Skip to main content
Red Canary help

Release notes

  • Updated .

Note: This page does not include updates to the Linux EDR sensor. For information about updates the Linux EDR sensor, check out our Linux EDR version history page.

November 2023, to date

New documentation

October 2023

Changes and resolved issues

  • New Intelligence Profiles. The Intelligence Team created nine new Intelligence Profiles and updated fifteen Intelligence Profiles to provide additional threat context to our users. A notable new profile is Nitrogen, a malware family delivered via malvertising that often leads to follow-on activity. 
  • Surveyor on Rails. The Threat Hunting Team recently released a new internal hunting tool called Surveyor on Rails. This tool allows our Threat Hunters to efficiently hunt across user environments as we investigate and seek to identify new threats. Surveyor on Rails has enabled the team to hunt across user environments in a fraction of the time that it used to.
  • Wiz update. Red Canary has teamed up with Wiz as its first certified MDR partner. For more information, see our latest blog post on what’s coming up.

Bug Fixes

  • Fixed Automate on-demand search. We fixed an issue that prevented users from searching for the desired target to run an on-demand playbook against.
  • We refactored the Lacework integration for improved integration reliability and performance.
  • Portal SMS MFA can now be disabled on a subdomain level.

New documentation

September 2023

Changes and resolved issues

  • Thwarted Ransomware. On 9/15/23 the night crew helped thwart a Ransomware attack against one of our users. One of our Detection Engineers saw suspicious usage of the bitsadmin tool and determined this threat was likely a “hands on keyboard” situation, and coordinated a call across threat hunting specialists here at Red Canary. Ultimately this threat was confirmed, blocked, and attributed to the ALPHV/BlackCat Ransomware affiliate.
  • New detectors. Thirty-three new detectors were developed and deployed across Windows, MacOS, Linux, AWS, and Identity.   
  • Readiness Exercises Updates. We released ten new scenarios in the portal focused on Cloud and ICS readiness.

Bug Fixes

  • Forensics Package overhaul. We addressed a known issue for users of this feature, as the forensic package required an overhaul for the majority of the EDRs for which we provide the capability. Users who have utilized the updated capabilities have reported a better experience.
  • Improved Microsoft Graph v2 ingestion and sync. Due to a change in Microsoft’s data strategy we had to navigate a back office change with significant customer impact. We re-designed the way we ingest, delay, and queue data from Microsoft sources. This change improves the quality of data for these Microsoft products
  • Fixed reporting loading errors. We fixed known issues with high endpoint count users that would previously error out. These include the Collections Report and the By The Number Report.

New documentation

August 2023

Changes and resolved issues

  • You can now integrate Red Canary with Amazon Web Services (AWS) GuardDuty across all accounts and regions within your AWS Organization. This new integration lets Red Canary assume a role in your AWS environment, eliminating the need for a dedicated IAM user. In addition, Red Canary will detect when a new account or region appears, and automatically begin collecting GuardDuty findings. For more information, see Integrate Amazon Web Services with Red Canary.
  • The integrations table now includes a Data Is column that describes the current status of your ingested data. This update gives you better insight into what Red Canary does with your data after ingestion.
    • Data will be stored and investigated: indicates that the data investigation has been assigned to Red Canary
    • Data will be stored: indicates that the data investigation has been assigned to the user.
      For more information, see Integrations

New documentation

July 2023

Changes and resolved issues

  • The Linux EDR sensor now collects Scriptload and file modification telemetry. Collecting these types of telemetry enables our users to gain deeper insights into potential threats. For more information, see Release v1.5.0 and Release v1.5.1.
    • Scriptload Telemetry:
      • The Linux EDR sensor now collects the contents of scripts that start with a shebang (#!), ensuring we have granular visibility into script execution within environments protected by Linux EDR. With this valuable information, Red Canary identifies and analyzes potentially malicious scripts and detects script-based attacks.
    • File Modification Telemetry:
        • The Linux EDR sensor offers real-time visibility into any changes (creates, writes, deleters) made to critical system files. Red Canary quickly identifies unauthorized alterations and detects file-based attacks by capturing these modifications.
    • With these enhanced telemetry capabilities, the Linux EDR sensor becomes an even more powerful ally in our user’s security arsenals. This telemetry will be collected regardless of user subscription (CWP or Linux EDR).

