Configure Customizations
    • 12 Feb 2026
    • 7 Minutes to read

    Article summary

    Customizations let you tailor how Red Canary reviews “Suspicious Activity” threats, helping reduce false positives and irrelevant notifications. Use this page to create and modify customizations in your Red Canary portal.

    The Customizations page contains four tabs:

    • Explicit Instructions: Add explicit instructions describing which kinds of suspicious activity to ignore.

    • Inferred Instructions: Review and approve Red Canary-generated customizations based on user feedback for threats previously remediated as “Authorized, Non-testing behavior.”

    • Environment Q&A (Beta): Add context about your environment and user activity.

    • General Notes (Beta): Add general, security-relevant context that doesn’t fit into the above categories.

    Note

    You must be an Admin-level user to view, create, and modify customizations.

    Explicit Instructions

    On the Explicit Instructions tab, you can provide suppressive instructions specifying which kinds of threats you do not want published. This entry directly influences Red Canary’s threat notification behavior.

    Note

    Red Canary may override explicit instructions if necessary to alert you about activity that’s highly likely to be a genuine threat. Promoting or prioritizing specific activities for publishing is not supported. Red Canary carefully evaluates your customizations and will recommend adjustments to help minimize false positives and ensure your environment is accurately represented.

    Example: Suppress Approved Sign-ins from Unmanaged Devices with MFA and Conditional Access

    This explicit instruction tells the Threat Review Agent to suppress benign sign-in events from unmanaged devices to specific business-critical apps, as long as strong authentication and access controls are in place:

Suppress alerts for successful, interactive user sign-ins from personal (unmanaged) devices to the following approved applications (Cisco Webex, PROD-TENANT-1, and PROD-TENANT-2) only when BOTH of the following conditions are met:
    
    1. Multi-factor authentication (MFA) was completed successfully
    2. The sign-in was allowed by a Conditional Access policy
    
    This suppression applies even if the user connects via a consumer VPN service, such as TunnelBear, NordVPN, or ExpressVPN.

    Example: Suppress Failed Teams Logons Blocked by Conditional Access

    This explicit instruction tells the Threat Review Agent to suppress unnecessary alerts for failed access attempts which are already prevented by established security policies:

    Suppress alerts for failed logons to Microsoft Teams from personal mobile devices that are blocked by conditional access.

    Example: Suppress Tenant Alerts on Legitimate or Blocked Activity

    This explicit instruction tells the Threat Review Agent to suppress alerts on expected, non-threatening access attempts that are already appropriately restricted or legitimate:

    Suppress alerts for sign-in attempts to PROD-TENANT-1 from personal devices that satisfy MFA but are blocked by conditional access.
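The two tenant-related instructions above differ only in outcome: a successful sign-in that satisfied MFA and was allowed by Conditional Access, versus one that satisfied MFA but was blocked. The following added example (not Red Canary code; the event fields and the `review` function are assumptions made for illustration) encodes both instructions as predicates over constructed sign-in records, to show why each needs its own instruction and why BOTH conditions must hold before anything is suppressed.

```python
from dataclasses import dataclass

# Applications named in the first explicit instruction on this page.
APPROVED_APPS = {"Cisco Webex", "PROD-TENANT-1", "PROD-TENANT-2"}


@dataclass(frozen=True)
class SignIn:
    """Constructed sign-in record; field names are assumptions, not a vendor schema."""
    app: str
    managed_device: bool
    interactive: bool
    succeeded: bool
    mfa_completed: bool
    ca_result: str            # "allowed", "blocked" or "not_applied"
    via_consumer_vpn: bool = False


def suppress_unmanaged_success(e: SignIn) -> bool:
    """Instruction 1: successful interactive sign-in from an unmanaged device to an
    approved app, suppressed only when MFA completed AND Conditional Access allowed it.
    The VPN flag is deliberately not consulted: the instruction says it does not matter."""
    return (not e.managed_device and e.interactive and e.succeeded
            and e.app in APPROVED_APPS
            and e.mfa_completed and e.ca_result == "allowed")


def suppress_blocked_tenant_signin(e: SignIn) -> bool:
    """Instruction 3: PROD-TENANT-1 attempt from a personal device that satisfied MFA
    but was blocked by Conditional Access. Such an event never 'succeeded', so the
    first predicate cannot cover it; a separate instruction is required."""
    return (e.app == "PROD-TENANT-1" and not e.managed_device
            and e.mfa_completed and e.ca_result == "blocked")


def review(e: SignIn) -> str:
    """Return 'suppress' if any active instruction matches, else 'publish'.
    Anything not explicitly covered is published: suppression is opt-in, never default."""
    if suppress_unmanaged_success(e) or suppress_blocked_tenant_signin(e):
        return "suppress"
    return "publish"


if __name__ == "__main__":
    sample = SignIn("Cisco Webex", managed_device=False, interactive=True, succeeded=True,
                    mfa_completed=True, ca_result="allowed", via_consumer_vpn=True)
    print(review(sample))  # suppress: VPN is irrelevant when MFA and CA both hold
```

A practitioner can extend `review` with the remaining instructions on this page and re-run it against exported sign-in logs to confirm an instruction is as narrow as intended before setting it to Active.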

    Example: Suppress Geography-Based Alerts for Registered Devices with Conditional Access

    This explicit instruction tells the Threat Review Agent to suppress alerts from users with legitimate business travel patterns, provided corporate device registration and access controls are satisfied:

Do not publish threats for sign-ins when the user is in an unusual geographic location, as long as they are signing in from a registered device and they pass conditional access. Travel to Europe and India is very common for our users.

    Example: Suppress Testing Activity

    This explicit instruction tells the Threat Review Agent to suppress alerts related to a process that’s only used for testing:

    Suppress any threat when the main process is named “BlackBear.” Treat these as known tests; do not publish threats for them.

    Creating an Explicit Instruction

    1. In your Red Canary portal, go to Customizations.

    2. On the Explicit Instructions tab, click Add new explicit instruction.

    3. On the New Explicit Instruction page:

      1. Set the status:

        • Active: The customization is applied by the Threat Review Agent during evaluations. Choose this status when the customization is ready to be enforced.

        • Needs Review: The customization is not applied by the Threat Review Agent. Choose this status to request input from team members or to keep the customization as a draft.

        • Inactive: The customization is not applied by the Threat Review Agent. Choose this status to deactivate the customization without deleting it.

      2. In the Customization field, add your instructions.

      3. (Optional) In the Reason for change field, add relevant notes such as the purpose or intent of the customization.

    4. Click Save Answer.

    5. If necessary, Red Canary will suggest modifications to your entry before creating the customization. Make sure to review and apply the suggested changes to ensure it's accurate and actionable.

    6. Activate the customization by setting the status to Active.

    Modifying an Explicit Instruction

    If you need to modify a customization, click the edit icon and repeat the steps above. If you want to disable a customization, change the status to Inactive.

    Inferred Instructions

    Note

    The Inferred Instructions tab may be empty; new suggestions will appear as relevant feedback is provided, so check back periodically.

    On the Inferred Instructions tab, you can review customization suggestions automatically generated by Red Canary based on user comments for threats previously remediated as “Authorized, Non-testing behavior.”

    Example: Expected Zoom Authentications

    For example, if you comment on a threat:

    “This behavior is expected—our users are permitted to access Zoom from personal devices, even over VPN. Conditional access allowed this authentication, so it’s not a concern.”

    Red Canary might suggest the following customization:

    Suppress threats for authentications to the Zoom application from non-managed devices, including those from unknown VPNs.

    Reviewing an Inferred Instruction

    1. In your Red Canary portal, go to Customizations, then click the Inferred Instructions tab.

    2. To approve the customization, change the status to Active.

    3. To reject the customization, change the status to Inactive.

    Environment Q&A (Beta)

    Note

    Environment Q&A customizations are currently for research and development purposes only and won’t impact Red Canary agent workflows until the feature is Generally Available. We encourage you to add relevant contextual information to support ongoing development and refinement of this feature.

    On the Environment Q&A tab you can provide context about your organization's environment by answering optional, structured questions. The areas covered include:

    • Risk Context

    • Network and Infrastructure

    • Identity and Access Management

    • Endpoint and Device Management

    • Other Security Tools

    • Time Bound Considerations

    Example: Operation Location Details

    Question: “In which countries/regions/provinces/states does your organization operate?”

    Your Answer:

    All of our staff and customers are US based, and we don’t expect any network traffic to originate from outside of the US for normal business operations.

    Example: MFA Policy Details

    Question: What MFA factors are allowed by policy in your organization?

    Your Answer:

    All of our corporate staff (in tenant 123456) are required to use strong authentication methods, which means that we don’t expect any MFA via SMS for those users. In our guest tenant (tenant 67890), users can use any MFA method that they wish, including MFA.

    Creating an Environment Q&A Customization

    1. In your Red Canary portal, go to Customizations, then click the Environment Q&A tab.

    2. Click the edit icon next to each question.

    3. On the Edit Environment Q&A page:

      1. Set the status:

        • Active: The customization is applied by the Threat Review Agent during evaluations. Choose this status when the customization is ready to be enforced.

        • Needs Review: The customization is not applied by the Threat Review Agent. Choose this status to request input from team members or to keep the customization as a draft.

        • Inactive: The customization is not applied by the Threat Review Agent. Choose this status to deactivate the customization without deleting it.

      2. In the text field, add a response to the question.

      3. (Optional) In the Reason for change field, add relevant notes such as the purpose or intent of the customization.

    4. Click Save Answer.

    5. If necessary, Red Canary will suggest modifications to your entry before creating the customization. Be sure to review and apply the suggestions to ensure it's accurate and actionable.

    6. Once the customization is finalized, change the status to Active.

    Modifying an Environment Q&A Customization

    If you need to modify a customization, click the edit icon and repeat the steps above. If you want to disable a customization, change the status to Inactive.

General Notes (Beta)

    Note

    General Notes customizations are currently for research and development purposes only and won’t impact Red Canary agent workflows until the feature is Generally Available. We encourage you to add relevant contextual information to support ongoing development and refinement of this feature.

    On the General Notes tab, you can add any other security-relevant context that doesn’t fit the other categories. This could include operational changes, new regions of activity, or recent business events.

    Example: Context on EDR Migration

Our organization is migrating from Carbon Black Cloud to CrowdStrike Falcon as our EDR provider. This transition will be ongoing from March 2026 through July 2026.

    Example: Context on Company Merger

    Our company is merging with Acme Corp as of Mar 15, 2026, and all of their users will be absorbed into our tenant before the end of that month.

    Creating a General Note

    1. On the Customizations page, click the General Notes tab.

    2. Click Add new general note.

    3. On the New General Note page:

      1. Set the status:

        • Active: The customization is applied by the Threat Review Agent during evaluations. Choose this status when the customization is ready to be enforced.

        • Needs Review: The customization is not applied by the Threat Review Agent. Choose this status to request input from team members or to keep the customization as a draft.

        • Inactive: The customization is not applied by the Threat Review Agent. Choose this status to deactivate the customization without deleting it.

      2. In the Customization field, add a general note.

      3. (Optional) In the Reason for change field, add relevant notes such as the purpose or intent of the customization.

    4. Click Save Answer.

    5. If necessary, Red Canary will suggest modifications to your entry before creating the customization. Be sure to review and apply the suggested changes to ensure it's accurate and actionable.

    6. Once the customization is finalized, change the status to Active.

    Modifying a General Note

    If you need to modify a customization, click the edit icon and repeat the steps above. If you want to remove a customization, change the status to Inactive.

    Next Steps

    After creating a customization, we recommend regularly reviewing your suppressed threats to monitor the impact and usage of your customizations. To learn how to view suppressed threats or set up notifications, see Manage Suppressed Threats.
