Note: This page does not include updates to the Linux EDR sensor. For information about updates to the Linux EDR sensor, check out our Linux EDR version history page.
August 2022 (to date)
New Documents
- Navigate Red Canary
- Integrate Palo Alto Networks Threat Prevention with Red Canary
- Integrate Palo Alto Networks Wildfire with Red Canary via syslog
New Videos
- Setting up a basic automation
- Advanced automation in Red Canary
- Download an automation summary in Red Canary
Changes
- When you log in to Red Canary, enjoy a newly redesigned homepage that now displays vital threat information front and center. Additional data is also now available on the homepage, including:
- Key activities Red Canary has performed in the last 90 days, such as the number of leads investigated and threats discovered
- The number of endpoints monitored over a specified timeframe
- An enhanced activity feed that not only shows you security actions executing in your environment, such as playbooks firing, but also additional industry news, blog posts, and more.
- The amount of telemetry and number of alerts Red Canary has ingested and analyzed from your integrated security products over a specified timeframe
- Highlighting any actionable items, such as unresolved threats, endpoints not sending telemetry, and alert sources needing configuration
For more information, see the new Homepage article in the Red Canary Help Center.
- Palo Alto Networks Threat Prevention now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.
July 2022
New Documents
- Integrate Cisco Umbrella with Red Canary
- Integrate Palo Alto Networks Wildfire with Red Canary via email
- Okta Advanced Threat Detection (For Threat Investigation users only)
New Videos
Changes
- Microsoft Defender for Endpoint customers can now quickly identify which of their endpoints are Live Response capable in the Red Canary portal. Live Response through the Microsoft Defender for Endpoint sensor requires specific Windows versions and builds, and endpoints are now automatically tagged to identify which endpoints are Live Response capable.
- Red Canary Analytics now incorporates CrowdStrike notifications that relate to detected ransomware creating files on an endpoint. This provides us further ability to monitor and alert you when ransomware attacks occur.
- In the Expert Analysis & Investigation report, we updated “Investigated Events” to “Analyzed Events,” which now matches the corresponding By the Numbers report value.
- Cisco Umbrella now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.
- Palo Alto Networks WildFire now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.
- Red Canary now automatically synchronizes SentinelOne site names to a Red Canary reporting tag. Reporting tags can be used in automations and endpoint filtering.
- You can now click on correlated identities and navigate to the identities detail page from the Alerts table page.
Resolved Issues
- Red Canary’s parsing logic has been enhanced to account for certain Dragos alerts that include special characters as leading or trailing identifiers in the alert. These characters were causing errors when parsing the alert data.
- Darktrace parsing is now enhanced to handle nested JSON data in the native alert information.
- Alerts that are re-ingested will no longer be escalated as a new event. This issue was duplicating events when ingesting occurred.
- PAN-OS alerts that contain multiple nested alerts are now parsed correctly as separate, individual alerts within Red Canary.
- Playbook triggers have been updated to replace the legacy “Priority” attributes with the new “Status” attributes. You do not need to take any action with this update.
- Parsing for FortiNet FortiGate alerts is now updated to correctly map the data attributes to the Red Canary data schema.
June 2022
Changes
- Alerts are now assigned to either “Red Canary” or “Your Team” based on which team is responsible for the alert during its investigation.
- You can now create, edit, and delete endpoint and identity tags in bulk, speeding up the process of updating your endpoint and identity environment.
- You can now more easily determine where your attention is most needed by viewing and sorting Intelligence Profiles based on how prevalent they are in an environment.
Resolved Issues
- When searching for alerts in a specified timeframe, the results correctly aggregate and display the alerts within that range.
- The GuardDuty network connection parser now creates a single correlated device for the internal IP address.
New Documents
May 2022
Changes
- Red Canary looks a little different! We’re updating the interface to be easier to navigate and more user-friendly. Most notably, the left navigation menu has been updated to include subpages for faster navigation, and the background has been changed to provide more contrast for better readability. Be on the lookout for updates as we continue to finesse these exciting changes.
- The Alerts page has been updated to support Red Canary’s alert management service. You can now review all your alerts ingested by Red Canary in one place while also being able to search for a set of alerts or individual alerts, view an alert’s details, determine the current status of an alert, and see if an alert is part of an ongoing event or threat. Learn more about managing alert data in the Red Canary Help Center.
- Red Canary Alerts now have new Status states and an updated workflow that better supports the new end-to-end Managed Detection and Response (MDR) service. With this update, Red Canary can provide detection and response beyond the traditional EDR endpoints.
- To help you find threats of account takeover, Red Canary now examines raw telemetry from Microsoft Office 365. To learn more about integrating Office 365 with Red Canary, check out Connect Red Canary to Office 365 in the Help Center.