  • The integrations page now shows the correct Alert and Telemetry information in their appropriate columns. This data provides insight on the amount and type of information that Red Canary is receiving from your third-party alert source. For more information, see Integrations.

New documentation

June 2023

Changes and resolved issues

  • Red Canary’s Integration section is now easier to locate. From your Red Canary homepage, click Integrations to be taken to our main Integrations page. Start by typing in the name of your third-party security source, or scroll through the list to find the correct source. For more information, see Integrations.

  • Red Canary’s Events API now includes MITRE ATT&CK Tactics, Techniques, and Procedures (TTP) identifier information. Users can easily extract TTP data, enabling them to discover what types of adversary motives and techniques their network is most vulnerable to, and security weaknesses that can be exploited.

New documentation

May 2023, to date

Changes and resolved issues

  • SentinelOne alerts now automatically close in Red Canary when they have been reviewed by Red Canary’s Cyber Incident Response Team (CIRT) team. The alert's status and any closing comments made by Red Canary will automatically update in the SentinelOne console. This update provides users with a consistent experience between the two integrated platforms. 
  • Cortex alerts now automatically close in Red Canary when they have been reviewed by Red Canary’s CIRT team. The alert's status and any closing comments made by Red Canary will automatically update in the Cortex console. This provides users with a consistent experience between the two integrated platforms. 
  • Red Canary now automatically adds additional analyst context to SentinelOne alerts that have been reviewed by Red Canary’s CIRT team. Any notes made by Red Canary’s analysts during the review and disposition of a SentinelOne alert will now display as a Note attached to SentinelOne’s Incidents in the SentinelOne console. This update enables users to see why an alert was given a disposition by the Red Canary team, further enhancing the clarity of Red Canary’s review. 
  • Data Loss Prevention (DLP) alerts from Microsoft Graph v2 integrations will no longer be ingested by Red Canary. This alert source lacked sufficient security context for Red Canary to review and will require the user to review future instances. 
  • Red Canary's integration with SentinelOne for Ban Binary response actions now standardizes on SHA1 hashes. This update allows for the consistent banning of hashes when utilizing SentinelOne as an EDR platform. In addition, this update enables users to respond quickly to found threats.
  • Red Canary users can now adjust the Jamf Isolation group chosen for SOAR response actions with Jamf Pro using the Red Canary console. This update allows for quick updates to the Jamf integration while maintaining quality isolation outcomes. 

April 2023

Changes

  • Red Canary has launched Red Canary Readiness, a new portfolio of offerings that gives teams a whole new way to train and prepare for incidents. The initial Readiness product is Readiness Exercises, a first-of-its-kind continuous learning platform that delivers realistic training, tabletops, and atomic testing in a single unified experience. For more information, see Red Canary Readiness
  • Red Canary has added a new Request Remediation button which enables on-demand requests for remediation on a published High or Medium severity Threat. The goal of this feature is to give the user a way to request additional support in instances where:
    • User did not tag the endpoint correctly or opted to not tag it due to isolation concerns.
    • User Acknowledged (AR stop) but then reconsidered and now wants Active Remediation (AR) intervention.
    • User removes the endpoint from the network and needs a way to notify the Active Remediation team when it's back online.
    • User discusses the threat with the Threat Hunting team and becomes comfortable with Active Remediation actions.
    • User can request AR actions on an old threat (prior to tagging) that generates additional activity without a substantial update.

