Skip to main content
Red Canary help

Investigating potential threats

  • Updated .

This article is part of a walkthrough of getting started with Red Canary:

  1. Collecting endpoint telemetry
  2. Collecting external alerts
  3. Detecting potential threats (performed by Red Canary)
  4. Investigating potential threats (performed by Red Canary)
  5. Responding to confirmed threats

Once Red Canary has identified a potentially threatening event affecting your organization, we investigate that activity to determine if it is  a true or false positive.

Red Canary’s investigation is more than mere triage; we are reviewing the identified process, its behavior, and whether it appears to be malicious or suspicious. Our investigation takes advantage of the deep endpoint telemetry we collect from your endpoints and associated endpoint metadata, identity metadata, and context from adversary behavior across all Red Canary customers.

Viewing analyzed events

The Events view lists many of the potentially threatening events that Red Canary has identified and analyzed to determine if they are threatening or false positives. Each of these events is associated to a process that executed on one of your endpoints, and each is mapped to one or more ATT&CK techniques or indicators of compromise (IOC).

mceclip0.png

Viewing confirmed threats

When Red Canary’s investigation concludes that an event is threatening activity, the threat is confirmed as a detection. Each detection contains a wealth of information about:

  • Endpoints and identities that were involved
  • ATT&CK techniques that we observed being used
  • Analytics, threat intelligence, and alerts that led to the identification of the threat
  • An annotated timeline highlighting the key endpoint activities involving the detection

This information gives every one of your responders, whether they are seasoned IR professionals or members of your help desk, the exact information they need to remediate the threat.

The Confirmed Threats view lists all of the threats confirmed in your environment. 

mceclip1.png

The details of each threat include a wealth of information to enable your response.

mceclip2.png

A timeline is included that shows the key information selected by our team to highlight what happened and why it was threatening:

mceclip3.png

These timeline entries include key milestones and annotations and notes from both our team and yours:

mceclip4.png

Next, learn about how you can use automation to automatically respond to confirmed threats.