View Alerts


Use the Alerts page to view all the potential threats Red Canary has identified in your organization. You can drill down into individual alerts for additional information.

The top-level Alerts page displays three cards that provide a summarized view of alert activity across key dimensions within the last 72 hours:

  • Top Sources: Highlights the security products or tools generating the most alerts. Each source is displayed along with its corresponding alert count, helping you identify which integrations are producing the majority of alerts.

  • Top Endpoints: Lists endpoints (devices, sensor IDs, etc.) associated with the highest number of alerts. Each entry includes an identifier for the endpoint and its alert count, allowing you to pinpoint affected devices quickly.

  • Top Identities: Displays identities or user accounts linked to the most alerts. Each identity is shown alongside its alert count, giving you visibility into potentially suspicious account activity.

Click on any of these cards to drill down into the associated data for further investigation, or use the details to filter alerts and focus on those that are most impactful.

Filtering Alerts

The Alerts page is designed to simplify analysis by letting you focus on specific or actionable data. To refine your view and locate relevant alerts, apply filters based on specific attributes and a defined time range.

Using the Search Box

To manually build a filter:

  1. Enter your filter attributes in the Search with query or keyword box. Note that you can click on the example searches in the UI to paste the text as a template.

  2. Press Enter to apply the filter.

Note: Multiple attributes are applied with the AND logical operator, so each attribute further narrows the filter.

For alerts, the following filter attributes are available:

  • Keywords: Plain keyword filtering (with no attribute specified) works against certain text fields in the alert, for example identity and endpoint names. Unlike the defined attribute filters, keywords match on partial values.
    Examples: admin, test.user

  • Alert ID: Filter by the alert ID of the alert. Use | as an "OR" to filter for multiple values.
    Examples: alert_id:123, alert_id:123|578

  • Assigned To: Filter by the assignee of the alert.
    Examples: assigned_to:customer, assigned_to:red_canary

  • Created At: Filter by the date and time at which the alert was ingested.
    Example: created_at:2025-05-27..

  • Endpoint: Filter by the current host name, sensor ID, or Red Canary ID of the endpoint. Use | as an "OR" to filter for multiple values.
    Examples: endpoint:admin-pc, endpoint:2000000001, endpoint:123

  • Identity: Filter by the username, UID, or Red Canary ID of the identity. Use | as an "OR" to filter for multiple values.
    Examples: identity:test.user, identity:S-1-5-3, identity:123

  • Provider Source: Filter by the individual source of the alert. Use | as an "OR" to filter for multiple values.
    Examples: provider_source:"Red Canary", provider_source:"Red Canary"|"Microsoft Azure Sentinel"

  • Provider Classification: Filter by the classification given by the provider source. Use | as an "OR" to filter for multiple values.
    Example: provider_classification:"Suspicious PowerShell command line"

  • Provider Severity: Filter by the severity given by the provider source. Use | as an "OR" to filter for multiple values.
    Examples: provider_severity:high, provider_severity:medium, provider_severity:low, provider_severity:informational, provider_severity:unknown

  • Raw Data: Filter by raw data contained in the alert.
    Example: raw_data:"Data Exfiltration"

  • State: Filter by the state of the alert. Use | as an "OR" to filter for multiple values.
    Examples: state:new, state:investigating, state:threat, state:not_a_threat, state:remediated, state:remediation_unwarranted, state:sanctioned_activity, state:false_positive, state:authorized_testing, state:filtered_by_customer

Dates/Times

Date-based attributes are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times. For example:

  • 2025-01-01.. matches on or after (>=) the from date

  • ..2025-01-01 matches on or before (<=) the to date

  • 2025-01-01..2025-01-31 matches on or after (>=) the from date and on or before (<=) the to date
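The following added example (not Red Canary's code) evaluates the filter syntax described above against a few constructed sample alerts: attribute:value pairs ANDed together, | as OR within one attribute, quoted multi-word values, bare keywords matching partial values, and from..to date ranges with either bound omitted. The set of fields that keyword search covers, exact-match semantics for attribute values, and treating a bare "to" date as the whole of that day are assumptions made for the example.

```python
import shlex
from datetime import datetime

# Constructed sample alerts (not real Red Canary data); created_at is UTC.
ALERTS = [
    {"alert_id": "123", "state": "new", "assigned_to": "red_canary", "endpoint": "admin-pc",
     "identity": "test.user", "provider_source": "Microsoft Azure Sentinel",
     "provider_severity": "high", "created_at": "2025-05-27T14:02:00"},
    {"alert_id": "578", "state": "not_a_threat", "assigned_to": "customer", "endpoint": "finance-01",
     "identity": "j.admin", "provider_source": "Red Canary",
     "provider_severity": "low", "created_at": "2025-05-20T09:30:00"},
]
KEYWORD_FIELDS = ("identity", "endpoint")  # assumption: the text fields keywords search
DATE_ATTRS = ("created_at",)

def parse_query(query):
    """Split a query into (attribute, [values]) pairs plus bare keywords."""
    attrs, keywords = [], []
    for tok in shlex.split(query):  # keeps provider_source:"Red Canary" as one token
        if ":" in tok and not tok.startswith(":"):
            name, raw = tok.split(":", 1)
            attrs.append((name, raw.split("|")))  # | is OR within one attribute
        else:
            keywords.append(tok)
    return attrs, keywords

def in_range(value, spec):
    """from..to with either side optional; ISO 8601 dates or date-times."""
    lo, hi = spec.split("..", 1)
    v = datetime.fromisoformat(value)
    end = datetime.fromisoformat(hi) if hi else None
    if end and len(hi) == 10:  # a bare date on the 'to' side covers that whole day
        end = end.replace(hour=23, minute=59, second=59)
    return (not lo or v >= datetime.fromisoformat(lo)) and (end is None or v <= end)

def matches(alert, query):
    attrs, keywords = parse_query(query)
    for name, values in attrs:  # separate attributes are ANDed
        field = str(alert.get(name, ""))
        if name in DATE_ATTRS:
            if not any(in_range(field, v) for v in values):
                return False
        elif field.lower() not in [v.lower() for v in values]:  # exact match only
            return False
    return all(any(kw.lower() in str(alert.get(f, "")).lower()  # keywords: partial match
                   for f in KEYWORD_FIELDS) for kw in keywords)

def search(query, alerts=ALERTS):
    return [a["alert_id"] for a in alerts if matches(a, query)]
```

For instance, search("admin provider_severity:low") returns only alert 578, because the keyword admin matches identity j.admin partially while the severity attribute must match exactly.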

Alerts are listed with eight sortable columns of data:

  • Alert: The Red Canary alert ID

  • Status: The state of the alert (e.g., Under Investigation, Threat, Not a Threat)

  • Assigned To: The team assigned to investigate the alert (e.g., Your Team, Red Canary)

  • Created at: The date and time (UTC) of when Red Canary received the alert

  • Resources: The identities and endpoints affected by the alert

  • Classification: The reported classification provided directly by the alert source, representing the "category" or type of activity detected

  • Severity: The importance level of the alert as assigned by the originating provider (e.g., Informational, Low, High). In cases where the provider's severity doesn't align with the standardized levels, Red Canary maps it to the most appropriate category.

  • Source: The security platform generating the alert

Using the Filter Icon

As an alternative to entering attributes manually in the Search with query or keyword box, you can use the UI to create your filter attributes.

  1. Click the filter icon to show available options.

  2. Use the dropdowns and text boxes to define the filters.

  3. Click Apply Filters to build the filter string and apply it.

Viewing Alert Details

You can examine the details for an individual alert by clicking on the Alert ID.

The summary at the top of the page describes the alert and provides a link to the investigation (if available).

The alert details are presented on four tabs:

Overview Tab

The Overview tab contains a summary of the alert, including affected identities and endpoints.

  • Navigate to the Activity section to access key investigative tools and insights. Here, you can:

      • Review a timestamped history of the alert’s investigation and activity

      • Track changes to the alert’s state (e.g., New > Investigating > Not a Threat)

      • Determine whether the alert is correlated with other alerts for further context

      • Add comments for your team (requires an Analyst role)

Original Alert Tab

The Original Alert tab shows the alert’s raw data, which you can use for further analysis.

Recommendations Tab

The Recommendations tab, powered by Red Canary Copilot, offers actionable response and mitigation steps tailored to the alert's details.

Insights Tab

The Insights tab leverages Red Canary Copilot to enrich alert data with contextual details, baseline information, and additional enrichment, providing deeper insights to support your investigations.

Changing the Alert Status

In the top-right corner, you can update the alert status to reflect actions taken by your team.

Contacting Us

If you have questions or need assistance, click the Contact Us button at the top of the alert.

Taking Actions

Click the Actions tab to:

  • Filter Alerts Like This: Create a Workflow Rule to define custom actions for the status or resolution of similar alerts.

  • Automate Alerts Like This: Build an Automation Playbook to set up an automated response for similar alerts.