New Readiness documentation

New Active Remediation documentation

New documentation

March 2023

Changes and resolved issues

  • Red Canary now supports SentinelOne’s latest data ingest mechanism, Cloud Funnel 2.0. With this upgrade, our new SentinelOne customers can easily set up and configure data integration with Red Canary using just a few pieces of information. This upgrade offers additional enrichment to XDR data from SentinelOne’s Singularity data lake streamed directly into Red Canary’s AWS S3 storage. An example of this is the inclusion of OsSource process data, which improves how Red Canary determines process lineage, resulting in increased detection coverage and investigative efficiency. We will automatically migrate all existing customers to this new mechanism over the next few weeks. For more information, see Integrate SentinelOne Cloud Funnel 2.0 with Red Canary.
  • Azure AD response actions can now fire optionally without user approval and be triggered by alerts, not just detections. These changes expand the scope and increase the speed by which customers respond to threats impacting their users, thus decreasing their mean time to respond. This new update is especially beneficial for users who have set up automation in Red Canary for Microsoft 365 Defender alerts. For more information, see Utilize Azure AD response actions.
  • The Linux EDR sensor now captures “shebang” script load information. If a process start invokes a "shebang" script (a file beginning with '#!'), the sensor now outputs information about that script’s content (currently limited to 1KB) as well as any middle interpreters of that script, in addition to the executable information.
  • Linux EDR customers can now hunt and interact with telemetry more efficiently. The search tool has been improved to make it easier for users to search while keeping the original search functionality for our experienced users. In addition, one of our new features enables you to easily specify date and time ranges within a search. Finally, a slide-out panel has been added to make it easier to view telemetry details.
  • Filtering for threats is now even more extensive with the new threat table matrix. Customers can now filter by 10 attributes. The table order has been rearranged to make filtering and searching more intuitive. For more information, see Filter for specific threats.

New documentation

February 2023

Changes and resolved issues

  • Red Canary now supports response actions for Azure Active Directory (AzureAD). Using Red Canary's updated playbook features, Threat Investigation customers can manually or automatically revoke session tokens, and suspend and unsuspend users. This new feature provides you with advanced remediation options to quickly respond to and stop threats. For more information, see Utilize Azure AD response actions.
  • Red Canary now utilizes Palo Alto Cortex XQL capabilities to retroactively search for developing threats in historical process telemetry. This update ensures Palo Alto Cortex customers are protected from the latest emerging threats by retroactively hunting for suspicious activity when new attacker IOCs are identified.

New documentation

January 2023

Changes and resolved issues

  • Red Canary now supports MDR for Lacework. Lacework looks for abnormal behavior rather than using a strict rules-based analytics approach. As such, there can be higher false positives in Lacework, but this approach can be more flexible to changing threats in your cloud environment. Red Canary monitors Lacework alerts for threats and correlates this telemetry to other threats and alerts in your cloud environment. Today, Red Canary is focused on detecting active (post compromise) threats in your environment, and in the near future we’ll be able to help you identify and respond to critical misconfigurations as well. For more information, see Integrate Lacework with Red Canary.
  • We have expanded the content and filter options on Homepage’s Activity Feed to include Intelligence Profiles. Red Canary develops Profiles to help describe threats and summarize their associated behaviors. Customers can now have their Activity Feed inform them when Red Canary publishes new Intelligence Profiles. 
  • You can now create an automation action to apply reporting tags to endpoints. Reporting tags allow you to add additional metadata to help organize and categorize endpoints within their environment. This feature enables you to automatically apply existing or new tags to endpoints based on an endpoint trigger event. When an endpoint changes statuses or exceeds a last check-in time threshold, you can immediately apply relevant tags to help manage the endpoints without human intervention.
  • We have updated our API to reflect that Threats can be remediated as TEST. Although the Red Canary platform offered four options for not remediating threats, the API documentation only had three. We added "not_remediated_authorized_testing" to our API to match the content found in the platform. You can therefore choose not to remediate the threat and mark it as “This was testing” for clarification.
  • We’ve expanded our integration with Microsoft Sentinel to harness the power of SIEM (Security information and event management) for threat detection and response. Red Canary integrates with Microsoft Sentinel incidents generated from Microsoft’s built-in analytics. By ingesting and reviewing your Microsoft incidents, Red Canary can help protect against identity-based threats, improve your cloud security coverage, and operationalize more of Microsoft’s security tools. Check out our blog for detailed information. For integration directions, see Integrate Microsoft Sentinel with Red Canary.
  • Red Canary now supports MDR for CrowdStrike endpoint logon telemetry for all CrowdStrike EDR customers. Red Canary ingests, normalizes, and investigates device logon telemetry from CrowdStrike Falcon agents. This new visibility means Red Canary can detect brute force and other identity based threats using the CrowdStrike agents that customers have deployed in their environment. For more information, see Identity detection support for CrowdStrike EDR.
  • Red Canary now supports MDR for Microsoft Defender for Cloud. Defender for Cloud enables you to continually assess, secure, and defend your Azure, AWS, and Google Cloud Platform infrastructure. Red Canary assesses Defender for Cloud alerts and threats that are correlated to other threats and alerts in your cloud environment. For more information, see Integrate Microsoft Defender for Cloud with Red Canary.
  • You can now verify Red Canary’s handling of Microsoft Sentinel incidents. When Red Canary publishes a threat related to a Microsoft Sentinel incident, you will now see a comment in Red Canary on the incident in Microsoft Sentinel with a link to the published threat in Red Canary. This update enables you to easily pivot from Microsoft Sentinel to Red Canary and verify that Red Canary is investigating your Microsoft Sentinel Incidents.
  • We have expanded our Intelligence Products by adding Industry News as its own section. The Red Canary Intelligence team reviews and curates the latest cybersecurity news that is relevant. This new page keeps you abreast of emerging and prevalent threats, allowing you to make informed decisions regarding your security posture. Check out Intelligence Products for more information.