- Data archival is now faster for VMware Carbon Black Response customers hosted by Red Canary.
- The is_protected status has been removed from Red Canary to prevent inaccurate reporting and playbook actions. This status was originally intended to show that an endpoint was both checking in and sending telemetry to Red Canary within the previous 3 hours, but because of the random nature of EDR telemetry collection, it wasn’t a reliable measure of an endpoint’s status. With this change, playbooks using the is_protected status as a trigger will no longer work.
- VMware Carbon Black Response users will now see status check help text in Red Canary that is updated to match the VMware features and setting name changes introduced in version 7.5.1.
New documentation
- Grant Red Canary analysts access to your Microsoft Defender console for Active Remediation
- API quickstart guides
- Use eBPF as the default telemetry source
- Export shell activities
- Integrate AWS GuardDuty alerts with Red Canary
- Connect Red Canary to Office 365
- Review and manage alert data
- Alert Workflow Rules
- Integrate Dragos with Red Canary
April 2022
Changes
- VMware Carbon Black EDR Windows Sensor Version 7.3.0 is now available across the Red Canary hosted Carbon Black server fleet. Learn more about Sensor Version 7.3.0.
- You can now use the CrowdStrike kill process response action to quickly remediate process threats.
- Jamf users can now update their Jamf isolation group using Red Canary’s external service configuration.
- We’ve updated the term “detections” and “confirmed threats” in Red Canary to just “threats.” This is part of a larger initiative to streamline the threat timeline to provide a more holistic view of what is or has occurred during a threat. This change won’t impact your APIs and URLs. Look for more information about the updated threat timeline in the coming weeks.
Resolved Issues
- You’re now able to respond and isolate any endpoints in your Jamf environment. Jamf was previously limited to the first 100 endpoints, which limited response actions.
- You can now collect forensic packages on CrowdStrike endpoints. Users managed by Red Canary’s Managed Security Service Provider (MSSP) will notice the addition of a “run” permission in a real-time response, which enables this collection to occur.
New Documentation
- Integrate Okta Workforce Identity Alerts with Red Canary
- Compare your active endpoints in Red Canary to SentinelOne
- Integrate Jamf EDR with Red Canary
- Recommendations for configuring a macOS sensor with Red Canary
March 2022
Changes
- Four new Security Alert Automation Playbooks were added to Red Canary. The new playbooks include Assign an alert to a user, Unassign an alert, Set alert investigation result, and Add note to an alert. These new playbooks provide more flexibility to users when managing alerts.
- The integration between Red Canary and Okta Workforce Identity was enhanced to capture additional alert information types related to account locks, privilege escalation, privilege revoke, password reset, and secondary email creation. These alert types are potential indicators of compromise (IOC) and are useful data points for threat investigations.
- A new status monitoring and notification feature was added to the Status Checks interface in Red Canary. This notification will alert users if the API polling for their configured Alert Source platforms stops responding and requires attention.
- The Jamf provisioning process no longer requires the Jamf Support team to engage. This helps streamline the provisioning process.
- The Top 20 observed MITRE ATT&CK techniques have been updated based on the 2022 Threat Detection Report.
- We’ve added the following examples of our Incident Handling team’s playbooks to Red Canary:
- IH - Phone Escalation: calls and texts specified phone numbers in the event of a detection
- IH - Isolate: automatically isolates an endpoint without requiring human approval
- IH - Isolate Approval: sends an email requesting approval to isolate an endpoint
- IH - IOC Remediation: runs through a series of processes to remediate indicators of compromise (IOC)
- IH - Notify Customer of New Note: sends an email when Red Canary creates a new note
Resolved Issues
- To provide a more accurate view of SentinelOne Singularity alerts, the alerts detail display was updated to include the correct corresponding detail information.
- The Red Canary by the Numbers report now returns an accurate count of investigative leads.
- The Confirmed Threats report has been updated to more accurately reflect where confirmed threats came from.
- If you had received an email with a link to a specific page in Red Canary but weren’t signed in through single sign-on, you would have been directed to authenticate then redirected to the Red Canary dashboard. Now, after authenticating through single sign-on, you’ll be directed to the correct page that was linked.
- The security alert data parser has been updated to resolve problems with identifying native Cylance security scoring data. This update provides more context to the alert and allows for better prioritization of information.
- The Alert Source integration configuration now decommissions previous data collectors when customers change their data ingest method (API, Syslog, TCP, HTTPS). Prior to this fix, you could receive redundant Alerts due to both the old and new ingest methods remaining enabled.
- There was an issue where a user could receive a “404 - Not Found” error when searching for Automate Playbook Executed in an audit log. Audit logs should now return all results.
