Red Canary is obsessed with detecting threats that might affect your organization, but there will be times when we fail to identify a threat. These false negatives, or detection misses, are critical feedback to Red Canary so we can improve our detection analytics and processes.
We like to know about all threats that are confirmed in your organization, even if they are threats that might be impossible for Red Canary to detect (identifiable only via other data sources or specific organizational or insider context). This context helps us identify other alert sources or data that we can operationalize to improve your detection and response.
Learn more about Red Canary’s approach to detection quality.
Reporting a false negative
You can report a false negative / detection miss in your Red Canary portal. The resulting support case will involve our detection engineering and intelligence teams.
To report a false negative / detection miss:
- In your Red Canary portal, click Get Help.
- Set How can we help you? to Issue.
- Set For what? to Detection Quality.
- Complete the remainder of the form, including details about the threat affecting your organization, how you identified it, etc.
What if Red Canary identifies a false negative?
Red Canary performs various forms of quality control and reviews to identify situations where we might have misidentified threatening behavior.
If one of those reviews, or threat hunting, identifies a false negative, we will confirm the threat in a detection published to your Red Canary portal, including a note about why the detection was delayed.