Investigations FAQ

No, Red Canary will thoroughly investigate all potentially threatening activities to determine if they’re true or false positives. You’re welcome to review our determination at any time using the Investigations page.

If the additional lead is within 24 hours of the originating lead, and it's for the same endpoint or identity, we’ll automatically add it to the existing investigation. This new lead will be surfaced for review by our analysts and will include the previously-reviewed leads.

Detecting issues that threaten your business is what Red Canary does best, but there’ll be times when we fail to identify a threat. These false negatives, or detection misses, are critical feedback to Red Canary so we can improve our detection analytics and processes. Click here to learn more about how to report detection misses.

This information is provided on the Investigations page under the “Resulting Threats” column. Additionally, each published Threat contains links to all the Investigations it was based upon.

You can search for individual leads on the Investigations page by using the Investigative Lead filter.

Investigations associated with a confirmed Threat are retained indefinitely. Other Investigations are retained for one year.

At this time, there are no triggers or playbooks that operate on Investigations.

Yes, API access to Investigations is available. For more information, see the API Documentation.