This article is part of an overview of getting started with Red Canary:
- Collect endpoint telemetry
- Collect external alerts
- Monitor endpoints
- Detect potential threats (performed by Red Canary)
- Review potential threats that have been investigated by Red Canary
- Respond to threats using automation
- How Red Canary uses artificial intelligence and machine learning
Once Red Canary has identified a potentially threatening event affecting your organization, we investigate that activity to determine whether it is a real threat or a false positive.
Red Canary’s investigation is more than mere triage: we review the identified process, its behavior, and whether it appears to be malicious or suspicious. Our investigation draws on the deep telemetry we collect from your endpoints, along with associated endpoint metadata, identity metadata, and context from adversary behavior observed across all Red Canary customers.
View potentially threatening events
From the navigation menu, click Events to view potentially threatening events that Red Canary has identified from telemetry (and, optionally, alerts data) sent from your security products. This gives you an overview of analyzed events over the last 90 days, whether those events escalated to threats or were false positives, and the top tactics we’ve observed.
View analyzed events
On the Events page, the Analyzed events list shows many of the potentially threatening events that Red Canary has identified and analyzed to determine whether they are threats or false positives. Each of these events is associated with a process that executed on one of your endpoints, and each is mapped to one or more MITRE ATT&CK® techniques or Indicators of Compromise (IOCs).
When Red Canary’s investigation concludes that an event is a threat, it’s confirmed as a threat. You can then review it on the Threats page in Red Canary. Each threat contains a wealth of information about the following:
- Endpoints and identities that were involved
- MITRE ATT&CK techniques that Red Canary observed being used
- Analytics, threat intelligence, and alerts that led to the identification of the threat
- An annotated timeline highlighting the key endpoint activities involving the threat
This information gives every one of your responders, whether they are seasoned incident handling professionals or members of your help desk, the exact information they need to remediate the threat.
Click Threats in the Red Canary navigation menu to view a list of the threats detected in your environment.
Click the colored link for a specific threat to see threat details.
The details of each threat include a wealth of information to enable your response.
The Threat Timeline enables you to evaluate key information selected by Red Canary to highlight what happened and why it was threatening. Timeline entries include elements that denote key milestones and comments from our team and yours. You can also contact your Incident Handler from the Threat Timeline regarding specific threats.
| Callout | Description |
|---|---|
| 1 | The title of the Activity, describing what happened. |
| 2 | A machine-generated, human-readable description of what happened. |
| 3 | Additional, relevant details. |
| 4 | The name of the Endpoint associated with the Activity. Click it to open a slide-out window with additional details about the threat. |