Investigations
    • 24 Sep 2025

    When Red Canary’s detection analytics identify a potentially threatening activity in your environment, either from a third-party alert or based on raw telemetry, we create an Investigation. You can view the Investigation in the Red Canary portal to see information about the triggering activity, learn what data we used to perform the analysis, and discover the overall outcome of that analysis.

    Red Canary, unlike other security products, does not require you to build your own detection rules and indicators of compromise (IOCs) in order to achieve successful results. From day one, you gain the benefit of years of Red Canary detection engineering.

    For more information about our general philosophy surrounding threats, see The Red Canary Approach to Security Data and Threat Detection.

    How Investigations Are Created

    There are three preliminary steps that take place before an Investigation is created:

    1. Ingestion of activity data (telemetry and alerts)

    2. Correlation to discovered entities (endpoints or identities)

    3. Determination of investigative lead strength

    If Red Canary determines the investigative lead is strong enough, we’ll create a new Investigation based on the lead and assign it a unique ID. Investigations are designed to be living objects that grow as we observe additional activity. Whenever we identify potentially threatening activity, we’ll check to see if there’s an existing Investigation for that hostname or identity and add the new lead to it. This ensures that each Investigation captures any previous activity for context.

    We use the following rules to determine whether we should append an investigative lead to an existing Investigation or create a new one:

    • Same hostname: If the new lead comes from a device that's already the subject of an active Investigation, and it happened around the same time as the initiating lead (within 12 hours before or after), then it gets added into the existing Investigation.

    • Same user, same hostname: If the new lead is tied to the same user and the same device as an existing Investigation, and it's still within the 12-hour before/after window, then it gets added to the existing Investigation.

    • Same user, no hostname: If the new lead is from the same user and happened around the same time, but the device isn't known, it still gets added to the existing Investigation. This helps capture broader user-related activity even when no affected device is known.

    If none of these rules match, or if the additional activity occurs more than 12 hours before/after the initiating lead, a new Investigation is created.
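    The three append rules and the 12-hour window above, as an added worked example (not Red Canary's code; the data model, function names and sample leads are constructed assumptions). The example matches a new lead against the hostnames and users already present in an active Investigation, measures the time window against that Investigation's initiating lead, and opens a new Investigation when no rule applies.

```python
"""Added example: a toy implementation of the lead-to-Investigation
correlation rules described in this article. Not Red Canary code; the
data model, function names and sample leads are constructed assumptions."""
import itertools
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# "within 12 hours before or after" the initiating lead
WINDOW = timedelta(hours=12)


@dataclass
class Lead:
    id: str
    observed_at: datetime
    hostname: Optional[str] = None  # None when the device is not known
    user: Optional[str] = None      # None when no identity is tied to the lead


@dataclass
class Investigation:
    id: str
    initiating_lead: Lead
    leads: List[Lead] = field(default_factory=list)
    active: bool = True


def match_rule(lead: Lead, inv: Investigation) -> Optional[str]:
    """Return the name of the append rule that matches, or None.

    The time window is always measured from the initiating lead; hostname and
    user are compared against every lead already in the Investigation
    (assumption: "subject of an active Investigation" means any lead in it).
    """
    if not inv.active:
        return None
    if abs(lead.observed_at - inv.initiating_lead.observed_at) > WINDOW:
        return None
    hosts = {l.hostname for l in inv.leads if l.hostname}
    users = {l.user for l in inv.leads if l.user}
    same_host = lead.hostname is not None and lead.hostname in hosts
    same_user = lead.user is not None and lead.user in users
    if same_user and same_host:
        return "same user, same hostname"
    if same_host:
        return "same hostname"
    if same_user and lead.hostname is None:
        return "same user, no hostname"
    # Same user on a *different, known* device matches no rule.
    return None


def correlate(lead: Lead, investigations: List[Investigation],
              next_id: Callable[[], str]) -> Tuple[Investigation, Optional[str]]:
    """Append the lead to the first matching Investigation, else open a new one."""
    for inv in investigations:
        rule = match_rule(lead, inv)
        if rule:
            inv.leads.append(lead)
            return inv, rule
    inv = Investigation(id=next_id(), initiating_lead=lead, leads=[lead])
    investigations.append(inv)
    return inv, None


# Constructed sample leads: two days of activity on two hosts and two users.
D1 = datetime(2025, 9, 24)
D2 = datetime(2025, 9, 25)
SAMPLE_LEADS = [
    Lead("lead-1", D1 + timedelta(hours=9),  "WS-0142", "jdoe"),
    Lead("lead-2", D1 + timedelta(hours=10, minutes=30), "WS-0142", "asmith"),
    Lead("lead-3", D1 + timedelta(hours=11), None, "jdoe"),      # device unknown
    Lead("lead-4", D1 + timedelta(hours=11, minutes=15), "SRV-07", "jdoe"),
    Lead("lead-5", D2 + timedelta(hours=9, minutes=30), "WS-0142", "asmith"),
    Lead("lead-6", D2 + timedelta(hours=10), "WS-0142", "asmith"),
]


def run_demo() -> List[Tuple[str, str, Optional[str]]]:
    """Process the sample leads in order; return (lead id, Investigation id, rule)."""
    ids = (f"INV-{n}" for n in itertools.count(1))
    investigations: List[Investigation] = []
    log = []
    for lead in SAMPLE_LEADS:
        inv, rule = correlate(lead, investigations, lambda: next(ids))
        log.append((lead.id, inv.id, rule))
    return log


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

    In the sample run, lead-4 illustrates the edge case the rules leave out: the same user on a different, known device does not join the existing Investigation, and lead-5 shows a repeat on the original host falling outside the 12-hour window and therefore starting a fresh Investigation.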

    Note: If an investigative lead is not deemed to be strong at the initial time of analysis, but we later see follow-on activity, we may include the original lead as contextual evidence when publishing a Threat.

    Reviewing Leads

    When an Investigation is created, the collection of investigative leads (often more than one) is sent to our team of analysts for review. There are three phases of lead review:

    • Pending: An Investigation has been created and this lead is pending analyst review.

    • In review: An analyst has claimed the lead and is actively reviewing.

    • Reviewed: The analyst has finished and determined if the lead is threatening or non-threatening.

    The Investigations Page

    The Investigations page provides a searchable summary view of all the potential threats identified in your organization. You can drill down into individual Investigations to examine the leads or to review our Threat/non-threatening determination.

    For details about the Investigations page, see View Investigations.

