Investigations FAQ
    • 23 Sep 2025


    Do I need to perform my own Investigations?

    No, Red Canary will thoroughly investigate all potentially threatening activities to determine if they’re true or false positives. You’re welcome to review our determination at any time using the Investigations page.

    What if additional activity happens after all leads in an investigation are reviewed?

    If the additional lead is within 24 hours of the originating lead, and it's for the same endpoint or identity, we’ll automatically add it to the existing investigation. This new lead will be surfaced for review by our analysts and will include the previously reviewed leads.

    What if I believe Red Canary missed an Investigation?

    Detecting issues that threaten your business is what Red Canary does best, but there’ll be times when we fail to identify a threat. These false negatives, or detection misses, are critical feedback to Red Canary so we can improve our detection analytics and processes. Click here to learn more about how to report detection misses.

    How can I see which investigations were associated with a published Threat?

    This information is provided on the Investigations page under the “Resulting Threats” column. Additionally, each published Threat contains links to all the Investigations it was based upon.

    Can I search for individual leads?

    You can search for individual leads on the Investigations page by using the Investigative Lead filter.

    How long are investigations retained?

    Investigations associated with a confirmed Threat are retained indefinitely. Other Investigations are retained for one year.

    Can I build automations based on Investigations?

    At this time, there are no triggers or playbooks that operate on Investigations.

    Can I access Investigations through the Red Canary API?

    Yes, API access to Investigations is available. For more information, see the API Documentation.

