When processing and validating alerts from select security platforms, Red Canary can add comments to those alerts and update their states. This state synchronization allows Red Canary to keep the alerts in your other security products up to date so you don’t waste time reviewing alerts that Red Canary has already processed.
Supported alert sources
Red Canary maintains a list of the alert sources for which state and comment synchronization is supported; consult that list before enabling either option for an alert source.
Enable commenting on alerts
You can instruct the Red Canary platform to add comments to alerts in the source platform during the process of alert validation.
To enable alert commenting for an alert source:
- From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources.
- Click the name of the alert source you want to update.
- A comment icon is shown next to the alert source if alert commenting is available for that platform.
- Click Edit Configuration (the blue button in the upper right-hand corner).
- Check the Alerts should be commented on in the source platform as validation is performed? box.
- Click Save.
Enable state updating on alerts
You can instruct the Red Canary platform to update the state of alerts in the source platform during the process of alert validation.
To enable state synchronization for an alert source:
- From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources.
- Click the name of the alert source you want to update.
- An exchange (two-arrow) icon is shown next to the alert source if alert state synchronization is available for that platform.
- Click Edit Configuration.
- Check the Alert state should be updated in the source platform as validation is performed? box.
- Click Save.
Why do I see more than one comment stating that Red Canary is validating the same alert?
Red Canary’s alert validation process repeatedly attempts to correlate each alert with associated endpoint and process activity (every 30 minutes for two days). When alert commenting is enabled, a comment is added to the alert at the beginning of each correlation pass.
An alert that goes through several correlation passes therefore accumulates several comments. This is intentional: the comments let you confirm that Red Canary is still validating the alert rather than having dropped it.
How can I tell if Red Canary updated an alert automatically within Defender for Endpoint?
Red Canary can automatically update alerts within Defender, but other mechanisms can also update Defender alerts automatically. You can tell if Red Canary closed an alert in Defender by looking for this comment in the Alert History within the Defender portal:
This alert has been validated by Red Canary and deemed a false positive because all of the reviewed activity was deemed to be non-threatening.
If you don't see that comment, then a different system, not Red Canary, closed the alert.
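The check above can be automated across a batch of alerts exported from Defender, for example when auditing which closures came from Red Canary and which from another automation. The following is an added example (not Red Canary's or Microsoft's code): the record shape it expects (a `status` field and a `comments` list of objects with a `comment` field) is an assumption modelled loosely on the Microsoft Graph security alert format, and the sample alerts, including the wording of the "validating" comments, are constructed for illustration; only the closing false-positive comment is quoted from this article.

```python
"""Triage helper: which Defender alerts did Red Canary close?

Added example, not Red Canary's or Microsoft's code. The alert record shape
("status" plus a "comments" list of {"comment": ...}) is an assumption, and
the sample alerts below are constructed rather than captured.
"""
from collections import Counter

# The exact closing comment this article says to look for in the Defender Alert History.
RED_CANARY_FALSE_POSITIVE_COMMENT = (
    "This alert has been validated by Red Canary and deemed a false positive "
    "because all of the reviewed activity was deemed to be non-threatening."
)


def _normalize(text: str) -> str:
    """Collapse whitespace so a line-wrapped export still matches the exact comment."""
    return " ".join(text.split())


def classify_alert(alert: dict) -> str:
    """Classify one alert record as one of:
    'closed_by_red_canary'  - resolved and carries Red Canary's false-positive comment
    'closed_by_other'       - resolved, but without that comment (another system closed it)
    'red_canary_validating' - still open, with Red Canary correlation-pass comments present
    'open'                  - open, with no Red Canary comments
    """
    comments = [_normalize(c.get("comment", "")) for c in alert.get("comments", [])]
    has_closing = any(c == _normalize(RED_CANARY_FALSE_POSITIVE_COMMENT) for c in comments)
    # Heuristic (assumption): any other comment that mentions Red Canary is a
    # validation-pass comment left at the start of a correlation pass.
    has_rc_activity = any("Red Canary" in c for c in comments)
    resolved = str(alert.get("status", "")).lower() == "resolved"
    if resolved:
        return "closed_by_red_canary" if has_closing else "closed_by_other"
    return "red_canary_validating" if has_rc_activity else "open"


def red_canary_pass_count(alert: dict) -> int:
    """How many Red Canary comments other than the final closing comment the alert
    carries, i.e. how many correlation passes have left a comment so far."""
    closing = _normalize(RED_CANARY_FALSE_POSITIVE_COMMENT)
    comments = [_normalize(c.get("comment", "")) for c in alert.get("comments", [])]
    return sum(1 for c in comments if "Red Canary" in c and c != closing)


def summarize(alerts: list) -> dict:
    """Count alerts per classification, e.g. for a daily audit of automated closures."""
    return dict(Counter(classify_alert(a) for a in alerts))


# Constructed sample records. The "validating" text is placeholder wording, not a
# quote of the real Red Canary comment; the closing comment is quoted from the article,
# here with a line break to show that whitespace differences still match.
VALIDATING = "Red Canary is validating this alert (correlation pass in progress)."
SAMPLE_ALERTS = [
    {"id": "a1", "status": "resolved", "comments": [
        {"comment": VALIDATING},
        {"comment": VALIDATING},
        {"comment": "This alert has been validated by Red Canary and deemed a false positive\n"
                    "because all of the reviewed activity was deemed to be non-threatening."},
    ]},
    {"id": "a2", "status": "resolved", "comments": [
        {"comment": "Resolved by automated investigation."},
    ]},
    {"id": "a3", "status": "new", "comments": [{"comment": VALIDATING}]},
    {"id": "a4", "status": "new", "comments": []},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["id"], classify_alert(alert), "passes:", red_canary_pass_count(alert))
    print(summarize(SAMPLE_ALERTS))
```

Feed `summarize` the alert records from your own export; anything that lands in `closed_by_other` was resolved by something other than Red Canary and may deserve a second look.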