Red Canary Release Notes
    • 06 Sep 2024

    Note: This page does not include updates to the Linux EDR sensor. For information about updates to the Linux EDR sensor, check out our Linux EDR version history page.

    August 2024

    Changes and resolved issues

    • Entra ID Telemetry Integration

      • We’ve expanded our identity threat detection capabilities with the new Microsoft Entra ID integration. This integration allows us to access and analyze a broader range of Entra ID events in near real-time, enhancing your overall security visibility and response.

    • Enhanced Okta Workforce Identity Telemetry Collection

      • We’ve made significant improvements to our Okta Workforce Identity telemetry collection, providing more detailed and timely data to enhance your security posture. This upgrade ensures that your identity-related alerts are based on the most comprehensive and up-to-date information available.

    • New supported sources for Red Canary Copilot Alert Summarization

      • This feature helps you better understand the context of your alerts, provides recommendations for response, and highlights the critical data points that guided our investigation.

      • Supported alert sources now include:

        • VMware Carbon Black Cloud Endpoint Standard

        • CrowdStrike Falcon Insight: EDR

        • Jamf

        • Microsoft ATP API Poll Alerts

        • Microsoft Defender for Identity v2

        • Microsoft Defender for Endpoint v2

        • Microsoft Entra ID Identity Protection v2

        • Palo Alto Networks Cortex XDR Alerts

        • Palo Alto Networks Threat Prevention

        • SentinelOne Singularity

        • Amazon GuardDuty

        • Fortinet FortiGate (NGFW)

        • Proofpoint Targeted Attack Protection (TAP)

        • Okta Workforce Identity

    • Timeline Tabs for Threat Metadata

      • We’ve introduced a new feature on the Threat timeline: Timeline Tabs. Each timeline entry now includes two clickable tabs:

        • Details Tab: This tab displays standard information, as well as additional Cloud Provider data such as process names and network IP addresses.

        • Location Tab: This tab stores metadata about where the threat occurred, including endpoint details, Kubernetes (K8s) info, container information, and cloud instance provider details.

      • This enhancement provides you with a clearer and more organized view of your threat metadata.

    • Ephemeral Server Counting Update

      • Starting this month, we’re updating how we count ephemeral servers in heavily dynamic environments. Instead of counting every unique server, we’ll now calculate the server count based on a monthly average. This change applies to new Red Canary customers and those with a Cloud SKU, helping to prevent unexpected licensing overages.

    • EDR Tenant Names on Hover

      • We’ve introduced a simple popover that displays the name of the external service when you hover over the EDR logo, making it easier for customers with multiple EDRs of the same type to tell them apart. This update helps you quickly identify which tenant corresponds to each EDR instance.

    • Identifying and Communicating Precursor Activity

      • Precursor labels: Our Intelligence team has enhanced our ability to identify and communicate “precursor” activities—behaviors that often precede more serious threats like ransomware. By labeling these activities as precursors, we can provide more accurate threat assessments and better metrics on how often these activities escalate.

    • Consolidated Retrospectives in Red Canary Readiness

      • Readiness Exercises Retrospectives now have one unified feedback field and maturity dropdown per skill, rather than per discussion question. This consolidated experience enables teams to more effectively review and provide feedback to help them continuously improve their ability to respond.

    Bug fixes

    • Inactive Subdomains and Alert Backlog Handling

      • We’ve changed the way Red Canary handles alerts for inactive subdomains to prevent backlogs and improve the timeliness of alert processing. Now, when a subdomain is reactivated, we will only process alerts from the time of reactivation forward, ensuring that old alerts are not processed.

    • “Detected Threats: How timely were we at remediating them?” Report Fix

      • We’ve fixed a bug in the calculation of the Median Time to Remediate (MTTR) in the “Detected Threats: How timely were we at remediating them?” report. The updated report now accurately reflects MTTR values and replaces the “-” value with “<1” when the calculated time is less than one day.

    New documentation

    Support Center and Documentation Site Redesign

    • We’re excited to announce the launch of our redesigned Red Canary Support Center and Documentation site! The new site separates product documentation from support ticketing and knowledge base articles, making it easier for you to find the information you need. Please update any bookmarks that direct you to submit a support case.

    July 2024

    Changes and resolved issues

    • Alerts timeline: To improve activity display consistency in the Alerts timeline and resolve an issue with incorrect timestamps on some activities, some entries that previously appeared at the very end might now appear closer to the end (but with the correct timestamp).

    New documentation

    June 2024

    Changes and resolved issues

    • Identity Detection Updates

      • Red Canary identity flow investigations: We introduced GenAI agent flows to help us evaluate large volumes of complicated alerts, make good decisions, and explain those decisions clearly. We have tripled the number of alerts investigated as events, and our mean time to publish a threat dropped by 60 percent without quality degradation.

      • User and entity behavior analytics (UEBA) detectors: For the first time in Red Canary’s history, we have detectors that use dynamically-populated prevalence indexes per subdomain, which means we can find activity unique to a particular user. These new user behavior detectors look for successful rare VPN, ISP, and device logins, based on what is normal in a user's environment.

      • New Entra and Okta data standardization is increasing our detection capabilities. The Okta data has unblocked one detector, which searches for users attempting to access the Okta admin console.

      • New identity enrichment fields were added to increase our ability to catch threats.

      • Three new email detectors are looking for suspicious activity in user email mailboxes.

    • GenAI Investments

      • Alert Summarization Beta Launch: We have a new BETA UI feature that summarizes an individual alert with everything we know or have done with that alert. This update backs up our investigation, offers suggested next steps, and is available in Red Canary to try right now. 

        Below is a list of alert integrations that are supported today:

        • Endpoint

          • CrowdStrike Falcon Insight: EDR

          • Microsoft Defender for Endpoint v2

          • Palo Alto Cortex XDR Alerts

          • SentinelOne Singularity

          • VMware Carbon Black Cloud Endpoint Standard

          • Jamf Pro/Protect

        • Identity

          • Microsoft Entra ID Identity Protection v2

          • Microsoft Defender for Identity v2

        • Cloud

          • AWS GuardDuty

      • Integrating Red Canary Copilot with Microsoft Copilot: Earlier this year we built a plugin for Microsoft Copilot, and Microsoft recently released our plugin globally to all Microsoft Security Copilot customers.

      • Upgraded GenAI models to leverage GPT-4o for all its agents and LLM calls.

    • Detecting Threats

      • 6 new intelligence profiles introduced, including Sugarghost, Cuckoo Stealer, Storm-1811, WARMCOOKIE, EditBot, and Cleanuploader.

      • 5 new insights published, including the High Volume of ChromeLoader activity stemming from PDF Installer Lures, Open With Notepad: Protecting Users By Changing Default Behavior, and Voice phishing campaign leads to Black Basta.

      • Trend Micro EDR discovery and MVP translators have been completed. We can now generate tip-offs from Trend Micro EDR data.

    • Readiness Exercises

      • Updated 2 scenarios that include customizable fields and media prompts (“Are we ready for ransomware?” and “Compromised Third-Party Software”).

      • Added support for free-form attendee input during exercise set-up so that participants can be defined regardless of their subdomain user status.

      • Added new readiness subdomain user roles to allow MDR and Readiness users more flexibility in managing users across the two products within the same subdomain.

      • Introduced archiving and search for the Exercises and Action pages.

    Bug fixes

    • UI Update: Users can now create exclusions for identity tags. This update was a commonly requested feature enhancement that saves time so that identities don’t need to be individually excluded.

    New documentation

    May 2024

    Changes and resolved issues

    • Cloud MDR Update

      • You can now integrate Red Canary with Google Cloud Platform (GCP). Red Canary can detect suspicious activity across all major cloud environments and seamlessly correlate that data with other leading cloud security products, enabling enterprises to find and stop threats before they can cause damage. Red Canary’s vendor-agnostic approach underpins these new capabilities, providing security teams with actionable threat intelligence and comprehensive visibility from the control plane to containers and workloads. For more information, see Integrate Google Cloud Platform (GCP) with Red Canary.

    New documentation

    April 2024

    Changes and resolved issues

    • MDR Detection Updates

      • New identity detectors

        • ANY-LOGON-TOR: This detector identifies any logon from a TOR node based on IP enrichment from the IP Quality Score.

        • IDENTITY-OKTA-MFA-TOR-LOGIN: This detector identifies a successful MFA authentication sourcing from a TOR proxy IP address.

        • IDENTITY-LOGON-PERFECTDATA: This detector identifies suspicious logins to the “PerfectData Software” Entra ID application, which may indicate a Business Email Compromise (BEC) attack.

        • IDENTITY-LOGON-EM-CLIENT: This detector identifies suspicious logins to the “eM Client” Entra ID application, which may indicate a Business Email Compromise (BEC) attack.

        • EMAIL-RULE-CREATE-FRAUD-IP: This detector identifies email rule creation from IP addresses associated with VPN/proxy services with a high fraud score according to IP enrichment data.

    • More Okta Telemetry

      • We enhanced the standardization of logon attempt Okta event types and added new telemetry.

        • user.session.access_admin_app

        • user.session.start

        • user.authentication.auth_via_AD_agent

        • user.authentication.auth_via_IDP

        • user.authentication.auth_via_inbound_delauth

        • user.authentication.auth_via_inbound_SAML

        • user.authentication.auth_via_iwa

        • user.authentication.auth_via_LDAP_agent

        • user.authentication.auth_via_radius

        • user.authentication.auth_via_richclient

        • user.authentication.auth_via_social

        • user.authentication.authenticate

        • app.generic.unauth_app_access_attempt

        • Application.policy.sign_on.deny_access
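Toy normalization and detection logic modelled on the identity detectors and the Okta logon-event standardization described in this section. This is example code written for this article, not Red Canary's implementation; the enrichment values, fraud-score threshold, Entra event names, sample events and the admin-console detector name are all constructed.

```python
"""Normalize Okta/Entra events into categories, then run TOR, BEC-app and
fraud-IP rules over them. Everything below except the listed Okta event types
and detector names taken from the notes is constructed for illustration."""
from dataclasses import dataclass

# Okta System Log event types the notes list as standardized logon attempts.
# Stored lower-cased because the comparison in normalize() is case-insensitive.
OKTA_LOGON_EVENT_TYPES = {t.lower() for t in {
    "user.session.start",
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_IDP",
    "user.authentication.auth_via_inbound_delauth",
    "user.authentication.auth_via_inbound_SAML",
    "user.authentication.auth_via_iwa",
    "user.authentication.auth_via_LDAP_agent",
    "user.authentication.auth_via_radius",
    "user.authentication.auth_via_richclient",
    "user.authentication.auth_via_social",
    "user.authentication.authenticate",
    "app.generic.unauth_app_access_attempt",
    "Application.policy.sign_on.deny_access",
}}
OKTA_ADMIN_CONSOLE_EVENT = "user.session.access_admin_app"
# Entra ID application names the notes call out as possible BEC tooling,
# mapped to the detector that fires on a successful logon to them.
BEC_APP_DETECTORS = {
    "PerfectData Software": "IDENTITY-LOGON-PERFECTDATA",
    "eM Client": "IDENTITY-LOGON-EM-CLIENT",
}
FRAUD_SCORE_THRESHOLD = 85  # constructed cut-off; the product's value is not published

# Constructed IP reputation table standing in for a commercial enrichment lookup.
# Addresses come from RFC 5737 documentation ranges; the attributes are invented.
IP_ENRICHMENT = {
    "198.51.100.7": {"tor": True, "vpn": False, "fraud_score": 95},
    "203.0.113.9": {"tor": False, "vpn": True, "fraud_score": 90},
    "192.0.2.10": {"tor": False, "vpn": False, "fraud_score": 3},
}
NO_ENRICHMENT = {"tor": False, "vpn": False, "fraud_score": 0}


@dataclass
class Event:
    source: str        # "okta" or "entra"
    event_type: str    # vendor event type as delivered by the source
    user: str
    ip: str
    success: bool
    mfa: bool = False  # MFA was satisfied on this logon
    app: str = ""      # Entra application display name for sign-ins


def normalize(ev: Event) -> str:
    """Standardization step: map a vendor-specific event type to one category."""
    et = ev.event_type.lower()
    if ev.source == "okta":
        if et == OKTA_ADMIN_CONSOLE_EVENT:
            return "admin_console_access"
        if et in OKTA_LOGON_EVENT_TYPES:
            return "logon_attempt"
    elif ev.source == "entra":
        # Constructed Entra event names for a sign-in and a mailbox rule creation.
        if et == "signin":
            return "logon_attempt"
        if et == "email_rule_create":
            return "email_rule_create"
    return "other"


def run_detectors(events):
    """Return (detector, user) pairs for every rule that matches an event."""
    hits = []
    for ev in events:
        category = normalize(ev)
        enr = IP_ENRICHMENT.get(ev.ip, NO_ENRICHMENT)
        if category == "logon_attempt":
            if enr["tor"]:
                # ANY-LOGON-TOR: any logon attempt, successful or not, from a TOR node.
                hits.append(("ANY-LOGON-TOR", ev.user))
                if ev.source == "okta" and ev.success and ev.mfa:
                    hits.append(("IDENTITY-OKTA-MFA-TOR-LOGIN", ev.user))
            if ev.source == "entra" and ev.success and ev.app in BEC_APP_DETECTORS:
                hits.append((BEC_APP_DETECTORS[ev.app], ev.user))
        elif category == "email_rule_create":
            if enr["vpn"] and enr["fraud_score"] >= FRAUD_SCORE_THRESHOLD:
                hits.append(("EMAIL-RULE-CREATE-FRAUD-IP", ev.user))
        elif category == "admin_console_access":
            # Detector name is constructed; the notes only describe its purpose.
            hits.append(("OKTA-ADMIN-CONSOLE-ACCESS", ev.user))
    return hits


# Constructed sample events covering each rule plus a benign control (erin).
SAMPLE_EVENTS = [
    Event("okta", "user.authentication.auth_via_IDP", "alice", "198.51.100.7", True, mfa=True),
    Event("okta", "user.session.access_admin_app", "bob", "192.0.2.10", True),
    Event("entra", "signin", "carol", "192.0.2.10", True, app="eM Client"),
    Event("entra", "email_rule_create", "dave", "203.0.113.9", True),
    Event("entra", "signin", "erin", "192.0.2.10", True, app="Outlook"),
    Event("okta", "Application.policy.sign_on.deny_access", "frank", "198.51.100.7", False),
]

if __name__ == "__main__":
    for detector, user in run_detectors(SAMPLE_EVENTS):
        print(f"{detector:30} {user}")
```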

    • Detecting threats

      • New intelligence profiles: We have three new profiles, ten new hints, and eight new detection coverage gap issues, including requests to bolster detection for 8base ransomware, RCRU64 ransomware, Koi Stealer, Bundlebo, D3F@CK loader, and XZ util sshd backdoor. The Intel Team researched the Koi Stealer and Loader malware, resulting in a new profile, a new hint, a detection coverage gap issue, and 11 new intelligence profile associations on threats.

      • Forty-nine new detectors are available across Google Cloud Platform (GCP), Windows, macOS, Linux, Identity and Email.

    • GenAI investments

      • Copilot for Security plugin available for Microsoft customers: Red Canary is the first MDR/MSSP to have a plugin published with Microsoft Security Copilot. We will also be the first plugin to ship with promptbooks that integrate our plugin capabilities to automate investigation tasks across the Microsoft Copilot for Security datasets. Users who own both Red Canary and Microsoft Copilot for Security can access their Red Canary data via Microsoft Security Copilot’s chatbot interface. Microsoft Security Copilot is a tool for defenders that helps them easily access and synthesize data from Red Canary while in the Defender console. The plugin is available today.

    • Readiness Exercises now support customizable scenario inputs that users can specify during the exercise setup stage. These inputs are then leveraged to create more realistic incident triggers using actual employee names, roles, and company tools currently in place at the organization.

    New documentation

    March 2024

    Changes and resolved issues

    • Cloud MDR Update

      • LEDR update. We added functionality to our Linux EDR sensor to show users more metadata related to the location of their Kubernetes pods and containers. This update helps users locate assets, leading to faster threat response times.

      • More AWS telemetry. We extended the Software Asset Management (SAM) to support AWS telemetry around assumed roles, and a new translator was shipped to standardize this telemetry.

      • More cloud metadata in Red Canary's automated emails. The XDR team added container-specific information to emails that we send to users via Automate, which streamlines the users' response process to issues in their cloud environments.

    • Detecting Threats

      • Intelligence-driven detection in action. Our Intelligence Team researched new TTPs used by a nefarious macOS malware family called Atomic Stealer and then worked with Detection Engineering to create new detectors.

      • 44 new behavioral detectors were deployed.

    Bug fixes

    • Alert timelines. The XDR team fixed an issue where Alert Timeline entries were out of order.

    • MDE Response Actions for Linux. We have added isolation support for Linux users.

    • Improved reporting performance. We updated the Median Time to Remediation and Intelligence & Detection Engineering Reports. The report previously took 7-12 seconds to load and now takes just under 1 second.

    February 2024

    Changes and resolved issues

    • Automated Response. Red Canary now supports Automated response actions via Defender for Endpoint targeting MacOS and Linux systems. As a reminder, Red Canary Active Remediation does not currently support Linux on Defender or any sensor.

    New documentation

    January 2024

    Changes and resolved issues

    • Cloud Updates. You can now integrate Red Canary with Microsoft Azure. For more information, see Integrate Microsoft Azure with Red Canary.

    • New updates in the UI 

      • New Intel Profile UI. Intelligence Profiles have officially converted from Early Access (EA) to General Availability.

      • New Status Checks UI. We have a new status check area in Red Canary that helps users know whether their integrations are healthy. It makes it easier for users with multiple integrations to navigate to the information they need.

      • New view of User Protection usage. We have completed our new view in Red Canary so users can see their User Protection usage against what they purchased.

      • SentinelOne Pivot in Red Canary. All SentinelOne users can now pivot via DeepLink to an individual SentinelOne alert from the Red Canary alert page. This update addressed an issue where finding the source alert in SentinelOne from Red Canary was extremely difficult. Additionally, this update provides parity with other EDRs.

    • Detecting Threats

      • We have updated 47 existing detectors.

      • 33 new detectors were built that span cloud and endpoint.

      • We enhanced our automation around multi-source threats, combining AADIP and MDE AITM alerts.

    • Readiness Updates

      • We continue to add new capabilities to our latest product area.

      • Fresh Readiness Scenarios. We added a new scenario for triaging a Microsoft SQL Brute Force attack. Additionally, we improved the flow in scenarios, including Atomic Red Team testing with prerequisites/ART guidance outlined in the scenario details section to ensure the team is prepared to exercise the scenario.

    Bug fixes

    • MDE Response Actions for MacOS (and soon Linux). We have added isolation support for MDE on MacOS, and are implementing Active Remediation (AR) support as well.

    New documentation

    December 2023

    New documentation

    November 2023

    Changes and resolved issues

    • New detectors. Thirty-six new detectors were developed and deployed across AWS, Azure, Linux, MacOS, and Windows.

    • New Intelligence Profile UI. The new UI, available to Early Access users, features a more digestible presentation format so that we can continue to differentiate ourselves with our incredible Threat Intelligence content. The full GA release is set for early January.

    • New Intelligence Profiles. The Intelligence Team constantly updates our profiles based on the latest threats. This month, we added three new profiles and updated four existing profiles.

    • New Scattered Spider Readiness Exercise. We have a new readiness exercise to help our users prepare for one of today’s most challenging adversaries.

    Bug fixes

    • We added several fixes to MDE’s Automate actions related to isolation, including Defender for Endpoint Isolation Cancellation. We fixed an issue where users could not cancel an isolation request for a device that was still pending isolation.

    New documentation

    October 2023

    Changes and resolved issues

    • New Intelligence Profiles. The Intelligence Team created nine new Intelligence Profiles and updated fifteen Intelligence Profiles to provide additional threat context to our users. A notable new profile is Nitrogen, a malware family delivered via malvertising that often leads to follow-on activity. 

    • Surveyor on Rails. The Threat Hunting Team recently released a new internal hunting tool called Surveyor on Rails. This tool allows our Threat Hunters to efficiently hunt across user environments as we investigate and seek to identify new threats. Surveyor on Rails has enabled the team to hunt across user environments in a fraction of the time that it used to.

    • Wiz update. Red Canary has teamed up with Wiz as its first certified MDR partner. For more information, see our latest blog post on what’s coming up.

    Bug fixes

    • Fixed Automate on-demand search. We fixed an issue that prevented users from searching for the desired target to run an on-demand playbook against.

    • We refactored the Lacework integration for improved integration reliability and performance.

    • Portal SMS MFA can now be disabled on a subdomain level.

    New documentation

    September 2023

    Changes and resolved issues

    • Thwarted Ransomware. On 9/15/23 the night crew helped thwart a Ransomware attack against one of our users. One of our Detection Engineers saw suspicious usage of the bitsadmin tool and determined this threat was likely a “hands on keyboard” situation, and coordinated a call across threat hunting specialists here at Red Canary. Ultimately this threat was confirmed, blocked, and attributed to the ALPHV/BlackCat Ransomware affiliate.

    • New detectors. Thirty-three new detectors were developed and deployed across Windows, MacOS, Linux, AWS, and Identity.   

    • Readiness Exercises Updates. We released ten new scenarios in the portal focused on Cloud and ICS readiness.

    Bug fixes

    • Forensics Package overhaul. We addressed a known issue for users of this feature, as the forensic package required an overhaul for the majority of the EDRs for which we provide the capability. Users who have utilized the updated capabilities have reported a better experience.

    • Improved Microsoft Graph v2 ingestion and sync. Due to a change in Microsoft’s data strategy we had to navigate a back office change with significant customer impact. We re-designed the way we ingest, delay, and queue data from Microsoft sources. This change improves the quality of data for these Microsoft products.

    • Fixed reporting loading errors. We fixed known issues with high endpoint count users that would previously error out. These include the Collections Report and the By The Number Report.

    New documentation

    August 2023

    Changes and resolved issues

    • You can now integrate Red Canary with Amazon Web Services (AWS) GuardDuty across all accounts and regions within your AWS Organization. This new integration lets Red Canary assume a role in your AWS environment, eliminating the need for a dedicated IAM user. In addition, Red Canary will detect when a new account or region appears, and automatically begin collecting GuardDuty findings. For more information, see Integrate Amazon Web Services with Red Canary.

    • The integrations table now includes a Data Is column that describes the current status of your ingested data. This update gives you better insight into what Red Canary does with your data after ingestion.

      • Data will be stored and investigated: indicates that the data investigation has been assigned to Red Canary.

      • Data will be stored: indicates that the data investigation has been assigned to the user.

      For more information, see Integrations.

    New documentation

    July 2023

    Changes and resolved issues

    • The Linux EDR sensor now collects Scriptload and file modification telemetry. Collecting these types of telemetry enables our users to gain deeper insights into potential threats. For more information, see Release v1.5.0 and Release v1.5.1.

      • Scriptload Telemetry:

        • The Linux EDR sensor now collects the contents of scripts that start with a shebang (#!), ensuring we have granular visibility into script execution within environments protected by Linux EDR. With this valuable information, Red Canary identifies and analyzes potentially malicious scripts and detects script-based attacks.

      • File Modification Telemetry:

        • The Linux EDR sensor offers real-time visibility into any changes (creates, writes, deletes) made to critical system files. Red Canary quickly identifies unauthorized alterations and detects file-based attacks by capturing these modifications.

      • With these enhanced telemetry capabilities, the Linux EDR sensor becomes an even more powerful ally in our users’ security arsenals. This telemetry will be collected regardless of user subscription (CWP or Linux EDR).

    • The integrations page now shows the correct Alert and Telemetry information in their appropriate columns. This data provides insight on the amount and type of information that Red Canary is receiving from your third-party alert source. For more information, see Integrations.

    New documentation

    June 2023

    Changes and resolved issues

    • Red Canary’s Integration section is now easier to locate. From your Red Canary homepage, click Integrations to be taken to our main Integrations page. Start by typing in the name of your third-party security source, or scroll through the list to find the correct source. For more information, see Integrations.

    • Red Canary’s Events API now includes MITRE ATT&CK Tactics, Techniques, and Procedures (TTP) identifier information. Users can easily extract TTP data, enabling them to discover what types of adversary motives and techniques their network is most vulnerable to, and security weaknesses that can be exploited.

    New documentation

    May 2023

    Changes and resolved issues

    • SentinelOne alerts now automatically close in Red Canary when they have been reviewed by Red Canary’s Cyber Incident Response Team (CIRT). The alert's status and any closing comments made by Red Canary will automatically update in the SentinelOne console. This update provides users with a consistent experience between the two integrated platforms.

    • Cortex alerts now automatically close in Red Canary when they have been reviewed by Red Canary’s CIRT team. The alert's status and any closing comments made by Red Canary will automatically update in the Cortex console. This provides users with a consistent experience between the two integrated platforms. 

    • Red Canary now automatically adds additional analyst context to SentinelOne alerts that have been reviewed by Red Canary’s CIRT team. Any notes made by Red Canary’s analysts during the review and disposition of a SentinelOne alert will now display as a Note attached to SentinelOne’s Incidents in the SentinelOne console. This update enables users to see why an alert was given a disposition by the Red Canary team, further enhancing the clarity of Red Canary’s review. 

    • Data Loss Prevention (DLP) alerts from Microsoft Graph v2 integrations will no longer be ingested by Red Canary. This alert source lacked sufficient security context for Red Canary to review and will require the user to review future instances. 

    • Red Canary's integration with SentinelOne for Ban Binary response actions now standardizes on SHA1 hashes. This update allows for the consistent banning of hashes when utilizing SentinelOne as an EDR platform. In addition, this update enables users to respond quickly to found threats.

    • Red Canary users can now adjust the Jamf Isolation group chosen for SOAR response actions with Jamf Pro using the Red Canary console. This update allows for quick updates to the Jamf integration while maintaining quality isolation outcomes. 

    April 2023

    Changes

    • Red Canary has launched Red Canary Readiness, a new portfolio of offerings that gives teams a whole new way to train and prepare for incidents. The initial Readiness product is Readiness Exercises, a first-of-its-kind continuous learning platform that delivers realistic training, tabletops, and atomic testing in a single unified experience. For more information, see Red Canary Readiness.

    • Red Canary has added a new Request Remediation button which enables on-demand requests for remediation on a published High or Medium severity Threat. The goal of this feature is to give the user a way to request additional support in instances where:

      • User did not tag the endpoint correctly or opted to not tag it due to isolation concerns.

      • User Acknowledged (AR stop) but then reconsidered and now wants Active Remediation (AR) intervention.

      • User removes the endpoint from the network and needs a way to notify the Active Remediation team when it's back online.

      • User discusses the threat with the Threat Hunting team and becomes comfortable with Active Remediation actions.

      • User can request AR actions on an old threat (prior to tagging) that generates additional activity without a substantial update.

    New Readiness documentation

    New Active Remediation documentation

    New documentation

    March 2023

    Changes and resolved issues

    • Red Canary now supports SentinelOne’s latest data ingest mechanism, Cloud Funnel 2.0. With this upgrade, our new SentinelOne customers can easily set up and configure data integration with Red Canary using just a few pieces of information. This upgrade offers additional enrichment to XDR data from SentinelOne’s Singularity data lake streamed directly into Red Canary’s AWS S3 storage. An example of this is the inclusion of OsSource process data, which improves how Red Canary determines process lineage, resulting in increased detection coverage and investigative efficiency. We will automatically migrate all existing customers to this new mechanism over the next few weeks. For more information, see Integrate SentinelOne Cloud Funnel 2.0 with Red Canary.

    • Azure AD response actions can now fire optionally without user approval and be triggered by alerts, not just detections. These changes expand the scope and increase the speed by which customers respond to threats impacting their users, thus decreasing their mean time to respond. This new update is especially beneficial for users who have set up automation in Red Canary for Microsoft 365 Defender alerts. For more information, see Utilize Azure AD response actions.

    • The Linux EDR sensor now captures “shebang” script load information. If a process start invokes a "shebang" script (a file beginning with '#!'), the sensor now outputs information about that script’s content (currently limited to 1KB) as well as any middle interpreters of that script, in addition to the executable information.
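A toy resolver for the “shebang” script-load telemetry described here and in the July 2023 Scriptload Telemetry item: it records the script’s content capped at 1KB, any middle interpreters that are themselves shebang scripts, and the native executable that finally runs. This is example code written for this article, not the Linux EDR sensor’s implementation; the in-memory filesystem and the interpreter-chain limit are constructed.

```python
"""Walk a shebang interpreter chain the way an EDR sensor would when building a
script-load record. The 1KB cap comes from the notes; everything else here
(the fake filesystem, the chain limit) is constructed for illustration."""

SCRIPT_CONTENT_LIMIT = 1024  # the notes state captured script content is limited to 1KB
MAX_INTERPRETER_CHAIN = 4    # constructed guard against interpreter loops
ELF_MAGIC = b"\x7fELF"

# Constructed in-memory filesystem (path -> bytes). deploy.sh is run through a
# wrapper that is itself a shebang script, so the wrapper is a "middle interpreter".
# loop.sh names itself as its interpreter to exercise the chain guard.
FILES = {
    "/usr/local/bin/deploy.sh": b"#!/usr/local/bin/wrapper -v\n" + b"echo deploying step\n" * 100,
    "/usr/local/bin/wrapper": b"#!/bin/bash\nexec bash \"$@\"\n",
    "/usr/local/bin/loop.sh": b"#!/usr/local/bin/loop.sh\n",
    "/bin/bash": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9,
}


def parse_shebang(data: bytes):
    """Return (interpreter, optional_arg) if `data` starts with '#!', else None.
    As the kernel does, everything after the interpreter path is one argument."""
    if not data.startswith(b"#!"):
        return None
    first_line = data.split(b"\n", 1)[0][2:].decode("utf-8", "replace").strip()
    parts = first_line.split(None, 1)
    if not parts:
        return None
    return parts[0], (parts[1] if len(parts) > 1 else None)


def resolve_script_load(path: str, fs=FILES) -> dict:
    """Build the telemetry record for executing `path`."""
    data = fs.get(path)
    if data is None:
        raise FileNotFoundError(path)
    record = {
        "script": None,
        "script_content": b"",
        "content_truncated": False,
        "middle_interpreters": [],
        "executable": None,
    }
    shebang = parse_shebang(data)
    if shebang is None:
        # Native executable: nothing to capture beyond the executable itself.
        record["executable"] = path
        return record
    record["script"] = path
    record["script_content"] = data[:SCRIPT_CONTENT_LIMIT]
    record["content_truncated"] = len(data) > SCRIPT_CONTENT_LIMIT
    interpreter, _arg = shebang
    for _ in range(MAX_INTERPRETER_CHAIN):
        idata = fs.get(interpreter)
        if idata is None:
            raise FileNotFoundError(interpreter)
        nxt = parse_shebang(idata)
        if nxt is None:
            # Reached a native binary (for example an ELF file): chain complete.
            record["executable"] = interpreter
            return record
        # The interpreter is itself a script: record it and keep walking.
        record["middle_interpreters"].append(interpreter)
        interpreter, _arg = nxt
    raise RuntimeError(f"interpreter chain from {path} exceeds {MAX_INTERPRETER_CHAIN} levels")


if __name__ == "__main__":
    rec = resolve_script_load("/usr/local/bin/deploy.sh")
    print("script:", rec["script"])
    print("middle interpreters:", rec["middle_interpreters"])
    print("executable:", rec["executable"])
    print("content bytes captured:", len(rec["script_content"]), "truncated:", rec["content_truncated"])
```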

    • Linux EDR customers can now hunt and interact with telemetry more efficiently. The search tool has been improved to make it easier for users to search while keeping the original search functionality for our experienced users. In addition, one of our new features enables you to easily specify date and time ranges within a search. Finally, a slide-out panel has been added to make it easier to view telemetry details.

    • Filtering for threats is now even more extensive with the new threat table matrix. Customers can now filter by 10 attributes. The table order has been rearranged to make filtering and searching more intuitive. For more information, see Filter for specific threats.

    New documentation

    February 2023

    Changes and resolved issues

    • Red Canary now supports response actions for Azure Active Directory (AzureAD). Using Red Canary's updated playbook features, Threat Investigation customers can manually or automatically revoke session tokens, and suspend and unsuspend users. This new feature provides you with advanced remediation options to quickly respond to and stop threats. For more information, see Utilize Azure AD response actions.

    • Red Canary now utilizes Palo Alto Cortex XQL capabilities to retroactively search for developing threats in historical process telemetry. This update ensures Palo Alto Cortex customers are protected from the latest emerging threats by retroactively hunting for suspicious activity when new attacker IOCs are identified.

    New documentation

    • Utilize Azure AD response actions

    • Integrate Proofpoint Targeted Attack Protection (TAP) with Red Canary

    • Install endpoint sensors

    January 2023

    Changes and resolved issues

    • Red Canary now supports MDR for Lacework. Lacework looks for abnormal behavior rather than using a strict rules-based analytics approach. As such, there can be higher false positives in Lacework, but this approach can be more flexible to changing threats in your cloud environment. Red Canary monitors Lacework alerts for threats and correlates this telemetry to other threats and alerts in your cloud environment. Today, Red Canary is focused on detecting active (post compromise) threats in your environment, and in the near future we’ll be able to help you identify and respond to critical misconfigurations as well. For more information, see Integrate Lacework with Red Canary.

    • We have expanded the content and filter options on Homepage’s Activity Feed to include Intelligence Profiles. Red Canary develops Profiles to help describe threats and summarize their associated behaviors. Customers can now have their Activity Feed inform them when Red Canary publishes new Intelligence Profiles. 

    • You can now create an automation action to apply reporting tags to endpoints. Reporting tags allow you to add additional metadata to help organize and categorize endpoints within their environment. This feature enables you to automatically apply existing or new tags to endpoints based on an endpoint trigger event. When an endpoint changes statuses or exceeds a last check-in time threshold, you can immediately apply relevant tags to help manage the endpoints without human intervention.

    • We have updated our API to reflect that Threats can be remediated as TEST. Although the Red Canary platform offered four options for not remediating threats, the API documentation only had three. We added "not_remediated_authorized_testing" to our API to match the content found in the platform. You can therefore choose not to remediate the threat and mark it as “This was testing” for clarification.

    • We’ve expanded our integration with Microsoft Sentinel to harness the power of SIEM (Security information and event management) for threat detection and response. Red Canary integrates with Microsoft Sentinel incidents generated from Microsoft’s built-in analytics. By ingesting and reviewing your Microsoft incidents, Red Canary can help protect against identity-based threats, improve your cloud security coverage, and operationalize more of Microsoft’s security tools. Check out our blog for detailed information. For integration directions, see Integrate Microsoft Sentinel with Red Canary.

    • Red Canary now supports MDR for CrowdStrike endpoint logon telemetry for all CrowdStrike EDR customers. Red Canary ingests, normalizes, and investigates device logon telemetry from CrowdStrike Falcon agents. This new visibility means Red Canary can detect brute force and other identity based threats using the CrowdStrike agents that customers have deployed in their environment. For more information, see Identity detection support for CrowdStrike EDR.

    • Red Canary now supports MDR for Microsoft Defender for Cloud. Defender for Cloud enables you to continually assess, secure, and defend your Azure, AWS, and Google Cloud Platform infrastructure. Red Canary assesses Defender for Cloud alerts and threats that are correlated to other threats and alerts in your cloud environment. For more information, see Integrate Microsoft Defender for Cloud with Red Canary.

    • You can now verify Red Canary’s handling of Microsoft Sentinel incidents. When Red Canary publishes a threat related to a Microsoft Sentinel incident, you will now see a comment in Red Canary on the incident in Microsoft Sentinel with a link to the published threat in Red Canary. This update enables you to easily pivot from Microsoft Sentinel to Red Canary and verify that Red Canary is investigating your Microsoft Sentinel Incidents.

    • We have expanded our Intelligence Products by adding Industry News as its own section. The Red Canary Intelligence team reviews and curates the latest cybersecurity news that is relevant. This new page keeps you abreast of emerging and prevalent threats, allowing you to make informed decisions regarding your security posture. Check out Intelligence Products for more information.

    New documentation

    New video

    December 2022

    Changes and resolved issues

    • You can now protect your Google Workspace with Red Canary MDR. Google Workspace (formerly known as G Suite) includes Gmail, Sheets, Drive, Docs, and many other productivity tools. Gmail is a critically important tool to protect, and Red Canary has stepped up as an MDR partner to protect the entire Google Workspace suite. Our integration collects telemetry and alert data from the entire Google Workspace productivity suite, giving the Red Canary team better visibility into potential threats in your environment. For more information, see Integrate Google Workspace with Red Canary.

    • Our new PDF and report subscriptions feature enables you to track the impact and effectiveness of your security operations program. Reports can now be saved to PDF format, which matches what is displayed in Red Canary. Reports can also be executed on a schedule (weekly, monthly, quarterly, etc) and distributed via email with a PDF attachment. For more information, see Report library overview.

    • Our updated Threat Timeline is now easier to understand and work with, providing the information that you need in a more consistent, accessible, and concise experience. Every Activity in a Threat Timeline now has the same core components: Title, Narrative, and Details. A new “badge” system, on the left side of an Activity, shows information such as Threat Occurred, Indicator of Compromise, or the Endpoint Specified in the Activity. The Annotations and Notes experience is now simply “Comments”. For more information, see Confidence from Context: The Red Canary threat timeline.

    • We’ve released a new integration with Palo Alto Networks, adding Cortex XDR and broadening its detection coverage for mutual customers. Red Canary can now investigate Cortex XDR detections from all Cortex XDR data sources, including network, endpoint, cloud, and third-party data, helping to provide enterprise-wide monitoring. Cortex XDR’s Native Incident Alerts, triggered off of IOCs and BIOCs, are correlated with Red Canary’s detections across the IT environment to provide additional validation and context, all delivered in a unified timeline. Cortex XDR offers various response actions that enable customers to investigate the endpoint and take immediate action to remediate it. You can now use response actions to isolate an endpoint and ban suspicious file hashes environment-wide for faster remediation and ongoing security posture enhancements. For more information, see Integrate Cortex XDR with Red Canary.

    • We’ve expanded MDR coverage of users’ network environment by adding support for Cisco Meraki. Red Canary now investigates and correlates security alerts from Cisco Meraki products to better detect and respond to Threats for users. For more information, see Integrate Cisco Meraki with Red Canary.

    • We've expanded our description of the Notification Summary. The new article describes what the notification summary is and links to the user profile settings where you can change how you receive notifications. For more information, see Notification Summary.

    New documentation

    New videos

    November 2022

    Changes and resolved issues

    • Red Canary now syncs the SentinelOne analyst verdicts and the incident status fields used to triage and record investigation status and disposition inside of the SentinelOne console with the alert record maintained within Red Canary. This update keeps SentinelOne in lockstep with Red Canary, preventing duplicate effort and reducing analyst response time and workload.

    • When responding to threats in a CrowdStrike environment, users can now use the automate action, Delete a Registry Key, in the automation section of Red Canary. This enables remediation and incident response to occur without human involvement.

    • We’ve expanded MDR coverage of users' IT environments by adding support for the latest version of Microsoft Graph API. Red Canary investigates and correlates security alerts from third-party security products to better detect and respond to Threats for users and is pleased to recommend the enhanced v2 of this API. For more information, see Integrate Microsoft Graph V2 with Red Canary and Use the Microsoft Graph security API.

    • We’ve expanded MDR coverage of customers’ SaaS environments by adding support for Microsoft Defender for Cloud Apps. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate Microsoft Defender for Cloud Apps with Red Canary.

    • Logon events can now be viewed in your identity threat timeline. Red Canary can now add more context to identity threat timelines. For example, if we publish a threat concerning a suspicious email rule, you will see relevant logon events from the user in question. This context helps you better understand why the threat was published, what happened, and what you can do to respond and prevent future threats.

    • ‘Threat’ has replaced ‘detection’ as the trigger option for automation. To standardize terminology throughout the platform, the term ‘threat’ has replaced ‘detection’ since it more clearly describes the trigger action to be performed. The dropdown menus in Triggers reflect this update.

    • Live Response Command and Live Response Isolation have been added as Audit Log Trigger options. This was previously accessible only to Carbon Black Response customers, and is now available for customers using the VMware Carbon Black Cloud EDR platform, giving them more Trigger options.

    New documentation

    New videos

    October 2022

    Changes and resolved issues

    • Manual approval for Okta playbooks is no longer required. Manual approval is now optional and can be automated.

    • Expanded MDR coverage of customers’ network environment by adding support for ExtraHop Reveal (x) 360. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate ExtraHop Reveal (x) 360 with Red Canary.

    • Expanded MDR coverage of customers’ network environment by adding support for ExtraHop Reveal X Enterprise. Red Canary investigates and correlates security alerts from these products to better detect and respond to Threats for customers. For more information, see Integrate ExtraHop Reveal X Enterprise with Red Canary.

    • If a webhook fails, Red Canary will notify your technical contacts, by sending an email detailing the failure, so you can troubleshoot. To prevent flooding the inbox, we will only send one Webhook Failure email per playbook every 24 hours. In addition to sending an email, we will create an Audit Log (https://my_customer_domain.co/audit_logs) with "Action: Automate Action Executed", and include details about the error in the Details section. 

    • Google Workspace is now available in public preview as a supported MDR integration. Red Canary monitors raw telemetry from Google and publishes threats based on our proprietary analytics.

      Note: As of October 31, 2022, this integration is available as a public preview feature only. For access to the preview, reach out to your Red Canary account team.

    • You can now view raw JSON data within your Red Canary dashboard by clicking Alerts, selecting an Alert ID, and then clicking the Show original alert drawer.

    • Red Canary can now push status updates for alerts back to the SentinelOne Singularity platform so that users will see the updated status in their SentinelOne dashboard.

    • The Alert List view in the Alerts section has been updated so that it displays the list of associated Events or Threats for an Alert.

    • The Red Canary Hosted VMware Carbon Black EDR fleet has been upgraded to version 7.6.2. This upgrade incorporates the latest Red Canary tested and validated Carbon Black Response features and security patches. Additionally, a new telemetry source that captures fileless script loads has been added to provide enhanced security coverage of malicious process execution.

    New documentation

    New video

    September 2022

    Changes and resolved issues

    • When you click a link to an Endpoint, Identity, or Intelligence Profile on the Threats page of Red Canary, we now show some of that page’s content in a slide-out panel so that you can view it without having to open another page or tab.

    • You can now add an external service in Microsoft Office 365 without accidentally adding a duplicate external service in Office 365.

    • Red Canary now supports an additional automation action for SentinelOne users. This automation action enables you to configure Red Canary responses to execute processes on endpoints based on your playbook triggers.

    • Forensic packages will now be collected and executed correctly. You can now automatically collect additional forensic information from endpoints for preservation purposes with increased resilience and accuracy.

    • Dark Mode is now available for your homepage setup. For more information, see the Homepage article.

    • Your Red Canary homepage now includes an alerts section with telemetry and alert data types. For more information, see the Homepage article.

    • A new plugin for Response Actions is available for Linux users. The response actions plugin enables you to run actions on a Linux endpoint triggered in response to threats. This update also applies to the Red Canary Portal Automations feature. For more information, see Plugin: Response Actions.

    New documentation

    New videos

    August 2022

    Changes and resolved issues

    • Customers who subscribe to Linux EDR can now filter and review telemetry observed within the last 7 days. To learn more, see Filtering telemetry.

    • When you log in to Red Canary, enjoy a newly redesigned homepage that now displays vital threat information front and center. Additional data is also now available on the homepage, including:

      • Key activities Red Canary has performed in the last 90 days, such as the number of leads investigated and threats discovered

      • The number of endpoints monitored over a specified timeframe

      • An enhanced activity feed that not only shows you security actions executing in your environment, such as playbooks firing, but also additional industry news, blog posts, and more.

      • The amount of telemetry and number of alerts Red Canary has ingested and analyzed from your integrated security products over a specified timeframe

      • Highlighting any actionable items, such as unresolved threats, endpoints not sending telemetry, and alert sources needing configuration

    • Okta Workforce Identity Events with the classification of “A bypass of MFA may have been attempted for this user“ will now be ingested as alerts and triaged for Threat Investigation users.

    • Palo Alto Networks Threat Prevention now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • When you resolve a SentinelOne alert in Red Canary, the resolution status updates automatically in SentinelOne.

    New documentation

    New videos

    July 2022

    Changes and resolved issues

    • Microsoft Defender for Endpoint customers can now quickly identify which of their endpoints are Live Response capable in the Red Canary portal. Live Response through the Microsoft Defender for Endpoint sensor requires specific Windows versions and builds, and endpoints are now automatically tagged to identify which endpoints are Live Response capable.

    • Red Canary Analytics now incorporates CrowdStrike notifications that relate to detected ransomware creating files on an endpoint. This provides us further ability to monitor and alert you when ransomware attacks occur.

    • In the Expert Analysis & Investigation report, we updated “Investigated Events” to “Analyzed Events,” which now matches the corresponding By the Numbers report value.

    • Cisco Umbrella now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • Palo Alto Networks WildFire now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • Red Canary now automatically synchronizes SentinelOne site names to a Red Canary reporting tag. Reporting tags can be used in automations and endpoint filtering. 

    • You can now click on correlated identities and navigate to the identities detail page from the Alerts table page.

    • Red Canary’s parsing logic has been enhanced to account for certain Dragos alerts that include special characters as leading or trailing identifiers in the alert. These characters were causing errors when parsing the alert data.

    • Darktrace parsing is now enhanced to handle nested JSON data in the native alert information.

    • Alerts that are re-ingested will no longer be escalated as a new event. This issue was duplicating events when ingesting occurred.

    • PAN-OS alerts that contain multiple nested alerts are now parsed correctly as separate, individual alerts within Red Canary.

    • Playbook triggers have been updated to replace the legacy “Priority” attributes with the new “Status” attributes. You do not need to take any action with this update.

    • Parsing for Fortinet FortiGate alerts is now updated to correctly map the data attributes to the Red Canary data schema.
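    The parsing fixes in this list (leading or trailing special characters around identifiers, nested JSON in native alert data, re-ingested alerts escalating as duplicate events, one message carrying several nested alerts, and mapping vendor attributes onto a common schema) are the classes of defect any alert-ingestion layer has to handle. The Python below is an added illustration of those defensive checks; it is not Red Canary’s parser, and the key names it assumes (`host`, `severity`, a batch key named `alerts`), the set of wrapper characters it strips, and the sample messages are all constructed for the example.

```python
"""Constructed example: defensive normalization of vendor alert messages.

Not Red Canary's code. Demonstrates four robustness checks that the
release notes describe as fixes: stripping wrapper characters from
identifiers, flattening nested JSON, splitting batched alerts, and
ignoring re-ingested duplicates.
"""
import hashlib
import json
import re

# Assumed set of characters treated as noise when they wrap an identifier.
_NOISE = re.compile(r"^[\s\[\]<>\"'(){}]+|[\s\[\]<>\"'(){}]+$")

# Assumed key under which a vendor batches several alerts in one message.
_BATCH_KEY = "alerts"


def clean_identifier(value: str) -> str:
    """Strip leading/trailing wrapper characters: '[WS-0042]' -> 'WS-0042'."""
    return _NOISE.sub("", value)


def flatten(obj, prefix="", out=None) -> dict:
    """Flatten nested dicts/lists into dotted keys: {'a': {'b': 1}} -> {'a.b': 1}."""
    if out is None:
        out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            flatten(val, f"{prefix}{key}.", out)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            flatten(val, f"{prefix}{idx}.", out)
    else:
        out[prefix[:-1]] = obj
    return out


def split_batched(raw: dict) -> list:
    """Return the individual alerts carried by one native message."""
    inner = raw.get(_BATCH_KEY)
    return inner if isinstance(inner, list) else [raw]


def alert_fingerprint(alert: dict) -> str:
    """Stable hash of a canonical JSON encoding, used to spot re-ingestion."""
    canon = json.dumps(alert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class AlertIngestor:
    """Turns raw vendor messages into normalized events, once each."""

    def __init__(self):
        self.seen = set()     # fingerprints already turned into events
        self.events = []      # normalized events in ingestion order

    def ingest(self, raw_message: str) -> int:
        """Parse one native message; return the number of NEW events created."""
        created = 0
        for native in split_batched(json.loads(raw_message)):
            fp = alert_fingerprint(native)
            if fp in self.seen:          # re-ingested alert: no new event
                continue
            self.seen.add(fp)
            flat = flatten(native)
            self.events.append({
                "fingerprint": fp,
                "hostname": clean_identifier(str(flat.get("host", ""))),
                "severity": flat.get("severity"),
                "fields": flat,          # every vendor attribute, dotted
            })
            created += 1
        return created


# Constructed sample messages exercising each defect class.
SAMPLE_MESSAGES = [
    # nested JSON, identifier wrapped in brackets
    '{"host": "[WS-0042]", "severity": "high", '
    '"detail": {"rule": {"id": 7, "name": "Suspicious Login"}}}',
    # one message carrying two nested alerts
    '{"alerts": [{"host": "<srv-01>", "severity": "low"}, '
    '{"host": "srv-02 ", "severity": "medium"}]}',
    # exact re-ingestion of the first message: must not create an event
    '{"host": "[WS-0042]", "severity": "high", '
    '"detail": {"rule": {"id": 7, "name": "Suspicious Login"}}}',
]


def run_sample():
    """Ingest the constructed messages; return (new-event counts, events)."""
    ingestor = AlertIngestor()
    counts = [ingestor.ingest(msg) for msg in SAMPLE_MESSAGES]
    return counts, ingestor.events


if __name__ == "__main__":
    counts, events = run_sample()
    print(counts, [e["hostname"] for e in events])
```

    The fingerprint is computed over the canonical native payload rather than over a vendor-supplied alert ID, so a second delivery of the same message is recognized even when the vendor omits or changes its ID; the trade-off is that any field edit by the vendor produces a new event, which is usually the safer failure mode for a SOC queue.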

    New documentation

    New videos

    June 2022

    Changes and resolved issues

    • Alerts are now assigned to either “Red Canary” or “Your Team” based on which team is responsible for the alert during its investigation.

    • You can now create, edit, and delete endpoint and identity tags in bulk, speeding up the process of updating your endpoint and identity environment.

    • You can now more easily determine where your attention is most needed by viewing and sorting Intelligence Profiles based on how prevalent they are in an environment.

    • When searching for alerts in a specified timeframe, the results correctly aggregate and display the alerts within that range.

    • The GuardDuty network connection parser now creates a single correlated device for the internal IP address.

    New documentation

    May 2022

    Changes and resolved issues

    • Red Canary looks a little different! We’re updating the interface to be easier to navigate and more user-friendly. Most notably, the left navigation menu has been updated to include subpages for faster navigation, and the background has been changed to provide more contrast for better readability. Be on the lookout for updates as we continue to finesse these exciting changes.

    • The Alerts page has been updated to support Red Canary’s alert management service. You can now review all your alerts ingested by Red Canary in one place while also being able to search for a set of alerts or individual alerts, view an alert’s details, determine the current status of an alert, and see if an alert is part of an ongoing event or threat. Learn more about managing alert data.

    • Red Canary Alerts now have new Status states and an updated workflow that better supports the new end-to-end Managed Detection and Response (MDR) service. With this update, Red Canary can provide detection and response beyond the traditional EDR endpoints.

    • To help you find threats of account takeover, Red Canary now examines raw telemetry from Microsoft Office 365. To learn more about integrating Office 365 with Red Canary, check out Connect Red Canary to Office 365.

    • VMware Carbon Black Response customers hosted by Red Canary will now expedite data archival.

    • The is_protected status has been removed from Red Canary to prevent inaccurate reporting and playbook actions. This status was originally intended to show that an endpoint was both checking in and sending telemetry to Red Canary within the previous 3 hours, but because of the random nature of EDR telemetry collection, it wasn’t a reliable measure of an endpoint’s status. With this change, playbooks using the is_protected status as a trigger will no longer work.

    • VMware Carbon Black Response users will now see status check help text in Red Canary that is updated to match the VMware features and setting name changes introduced in version 7.5.1.

    New documentation

    April 2022

    Changes and resolved issues

    • VMware Carbon Black EDR Windows Sensor Version 7.3.0 is now available across the Red Canary hosted Carbon Black server fleet. Learn more about Sensor Version 7.3.0.

    • You can now use the CrowdStrike kill process response action to quickly remediate process threats.

    • Jamf users can now update their Jamf isolation group using Red Canary’s external service configuration.

    • We’ve updated the term “detections” and “confirmed threats” in Red Canary to just “threats.” This is part of a larger initiative to streamline the threat timeline to provide a more holistic view of what is or has occurred during a threat. This change won’t impact your APIs and URLs. Look for more information about the updated threat timeline in the coming weeks.

    • You’re now able to respond and isolate any endpoints in your Jamf environment. Jamf was previously limited to the first 100 endpoints, which limited response actions.

    • You can now collect forensic packages on CrowdStrike endpoints. Users managed by Red Canary’s Managed Security Service Provider (MSSP) will notice the addition of a “run” permission in a real-time response, which enables this collection to occur. 

    New documentation

    March 2022

    Changes and resolved issues

    • Four new Security Alert Automation Playbooks were added to Red Canary. The new playbooks include Assign an alert to a user, Unassign an alert, Set alert investigation result, and Add note to an alert. These new playbooks provide more flexibility to users when managing alerts.

    • The integration between Red Canary and Okta Workforce Identity was enhanced to capture additional alert information types related to account locks, privilege escalation, privilege revoke, password reset, and secondary email creation. These alert types are potential indicators of compromise (IOC) and are useful data points for threat investigations.

    • A new status monitoring and notification feature was added to the Status Checks interface in Red Canary. This notification will alert users if the API polling for their configured Alert Source platforms stops responding and requires attention. 

    • The Jamf provisioning process no longer requires the Jamf Support team to engage. This helps streamline the provisioning process.

    • The Top 20 observed MITRE ATT&CK techniques have been updated based on the 2022 Threat Detection Report.

    • We’ve added the following examples of our Incident Handling team’s playbooks to Red Canary:

      • IH - Phone Escalation: calls and texts specified phone numbers in the event of a detection

      • IH - Isolate: automatically isolates an endpoint without requiring human approval 

      • IH - Isolate Approval: sends an email requesting approval to isolate an endpoint

      • IH - IOC Remediation: runs through a series of processes to remediate indicators of compromise (IOC)

      • IH - Notify Customer of New Note: sends an email when Red Canary creates a new note

    • To provide a more accurate view of SentinelOne Singularity alerts, the alerts detail display was updated to include the correct corresponding detail information.

    • The Red Canary by the Numbers report now returns an accurate count of investigative leads.

    • The Confirmed Threats report has been updated to more accurately reflect where confirmed threats came from.

    • If you had received an email with a link to a specific page in Red Canary but weren’t signed in through single sign-on, you would have been directed to authenticate then redirected to the Red Canary dashboard. Now, after authenticating through single sign-on, you’ll be directed to the correct page that was linked.

    • The security alert data parser has been updated to resolve problems with identifying native Cylance security scoring data. This update provides more context to the alert and allows for better prioritization of information. 

    • The Alert Source integration configuration now decommissions previous data collectors when customers change their data ingest method (API, Syslog, TCP, HTTPS). Prior to this fix, you could receive redundant Alerts due to both the old and new ingest methods remaining enabled.

    • There was an issue where a user could receive a “404 - Not Found” error when searching for Automate Playbook Executed in an audit log. Audit logs should now return all results.

    • Previously, if a user entered an invalid search term on the Endpoints page, the page would error without notifying the user. Now if a user’s search fails, they will receive a notification that links them to information about valid search terms.

    • Sorting on the Applications page now takes numbers in an application’s name into account. Previously, names that contained numbers were ignored.

    New documentation

    February 2022

    Changes and resolved issues

    • Imperva Web Application Firewall (WAF) security-related alerts are now supported in Red Canary. You can view Imperva WAF security-related notifications in Red Canary to prioritize and manage your security alerts.

    • Jamf now generates external alerts within Red Canary. You now have another option when it comes to third-party security platforms that generate external alerts.

    • Cisco Firepower is now supported as part of the threat investigation service. You can configure the ingestion of Cisco Firepower alerts via email. These alerts are aggregated and correlated to endpoint and identity data across your enterprise. For users with the threat investigation service, Red Canary analysts will provide Tier 1 triage and prioritization of these network alerts to help streamline your threat remediation process.

    • GitHub security-related alerts are now supported in Red Canary. You can view GitHub security-related notifications in Red Canary to prioritize and manage your security alerts.

    • The detection timeline now uses the term “blocklist” instead of “blacklist” as part of our inclusive language effort.

    • We’re excited to announce that Intelligence Insights are now available in Red Canary. Intelligence Insights are researched and developed by the Red Canary Intelligence Team and designed to provide you with both long-term trends and time-sensitive threat intelligence so you can make informed decisions about your security posture.

    • All existing customers are enrolled to receive Intelligence Insights emails, and you can also view them directly in Red Canary by clicking Analytics & Intelligence, and then clicking Intelligence Insights. You’ll find all previously published Intelligence Insights here as well.

      To opt-out of receiving Intelligence Insight emails, navigate to your user profile, and then unselect Email me when Red Canary publishes an intelligence insight.

    • Sorting on the Applications page now takes into account lowercase names.

    • The Getting Help page in Red Canary was updated with information about who to contact at Red Canary for technical support and emergencies.

    • Jamf Pro and Jamf Protect sensor IDs now correlate within Red Canary for all supported macOS versions. The full hostname and endpoint data from Jamf Pro is now related to your Jamf Protect telemetry.

    New documentation

    January 2022

    Changes and resolved issues

    • Alert Filters replaced the Suppression Rules tab under External Alerts. Previously, you could only mark alerts as "Not a threat." Now, you can proactively change alert status, assign alerts to specific users, and add comments. These additions greatly improve your alert management capabilities by automatically advancing known or previously triaged alert types through your alert management process.

    • Response actions have been added to the Red Canary and Jamf integration. You can now add and remove Jamf endpoints from network isolation groups enabling rapid remediation. For more information, see Isolating and deisolating endpoints using Jamf.

    • Red Canary now collects identity information about confirmed threats from Okta Workforce Identity. This enables us to provide a faster, more complete response for customers using Okta.

    • As a customer_admin, you are now able to reset the Carbon Black Live Response using the Getting Help page. This is useful when Live Response becomes non-responsive. This function is only available for Red Canary-hosted Carbon Black Response servers at this time.

    • You can now import security alert data from Fortinet FortiGate for analysis and management within the Red Canary platform using syslog ingestion.

    • Additional security data attribute aggregation has been added to Palo Alto PAN-OS source platforms. These additional attribute fields will allow us to correlate alerts to endpoints and provide threat identification data for PAN-OS alerts.

    • Endpoints running Jamf Protect can now be added and removed from network isolation in Red Canary.

    • Automated playbook actions will now trigger based on the alert priority.

    • In accordance with our end of life policy, the following recently outdated sensor versions will be supported until April 7, 2022.

    • Alert data from Proofpoint Targeted Attack Protection now correlates to endpoints correctly. In previous versions, a data parsing issue resulted in erroneous endpoint identification.

    • Jamf timelines now include all process trees and related file modification indicators. This data helps to improve clarity and analysis of confirmed threats by including context around detections.

    • SentinelOne users now have a streamlined view of tip-offs, due to correlated external alerts generating unique tip-offs on a per-event basis.

    • Cisco Umbrella and Cisco Duo alerts will no longer experience data ingestion failures due to security data parsing issues. 

    • API polling for SentinelOne security alert data ingestion now includes the correct identification of account ID information.

    New documentation
