This article is part of an overview of getting started with Red Canary:
- Collect endpoint telemetry
- Collect external alerts
- Monitor endpoints
- Detect potential threats (performed by Red Canary)
- Investigate potential threats (performed by Red Canary)
- Respond to threats using automation
This article covers what Red Canary monitors, what Red Canary does, and what your role is in ensuring that you get the most from Red Canary.
What Red Canary monitors
Red Canary ingests endpoint telemetry from various sources/agents. For detailed information, check out supported alert sources for threat investigation.
The icons in the top bar of Red Canary indicate which agents Red Canary is ingesting endpoint telemetry from.
Important: Red Canary is responsible for analyzing telemetry from your agents and presenting meaningful, actionable information, but we can monitor only the telemetry we can see. It is up to you to ensure that the telemetry you want monitored is actually arriving in Red Canary.
What’s your role?
The most important maintenance task you can perform is to ensure that endpoints are communicating with Red Canary. Is everything working as it should? You can see this information on the Endpoints page in Red Canary.
Pro tip: Use the search box under Endpoint inventory to filter for specific endpoints.
What should you look for?
- When was the last time an endpoint checked in?
- When was the last activity?
Your system’s check-in and activity times will depend on the parameters of the agents that are providing telemetry to Red Canary. Keep in mind that Red Canary does not report in real time: there is a delay due to the internal processing that Red Canary performs, and its duration depends in part on the agent(s) you are using and may be up to 30 minutes.
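A worked example of the check described above, added here and not part of the original article or of any Red Canary tooling. It takes a small, constructed endpoint inventory (hypothetical hostnames, agent names and timestamps) and flags endpoints whose last check-in is older than the agent's assumed check-in interval plus the up-to-30-minute processing delay, so that an endpoint that is merely lagging behind processing is not reported as broken. It also flags endpoints that check in but have shown no activity for a long time, since those are the ones worth a closer look. The per-agent intervals and the 24-hour activity window are assumptions; use the values from your own agent configuration.

```python
from datetime import datetime, timedelta, timezone

# Processing delay the article describes: Red Canary may lag the agent by up to 30 minutes.
PROCESSING_DELAY = timedelta(minutes=30)

# Assumed per-agent check-in intervals; the real values come from your agent configuration.
AGENT_CHECKIN_INTERVAL = {
    "agent-a": timedelta(minutes=5),
    "agent-b": timedelta(minutes=15),
}

# Constructed sample inventory (hypothetical hostnames and timestamps, not a real export).
SAMPLE_INVENTORY = [
    {"hostname": "ws-finance-01", "agent": "agent-a",
     "last_checkin": "2024-05-01T12:55:00Z", "last_activity": "2024-05-01T12:50:00Z"},
    {"hostname": "srv-db-02", "agent": "agent-b",
     "last_checkin": "2024-05-01T12:10:00Z", "last_activity": "2024-05-01T12:05:00Z"},
    {"hostname": "ws-hr-03", "agent": "agent-a",
     "last_checkin": "2024-05-01T12:58:00Z", "last_activity": "2024-04-29T08:00:00Z"},
    {"hostname": "ws-lab-04", "agent": "agent-a",
     "last_checkin": "2024-05-01T12:40:00Z", "last_activity": "2024-05-01T12:40:00Z"},
]

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
SAMPLE_NOW = datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample inventory."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_endpoint(endpoint: dict, now: datetime,
                      intervals: dict = AGENT_CHECKIN_INTERVAL,
                      processing_delay: timedelta = PROCESSING_DELAY,
                      activity_window: timedelta = timedelta(hours=24)) -> str:
    """Return "stale", "quiet" or "ok".

    stale: no check-in within the agent's interval plus the processing delay,
           so a check-in that is only delayed by processing is not flagged.
    quiet: the agent checks in, but no activity has been recorded for longer
           than activity_window; the sensor is alive but may not be sending telemetry.
    """
    grace = intervals[endpoint["agent"]] + processing_delay
    checkin_age = now - parse_ts(endpoint["last_checkin"])
    activity_age = now - parse_ts(endpoint["last_activity"])
    if checkin_age > grace:
        return "stale"
    if activity_age > activity_window:
        return "quiet"
    return "ok"


def find_problem_endpoints(inventory: list, now: datetime) -> list:
    """List (hostname, status) for every endpoint that is not "ok"."""
    problems = []
    for endpoint in inventory:
        status = classify_endpoint(endpoint, now)
        if status != "ok":
            problems.append((endpoint["hostname"], status))
    return problems


if __name__ == "__main__":
    for hostname, status in find_problem_endpoints(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{hostname}: {status}")
```

With the sample data, ws-lab-04 is 20 minutes past its 5-minute interval but still inside the 35-minute grace window and is left alone, srv-db-02 is reported as stale, and ws-hr-03 is reported as quiet because it checks in normally yet has shown no activity for two days.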
If there is an issue with how your agent is communicating with Red Canary…
- Contact Red Canary technical support via Help Center, and we’ll dive in with you to figure it out.
For more information about endpoints, check out the Endpoints section in the Help Center.
If there is a threat…
You’ll need to take action in the agent that is sending the alert in your environment. You can also contact Red Canary incident handling, and we’ll be here to help:
- For dire emergencies, use the Emergency number.
- For less critical, threat-related situations with which you need assistance, submit a ticket through the Help Center.
For more information about threats, check out the Threats section of the Help Center.
Automation is essential for taking fast and consistent action when events happen in your system. You can use Automations to help you keep track of endpoint status and threats. Red Canary provides Automations (Triggers and Playbooks) that automatically respond to predefined events and complete specific security tasks.
Automation Triggers define when Playbooks should be executed. A Trigger starts with an event and can be narrowed by conditions such as “Threat's severity is high”. Each Trigger can be bound to one or more Playbooks, so Triggers and Playbooks are highly reusable.
Automation Playbooks are grouped sets of actions that you want to take to achieve a goal. Playbooks can range from the simple (for example, “Email my security@ mailing list”) to the complex (for example, “Notify an on-call phone tree, network isolate any affected endpoints, and begin remediation”).
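To make the event, condition, Trigger and Playbook relationship concrete, here is a small model of it, added as an example; it is not Red Canary's Automation engine or API, and the event shapes, trigger names and actions are constructed. It shows one Playbook bound to two different Triggers (the reuse the text describes), a Trigger narrowed by a severity condition, and a dispatcher that returns an audit trail of everything that ran for an event. The actions record what they would do instead of calling real mail, paging or isolation systems.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Action = Callable[[Event], str]


@dataclass
class Playbook:
    """A named, reusable group of actions run in order against one event."""
    name: str
    actions: List[Action]

    def run(self, event: Event) -> List[str]:
        return [action(event) for action in self.actions]


@dataclass
class Trigger:
    """Fires for one event type, narrowed by conditions; bound to one or more playbooks."""
    name: str
    event_type: str
    conditions: List[Callable[[Event], bool]]
    playbooks: List[Playbook]

    def matches(self, event: Event) -> bool:
        return event.get("type") == self.event_type and all(cond(event) for cond in self.conditions)


def dispatch(event: Event, triggers: List[Trigger]) -> List[Tuple[str, str, List[str]]]:
    """Run every bound playbook of every trigger that matches; return an audit trail."""
    trail = []
    for trigger in triggers:
        if trigger.matches(event):
            for playbook in trigger.playbooks:
                trail.append((trigger.name, playbook.name, playbook.run(event)))
    return trail


# Constructed actions: each records what it would do rather than calling a real
# mail, paging or network-isolation API.
def email_security(event: Event) -> str:
    return f"email security@ about {event['id']}"


def page_oncall(event: Event) -> str:
    return f"page on-call for {event['id']}"


def isolate_endpoint(event: Event) -> str:
    return f"network-isolate {event['endpoint']}"


NOTIFY = Playbook("notify-security", [email_security])
CONTAIN = Playbook("contain-and-escalate", [page_oncall, isolate_endpoint])

# Hypothetical trigger set: NOTIFY is bound to two triggers, CONTAIN only to high-severity threats.
TRIGGERS = [
    Trigger("any-threat", "threat.published", [], [NOTIFY]),
    Trigger("high-severity-threat", "threat.published",
            [lambda e: e.get("severity") == "high"], [CONTAIN]),
    Trigger("endpoint-stale", "endpoint.stale", [], [NOTIFY]),
]

# Constructed sample events (hypothetical ids and hostnames).
SAMPLE_EVENTS: List[Event] = [
    {"type": "threat.published", "id": "THREAT-1", "severity": "high", "endpoint": "ws-finance-01"},
    {"type": "threat.published", "id": "THREAT-2", "severity": "low", "endpoint": "ws-hr-03"},
    {"type": "endpoint.stale", "id": "ENDPOINT-2", "endpoint": "srv-db-02"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        for trigger_name, playbook_name, results in dispatch(event, TRIGGERS):
            print(f"{event['id']}: {trigger_name} -> {playbook_name}: {results}")
```

A high-severity threat fires both threat triggers, so it is emailed and contained; a low-severity threat only fires the notification; and a stale-endpoint event reuses the same notification Playbook under a different Trigger. Keeping the dispatcher's return value as an audit trail is what lets you review afterwards exactly which automation acted on which event.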
For more information about Automations (Triggers and Playbooks), check out the Automation section in the Help Center.
What else can you do?
Be sure to check your Red Canary Home page frequently to see Unresolved Threat alerts, Telemetry and Alerts info, and your Activity Feed.