New documentation

New video

December 2022

Changes and resolved issues

  • You can now protect your Google Workspace with Red Canary MDR. Google Workspace (formerly known as G Suite) includes Gmail, Sheets, Drive, Docs, and many other productivity tools. Gmail is a critically important tool to protect, and Red Canary has stepped up as an MDR partner to protect the entire Google Workspace suite. Our integration collects telemetry and alert data from the entire Google Workspace productivity suite, giving the Red Canary team better visibility into potential threats in your environment. For more information, see Integrate Google Workspace with Red Canary.
  • Our new PDF and report subscriptions feature enables you to track the impact and effectiveness of your security operations program. Reports can now be saved to PDF format, which matches what is displayed in Red Canary. Reports can also be executed on a schedule (weekly, monthly, quarterly, etc) and distributed via email with a PDF attachment. For more information, see Report library overview.
  • Our updated Threat Timeline is now easier to understand and work with, providing the information that you need in a more consistent, accessible, and concise experience. Every Activity in a Threat Timeline now has the same core components: Title, Narrative, and Details. A new “badge” system, on the left side of an Activity, shows information such as Threat Occurred, Indicator of Compromise, or the Endpoint Specified in the Activity. The Annotations and Notes experience is now simply “Comments”. For more information, see Confidence from Context: The Red Canary threat timeline.
  • We’ve released a new integration with Palo Alto Networks, adding Cortex XDR and broadening its detection coverage for mutual customers. Red Canary can now investigate Cortex XDR detections from all Cortex XDR data sources, including network, endpoint, cloud, and third-party data, helping to provide enterprise-wide monitoring. Cortex XDR’s Native Incident Alerts, triggered off of IOCs and BIOCs, are correlated with Red Canary’s detections across the IT environment to provide additional validation and context, all delivered in a unified timeline. Cortex XDR offers various response actions that enable customers to investigate the endpoint and take immediate action to remediate it. You can now use response actions to isolate an endpoint and ban suspicious file hashes environment-wide for faster remediation and ongoing security posture enhancements. For more information, see Integrate Cortex XDR with Red Canary.
  • We’ve expanded MDR coverage of users’ Network environment by adding support for Cisco Meraki. Red Canary now investigates and correlates security alerts from Cisco Meraki products to better detect and respond to Threats for users. For more information, see  Integrate Cisco Meraki with Red Canary.
  • We've expanded our description of the Notification Summary. The new article describes what notification summary is, and a link to updating the user profile to make any changes to how the customer receives notifications. For more information, see Notification Summary.

