Red Canary uses information about your responses to threats to improve the quality and timeliness of threat investigation. The information you record about your responses also helps the Red Canary team keep track of which threats pose a serious risk to your environment.
- From the navigation menu, click Threats.
- Open the threat that you want to resolve by clicking the link in the threat description.
- Review the threat timeline.
- If the threat has been removed from your environment and is no longer a security concern, scroll to the bottom of the timeline, and then click Remediated.
Note: If Red Canary detects similar malicious activity in the future, a new threat will be created for you to review.
- To mark a threat as unremediated, click Not Remediated, and then select one of the following options:
  - This is unauthorized activity that will not be remediated. You accept the risk this software or behavior poses to your environment. If similar activity is observed in the future, it will be appended to this threat.
  - This is authorized, non-testing activity. This activity is acceptable for some or all of your users. You can select the user group authorized to perform these activities in the future, which won’t be appended to this threat moving forward. You can also choose to not see threats like this in the future.
  - This activity was incorrectly identified. This activity is a false positive. Red Canary will review this threat to improve future detections. Similar activity won’t be appended to this confirmed threat. You can enter additional information in the text box.
  - This was testing. Similar activity won’t be appended to this threat. Use the dropdowns to specify whether the testing was internal or external and the tool used for testing.
    Note: If you configured your Red Canary profile to exclude tests from reports, you won't see this activity in the Report Library.
- Optionally, select I want to discuss this with my Incident Handler to email your Incident Handler, indicating that you want to discuss this unremediated threat. The email will automatically include the name of the threat and your reason for not remediating.
- Click Mark as will not remediate.
Note: If you change your mind and want to remediate the threat, scroll to the bottom of the Threat Timeline and click the Re-open this threat button.