- Previously, if a user entered an invalid search term on the Endpoints page, the page would error without notifying the user. Now if a user’s search fails, they will receive a notification that links them to information about valid search terms.
- Sorting on the Applications page now takes numbers in an application’s name into account. Previously, names that contained numbers were ignored.
New Documentation
February 2022
Changes
- Imperva Web Application Firewall (WAF) security related alerts are now supported in Red Canary. You can view Imperva WAF security related notifications in Red Canary to prioritize and manage your security alerts.
- Jamf now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.
- Cisco Firepower is now supported as part of the threat investigation service. You can configure the ingestion of Cisco Firepower alerts via email. These alerts are aggregated and correlated to endpoint and identity data across your enterprise. For users with the threat investigation service, Red Canary analysts will provide Tier 1 triage and prioritization of these network alerts to help streamline your threat remediation process.
- GitHub security-related alerts are now supported in Red Canary. You can view GitHub security-related notifications in Red Canary to prioritize and manage your security alerts.
- The detection timeline now uses the term “blocklist” instead of “blacklist” as part of our inclusive language effort.
- We’re excited to announce that Intelligence Insights are now available in Red Canary. Intelligence Insights are researched and developed by the Red Canary Intelligence Team and designed to provide you with both long-term trends and time-sensitive threat intelligence so you can make informed decisions about your security posture.
All existing customers are enrolled to receive Intelligence Insights emails, and you can also view them directly in Red Canary by clicking Analytics & Intelligence, and then clicking Intelligence Insights. You’ll find all previously published Intelligence Insights here as well.
To opt-out of receiving Intelligence Insight emails, navigate to your user profile, and then unselect Email me when Red Canary publishes an intelligence insight.
Resolved Issues
- Sorting on the Applications page now takes into account lowercase names.
- The Getting Help page in Red Canary was updated with information about who to contact at Red Canary for technical support and emergencies.
- Jamf Pro and Jamf Protect sensor IDs now correlate within Red Canary for all supported macOS versions. The full hostname and endpoint data from Jamf Pro is now related to your Jamf Protect telemetry.
New Documentation
- Linux EDR release v.1.3.2
- Defender for Endpoint Configuration Guides
- Third-party sensor version recommendation policy
January 2022
Changes
- Alert Filters replaced the Suppression Rules tab under External Alerts. Previously, you could only mark alerts as "Not a threat." Now, you can proactively change alert status, assign alerts to specific users, and add comments. These additions greatly improve your alert management capabilities by automatically advancing known or previously triaged alert types through your alert management process.
- Response actions have been added to the Red Canary and Jamf integration. You can now add and remove Jamf endpoints from network isolation groups enabling rapid remediation. For more information, see Isolating and deisolating endpoints using Jamf.
- Red Canary now collects identity information about confirmed threats from Okta Workforce Identity. This enables us to provide a faster, more complete response for customers using Okta.
- As a customer_admin, you are now able to reset the Carbon Black Live Response using the Getting Help page. This is useful when Live Response becomes non-responsive. This function is only available for Red Canary-hosted Carbon Black Response servers at this time.
- You can now import security alert data from FortiNet FortiGate for analysis and management within the Red Canary platform using syslog ingestion.
- Additional security data attribute aggregation has been added to Palo Alto PAN-OS source platforms. These additional attribute fields will allow us to correlate alerts to endpoints and provide threat identification data for PAN-OS alerts.
- Endpoints running Jamf Protect can now be added and removed from network isolation in Red Canary.
- Automated playbook actions will now trigger based on the alert priority.
- In accordance with our end of life policy, the following recently outdated sensor versions will be supported until April 7, 2022.
Resolved Issues
- Alert data from Proofpoint Targeted Attack Protection now correlates to endpoints correctly. In previous versions, a data parsing issue resulted in erroneous endpoint identification.
- Jamf timelines now include all process trees and related file modification indicators. This data helps to improve clarity and analysis of confirmed threats by including context around detections.
- SentinelOne users now have a streamlined view of tip-offs, due to correlated external alerts generating unique tip-offs on a per-event basis.
- Cisco Umbrella and Cisco Duo alerts will no longer experience data ingestion failures due to security data parsing issues.
- API polling for SentinelOne security alert data ingestion now includes the correct identification of account ID information.
New Documentation
- Reviewing daily and weekly email summaries
- Alerts lifecycle
- Configure alert filters
- Isolating and deisolating endpoints using Jamf
- MDR for Production Systems (formerly CWP) Version History. This information enables you to compare and contrast versions before you upgrade.
December 2021
Changes
- We expanded the data fields being parsed from the Palo Alto Prisma Cloud. This allows us to pull in more context and better correlate and investigate an alert.
- You’re now able to configure the HTTP ingest method for Okta Workforce Identity alerts. To learn more about setting up this alert source, see How to Setup Okta Workforce Identity Alerts in Red Canary.