New documentation

New videos

November 2022

Changes and resolved issues

  • Red Canary now syncs the SentinelOne analyst verdicts and the incident status fields used to triage and record investigation status and disposition inside of the SentinelOne console with the alert record maintained within Red Canary. This update keeps SentinelOne in lockstep with Red Canary by preventing duplicate efforts and easing user analyst response time and workload. 
  • When responding to threats in a CrowdStrike environment, users can now use the automate action, Delete a Registry Key, in the automation section of Red Canary. This enables remediation and incident response to occur without human involvement.
  • We’ve expanded MDR coverage of users' IT environments by adding support for the latest version of Microsoft Graph API. Red Canary investigates and correlates security alerts from third-party security products to better detect and respond to Threats for users and is pleased to recommend the enhanced v2 of this API. For more information, see Integrate Microsoft Graph V2 with Red Canary and Use the Microsoft Graph security API.
  • We’ve expanded MDR coverage of customers’ SaaS environments by adding support for Microsoft Defender for Cloud Apps. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate Microsoft Defender for Cloud Apps with Red Canary.
  • Logon events can now be viewed in your identity threat timeline. Red Canary can now add more context to identity threat timelines. For example, if we publish a threat concerning a suspicious email rule, you will see relevant logon events from the user in question. This context helps you better understand why the threat was published, what happened, and what you can do to respond and prevent future threats.
  • 'Threat' has replaced 'detection' as the trigger option for automation.To standardize terminology throughout the platform, the term ‘threat’ has replaced ‘detection’ since it more clearly describes the trigger action to be performed. The dropdown menus in Triggers reflect this update.
  • Live Response Command and Live Response Isolation have been added as Audit Log Trigger options. This was previously accessible only to CarbonBlack Response customers, and is now available for customers using the VMWare CarbonBlack Cloud EDR platform, giving them more Trigger options.

New documentation

New videos

October 2022

Changes and resolved issues

  • Manual approval for Okta playbooks is no longer required. Manual approval is now optional  and can be automated.
  • Expanded MDR coverage of customers’ network environment by adding support for ExtraHop Reveal (x) 360. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate ExtraHop Reveal (x) 360 with Red Canary.
  • Expanded MDR coverage of customers’ network environment by adding support for ExtraHop Reveal X Enterprise. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate ExtraHop Reveal X Enterprise with Red Canary.
  • If a webhook fails, Red Canary will notify your technical contacts, by sending an email detailing the failure, so you can troubleshoot. To prevent flooding the inbox, we will only send one Webhook Failure email per playbook every 24 hours. In addition to sending an email, we will create an Audit Log (https://my_customer_domain.co/audit_logs) with "Action: Automate Action Executed", and include details about the error in the Details section. 
  • Google Workspace is now available in public preview as a supported MDR integration. Red Canary monitors raw telemetry from Google and publishes threats based on our proprietary analytics.
    Note: As of October 31, 2022, this integration is available as a public preview feature only. For access to the preview, reach out to your Red Canary account team for access.
  • You can now view raw JSON data within your Red Canary dashboard by clicking Alerts, selecting an Alert ID, and then clicking the Show original alert drawer.
  • Red Canary can now push status updates for alerts back to the SentinelOne Singular platform so that users will see the updated status in their SentinelOne dashboard.
  • The Alert List view in the Alerts section has been updated so that it displays the list of associated Events or Threats for an Alert.
  • The Red Canary Hosted VMware Carbon Black EDR fleet has been upgraded to version 7.6.2. This upgrade incorporates the latest Red Canary tested and validated Carbon Black Response features and security patches. Additionally, a new telemetry source that captures fileless script loads has been added to provide enhanced security coverage of malicious process execution.

New documentation

New video

September 2022

Changes and resolved issues

  • When you click a link to an Endpoint, Identity, or Intelligence Profile on the Threats page of Red Canary, we now show some of that page’s content in a slide-out panel so that you can view it without having to open another page or tab.
  • You can now add an external service in Microsoft Office 365 without accidentally adding a duplicate external service in Office 365.
  • Red Canary now supports an additional automation action for Sentinel One users. This automation action enables you to configure Red Canary responses to execute processes on endpoints based on your playbook triggers.
  • Forensic packages will now be collected and executed correctly. You can now automatically collect additional forensic information from endpoints for preservation purposes with increased resilience and accuracy.
  • Dark Mode is now available for your homepage setup. For more information, see the Homepage article.
  • Your Red Canary homepage now includes an alerts section with telemetry and alert data types. For more information, see the Homepage article.
  • A new plugin for Response Actions is available for Linux users.  The response actions plugin enables you to run actions on a Linux endpoint triggered in response to threats. This update also applies to the Red Canary Portal Automations feature. For more information, see Plugin: Response Actions.

