When processing and validating alerts from select security platforms, Red Canary can add comments to those alerts and update their states. This state synchronization allows Red Canary to keep the alerts in your other security products up to date so you don’t waste time reviewing alerts that Red Canary has already processed.

Supported security platforms

• Elastic Security
• Microsoft Defender
• Crowdstrike Falcon Insight: EDR

Note: If Red canary supports your third party security platform, you still need to enable the platform in your alert source configuration.

Enable commenting on alerts 

You can instruct the Red Canary platform to add comments to alerts in the source platform during the process of alert validation.

To enable alert commenting for an alert source:

1. Click Alert Sources in the site navigation.
2. Click the name of the alert source you want to update.
3. You will see the ICON_COMMENT icon if alert state commenting is available for this alert source platform.
4. Click Configure.
5. Check the Alerts should be commented on in the source platform as validation is performed? box.
6. Click Save.

Enable state updating on alerts 

You can instruct the Red Canary platform to update the state of alerts in the source platform during the process of alert validation.

To enable state synchronization for an alert source:

1. Click Alert Sources in the site navigation.
2. Click the name of the alert source you want to update.
3. You will see the ICON_EXCHANGE icon if alert state synchronization is available for this alert source platform.
4. Click Configure.
5. Check the Alert state should be updated in the source platform as validation is performed? box.
6. Click Save.

What alert states result from the states of alert validation?

The specific states an alert can be updated to depend on the underlying source platform, but alerts can be update to use one of the following states:

• New alerts are new awaiting investigation or review
• In progress alerts are being investigated / validated by Red Canary
• True positive alerts have been confirmed as threatening activity by Red Canary
• False positive alerts have been deemed a false positive by Red Canary

During Red Canary’s alert validation process, an alert with this feature enabled will be updated with the following states:

• Alerts that are uncorrelated are updated with a state of new
• Alerts that are pending review are updated with a state of in progress
• Alerts that are false positive are updated with a state of false positive
• Alerts that are confirmed threatening are updated with a state of true positive
• Alerts that are marked as activity blocked are updated with a state of true positive

Why do I see more than one comment stating that Red Canary is validating the same alert?

Red Canary’s alert validation process involves continuous attempts to correlate alerts to associated endpoint and process activity (every 30 minutes for two days). When alert state commenting is enabled, a comment will be added to the alert at the beginning of each correlation pass.

This will result in multiple comments being added to an alert as it goes through multiple correlation passes. This is useful so you can identify and confirm that Red Canary is continuing to validate the alert.

How can I tell if Red Canary updated an alert automatically within Defender for Endpoint?

Red Canary can automatically update alerts within Defender, but other mechanisms can also update Defender alerts automatically. You can tell if Red Canary closed an alert in Defender by looking for this comment in the Alert History within the Defender portal:

This alert has been validated by Red Canary and deemed a false positive because all of the reviewed activity was deemed to be non-threatening.

If you don't see that comment, then a different system, not Red Canary, closed the alert.