Identify Retroactive Threat Insights


You may receive threats that appear to have an extended occurrence-to-detection time due to retroactive hunts. This is denoted by an analyst note in the threat timeline.

These threats are generated by our retroactive hunt process, which queries all available customer data for newly identified Indicators of Compromise (IOCs). Red Canary curates an internal IOC repository containing hashes and IPs that we have high confidence are malicious. With each update of that repository, our engine automatically reviews customer data to identify potential threats. This process is designed to analyze data as far back as possible to ensure the best coverage for our customers, which means we may publish threats for activity that occurred many days in the past.

FAQ

What is the timespan for these retroactive hunts? Should I expect threats for activity from two weeks ago?

The actual timespan of the retroactive hunt depends on your EDR's retention policy. Retention windows can range from two weeks to 30 days, and our process is configured to review all available telemetry within that window.
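The following is an added illustration of the retroactive hunt idea described above (newly curated IOCs matched against historical telemetry, bounded by the EDR retention window, with an analyst note recording the occurrence-to-detection gap). It is example code written for this page, not Red Canary's engine or data model; the event schema, the sample hash, the IP address and the retention values are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    """One EDR telemetry record (constructed shape, not a vendor schema)."""
    timestamp: datetime
    hostname: str
    sha256: Optional[str] = None
    remote_ip: Optional[str] = None


@dataclass(frozen=True)
class Threat:
    """A published threat: the matched event, the indicator, and when we found it."""
    event: Event
    indicator: str
    detected_at: datetime

    @property
    def occurrence_to_detection(self) -> timedelta:
        # Large values here are expected for retroactive hunts: the activity
        # happened before the indicator existed in the repository.
        return self.detected_at - self.event.timestamp

    def analyst_note(self) -> str:
        days = self.occurrence_to_detection.days
        return (f"Retroactive hunt: indicator {self.indicator} matched telemetry "
                f"from {self.event.hostname} {days} day(s) before detection.")


def retroactive_hunt(events: Iterable[Event], new_iocs: set,
                     now: datetime, retention: timedelta) -> list:
    """Re-scan retained telemetry for newly added IOCs.

    Only events inside the EDR retention window are available, so the hunt
    cannot see further back than `now - retention` however old the IOC is.
    """
    cutoff = now - retention
    threats = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.timestamp < cutoff:
            continue  # telemetry already aged out of the EDR; nothing to query
        for indicator in (ev.sha256, ev.remote_ip):
            if indicator is not None and indicator in new_iocs:
                threats.append(Threat(ev, indicator, now))
    return threats


# Constructed sample data (placeholders, not real indicators).
NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_HASH = "e3" * 32            # placeholder SHA-256
SAMPLE_IP = "203.0.113.10"         # documentation-range address
NEW_IOCS = {SAMPLE_HASH, SAMPLE_IP}
SAMPLE_EVENTS = [
    Event(NOW - timedelta(days=40), "host-a", sha256=SAMPLE_HASH),   # beyond retention
    Event(NOW - timedelta(days=20), "host-b", sha256=SAMPLE_HASH),   # old but retained
    Event(NOW - timedelta(days=2), "host-c", remote_ip=SAMPLE_IP),   # recent
    Event(NOW - timedelta(days=1), "host-d", sha256="00" * 32),      # benign
]


def run_sample(retention_days: int = 30) -> list:
    """Run the hunt over the constructed events with a given retention window."""
    return retroactive_hunt(SAMPLE_EVENTS, NEW_IOCS, NOW,
                            timedelta(days=retention_days))


if __name__ == "__main__":
    for threat in run_sample():
        print(threat.analyst_note())
```

With a 30-day window the 40-day-old event is never seen, the 20-day-old event is published with a 20-day occurrence-to-detection gap, and the 2-day-old event is published normally; shrinking the window to 14 days drops the 20-day-old match as well, which is why the observed hunt span tracks your EDR retention rather than the age of the IOC.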

Can customers add Red Canary IOCs to their own EDR systems?

No, we keep our IOC store private since it can contain sensitive information. Additionally, adding our IOCs to your EDR would essentially double the work since our detection engine is already monitoring for these indicators.

Can customers query or review Red Canary IOCs to verify coverage for a specific threat?

No, we keep our IOC store private since it can contain sensitive information. However, if you have a specific concern about a tactic/technique or threat actor, please reach out to your Threat Hunting team.

Can customers request specific IOCs be added to the Red Canary IOC repository?

This repository is curated by the Red Canary team to ensure only high-confidence indicators are added, to limit noise and false positives. If you have specific IOCs you want detected or blocked, we recommend configuring your security policies to meet your specific use-cases. You can also reach out to your Threat Hunting team for advice on the various ways to mitigate a specific threat.