New documentation

New videos

August 2022

Changes and resolved issues

  • Customers who subscribe to Linux EDR can now filter and review telemetry observed within the last 7 days. To learn more, see Filtering telemetry in the Red Canary Help Center.
  • When you log in to Red Canary, enjoy a newly redesigned homepage that now displays vital threat information front and center. Additional data is also now available on the homepage, including:
    • Key activities Red Canary has performed in the last 90 days, such as the number of leads investigated and threats discovered
    • The number of endpoints monitored over a specified timeframe
    • An enhanced activity feed that not only shows you security actions executing in your environment, such as playbooks firing, but also additional industry news, blog posts, and more.
    • The amount of telemetry and number of alerts Red Canary has ingested and analyzed from your integrated security products  over a specified timeframe
    • Highlighting any actionable items, such as unresolved threats, endpoints not sending telemetry, and alert sources needing configuration

      For more information, see the new Homepage article in the Red Canary Help Center.

  • Okta Workforce Identity Events with the classification of “A bypass of MFA may have been attempted for this user“ will now be ingested as alerts and triaged for Threat Investigation users.
  • Palo Alto Networks Threat Prevention now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

  • When you resolve a SentinelOne alert in Red Canary, the resolution status updates automatically in SentinelOne.

New documents

New videos

July 2022

Changes and resolved issues

  • Microsoft Defender for Endpoint customers can now quickly identify which of their endpoints are Live Response capable in the Red Canary portal. Live Response through the Microsoft Defender for Endpoint sensor requires specific Windows versions and builds, and endpoints are now automatically tagged to identify which endpoints are Live Response capable.
  • Red Canary Analytics now incorporates CrowdStrike notifications that relate to detected ransomware creating files on an endpoint. This provides us further ability to monitor and alert you when ransomware attacks occur.
  • In the Expert Analysis & Investigation report, we updated “Investigated Events” to “Analyzed Events,” which now matches the corresponding By the Numbers report value.
  • Cisco Umbrella now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.
  • Palo Alto Networks WildFire now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.
  • Red Canary now automatically synchronizes SentinelOne site names to a Red Canary reporting tag. Reporting tags can be used in automations and endpoint filtering. 
  • You can now click on correlated identities and navigate to the identities detail page from the Alerts table page.
  • Red Canary’s parsing logic has been enhanced to account for certain Dragos alerts that include special characters as leading or trailing identifiers in the alert. These characters were causing errors when parsing the alert data.
  • Darktrace parsing is now enhanced to handle nested JSON data in the native alert information.
  • Alerts that are re-ingested will no longer be escalated as a new event. This issue was duplicating events when ingesting occurred.
  • PAN-OS alerts that contain multiple nested alerts are now parsed correctly as separate, individual alerts within Red Canary.
  • Playbook triggers have been updated to replace the legacy “Priority” attributes with the new “Status” attributes. You do not need to take any action with this update.
  • Parsing for FortiNet FortiGate alerts is now updated to correctly map the data attributes to the Red Canary data schema.

New Documents

New Videos

June 2022

Changes and resolved issues

  • Alerts are now assigned to either “Red Canary” or “Your Team” based on which team is responsible for the alert during its investigation.
  • You can now create, edit, and delete endpoint and identity tags in bulk, speeding up the process of updating your endpoint and identify environment.
  • You can now more easily determine where your attention is most needed by viewing and sorting Intelligence Profiles based on how prevalent they are in an environment.
  • When searching for alerts in a specified timeframe, the results correctly aggregate and display the alerts within that range.
  • The GuardDuty network connection parser now creates a single correlated device for the internal IP address.

New Documents

May 2022

Changes and resolved issues

  • Red Canary looks a little different! We’re updating the interface to be easier to navigate and more user-friendly. Most notably, the left navigation menu has been updated to include subpages for faster navigation, and the background has been changed to provide more contrast for better readability. Be on the look out for updates as we continue to finesse these exciting changes.
  • The Alerts page has been updated to support Red Canary’s alert management service. You can now review all your alerts ingested by Red Canary in one place while also being able to search for a set of alerts or individual alerts, view an alert’s details, determine the current status of an alert, and see if an alert is part of an ongoing event or threat. Learn more about managing alert data in the Red Canary Help Center.
  • Red Canary Alerts now have new Status states and an updated workflow that better supports the new end-to-end Manage, Detection and Response (MDR) service. With this update, Red Canary can provide detection and response beyond the traditional EDR endpoints.
  • To help you find threats of account takeover, Red Canary now examines raw telemetry from Microsoft Office 365. To learn more about integrating Office 365 with Red Canary, check out Connect Red Canary to Office 365 in the Help Center.
  • VMware Carbon Black Response customers hosted by Red Canary will now expedite data archival.
  • The is_protected status has been removed from Red Canary to prevent inaccurate reporting and playbook actions. This status was originally intended to show that an endpoint was both checking in and sending telemetry to Red Canary within the previous 3 hours, but because of the random nature of EDR telemetry collection, it wasn’t a reliable measure of an endpoint’s status. With this change, playbooks using the is_protected status as a trigger will no longer work.
  • VMware Carbon Black Response users will now see status check help text in Red Canary that is updated to match the VMware features and setting name changes introduced in version 7.5.1

