This article is part of an overview of getting started with Red Canary:

1. Collect endpoint telemetry
2. Collect external alerts
3. Detect potential threats (performed by Red Canary)
4. Investigate potential threats (performed by Red Canary)
5. Respond to threats using automation

Estimated reading time: 5 minutes

Once Red Canary has identified a potentially threatening event affecting your organization, we investigate that activity to determine if it is a real threat or false positive.

Red Canary’s investigation is more than mere triage; we review the identified process, its behavior, and whether it appears to be malicious or suspicious. Our investigation takes advantage of the deep endpoint telemetry we collect from your endpoints and associated endpoint metadata, identity metadata, and context from adversary behavior across all Red Canary customers.

View potentially threatening events

Click Events in the Red Canary navigation menu to view potentially threatening events that Red Canary has identified from telemetry (and, optionally, alerts data) sent from your security products. This gives you an overview of analyzed events over the last 90 days, whether those events escalated to threats or were false positives, and the top tactics we’ve observed.

View analyzed events

On the Events page, the Analyzed Events list shows many of the potentially threatening events that Red Canary has identified and analyzed to determine if they are threatening or false positives. Each of these events is associated to a process that executed on one of your endpoints, and each is mapped to one or more ATT&CK® techniques or Indicators of Compromise (IOC).

View existing threats

When Red Canary’s investigation concludes that an event is a threat, it’s confirmed as a threat. Each threat contains a wealth of information about the following:

• Endpoints and identities that were involved
• ATT&CK techniques that Red Canary observed being used
• Analytics, threat intelligence, and alerts that led to the identification of the threat
• An annotated timeline highlighting the key endpoint activities involving the threat

This information gives every one of your responders, whether they are seasoned incident handling professionals or members of your help desk, the exact information they need to remediate the threat.

Click Threats in the Red Canary navigation menu to view a list of the threats detected in your environment. 

The details of each threat include a wealth of information to enable your response.

The threat timeline shows the key information selected by our team to highlight what happened and why it was threatening.

These timeline entries include key milestones and annotations and notes from both our team and yours.

Next, learn about how you can use automation to automatically respond to confirmed threats.