Resolve Threats

Red Canary uses information about your responses to threats to improve the quality and timeliness of Threat investigation. The information you record about your responses also helps the Red Canary team keep track of which Threats pose a serious risk to your environment.

• From the navigation menu, click Threats.

• Open the Threat that you want to resolve by clicking the link in the Threat description.

  

• Review the Threat timeline.

• If the Threat has been removed from your environment and is no longer a security concern, scroll to the bottom of the timeline, and then click Remediated.

  Note: If Red Canary detects similar malicious activity in the future, a new Threat will be created for you to review.

• To mark a Threat as not remediated, click Not Remediated, and then select one of the following options:

  • This is unauthorized activity that will not be remediated. You accept the risk this software or behavior poses to your environment. If similar activity is observed in the future, it will be appended to this Threat.

  • This is authorized, non-testing activity. This activity is acceptable for some or all of your users. You can select the users, endpoints, or sensor groups authorized to perform these activities in the future, which won’t be appended to this Threat moving forward.

    • For Low Severity (Unwanted Software Threats), you can choose to not see Threats like this in the future.

    • For all other Threat severities, this will serve guidance to Red Canary; all other future events that meet the selected criteria will show your note to the Red Canary analyst reviewing the activity.

      

  • This activity was incorrectly identified. This activity is a false positive. An internal case is created for our Detection Engineering team to evaluate whether the Threat is a false positive due to a logic error in our detection analytics. Our team may reach out to you if we need additional context while evaluating the Threat, and you can always contact us with questions. You can enter additional information to the text box.

  • This was testing. Similar activity won’t be appended to this Threat. Use the dropdowns to specify whether the testing was internal or external and the tool used for testing. This information will be available on the timeline once the Threat is marked Not Remediated

    

    Note: If you configured your Red Canary profile to exclude tests from reports, you won't see this activity in the Report Library.

• Optionally, select I want to discuss this with my Threat Hunter to open a support case with the Threat Hunting team, indicating that you want to discuss this Threat. The email will automatically include the Threat information and your reason for not remediating.

• Click Mark as will not remediate.

  Note: If you change your mind and want to remediate the Threat, scroll to the bottom of the Threat Timeline and click the Re-open this Threat button.