This article is part of an overview of getting started with Red Canary:
- Collect endpoint telemetry
- Collect external alerts
- Monitor endpoints
- Detect potential threats (performed by Red Canary)
- Investigate potential threats (performed by Red Canary)
- Respond to threats using automation
The first thing you should do after activating your Red Canary account is to begin collecting endpoint telemetry. This telemetry is some of the most valuable data for your security program and is collected by various forms of endpoint sensors.
Select an endpoint sensor
Red Canary supports a number of endpoint detection and response (EDR) and endpoint protection platform (EPP) sensors that have passed our quality tests. EDR/EPP products that do not collect enough telemetry to support investigation and incident response are not supported. See Supported alert sources for threat investigation for the list of endpoint agents that Red Canary supports.
Deploy endpoint sensors
Endpoint sensors should be deployed using the instructions from your EDR/EPP vendor. All platforms require the installation of a software agent on each endpoint, with the exception of Microsoft Defender for Endpoint on Windows, where the sensor is built into supported Windows versions and is onboarded with a script or policy rather than installed.
Deploy the sensor to all of your endpoints using a deployment tool such as Group Policy Objects (GPO) or Microsoft System Center Configuration Manager (SCCM) on Windows, a mobile device management (MDM) tool such as Jamf on macOS, and your configuration management tooling pushing RPM or DEB packages on Linux.
Verify sensor deployment
A critical step following deployment is to ensure all endpoints are monitored by your EDR/EPP product and Red Canary. Nearly all long-dwelling security incidents affecting Red Canary users are due to deployment failures that left endpoints unprotected.
- Create a complete list of endpoints in your organization using your inventory tools (CMDB, directory, MDM, or cloud inventory).
- Visit your EDR/EPP platform's sensors/endpoints page and verify that the hostnames, not just the counts, match the inventory list. Matching counts alone can hide a missing endpoint offset by an unknown or decommissioned host that still reports a sensor.
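The reconciliation described in the two steps above, written out as an added example (this is not Red Canary's or any EDR vendor's code). It assumes two CSV exports, one from your inventory tool and one from the EDR/EPP sensor page; the column names, hostnames and timestamps below are constructed for the example, as is the 72-hour staleness threshold, which mirrors the window the dashboard uses. The script normalizes hostnames so that a short NetBIOS-style name and an FQDN compare equal, then reports three classes of gap: inventory hosts with no sensor, hosts whose sensor has stopped checking in, and sensors on hosts the inventory does not know about.

```python
"""Reconcile an asset inventory against an EDR/EPP sensor export.

Added example, not Red Canary's code. Both CSV snippets below are
constructed stand-ins for an inventory export and a sensor-list export;
real exports will have different column names.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory export: hostnames as the CMDB or directory lists them.
INVENTORY_CSV = """hostname,owner
ws-finance-01.corp.example.com,finance
ws-finance-02.corp.example.com,finance
srv-db-01.corp.example.com,dba
lt-sales-07.corp.example.com,sales
"""

# Constructed EDR sensor export; last_seen is ISO 8601 in UTC.
SENSORS_CSV = """hostname,sensor_version,last_seen
WS-FINANCE-01,7.2.1,2024-05-20T09:15:00Z
srv-db-01.corp.example.com,7.2.1,2024-05-20T08:40:00Z
lt-sales-07,7.1.9,2024-05-10T17:05:00Z
old-build-box,7.0.0,2024-05-19T22:00:00Z
"""

# Frozen clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
# Assumed threshold: a sensor silent for longer than this is treated as not monitored.
STALE_AFTER = timedelta(hours=72)


def normalize(hostname: str) -> str:
    """Lower-case and drop the domain suffix so 'WS-FINANCE-01' and
    'ws-finance-01.corp.example.com' compare equal."""
    return hostname.strip().lower().split(".")[0]


@dataclass
class Reconciliation:
    missing_sensor: list  # in inventory, no sensor reported at all
    stale_sensor: list    # sensor present but last check-in older than STALE_AFTER
    unknown_host: list    # sensor reports a host the inventory does not know


def reconcile(inventory_csv: str, sensors_csv: str,
              now: datetime = NOW, stale_after: timedelta = STALE_AFTER) -> Reconciliation:
    """Compare normalized hostnames from both exports and classify the gaps."""
    inventory = {normalize(row["hostname"])
                 for row in csv.DictReader(io.StringIO(inventory_csv))}

    sensors = {}
    for row in csv.DictReader(io.StringIO(sensors_csv)):
        last_seen = datetime.strptime(row["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        sensors[normalize(row["hostname"])] = last_seen.replace(tzinfo=timezone.utc)

    missing = sorted(inventory - sensors.keys())
    stale = sorted(host for host in inventory & sensors.keys()
                   if now - sensors[host] > stale_after)
    unknown = sorted(sensors.keys() - inventory)
    return Reconciliation(missing, stale, unknown)


if __name__ == "__main__":
    report = reconcile(INVENTORY_CSV, SENSORS_CSV)
    print("No sensor:      ", report.missing_sensor)
    print("Stale sensor:   ", report.stale_sensor)
    print("Not in inventory:", report.unknown_host)
```

Note the two caveats built into this check. Stripping the domain suffix is what makes the comparison work across exports, but it also collapses hosts that share a short name in different domains, so keep the FQDN if your environment has those. And the sensor and inventory counts in this sample are both four, yet one inventory host has no sensor and one sensor sits on an unknown host; comparing hostnames rather than totals is what surfaces that.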
Your Red Canary endpoint dashboard view automatically synchronizes endpoint metadata from your EDR/EPP platform.
Your Red Canary dashboard reports the number of endpoints monitored in the last 72 hours as well as the amount of telemetry collected from those endpoints and analyzed by Red Canary.