New documentation

April 2022

Changes and resolved issues

  • VMware Carbon Black EDR Windows Sensor Version 7.3.0 is now available across the Red Canary hosted Carbon Black server fleet. Learn more about Sensor Version 7.3.0.
  •  You can now use the CrowdStrike kill process response action to quickly remediate process threats.
  • Jamf users can now update their Jamf isolation group using Red Canary’s external service configuration.
  • We’ve updated the term “detections” and “confirmed threats” in Red Canary to just “threats.” This is part of a larger initiative to streamline the threat timeline to provide a more holistic view of what is or has occurred during a threat. This change won’t impact your APIs and URLs. Look for more information about the updated threat timeline in the coming weeks.
  • You’re now able to respond and isolate any endpoints in your Jamf environment. Jamf was previously limited to the first 100 endpoints, which limited response actions.
  • You can now collect forensic packages on CrowdStrike endpoints. Users managed by Red Canary’s Managed Security Service Provider (MSSP) will notice the addition of a “run” permission in a real-time response, which enables this collection to occur. 

New Documentation

March 2022

Changes and resolved issues

  • Four new Security Alert Automation Playbooks were added to Red Canary. The new playbooks include Assign an alert to a user, Unassign an alert, Set alert investigation result, and Add note to an alert. These new playbooks provide more flexibility to users when managing alerts.
  • The integration between Red Canary and Okta Workforce Identity was enhanced to capture additional alert information types related to account locks, privilege escalation, privilege revoke, password reset, and secondary email creation. These alert types are potential indicators of compromise (IOC) and are useful data points for threat investigations.
  • A new status monitoring and notification feature was added to the Status Checks interface in Red Canary. This notification will alert users if the API polling for their configured Alert Source platforms stops responding and requires attention. 
  • The Jamf provisioning process no longer requires the Jamf Support team to engage. This helps streamline the provisioning process.
  • The Top 20 observed MITRE ATT&CK techniques have been updated based on the 2022 Threat Detection Report.
  • We’ve added the following examples of our Incident Handling team’s playbooks to Red Canary:
    • IH - Phone Escalation: calls and texts specified phone numbers in the event of a detection
    • IH - Isolate: automatically isolates an endpoint without requiring human approval 
    • IH - Isolate Approval: sends an email requesting approval to isolate an endpoint
    • IH - IOC Remediation: runs through a series of processes to remediate indicators of compromise (IOC)
    • IH - Notify Customer of New Note: sends an email when Red Canary creates a new note
  • To provide a more accurate view of SentinelOne Singularity alerts, the alerts detail display was updated to include the correct corresponding detail information.
  • The Red Canary by the Numbers report now returns an accurate count of investigative leads.
  • The Confirmed Threats report has been updated to more accurately reflect where confirmed threats came from.
  • If you had received an email with a link to a specific page in Red Canary but weren’t signed in through single sign-on, you would have been directed to authenticate then redirected to the Red Canary dashboard. Now, after authenticating through single sign-on, you’ll be directed to the correct page that was linked.
  • The security alert data parser has been updated to resolve problems with identifying native Cylance security scoring data. This update provides more context to the alert and allows for better prioritization of information. 
  • The Alert Source integration configuration now decommissions previous data collectors when customers change their data ingest method (API, Syslog, TCP, HTTPS). Prior to this fix, you could receive redundant Alerts due to both the old and new ingest methods remaining enabled.
  • There was an issue where a user could receive a “404 - Not Found” error when searching for Automate Playbook Executed in an audit log. Audit logs should now return all results.
  • Previously, if a user entered an invalid search term on the Endpoints page, the page would error without notifying the user. Now if a user’s search fails, they will receive a notification that links them to information about valid search terms.
  • Sorting on the Applications page now takes numbers in an application’s name into account. Previously, names that contained numbers were ignored.

