This article is part of a walkthrough of getting started with Red Canary:
- Collecting endpoint telemetry
- Collecting external alerts
- Detecting potential threats (performed by Red Canary)
- Investigating potential threats (performed by Red Canary)
- Responding to confirmed threats
The first thing you should do after activating your Red Canary account is begin collecting endpoint telemetry. This telemetry is some of the most valuable data for your security program and is collected by various forms of endpoint sensors.
Selecting an endpoint sensor
Red Canary supports a number of endpoint detection and response (EDR) / endpoint protection platform (EPP) sensors that have passed our stringent quality tests. Red Canary does not support the multitude of EDR/EPP products that do not collect an acceptable amount of data for investigation and incident response.
Red Canary supports the following endpoint sensors:
- CrowdStrike Falcon
- Elastic Endgame
- Microsoft Defender ATP
- VMware Carbon Black EDR (formerly known as Carbon Black Response)
- VMware Carbon Black Cloud (formerly known as Carbon Black Defense / ThreatHunter)
This list of supported platforms is updated as EDR/EPP vendors update their platforms to meet the minimum requirements for detection, investigation, and incident response.
Deploying endpoint sensors
Endpoint sensors should be deployed using the instructions from your EDR/EPP vendor. All platforms except for Microsoft Defender ATP on Windows require the installation of a software application on each endpoint.
Deploy the sensor to all of your endpoints using a deployment tool such as GPO or SCCM on Windows, a mobile device management (MDM) tool such as JAMF on macOS, or RPM/DEB package deployment tools on Linux.
Verifying sensor deployment
A critical step following deployment is to ensure all endpoints are monitored by your EDR/EPP product and Red Canary. Nearly all long-dwelling security incidents affecting Red Canary customers are due to deployment failures that left endpoints unprotected.
To verify sensor deployment:
- Create a complete list of endpoints in your organization using your inventory tools.
- Visit your EDR/EPP platform’s sensors/endpoints page and verify that the counts and hostnames match the inventory list.
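Comparing counts by eye misses the cases that matter: a host that is in the inventory but never received a sensor, a sensor on a machine nobody inventoried, and a sensor that stopped checking in. The script below is an added example of that reconciliation and is not Red Canary's or any EDR vendor's tooling. The two CSV inputs are constructed sample data; the column names (hostname, last_seen), the timestamp format, and the 72-hour staleness window are assumptions to adjust to whatever your inventory and EDR/EPP console actually export.

```python
"""Reconcile an asset inventory against an EDR/EPP sensor export.

Added example (not vendor code). Inputs are constructed sample data; the
column names, timestamp format and staleness window are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory export (e.g. a CMDB or directory dump).
# Note the mixed case and the mix of FQDNs and short names.
INVENTORY_CSV = """hostname
WS-FIN-01.corp.example
ws-fin-02.corp.example
srv-db-01.corp.example
LT-SALES-07
"""

# Constructed sample sensor export from the EDR/EPP console.
SENSOR_CSV = """hostname,last_seen
ws-fin-01,2024-05-01T08:00:00Z
srv-db-01.corp.example,2024-04-20T08:00:00Z
lt-sales-07,2024-05-01T09:30:00Z
build-agent-99,2024-05-01T07:15:00Z
"""

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

# Assumed window: a sensor silent for longer than this is treated as stale.
STALE_AFTER = timedelta(hours=72)


def normalize(hostname: str) -> str:
    """Lowercase and drop the DNS suffix so 'WS-FIN-01.corp.example'
    and 'ws-fin-01' compare equal."""
    return hostname.strip().lower().split(".")[0]


def load_inventory(text: str) -> set:
    """Return the set of normalized hostnames from an inventory CSV."""
    return {
        normalize(row["hostname"])
        for row in csv.DictReader(io.StringIO(text))
        if row["hostname"].strip()
    }


def load_sensors(text: str) -> dict:
    """Return {normalized hostname: last check-in (UTC datetime)}."""
    sensors = {}
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(row["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
        sensors[normalize(row["hostname"])] = seen.replace(tzinfo=timezone.utc)
    return sensors


def reconcile(inventory: set, sensors: dict, now: datetime,
              stale_after: timedelta = STALE_AFTER):
    """Return (missing, unknown, stale), each a sorted list of hostnames:
    missing  - inventoried hosts with no sensor at all
    unknown  - sensors on hosts absent from the inventory
    stale    - sensors that have not checked in within stale_after
    """
    sensor_hosts = set(sensors)
    missing = sorted(inventory - sensor_hosts)
    unknown = sorted(sensor_hosts - inventory)
    stale = sorted(h for h, seen in sensors.items() if now - seen > stale_after)
    return missing, unknown, stale


def run(now: datetime = NOW):
    """Reconcile the embedded sample data; returns (missing, unknown, stale)."""
    return reconcile(load_inventory(INVENTORY_CSV), load_sensors(SENSOR_CSV), now)


if __name__ == "__main__":
    missing, unknown, stale = run()
    print("No sensor (deploy):      ", ", ".join(missing) or "-")
    print("Not in inventory (review):", ", ".join(unknown) or "-")
    print("Stale sensor (investigate):", ", ".join(stale) or "-")
```

Each of the three lists maps to a different follow-up: "missing" hosts need a sensor deployed, "unknown" hosts need to be added to the inventory or explained, and "stale" sensors are the ones most likely to have been uninstalled or blocked. Replace the embedded CSV strings with the real exports and re-run on a schedule rather than once after rollout, since the gaps this finds reopen as machines are rebuilt.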
Your Red Canary endpoint view automatically synchronizes endpoint metadata from your EDR/EPP platform.
Your Red Canary dashboard reports the number of endpoints monitored in the last 72 hours as well as the amount of telemetry collected from those endpoints and analyzed by Red Canary: