Red Canary uses information about your responses to threats to improve the quality and timeliness of threat investigation. The information you record about your responses also helps the Red Canary team keep track of which threats pose a serious risk to your environment.
- In Red Canary, click Threats.
- Select the threat you want to resolve.
- Review the threat timeline.
- If the threat has been removed from your environment and is no longer a security concern, click Remediated.
  Note: If Red Canary detects similar malicious activity in the future, a new threat will be created for you to review.
- To mark a threat as unremediated, click Unremediated, and then select one of the following options:
  - This is unauthorized activity that will not be remediated. You accept the risk this software or behavior poses to your environment. If similar activity is observed in the future, it will be appended to this threat.
  - This is authorized, non-testing activity. This activity is acceptable for some or all of your users. You can select the user group authorized to perform these activities in the future; such activity won’t be appended to this threat moving forward. You can also choose to not see threats like this in the future.
  - This activity was incorrectly identified. This activity is a false positive. Red Canary will review this threat to improve future detections. Similar activity won’t be appended to this confirmed threat. You can add more information in the text box.
  - This was testing. Similar activity won’t be appended to this threat. Use the dropdowns to specify whether the testing was internal or external and the tool used for testing.
    Note: If you configured your Red Canary profile to exclude tests from reports, you won't see this activity in the Report Library.
- Optionally, select I want to discuss this with my Incident Handler to talk to a Red Canary incident handler about this unremediated threat.
- Click Mark as will not remediate.