Post-Triage, Red Canary Final Alert States
    • 25 Jul 2024

    After a Detection Engineer analyzes an alert, or it is triaged via automation (a Workflow Rule), the alert receives one of these final states in your portal:

    • Not a Threat

    • Suspicious

    • Highly Suspicious

    • Threat

    Not a Threat

    The majority of alerts labeled Not a Threat will have been handled via automation. Red Canary's Detection Engineers analyze historical security alerts to categorize them. This helps remove informational alerts and alerts that would not help us identify actual threats within your environment. Alerts that lack enough information to confirm a threat are likely already covered by our existing detectors, which are powered by behavioral analytics.

    We understand these alerts might be important for your internal compliance or business functions. However, for threat detection purposes, Red Canary has categorized them as less critical.

    Other alerts receiving this designation will have been investigated by a Detection Engineer, whose completed analysis determined that no threat was observed.

    Some example scenarios of Not a Threat alerts:

    • The alert is entirely informational in nature.

    • An alert represents a status change in an application or system.

    • A suspicious process or file was observed but was deemed a False Positive after investigation.

    • A network connection was reset.

    Suspicious

    Our Detection Engineers see a pattern of these alerts being false positives. However, due to limited data, we cannot confidently dismiss them as Not a Threat. They still represent potential items of concern, and we recommend that the customer complete the investigation on their end.

    Some example scenarios of Suspicious alerts:

    • A Conditional Access Policy was modified.

    • A Data Loss Prevention data transfer threshold was exceeded.

    • Custom Alerts that lack context for analysis.

    • Spyware network traffic was observed.

    Highly Suspicious

    Although these alerts are classified as Highly Suspicious, Red Canary needs more context to confirm a threat. Because of their seriousness, we highly recommend a thorough investigation by your team.

    Some example scenarios of Highly Suspicious alerts:

    • A suspicious replication request was sent to a Domain Controller.

    • Network connections to domains associated with adversary activity.

    • Successful authentications from commercial VPN providers (iCloud, NordVPN, etc.).

    Threat

    Alerts for malware or other unwanted software that was Mitigated By Control will be labeled Threat on the alerts page, but they will not have a corresponding published threat. Red Canary publishes threats for behaviors that require our users' prompt attention. Since your EDR product already stopped this activity, Mitigated By Control alerts typically do not require further action from you. In cases where we cannot add additional context or a suggested action, we generally do not issue a published threat.

    Important: Alerts for blocked malware that is later-stage malware, such as C2 infrastructure, hack tools, or ransomware, warrant additional investigation and analysis by Red Canary. In those cases, customers should expect to see a published threat in their portal. Additionally, if there is behavior leading up to the anti-virus mitigation, Red Canary will treat the activity as malicious and publish a threat.

    Note: When an alert is included in a published threat, the corresponding alert in Alert Center will also receive a final alert state of Threat, and customers can see a link to the published threat it was included in.