New Documentation

February 2022

Changes and resolved issues

  • Imperva Web Application Firewall (WAF) security related alerts are now supported in Red Canary. You can view Imperva WAF security related notifications in Red Canary to prioritize and manage your security alerts.
  • Jamf now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.
  • Cisco Firepower is now supported as part of the threat investigation service. You can configure the ingestion of Cisco Firepower alerts via email. These alerts are aggregated and correlated to endpoint and identity data across your enterprise. For users with the threat investigation service, Red Canary analysts will provide Tier 1 triage and prioritization of these network alerts to help streamline your threat remediation process.
  • GitHub security-related alerts are now supported in Red Canary. You can view GitHub security-related notifications in Red Canary to prioritize and manage your security alerts.
  • The detection timeline now uses the term “blocklist” instead of “blacklist” as part of our inclusive language effort.
  • We’re excited to announce that Intelligence Insights are now available in Red Canary. Intelligence Insights are researched and developed by the Red Canary Intelligence Team and designed to provide you with both long-term trends and time-sensitive threat intelligence so you can make informed decisions about your security posture.
  • All existing customers are enrolled to receive Intelligence Insights emails, and you can also view them directly in Red Canary by clicking Analytics & Intelligence, and then clicking Intelligence Insights. You’ll find all previously published Intelligence Insights here as well.
    To opt-out of receiving Intelligence Insight emails, navigate to your user profile, and then unselect Email me when Red Canary publishes an intelligence insight.
  • Sorting on the Applications page now takes into account lowercase names.
  • The Getting Help page in Red Canary was updated with information about who to contact at Red Canary for technical support and emergencies.
  • Jamf Pro and Jamf Protect sensor IDs now correlate within Red Canary for all supported macOS versions. The full hostname and endpoint data from Jamf Pro is now related to your Jamf Protect telemetry.

New Documentation

January 2022

Changes and resolved issues

  • Alert Filters replaced the Suppression Rules tab under External Alerts. Previously, you could only mark alerts as "Not a threat." Now, you can proactively change alert status, assign alerts to specific users, and add comments. These additions greatly improve your alert management capabilities by automatically advancing known or previously triaged alert types through your alert management process.
  • Response actions have been added to the Red Canary and Jamf integration. You can now add and remove Jamf endpoints from network isolation groups enabling rapid remediation. For more information, see Isolating and deisolating endpoints using Jamf.
  • Red Canary now collects identity information about confirmed threats from Okta Workforce Identity. This enables us to provide a faster, more complete response for customers using Okta.
  • As a customer_admin, you are now able to reset the Carbon Black Live Response using the Getting Help page. This is useful when Live Response becomes non-responsive. This function is only available for Red Canary-hosted Carbon Black Response servers at this time.
  • You can now import security alert data from FortiNet FortiGate for analysis and management within the Red Canary platform using syslog ingestion.
  • Additional security data attribute aggregation has been added to Palo Alto PAN-OS source platforms. These additional attribute fields will allow us to correlate alerts to endpoints and provide threat identification data for PAN-OS alerts.
  • Endpoints running Jamf Protect can now be added and removed from network isolation in Red Canary.
  • Automated playbook actions will now trigger based on the alert priority.
  • In accordance with our end of life policy, the following recently outdated sensor versions will be supported until April 7, 2022.
  • Alert data from Proofpoint Targeted Attack Protection now correlates to endpoints correctly. In previous versions, a data parsing issue resulted in erroneous endpoint identification.
  • Jamf timelines now include all process trees and related file modification indicators. This data helps to improve clarity and analysis of confirmed threats by including context around detections.
  • SentinelOne users now have a streamlined view of tip-offs, due to correlated external alerts generating unique tip-offs on a per-event basis.
  • Cisco Umbrella and Cisco Duo alerts will no longer experience data ingestion failures due to security data parsing issues. 
  • API polling for Sentinel One security alert data ingestion now includes the correct identification of account ID information.

New Documentation

 

Comments

1 comment

Date Votes
  • Brian Valdivia
    • Edited

    Check out what's new in June 2023!

     
    0

Please sign in to leave a comment.