Identify Retroactive Threat Insights
    • 21 Aug 2024

    Customers may receive threats that appear to have an extended occurrence-to-detection time due to retroactive hunts. This is denoted by an analyst note in the threat timeline.

    These threats are generated by our retroactive hunt process, which queries all available customer data for newly identified Indicators of Compromise (IOCs). Red Canary curates an internal IOC repository with hashes and IPs we have high confidence are malicious. With each update of that repository, our engine automatically reviews customer data to identify potential threats. This process is designed to analyze data as far back as possible to ensure the best coverage for our customers, which means we may publish threats for activity that occurred many days in the past.

    FAQs

    What is the timespan for these retroactive hunts? Should I expect threats for activity from two weeks ago?

    The actual timespan of the retroactive hunt varies depending on your EDR's retention policies. Retention windows typically range from two weeks to 30 days, but our process is configured to review all available telemetry.
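    The following is an added illustration of the retroactive hunt described above (the re-scan of retained telemetry after an IOC repository update, bounded by the EDR retention window, with an analyst note on threats whose occurrence-to-detection gap is large). It is example code written for this article, not Red Canary's engine; the telemetry records, IOC values, field names and the one-day note threshold are all constructed assumptions.

```python
# Added illustration of a retroactive IOC hunt (not Red Canary's engine).
# Assumptions: telemetry is a list of dicts with 'ts', 'host', 'sha256',
# 'dst_ip'; the IOC repository is a set of hashes and IPs; retention_days
# is the EDR retention window that bounds how far back the hunt can look.
from datetime import datetime, timedelta

# Constructed sample telemetry spanning more than one retention window.
NOW = datetime(2024, 8, 21, 12, 0, 0)
TELEMETRY = [
    {"ts": NOW - timedelta(days=18), "host": "ws-01", "sha256": "aaa111", "dst_ip": "203.0.113.5"},
    {"ts": NOW - timedelta(days=9),  "host": "ws-02", "sha256": "bbb222", "dst_ip": "198.51.100.7"},
    {"ts": NOW - timedelta(days=40), "host": "ws-03", "sha256": "aaa111", "dst_ip": "203.0.113.5"},
    {"ts": NOW - timedelta(hours=2), "host": "ws-04", "sha256": "ccc333", "dst_ip": "192.0.2.9"},
]


def retroactive_hunt(telemetry, ioc_repo, retention_days, detected_at, retro_threshold_days=1):
    """Re-scan all retained telemetry against an updated IOC set.

    Returns one threat record per matching event. Events older than the
    EDR retention window are invisible to the hunt and are skipped.
    Records whose occurrence-to-detection gap exceeds retro_threshold_days
    carry an analyst note explaining that the delay came from a retroactive hunt.
    """
    cutoff = detected_at - timedelta(days=retention_days)
    threats = []
    for ev in telemetry:
        if ev["ts"] < cutoff:
            continue  # outside EDR retention: no data left to hunt over
        matched = [v for v in (ev["sha256"], ev["dst_ip"]) if v in ioc_repo]
        if not matched:
            continue
        gap = detected_at - ev["ts"]
        rec = {"host": ev["host"], "occurred": ev["ts"], "detected": detected_at,
               "iocs": matched, "gap_days": gap.days, "note": None}
        if gap > timedelta(days=retro_threshold_days):
            rec["note"] = f"Identified by retroactive hunt; activity occurred {gap.days} days before detection."
        threats.append(rec)
    return threats


if __name__ == "__main__":
    # Simulated repository update: a hash and an IP newly judged malicious.
    repo = {"aaa111", "203.0.113.5", "ccc333"}
    for t in retroactive_hunt(TELEMETRY, repo, retention_days=30, detected_at=NOW):
        print(t)
```

Shortening `retention_days` to 14 drops the 18-day-old match entirely, which is the effect of a shorter EDR retention window on what a retroactive hunt can surface.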

    Can customers add Red Canary IOCs to their own EDR systems?

    No, our IOC store is private as it can contain sensitive information. Additionally, adding our IOCs to your EDR would essentially double the work since our detection engine is already monitoring for these indicators.

    Can customers query or review Red Canary IOCs to verify coverage for a specific threat?

    No, our IOC store is private as it can contain sensitive information. However, if you have a specific concern about a tactic/technique or threat actor, reach out to your Threat Hunting team for more information.

    Can customers request specific IOCs be added to the Red Canary IOC repository?

    This repository is curated by the Red Canary team to ensure only high-confidence indicators are added, limiting noise and false positives. If you have specific IOCs you want detected or blocked, we recommend configuring your security policies to meet your specific use cases. You can also reach out to your Threat Hunting team for advice on the various ways to mitigate a specific threat.