Once Red Canary has identified a potentially threatening event affecting your organization, we investigate that activity to determine if it is a real threat or false positive.
Red Canary’s investigation is more than mere triage; we review the identified process, its behavior, and whether it appears to be malicious or suspicious. Our investigation takes advantage of the deep endpoint telemetry we collect from your endpoints and associated endpoint metadata, identity metadata, and context from adversary behavior across all Red Canary customers.
View potentially threatening events
From the navigation menu, click Events to view potentially threatening events that Red Canary has identified from telemetry (and, optionally, alerts data) sent from your security products. This gives you an overview of analyzed events over the last 90 days, whether those events escalated to threats or were false positives, and the top tactics we’ve observed.
View analyzed events
On the Events page, the Analyzed events list shows many of the potentially threatening events that Red Canary has identified and analyzed to determine if they are threatening or false positives. Each of these events is associated to a process that executed on one of your endpoints, and each is mapped to one or more MITRE ATT&CK® techniques or Indicators of Compromise (IOC).
View threats
When Red Canary’s investigation concludes that an event is a threat, it’s confirmed as a threat. You can then review it on the Threats page in Red Canary. Each threat contains a wealth of information about the following:
- Endpoints and identities that were involved
- MITRE ATT&CK techniques that Red Canary observed being used
- Analytics, threat intelligence, and alerts that led to the identification of the threat
- An annotated timeline highlighting the key endpoint activities involving the threat
This information gives every one of your responders, whether they are seasoned threat hunting professionals or members of your help desk, the exact information they need to remediate the threat.
Click Threats in the Red Canary navigation menu to view a list of the threats detected in your environment.
Click the colored link for a specific threat to see threat details.
Threat details
The details of each threat include a wealth of information to enable your response.
Threat Timeline
The Threat Timeline enables you to evaluate key information selected by Red Canary to highlight what happened and why it was threatening. Timeline entries include elements that denote key milestones and comments from our team and yours. You can also contact your Threat Hunter from the Threat timeline regarding specific threats.
Key
| Number | Function |
| 1 | The title of the Activity, describing what happened. |
| 2 | This is a machine-generated, human-readable description of what happened. |
| 3 | These are additional, relevant details. |
| 4 | The name of the Endpoint associated with the Activity. Click to open a slide-out window with additional details about the threat. |
Next, learn about how you can use automation to automatically respond to confirmed threats.
Comments
0 comments
Please sign in to leave a comment.