This article describes the basic lifecycle of an event in Red Canary.
Events are indicators of potentially threatening activity that Red Canary generates so that its Cyber Incident Response Team (CIRT) can investigate them. Events are similar to the alerts produced by other security products, with one difference: Red Canary investigates every event, so false positives are filtered out rather than forwarded to you.
How are events identified?
Events are the result of applying various types of behavioral analytics and intelligence to the large volume of endpoint telemetry Red Canary analyzes from your environment.
Before an event is generated, Red Canary checks whether the behavior has already been flagged as non-threatening; if it has, the event is suppressed. Suppression criteria are the product of past investigations performed by Red Canary's CIRT and exist so that the same benign behavior is not investigated again. Most activity is eliminated by suppression before it ever becomes an event. (Learn more about suppression on the Red Canary blog.)
Events can be created under the following circumstances:
- Indicators of Compromise (IOCs) identified by Red Canary or a third party match telemetry.
- Detectors inspect telemetry and identify adversary behaviors, or attributes of processes or software that are suspicious.
- Retrospective analysis identifies past occurrences of newly identified indicators or behaviors.
- The Red Canary CIRT hunts within or across environments during the course of an investigation, or while testing new threat hypotheses.
- Red Canary processes an alert from one of your external alert sources.
What does Red Canary do with events?
Every event is investigated and dispositioned, either automatically or by Red Canary's CIRT.
Some events are handled automatically, which lets Red Canary quickly identify and communicate high-frequency or high-impact events to you. Common uses of automated event processing include identifying unwanted software, recognizing certain known malware behaviors, and responding rapidly when Red Canary is introduced to an environment that is already experiencing an incident.
How are events classified?
Analyzed events are classified in one of the following ways:
| Classification | Meaning |
|---|---|
| Confirmed threat | Red Canary confirmed the activity identified by the event to be threatening and associated it with a threat. |
| False positive | The identification of this event was the result of a data or logic error. |
| Unlicensed | Red Canary doesn't monitor the endpoint associated with the event, at your explicit request. |
| Ignored product | The event was skipped because of an Application you’ve chosen to mute/ignore. |
| Mitigated | The event was skipped because the potentially threatening activity was mitigated by a security control. |
| Execution prevented | The event was skipped because execution of the potentially threatening activity was prevented by a security control. |
| Not a threat | Red Canary's CIRT investigated the event and determined it to be non-threatening. |
| Alternate escalation | The event was confirmed to be threatening and was escalated by a route other than a Red Canary threat. |
How long are events retained?
Events associated with a confirmed threat are retained indefinitely. Other events are retained for one year.