Troubleshooting Alert Investigations
    • 07 Jan 2025

    When investigating third-party alerts, Red Canary uses the relevant telemetry data to assess whether the alert represents a threat. If no telemetry is available at the time the alert is processed, the alert is assigned to the customer for review.

    Telemetry data can be missing for several reasons. This page describes why data may be missing for a particular set of alerts so that you can, where possible, take corrective action to ensure that future alerts are investigated as thoroughly as possible by Red Canary.

    Microsoft Alerts

    Why was an Entra ID Identity Protection alert assigned to my team for investigation?

    Red Canary assigned the alert to you because there was no associated Entra ID telemetry available at the time of processing. This may be due to one of the following reasons.

    You don’t have an Entra ID, Azure, or Office 365 integration correctly configured in your environment
    If none of these integrations are set up, Red Canary has no access to the logon telemetry needed to investigate Entra ID Identity Protection alerts. Please follow the instructions to configure an Entra ID, Azure, or Office 365 integration.

    You have an Office 365 integration but no Entra ID integration correctly configured in your environment
    Microsoft does not make login telemetry from the Office 365 integration available immediately, so it can lag by hours. The Entra ID integration sends login data in near real time, which is why we highly recommend configuring an Entra ID integration in addition to Office 365. Please follow the instructions to configure the Entra ID integration.

    You added an Entra ID, Office 365, or Azure integration within the last 24 hours
    These integrations do not import historical data, so they need at least 24 hours of collection before there is enough user telemetry to be useful in investigating Entra ID Identity Protection alerts. This issue resolves itself as more telemetry arrives. Again, we recommend configuring both the Office 365 integration and the Entra ID integration to avoid telemetry delays in general.

    An error occurred
    Occasionally Red Canary fails to associate the identity in the alert with the identity telemetry collected in our database. If both the Office 365 integration and the Entra ID integration are configured correctly and have been active for more than 24 hours, please contact Red Canary support when you encounter an error on an Entra ID Identity Protection alert.
