Identities
    • 22 Jul 2024


    Once your Red Canary account is activated, you can begin collecting identity telemetry. Identity telemetry is some of the most valuable data for your security program because users pose a distinct risk and are frequently involved in threats. Red Canary receives this data from your Identity Provider.

    Integrate with an identity provider

    Today, Red Canary supports Okta Workforce Identity. 

    For more information about integrating Okta Workforce Identity with Red Canary, see Integrate Okta Workforce Identity with Red Canary.

    Verify your integration

    To verify that the integration is working correctly, review your Red Canary dashboard and scroll down to the Telemetry and Alerts section. Review your telemetry and alerts recorded from your Okta integration.

    For more information, see How Identity Licensing and Usage are Determined.

    Where do identities come from?

    Identities are collected from several data types processed by Red Canary, such as telemetry collected from your endpoints and alerts collected from your other security products.

    How are identities classified?

    Endpoint identities are classified as either local or domain identities. Identities are classified as domain identities if they contain a domain prefix (domain\username on Windows) and that domain is not that of a known endpoint’s hostname.

    Endpoint identities are also classified as system accounts if they are identities commonly used by operating systems as system accounts—for example, s-1-5-18 (Local System on Windows) or _coreaudiod on macOS.

    What tags are automatically applied to identities?

    Red Canary automatically applies several tags to identities as they are created and updated:

    • Local Account is set to true if the account appears to be a local (non-domain) account.

    • Domain Account is set to true if the account appears to be a domain account.

    • System Account is set to true if the account appears to be one commonly used by operating systems as system accounts.
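
The classification and tagging rules above, sketched as an added Python example; this is not Red Canary's code. It assumes case-insensitive matching and that the system-account check applies to the name after any prefix; the hostnames and identities are constructed, and the system-account set holds only the two examples this page names.

```python
# Added illustration of the rules described on this page; not Red Canary's implementation.

# Only the two system-account examples the page gives (assumption: matched case-insensitively).
SYSTEM_ACCOUNTS = {"s-1-5-18", "_coreaudiod"}


def classify_identity(identity, known_hostnames):
    """Return the three automatic tags for one endpoint identity string."""
    name = identity.strip()
    hosts = {h.lower() for h in known_hostnames}

    # Split "prefix\username"; an identity without a backslash has no prefix.
    prefix, sep, user = name.partition("\\")
    has_prefix = bool(sep and prefix and user)

    # Domain rule: a prefix is present AND it is not a known endpoint's hostname.
    # A prefix equal to an endpoint hostname (HOST\user) is therefore a local account.
    is_domain = has_prefix and prefix.lower() not in hosts

    # Assumption: system-account matching uses the part after any prefix.
    account = user if has_prefix else name
    is_system = account.lower() in SYSTEM_ACCOUNTS

    return {
        "Local Account": not is_domain,
        "Domain Account": is_domain,
        "System Account": is_system,
    }


def classify_all(identities, known_hostnames):
    """Classify several identities against one inventory of endpoint hostnames."""
    return {i: classify_identity(i, known_hostnames) for i in identities}


if __name__ == "__main__":
    # Constructed sample data.
    hostnames = ["WKSTN-042", "build-mac-01"]
    samples = ["CORP\\alice", "wkstn-042\\admin", "bob", "s-1-5-18", "_coreaudiod"]
    for ident, tags in classify_all(samples, hostnames).items():
        print(f"{ident:20} {tags}")
```

The second sample shows why the hostname inventory matters: without it, a local account reported as HOST\user would be indistinguishable from a domain account.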

     

