Red Canary’s world-class Managed Detection and Response service has used artificial intelligence and machine learning for years to help realize our vision of a world where organizations can focus on their mission without being distracted by a cyberattack.
We currently employ a suite of Generative AI agents to automatically investigate certain categories of security events. These agents form an initial opinion, summarize the event, and compile the findings before forwarding them to a human analyst for confirmation. For more information on the Red Canary investigation flow, see our blog post Accelerating identity threat detection and response with GenAI.
We also provide AI-compiled reports directly to customers to help you understand what an alert means, offer recommendations on how to address it, and highlight the lines of inquiry (and often the actual data) that Red Canary uses to investigate that alert. We want you to know why certain events are marked as "not a threat" so that you can trust and understand the thoroughness of the Red Canary triage process. Red Canary uses a series of agents and retrieval-augmented generation (RAG) techniques to assemble these summaries, adding relevant contextual telemetry, insight into other similar alerts, and Red Canary expert analysis as appropriate. For more information, see our article on Expert AI Agents.
Where Are the Red Canary AI Agents Deployed?
Red Canary leverages artificial intelligence to provide actionable insights in the following areas:
Red Canary Alert Summarization
When Red Canary investigates an alert in your environment and publishes it in your portal, we provide a wealth of information about that alert. Summaries are automatically generated on a per-customer basis when an alert is viewed in the customer portal. This feature is powered by Microsoft Azure OpenAI.
Red Canary Threat Recommendations
After Red Canary publishes a threat of any type or severity, a comment is added to the respective threat timeline containing recommendations for remediation. This content is powered by Microsoft Azure OpenAI.
Red Canary Identity Insights
For supported Identity Records, Red Canary analyzes the identity’s behavior. You can click on the Identity Record and a summary of the identity’s login behavior patterns appears, powered by Microsoft Azure OpenAI.
Red Canary Agentic Tuning (Customizations)
Customizations allow you to provide Red Canary with detailed information about your environment and risk profile. By submitting open-text entries and answering guided questions, you give our agentic AI threat evaluation workflows valuable context to use when deciding whether or not to suppress threats. This content is powered by Microsoft Azure OpenAI.
What Data is Being Processed?
When an alert summary is generated, data Red Canary has collected about the alert is processed by Microsoft Azure OpenAI through structured prompts Red Canary has designed to generate an actionable, concise summary.
When the “Threat Recommendations” feature is enabled, the content contributing to a Red Canary threat (including endpoint activity, cloud activity, and Identity behaviors) is processed by Microsoft Azure OpenAI to render succinct recommendations for remediation.
When you click on a supported Identity Record, data Red Canary has collected about the Identity is processed by Microsoft Azure OpenAI through structured prompts Red Canary has designed to generate actionable, concise insights into the identity's login behavior.
Is My Data Shared With Anyone Else?
No. Microsoft Azure OpenAI is built with an assurance that inputs and outputs are (1) not available to other customers, (2) not available to OpenAI, (3) not used to train OpenAI models, and (4) not used to improve any Microsoft or third-party products or services. The Microsoft Azure OpenAI service does not interact with any other services operated by OpenAI, such as ChatGPT.
When Red Canary sends customer data to the Azure OpenAI service, that data never leaves Red Canary-controlled infrastructure for processing, storage, training, or for any other reason. Red Canary sends data to a Red Canary-provisioned model that is logically isolated within the Red Canary tenant in Azure Cognitive Services; from that point the data follows Microsoft's processing rules. Red Canary has opted out of the "General" Azure region for the models, which means we only deploy our models to US-based data centers in Azure.
Investigative Tools for Red Canary Analysts
Behind the scenes, Red Canary uses additional state-of-the-art technology to help our team of security analysts, intelligence experts, and threat hunters comb through terabytes of security telemetry to detect, incriminate, prioritize, and investigate security events. Some examples of the technologies we use include:
Natural language processing (NLP)
Decision trees
Ranking models
Recurrent neural networks
Count frequency models
Word embeddings
Fuzzy matching algorithms
Data linkage statistical systems
Vector search engines
Clustering algorithms
Anomaly detection algorithms
Apriori analysis
Machine learning (supervised and unsupervised)
Integration with Microsoft Security Copilot
Red Canary has developed and published a plugin for Microsoft Security Copilot, allowing users to access Red Canary data directly from the Security Copilot interface. This integration facilitates seamless data access and enhances the overall user experience. To learn more, read our blog post Teaming with Microsoft Copilot for Security.