Synchronize Alert States and Comments
    • 06 Oct 2025
    Article summary

    Red Canary syncs updated states and comments from its platform to your connected security tools. As alerts are processed and validated within Red Canary, their statuses and comments are pushed to your security platforms. This synchronization ensures your tools are kept updated, saving you time by avoiding the need to review alerts already handled by Red Canary.

    Supported Alert Sources for State and Comment Sync

    Red Canary can add comments to alerts and update their states for several supported alert sources. This is known as “state and comment synchronization.” We support state and comment synchronization for alert sources listed in the table below.

    Data Source (the table also has State Sync and Comment Sync columns)

    • CrowdStrike Falcon Identity Protection
    • CrowdStrike Falcon Insight XDR
    • Microsoft ATP API Poll Alerts
    • * Microsoft Defender for Cloud
    • * Microsoft Defender XDR
    • * Microsoft Defender for Endpoint
    • * Microsoft Defender for Identity
    • * Microsoft Defender for Office 365
    • * Microsoft Entra ID Protection
    • Microsoft Graph
    • ** Microsoft Sentinel
    • Palo Alto Networks Cortex XDR Alerts
    • ** SentinelOne Singularity

    Note

    * To configure syncing between Red Canary and these Microsoft sources, you’ll need to set up our Microsoft Graph integration, which controls alert ingestion into Red Canary.

    ** Only Sentinel and SentinelOne Singularity support notes to be added as comments in Red Canary.

    Enable Comment Sync

    You can instruct the Red Canary platform to add comments to alerts in the source platform during the process of alert validation.

    To enable alert commenting for supported alert source platforms:

    1. From your Red Canary homepage, click Integrations.

    2. Scroll down and click an alert source.

    3. Scroll down to the substep “Actions in the Source Platform.”

    4. Under the Add comments to alerts in… section, check the desired options described in the table below.

      Option: As Red Canary validates the alert
      Description: Enabled by default. If enabled, Red Canary adds comments to the alert in the external alert source as the alert is investigated and resolved.

      Option: When Red Canary determines the alert is not a strong investigative lead
      Description: Enabled by default. If enabled, Red Canary adds a comment to the alert in the external alert source that the alert is not a strong investigative lead. Learn more about Red Canary’s approach to security data.

    5. Click Save.

    Enable State Sync

    You can instruct the Red Canary platform to automatically resolve alerts in the source platform when alert validation is completed by Red Canary.

    To enable state synchronization for supported alert source platforms:

    1. From your Red Canary homepage, click Integrations.

    2. Scroll down and click an alert source.

    3. Scroll down to the substep “Actions in the Source Platform.”

    4. Under the Close alerts in… section, check the desired options described in the table below.

      Option: When Red Canary validates the alert as non-threatening
      Description: Enabled by default. If enabled, Red Canary resolves the alert in the external alert source if the state is “Not a Threat.”

      Option: When Red Canary validates the alert as suspicious
      Description: Enabled by default. If enabled, Red Canary resolves the alert in the external alert source if the state is “Suspicious,” “Highly Suspicious,” or “Threat” but no threat has been published.

      Option: When Red Canary publishes a threat involving the alert
      Description: Enabled by default. If enabled, Red Canary resolves the alert in the external alert source as “True Positive” if the state is “Threat” and a threat has been published.

    5. Click Save.

    FAQ

    Why do I see more than one comment stating that Red Canary is validating the same alert?

    Red Canary’s alert validation process involves continuous attempts to correlate alerts to associated endpoint and process activity (every 30 minutes for two days). When alert state commenting is enabled, a comment will be added to the alert at the beginning of each correlation pass.

    This will result in multiple comments being added to an alert as it goes through multiple correlation passes. This is useful so you can identify and confirm that Red Canary is continuing to validate the alert.

    How can I tell if Red Canary updated an alert automatically within Defender for Endpoint?

    Red Canary can automatically update alerts within Defender, but other mechanisms can also update Defender alerts automatically. You can tell if Red Canary closed an alert in Defender by looking for this comment in the Alert History within the Defender portal:

    This alert has been validated by Red Canary and deemed a false positive because all
    of the reviewed activity was deemed to be non-threatening.

    If you don't see that comment, a different system (not Red Canary) closed the alert.
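    The attribution check described in the two FAQ answers above, as an added example that is not Red Canary's or Microsoft's code: it walks an exported Defender alert history (a constructed list of entries here, with an assumed entry shape), counts the per-pass validation comments, and reports whether the closure comment quoted above is present. The exact wording of the per-pass "validating" comments is not given on this page, so the marker used for them is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Closure wording quoted on this page (whitespace-normalised before comparison).
RC_CLOSURE_TEXT = ("This alert has been validated by Red Canary and deemed a false positive "
                   "because all of the reviewed activity was deemed to be non-threatening.")
# Assumed marker for the comment added at the start of each correlation pass.
RC_VALIDATING_MARKER = "Red Canary is validating"


@dataclass
class HistoryEntry:
    when: datetime
    action: str   # assumed values: "comment" or "resolved"
    text: str


def attribute_closure(history):
    """Return (closed_by, validation_passes).

    closed_by is "red-canary" when the page's closure comment is present,
    "other" when the alert was resolved without it, or None if still open.
    """
    passes = sum(1 for e in history
                 if e.action == "comment" and RC_VALIDATING_MARKER in e.text)
    rc_closed = any(e.action == "comment"
                    and " ".join(e.text.split()) == RC_CLOSURE_TEXT
                    for e in history)
    resolved = any(e.action == "resolved" for e in history)
    if rc_closed:
        return "red-canary", passes
    if resolved:
        return "other", passes
    return None, passes


# Constructed sample histories: three correlation passes 30 minutes apart.
_t0 = datetime(2025, 10, 6, 9, 0)
_passes = [HistoryEntry(_t0 + timedelta(minutes=30 * i), "comment",
                        "Red Canary is validating this alert.") for i in range(3)]
SAMPLE_RC_CLOSED = _passes + [
    HistoryEntry(_t0 + timedelta(hours=2), "comment", RC_CLOSURE_TEXT),
    HistoryEntry(_t0 + timedelta(hours=2), "resolved", ""),
]
SAMPLE_OTHER_CLOSED = _passes + [
    HistoryEntry(_t0 + timedelta(hours=2), "resolved", "Auto-resolved by automation rule"),
]
SAMPLE_OPEN = list(_passes)
```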
