Synchronize Alert Status and Comments from Red Canary to Alert Platforms
- Updated on 18 Nov 2024
When processing and validating alerts from select security platforms, Red Canary can add comments to those alerts and update their states. This state synchronization allows Red Canary to keep the alerts in your other security products up to date so you don’t waste time reviewing alerts that Red Canary has already processed.
Supported alert sources
Red Canary can add comments to alerts and update their states for several supported alert sources. This is known as “state and comment synchronization.” We support state and comment synchronization for the following alert sources:
Data Source | State Sync | Comment Sync |
---|---|---|
CrowdStrike Falcon Insight: EDR | ✅ | ✅ |
Elastic Security | ✅ | ✅ |
Microsoft Defender for Cloud | ✅ | ❌ |
Microsoft 365 Defender v2 * | ✅ - inherits via Graph v2 | ✅ - inherits via Graph v2 |
Microsoft ATP API Poll Alerts | ✅ | ✅ |
Microsoft Azure Sentinel | ✅ | ✅ |
Microsoft Cloud App Security v2 * | ✅ | ✅ - inherits via Graph v2 |
Microsoft Defender for Endpoint v2 * | ✅ - inherits via Graph v2 | ✅ - inherits via Graph v2 |
Microsoft Defender for Identity v2 * | ✅ - inherits via Graph v2 | ✅ - inherits via Graph v2 |
Microsoft Defender for Office 365 v2 * | ✅ - inherits via Graph v2 | ✅ - inherits via Graph v2 |
Microsoft Entra ID Identity Protection v2 * | ✅ - inherits via Graph v2 | ✅ - inherits via Graph v2 |
Microsoft Graph v2 | ✅ | ✅ |
Palo Alto Networks Cortex XDR Alerts | ✅ | ✅ |
SentinelOne Singularity | ✅ | ✅ |
Note: Even if your alert source is listed above, synchronization is not on by default; you still need to enable it in that alert source's configuration in Red Canary.
Enable comment sync on alerts
You can instruct the Red Canary platform to add comments to alerts in the source platform during the process of alert validation.
To enable alert commenting for supported alert source platforms:
1. From your Red Canary homepage, click Integrations.
2. Scroll down and select the desired alert source.
3. Click Edit Configuration.
4. Under the Add comments to alerts in the external alert source… section, check the As Red Canary validates the alert checkbox. If checked, Red Canary adds comments to the alert in the external alert source as the alert is investigated and resolved.
5. Click Save.
Enable state sync on alerts
You can instruct the Red Canary platform to automatically resolve alerts in the source platform when alert validation is completed by Red Canary.
To enable state synchronization for supported alert source platforms:
1. From your Red Canary homepage, click Integrations.
2. Scroll down and select the desired alert source.
3. Click Edit Configuration.
4. Under the Close alerts in the external alert source… section, check the desired options described in the table below:

Option | Behavior when checked | Default |
---|---|---|
When Red Canary validates the alert as non-threatening | Red Canary resolves the alert in the external alert source if the state is “Not a Threat.” | Checked |
When Red Canary validates the alert as suspicious | Red Canary resolves the alert in the external alert source if the state is “Suspicious,” “Highly Suspicious,” or “Threat” but no threat has been published. | Unchecked |
When Red Canary publishes a threat involving the alert | Red Canary resolves the alert in the external alert source as “True Positive” if the state is “Threat” and a threat has been published. | Checked |

5. Click Save.
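To make the interaction between the three options concrete, here is an added example (not Red Canary's code) that models the resolution rules above as a function and audits which alerts would be left open in the external platform. The option names, the `external_resolution` and `alerts_left_open` helpers, and the sample alert outcomes are all constructed for illustration; note that an alert validated as "Threat" with no published threat falls under the suspicious option, so with the defaults it stays open.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Validation states named on this page.
NOT_A_THREAT = "Not a Threat"
SUSPICIOUS = "Suspicious"
HIGHLY_SUSPICIOUS = "Highly Suspicious"
THREAT = "Threat"


@dataclass(frozen=True)
class StateSyncOptions:
    """The three 'Close alerts in the external alert source...' checkboxes.
    Field defaults mirror the defaults given on the page."""
    close_non_threatening: bool = True   # validated as non-threatening
    close_suspicious: bool = False       # validated as suspicious (or Threat, unpublished)
    close_published_threat: bool = True  # a threat involving the alert was published


def external_resolution(state: str, threat_published: bool,
                        opts: StateSyncOptions = StateSyncOptions()) -> Optional[str]:
    """Return how the alert would be resolved in the external alert source,
    or None if it would be left open under these options."""
    if state == NOT_A_THREAT:
        return "resolved" if opts.close_non_threatening else None
    if state in (SUSPICIOUS, HIGHLY_SUSPICIOUS) or (state == THREAT and not threat_published):
        # 'Threat' without a published threat is governed by the suspicious option.
        return "resolved" if opts.close_suspicious else None
    if state == THREAT and threat_published:
        return "resolved as True Positive" if opts.close_published_threat else None
    raise ValueError(f"unknown validation state: {state!r}")


def alerts_left_open(outcomes: List[Tuple[str, str, bool]],
                     opts: StateSyncOptions = StateSyncOptions()) -> List[str]:
    """Audit helper: ids of alerts that would remain open in the external platform."""
    return [alert_id for alert_id, state, published in outcomes
            if external_resolution(state, published, opts) is None]


if __name__ == "__main__":
    # Constructed sample outcomes: (alert id, validation state, threat published?)
    sample = [
        ("ALERT-1", NOT_A_THREAT, False),
        ("ALERT-2", SUSPICIOUS, False),
        ("ALERT-3", THREAT, False),  # escalated, but no threat published yet
        ("ALERT-4", THREAT, True),
    ]
    print(alerts_left_open(sample))  # defaults: ['ALERT-2', 'ALERT-3']
    print(alerts_left_open(sample, StateSyncOptions(close_suspicious=True)))  # []
```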
Why do I see more than one comment stating that Red Canary is validating the same alert?
Red Canary’s alert validation process involves continuous attempts to correlate alerts to associated endpoint and process activity (every 30 minutes for two days). When alert state commenting is enabled, a comment will be added to the alert at the beginning of each correlation pass.
As a result, an alert accumulates multiple comments as it goes through multiple correlation passes. This lets you confirm that Red Canary is still actively validating the alert.
How can I tell if Red Canary updated an alert automatically within Defender for Endpoint?
Red Canary can automatically update alerts within Defender, but other mechanisms can also update Defender alerts automatically. You can tell if Red Canary closed an alert in Defender by looking for this comment in the Alert History within the Defender portal:
This alert has been validated by Red Canary and deemed a false positive because all of the reviewed activity was deemed to be non-threatening.
If you don't see that comment, then a different system, not Red Canary, closed the alert.