Customizations
    • 06 Feb 2026

    Article summary

    Customizations allow you to provide Red Canary with detailed information about your environment and risk profile. By submitting open-text entries and answering guided questions, you give our agentic AI threat evaluation workflows valuable context to use when deciding whether or not to suppress threats.

    How Red Canary Uses Customizations

    1. You add customizations in the Red Canary portal.

    2. Red Canary agentic workflows review your customization for appropriateness and actionability and accept, reject, or suggest modifications as needed.

    3. Once active, customizations are applied each time the Threat Review Agent evaluates threats with the “Suspicious Activity” classification. If the Agent suppresses a threat, it adds a comment to the threat explaining the decision and including a link to the specific customization used during the evaluation.

      What is the Threat Review Agent?

      The Threat Review Agent is a specialized Red Canary AI workflow that:

      • Reviews threats using customizations as primary decision criteria

      • Classifies threats as Threat or Not a Threat (defaults to Threat unless your customizations justify reclassification)

      • Prioritizes specific and actionable customizations over generic feedback

      • Generates detailed explanations describing which customizations influenced a decision

      • Tracks and reports which specific customizations were used during the threat review process

      • Applies strict relevance criteria to ensure only relevant customizations affect decisions

    By default, suppressed threats are excluded from automation actions, notifications, and reporting. Suppressed threats remain fully accessible for review both in the portal and via API. All changes made to customizations are recorded in an audit log, ensuring you can see what was changed, when it was changed, and who made the change. You can also add a “Reason for Change” note to document and justify any updates to your customizations.

    Note

    • Red Canary may override or contradict a customization to alert you to activity that we have high confidence represents a threat.

    • The Threat Review Agent can only use customizations to suppress threats; customizations cannot be used to publish threats that Red Canary wouldn’t otherwise publish.

    • After creation, customizations do not apply retroactively and will not affect threats that have already been published.

    Types of Customizations in Red Canary

    The Customizations page contains four types of customizations, each designed to capture different types of context and instructions.

    Explicit Instructions

    Explicit Instructions are freeform entries you add, specifying which activities should be suppressed and not published as threats.

    For example, if you want to suppress alerts for legitimate or blocked activity, your explicit instruction could be:

    Suppress alerts for sign-in attempts to PROD-TENANT-1 from personal devices that satisfy MFA but are blocked by conditional access.

    To create an explicit instruction, see Configure Customizations.

    Inferred Instructions

    Inferred Instructions are automatically generated by Red Canary from user comments on threats previously remediated as “Authorized, Non-testing behavior.” These customizations are available for your review and approval. Once activated, they are actively used by the Threat Review Agent when deciding whether to suppress or publish threats.

    For example, if you comment on a threat:

    “This behavior is expected—our users are permitted to access Zoom from personal devices, even over VPN. Conditional access allowed this authentication, so it’s not a concern.”

    Red Canary might suggest the following inferred instruction:

    Suppress threats for authentications to the Zoom application from non-managed devices, including those from unknown VPNs.

    To review and activate inferred instructions, see Configure Customizations.

    Environment Q&A (Beta)

    Environment Q&A asks structured questions about your environment, grouped into the following categories:

    • Risk Context

    • Network and Infrastructure

    • Identity and Access Management

    • Endpoint and Device Management

    • Other Security Tools

    • Time Bound Considerations

    For example:

    Question: In which countries/regions/provinces/states does your organization operate?
    
    Your Response: All of our staff and customers are US-based, and we don’t expect any network traffic to originate from outside of the US for normal business operations.

    To create an environment Q&A, see Configure Customizations.

    General Notes (Beta)

    General Notes are freeform text entries intended to capture other relevant security information and context that don’t require explicit instructions.

    For example, if you’re changing MDR providers, you might add the following general note:

    Our organization is migrating from Carbon Black Cloud to CrowdStrike Falcon as our EDR provider. This transition will be ongoing from March 2026 through July 2026.

    To create a general note, see Configure Customizations.

    FAQ
    What types of threats are in scope and out of scope?

    The Threat Review Agent can suppress threats classified as “Suspicious Activity.” Threats classified as “Malicious Software” or “Unwanted Software” are out of scope and will not be reviewed or suppressed by the Threat Review Agent.

    Do customizations apply to historical threats?

    No. Customizations do not apply retroactively and will not affect threats that have already been published.

    Can I see which customizations influenced a suppressed threat?

    Yes, suppressed threats in the portal will reference the customization(s) used by the Threat Review Agent. For more information, see Manage Suppressed Threats.

    How can I view suppressed threats?

    You can view suppressed threats by applying filters on the Threats page or via API. For more information, see Manage Suppressed Threats.

    Customizations are designed to reduce excessive notifications caused by false positives. However, if you would like to monitor the initial performance of your customizations, you can set up notifications using the Automation trigger Threat suppressed before publication.
