Troubleshooting Alert Investigations
- Updated on 12 Jun 2025
- 3 Minutes to read
When investigating third-party alerts, Red Canary uses relevant telemetry data to assess whether or not the alert represents a threat. If telemetry is not available at the time the alert is processed, the alert is assigned to the customer for review.
Telemetry data can be missing for different reasons. This page describes why data may be missing for a particular set of alerts so that you can (when possible) take corrective action to ensure that future alerts are investigated as thoroughly as possible by Red Canary.
General Alert Issues
Why is data unavailable for a security alert investigation?
When a security alert is triggered, Red Canary attempts to gather relevant data to provide context and support our investigation. Occasionally, this data may not be immediately available for one of the following reasons:
Recently-configured integration
It takes some time for a new integration to begin collecting and processing information for all identities and activities. If the system responsible for feeding the necessary information for this alert's investigation was set up within the last 1-2 days, data for the specific identity or event triggering this alert may not have arrived in the system yet. Contact Red Canary Support if the problem persists for more than 48 hours after you set up the integration.
Integration configuration or health issues
The integration that provides information for this type of alert is either not fully configured or is experiencing operational issues. If an integration isn’t correctly set up or has stopped working, the system won’t receive the data needed to enrich the alert. Review the configuration settings for the integration to make sure all required permissions, credentials, and connection details are correct, then check the status checks page for any error messages or alerts related to the integration. Contact Red Canary Support if you need assistance troubleshooting issues with the integration.
Data correlation issues or missing information
The system is unable to find or correlate sufficient data for the specific identity or event associated with this alert. This can happen for various reasons, including:
- The identity in the alert does not have a corresponding match in the integrated data sources
- There are inconsistencies or errors in the data being received
- The specific type of data needed for this alert isn’t being collected or is missing for the relevant time period
Review the configuration settings for the integration to make sure all required permissions, credentials, and connection details are correct, then look at the status checks page to see if there are any error messages or alerts related to the integration. Contact Red Canary Support if the problem persists.
Microsoft Alert Issues
Why was a Microsoft Entra ID Identity Protection alert assigned to my team for investigation?
Red Canary assigned the alert to you because there was no associated Entra ID telemetry available at the time of processing. This may be due to one of the following reasons.
You don’t have an Entra ID, Azure, or Office 365 integration correctly configured in your environment
If none of these integrations are set up, Red Canary won’t have access to the logon telemetry needed to investigate Entra ID Protection alerts. Please follow the instructions to configure an Entra ID, Azure, or Office 365 integration.
You have an Office 365 integration but no Entra ID integration correctly configured in your environment
Login telemetry from the Office 365 integration isn’t immediately made available by Microsoft and can be delayed by hours. The Entra ID integration sends login data in near real time, and for this reason we highly recommend that you configure an Entra ID integration in addition to Office 365. Please follow the instructions to configure the Entra ID integration.
You added an Entra ID, Office 365, or Azure integration within the last 24 hours
These integrations do not import historical data, so they require at least 24 hours to collect user data before there’s enough telemetry to be useful in investigating Entra ID Identity Protection alerts. This issue should resolve itself as more telemetry comes in. Again, we recommend that you configure both the Office 365 integration and the Entra ID integration to avoid telemetry delays in general.
An error occurred
Sometimes Red Canary doesn’t properly associate the identity in the alert to the identity telemetry collected in our database. If both the Office 365 integration and the Entra ID integration are configured properly and have been active for more than 24 hours, please contact Red Canary Support if you encounter an error on an Entra ID Identity Protection alert.
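The reasons listed in the general section and in the Microsoft section above follow a small decision tree: is the integration present, how long has it been active, and does only Office 365 supply the login telemetry. The triage helper below encodes that tree so a team receiving several customer-assigned alerts can sort them by likely cause before opening a support case. It is an added example, not Red Canary's code or API: the AlertContext model, the integration names (entra_id, office_365, azure), the reason codes and the sample timestamps are all constructed for illustration; the 24-hour and 48-hour windows are the ones stated on this page.

```python
"""Triage helper for alerts handed back because telemetry was missing.
Added example: the AlertContext model, integration names and reason codes
are constructed for illustration and are not Red Canary's API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed integration names for the three products the page refers to.
ENTRA_ID, OFFICE_365, AZURE = "entra_id", "office_365", "azure"
IDENTITY_INTEGRATIONS = (ENTRA_ID, OFFICE_365, AZURE)

GENERAL_WARMUP = timedelta(hours=48)  # "persists for more than 48 hours"
ENTRA_WARMUP = timedelta(hours=24)    # "require at least 24 hours"


@dataclass
class AlertContext:
    alert_time: datetime           # when the alert was processed
    telemetry_found: bool          # matching telemetry was available
    integrations: dict[str, datetime] = field(default_factory=dict)  # name -> configured_at


def newer_than(ctx: AlertContext, name: str, window: timedelta) -> bool:
    """True if the named integration was configured less than `window` before the alert."""
    return name in ctx.integrations and ctx.alert_time - ctx.integrations[name] < window


def diagnose_general(ctx: AlertContext) -> str:
    """Causes from the 'Why is data unavailable' section, in the order the page lists them."""
    if ctx.telemetry_found:
        return "telemetry_available"
    if any(newer_than(ctx, n, GENERAL_WARMUP) for n in ctx.integrations):
        return "recent_integration_wait_48h"
    if not ctx.integrations:
        return "no_integration_configured"
    return "check_integration_health_and_correlation"


def diagnose_entra_id_alert(ctx: AlertContext) -> list[str]:
    """Reasons an Entra ID Identity Protection alert was assigned to the customer.
    Several reasons can apply at once, so every matching one is returned."""
    if ctx.telemetry_found:
        return ["telemetry_available"]
    configured = [n for n in IDENTITY_INTEGRATIONS if n in ctx.integrations]
    if not configured:
        return ["no_identity_integration"]
    reasons = []
    if OFFICE_365 in configured and ENTRA_ID not in configured:
        reasons.append("office_365_only_login_latency")   # O365 login data lags by hours
    if any(newer_than(ctx, n, ENTRA_WARMUP) for n in configured):
        reasons.append("integration_younger_than_24h")    # no historical import yet
    if not reasons:
        # Integrations present and older than 24h: the page says contact Support.
        reasons.append("association_error_contact_support")
    return reasons


def sample_results() -> dict[str, list[str]]:
    """Constructed scenarios run through diagnose_entra_id_alert."""
    t0 = datetime(2025, 6, 12, 12, 0, tzinfo=timezone.utc)  # constructed alert time
    hours_ago = lambda h: t0 - timedelta(hours=h)
    scenarios = {
        "none": AlertContext(t0, False),
        "o365_only_old": AlertContext(t0, False, {OFFICE_365: hours_ago(72)}),
        "o365_only_new": AlertContext(t0, False, {OFFICE_365: hours_ago(2)}),
        "both_entra_new": AlertContext(t0, False, {OFFICE_365: hours_ago(72), ENTRA_ID: hours_ago(6)}),
        "both_old": AlertContext(t0, False, {OFFICE_365: hours_ago(72), ENTRA_ID: hours_ago(30)}),
        "telemetry": AlertContext(t0, True, {ENTRA_ID: hours_ago(72)}),
    }
    return {name: diagnose_entra_id_alert(ctx) for name, ctx in scenarios.items()}


def general_sample_results() -> dict[str, str]:
    """Constructed scenarios run through diagnose_general."""
    t0 = datetime(2025, 6, 12, 12, 0, tzinfo=timezone.utc)
    return {
        "fresh": diagnose_general(AlertContext(t0, False, {AZURE: t0 - timedelta(hours=20)})),
        "settled": diagnose_general(AlertContext(t0, False, {AZURE: t0 - timedelta(hours=100)})),
        "empty": diagnose_general(AlertContext(t0, False)),
    }


if __name__ == "__main__":
    for name, reasons in sample_results().items():
        print(f"{name:16} -> {', '.join(reasons)}")
    for name, reason in general_sample_results().items():
        print(f"{name:16} -> {reason}")
```

Because the Office 365 latency and the 24-hour warm-up can both apply to a freshly added Office 365-only tenant, the Entra ID function returns a list rather than a single code; the "contact Support" code is deliberately only the fallback, so it is never reported while a self-resolving cause is still in play.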