- A wider range of external alerts can be fully investigated by the Cyber Incident Response Team (CIRT) with improved correlation logic between SentinelOne external alerts and native process telemetry.
- The ability to collapse the main navigation menu is now easier to find on the bottom left-hand side of the menu.
- You can view more information about a product that is considered unwanted software by clicking the new dropdown icon on the Applications page.
- The My Profile page has been updated with consistent button styles and help text for using a GPG public key.
- Red Canary now supports detection and investigative support for CrowdStrike scriptload events.
- You’ll no longer come across intermittent 400 errors when using Automate to retrieve an investigation package from Microsoft.
- The emergency support phone number and UTC time have been relocated to the top of the page in Red Canary so they’re easier to see.
- The Red Canary navigation menu now visually distinguishes which menu item you’re currently on.
- An incident handler or customer success manager no longer needs to be assigned to share a file with your Red Canary team.
- Required fields on the Share Files page are now clearly marked as required.
Resolved Issues
- The Red Canary Certificate Authority (CA) certificate will now automatically renew on the Alert Source Platform.
- The Automations tab now shows all the playbooks in your environment when it was previously limited to 50 at a time.
- Fixed an issue where endpoints that aren't on MDR for Infrastructure were returned as "sensor in safe mode."
- Fixed an issue where "Unknown Hostname" records were being created for SentinelOne users.
- Fixed an issue where Automate triggers wouldn’t load.
- Fixed an issue where Red Canary Help Center links didn’t automatically sign users into Red Canary.
New Documentation
November 2021
Changes
- We created a new Okta Workforce Identity integration that pulls relevant Okta security alerts into Red Canary. We recommend switching to this new API integration method for customers currently integrated with Okta alerts.
- We improved the SentinelOne external alert correlation fidelity by increasing the number of alerts that the CIRT can review.
- We added a new SentinelOne Response Action, Ban IP Address. Customers using SentinelOne can automatically or manually respond to confirmed threats by preventing endpoints from communicating with malicious IP addresses.
- We added a warning message when users try to ban non-IOCs from the detection timeline.
- We added a new submission form in Red Canary where you can request support for new alert source platforms.
- We added new supported alert source ingestion from Obsidian Security, FortiNet FortiAnalyzer, GitHub, Atlassian, Slack, LogMeIn LastPass, Microsoft Intune, and Microsoft Azure Active Directory Privileged Identity Management (PIM).
- We added https://cwp-ingest.redcanary.io to the network connectivity page.
- We launched Managed Detection & Response (MDR) support for Jamf Pro and Protect customers. This support extends Red Canary’s MDR offering into the macOS ecosystem by partnering with the only EDR technology that supports the latest Mac operating system on day one. For more information on this new support update, review our Jamf User Nation Conference announcement.
- We extended Red Canary’s SentinelOne capabilities by adding new Response Actions. You can limit the impact of a compromised system by isolating endpoints or take a more targeted remediation approach by banning a specific binary from executing. Be on the lookout for more updates as we continue building out this functionality.
- We added ScriptLoad telemetry to Analysis event blocks and detections for customers.
- We added analytical support for NamedPipeEvents from Microsoft Defender for Endpoint. Combined with our Threat Intelligence, these events help us get even better at detecting threats like Cobalt Strike.
- We added a new Automate playbook that enables customers to send Red Canary detections to Azure Sentinel as incidents.
- We relaunched the Microsoft Security GraphAPI integration to more closely adhere to the principle of least privilege. Existing GraphAPI users should reauthorize the integration to avoid interruptions in alert collection.
- We updated the endpoint protection logic to remove cases where devices come back online and show as unprotected.
Resolved Issues
- We fixed an error that occurred when attempting to submit Alert Timeline notes.
- We updated security data ingestion parsing issues for Endgame & FortiNet FortiGate.
- We fixed an issue with automated triggering of playbooks based on an alert.
- We fixed an issue with Notification via Slack for Darktrace Alerts.
- We fixed an issue where styles weren’t functioning on the Forgot Password and Reset Password pages.
- We fixed an issue where a playbook created to automate email notifications assigned a default reply to an address.
- We fixed an issue where the 2021 prevalent techniques file wouldn’t download.
- We fixed an issue where endpoint activity and status were displayed in local time, not UTC.
- We fixed an issue where weekly and monthly summary email counts were inaccurate or displayed no data.
- We fixed an issue with Isolate Endpoint functionality in Alert Management.
- We corrected the Debian package names in portal download links.
- We fixed an issue where endpoint records (/endpoints/{id}) loaded slowly or timed out.
Comments
Check out what the Red Canary product team has been up to in March!
Check out our new documents and videos for July and early August!