Skip to main content
Red Canary help

Understanding how Red Canary detects threats

  • Updated .

Red Canary’s detection is designed to identify as many possible types of threats that adversaries may use against your organization. This broad approach results in a lot of false positives for the Red Canary team to investigate, but it delivers the best results.

As Red Canary processes the telemetry and alerts collected from your endpoints and security products, any threat intelligence or analytics that match result in the creation of a potentially threatening “event” that goes to the Red Canary CIRT for investigation.

Learn more about potentially threatening events and how to list, filter, and review specific events.

What analytics do you use to detect threats?

Red Canary’s detection process uses two primary classes of analytics:

  • Every piece of telemetry is tested to determine if it matches an indicator of compromise that we’ve seen or heard adversaries use. These are brittle and often short-lived analytics, but if an adversary is foolish enough to reuse infrastructure or tools, they are easy to catch.
  • Behavioral detectors identify sequences of system activity that match techniques used by adversaries. These could be as simple as running PowerShell with an encoded command line, or a highly complex chain of behavior over a long period of time. We map every detector to MITRE ATT&CK® techniques so you can quantify your detection coverage.

How long does it take to onboard and tune detection?

Unlike other security products, Red Canary does not require you to define your own detection rules and indicators of compromise to get extremely effective results. From day one, you get the benefits of years of Red Canary detection engineering.

How can I review and understand your detection coverage?

Transparency is critical to understanding how Red Canary fits into your security stack. You need to know where Red Canary provides coverage and where we do not, and we strive to make that information easy to find.

Red Canary’s detection coverage is most easily viewed in an ATT&CK heatmap. From there, you can drill into a specific technique and learn more about whether Red Canary has coverage for it.

What standards or frameworks do you map to?

We found that the ATT&CK taxonomy of behavioral techniques best fits the internal classification used by Red Canary, so we’ve moved to exclusively using ATT&CK (supplemented by our own techniques when appropriate, which we contribute back to ATT&CK).

Every Red Canary analytic is mapped to one or more ATT&CK techniques so that you can simply understand what Red Canary can and cannot detect. Learn more about quantifying Red Canary's detection coverage using ATT&CK.

Can I suggest or create a new analytic/detector?

Absolutely! Please submit a support case and let us know what behavior you’re looking to detect or share threat intelligence you think we should use. 

If you believe Red Canary failed to detect adversary behavior, please let us know about these false negatives.

Related articles