- 22 Aug 2024
- 2 Minutes to read
- PDF
Synchronize Alert Status and Comments from Red Canary to Alert Platforms
- Updated on 22 Aug 2024
- 2 Minutes to read
- PDF
When processing and validating alerts from select security platforms, Red Canary can add comments to those alerts and update their states. This state synchronization allows Red Canary to keep the alerts in your other security products up to date so you don’t waste time reviewing alerts that Red Canary has already processed.
Supported alert sources
Red Canary can add comments to alerts and update their states for several supported alert sources. This is known as “state and comment synchronization.” We support state and comment synchronization for the following alert sources:
Data Source | State Sync | Comment Sync |
---|---|---|
Crowdstrike Falcon Insight: EDR | ✅ | ✅ |
Elastic Security | ✅ | ✅ |
Microsoft Defender for Cloud | ❌ | ❌ |
Microsoft 365 Defender v2 * | ✅ - inherits via Graph v2 | ❌ - inherits via Graph v2 |
Microsoft ATP API Poll Alerts | ✅ | ✅ |
Microsoft Azure Sentinel | ✅ | ✅ |
Microsoft Cloud App Security v2 * | ✅ | ❌ - inherits via Graph v2 |
Microsoft Defender for Endpoint v2 * | ✅ - inherits via Graph v2 | ❌ - inherits via Graph v2 |
Microsoft Defender for Identity v2 * | ✅ - inherits via Graph v2 | ❌ - inherits via Graph v2 |
Microsoft Defender for Office 365 v2 * | ✅ - inherits via Graph v2 | ❌ - inherits via Graph v2 |
Microsoft Entra ID Identity Protection v2 * | ✅ - inherits via Graph v2 | ❌ - inherits via Graph v2 |
Microsoft Graph v2 | ✅ | ❌ |
Palo Alto Networks Cortex XDR Alerts | ✅ | ✅ |
SentinelOne Singularity | ✅ | ✅ |
Note: If Red Canary supports your alert source, you still need to enable the platform in your alert source configuration.
Enable commenting on alerts
You can instruct the Red Canary platform to add comments to alerts in the source platform during the process of alert validation.
To enable alert commenting for an alert source:
From your Red Canary homepage, click Integrations.
Scroll down, and then select your third-party security source.
You will see the icon if alert state commenting is available for this alert source platform.
Click Edit Configuration (a blue button in the upper right hand corner)
Check the Alerts should be commented on in the source platform as validation is performed? box.
Click Save.
Enable state updating on alerts
You can instruct the Red Canary platform to update the state of alerts in the source platform during the process of alert validation.
To enable state synchronization for an alert source:
From your Red Canary homepage, click Integrations.
Scroll down, and then select your third-party security source.
You will see the icon if alert state synchronization is available for this alert source platform.
Click Edit Configuration.
Check the Alert state should be updated in the source platform as validation is performed? box.
Click Save.
Why do I see more than one comment stating that Red Canary is validating the same alert?
Red Canary’s alert validation process involves continuous attempts to correlate alerts to associated endpoint and process activity (every 30 minutes for two days). When alert state commenting is enabled, a comment will be added to the alert at the beginning of each correlation pass.
This will result in multiple comments being added to an alert as it goes through multiple correlation passes. This is useful so you can identify and confirm that Red Canary is continuing to validate the alert.
How can I tell if Red Canary updated an alert automatically within Defender for Endpoint?
Red Canary can automatically update alerts within Defender, but other mechanisms can also update Defender alerts automatically. You can tell if Red Canary closed an alert in Defender by looking for this comment in the Alert History within the Defender portal:
This alert has been validated by Red Canary and deemed a false positive because all of the reviewed activity was deemed to be non-threatening.
If you don't see that comment, then a different system, not Red Canary, closed the alert.