EPP products that do not collect an acceptable amount of data for investigation and incident response.
Red Canary supports the following endpoint sensors:
- CrowdStrike Falcon
- Elastic Endgame
- Microsoft Defender for Endpoint
- VMware Carbon Black EDR (formerly known as Carbon Black Response)
- VMware Carbon Black Cloud (formerly known as Carbon Black Defense / ThreatHunter)
This list of supported platforms is updated as EDP/EPP vendors update their platforms to meet the minimum requirements for detection, investigation, and incident response.
Deploy endpoint sensors
Endpoint sensors should be deployed using the instructions from your EDR/EPP vendor. All platforms, except for Microsoft Defender for Endpoint on Windows, require the installation of a software application on each endpoint.
Deploy the sensor to all of your endpoints using a deployment tool such as Group Policy Objects (GPO) or Microsoft System Center Configuration Manager (SCCM) on Windows, a mobile device management (MDM) tool such as JAMF on macOS, and Red Hat Package Manager (RPM)/Debian package (DEB) deployment tools on Linux.
Verify sensor deployment
A critical step following deployment is to ensure all endpoints are monitored by your EDR/EPP product and Red Canary. Nearly all long-dwelling security incidents affecting Red Canary users are due to deployment failures that left endpoints unprotected.
- Create a complete list of endpoints in your organization using your inventory tools.
- Visit your EDP/EPP platform’s sensors/endpoints page and verify that the counts and hostnames match the inventory list.
Your Red Canary endpoint dashboard view automatically synchronizes endpoint metadata from your EDR/EPP platform.
Your Red Canary dashboard reports the number of endpoints monitored in the last 72 hours as well as the amount of telemetry collected from those endpoints and analyzed by Red Canary.