Skip Navigation
Get a Demo
Resources Blog Security operations

Accelerating identity threat detection and response with GenAI

Process flows that combine GenAI agents with human experts can save time on investigations and reduce drudgery in the security operations center (SOC)

Sam Straka

We’ve been actively exploring the potential of generative AI (GenAI) since early 2023. We are now confident that, when applied judiciously, it can significantly benefit defenders. We recently wrote about how Red Canary uses GenAI technology to take some of the toil out of security operations. In this follow-up post, we detail how we use this technology to tackle a longstanding source of drudgery in security operations: alert triage and investigation.

To ensure the effectiveness of GenAI in our security operations center (SOC), we focus on clear security goals informed by quality data and always include human experts in the investigative process. Our primary objective is to deliver accurate, complete, and timely information to our customers, enabling rapid remediation before a threat significantly impacts the business. We continuously monitor and strive to improve our threat accuracy, completeness, and timeliness through internal telemetry and customer feedback. Any new tool we introduce must enhance our performance across these metrics.

Our SOC hits the gas with GenAI

We are confident in Red Canary Copilot, our internal GenAI agent, because we feed a large volume of trustworthy historical and real-time data into the large language models (LLM) we use. Over the past decade, we’ve developed thousands of behavior-based detection analytics, mapped them to MITRE ATT&CK®, recorded their conversion rates to confirmed threat detections and their severity levels, and provided response and remediation guidance to customers. Additionally, we’ve continuously updated hundreds of adversary and threat profiles, aligning them with corresponding detection analytics.

In the more than 10 years that we’ve been doing security operations work for thousands of customers, we’ve learned a lot of lessons and applied just as many time-tested decisions that are the perfect input to supercharge Red Canary Copilot’s ability to assist with alert and detection triage and investigation. Red Canary reviewed approximately 37 million potentially malicious events last year, gleaned from 200+ petabytes of security telemetry. To ensure that we’re suppressing noisy nothing alerts, and shining the light on suspicious activity, we have to be efficient and consistent in our approach to alert triage and investigation. We use GenAI agent flows to make sure that we can get through lots of alerts, make good decisions, and explain those decisions clearly.

In areas of investigation where we have enabled Red Canary Copilot flow investigations, our mean time to publish a threat dropped 60 percent without degradation of quality (i.e., completeness and accuracy).

We call this technique Red Canary Copilot flow investigations. When an alert is ingested, it is directed through a pre-planned set of decision points. Developed by our security experts, this plan leverages GenAI to accelerate the process. This type of application is called flow engineering, and is on the cutting edge of GenAI applications in security.

A chart depicting each step of a flow investigation for an identity alert

A flow investigation, step by step

The specific decision points that we apply to an investigation depend on the source of the alert in question, but take for example an Entra ID suspicious login alert. Once this alert hits our system, the flow begins:

As a first step, the alert is submitted to a highly optimized LLM agent to extract entities we use for correlation. Using a LLM to parse this data makes the investigation resilient to unexpected schema changes or new alert types. Once the key entities are extracted, the data is transformed, cleaned, and enriched, and the flow investigation begins.

Do we have access to more data about this user?

If no: Copilot concludes the investigation right away, since neither human nor machine can add more context and value without data to review.

If yes: We proceed.

Was the logon successful?

If no: Copilot recommends that this event by itself doesn’t represent an immediate threat. We will continue to track other logins that may represent a broader pattern of behavior (like brute forcing, for example). But on this alert, we can conclude that IAM controls successfully blocked this login and we can move on.

If yes: We proceed.


In the case of a successful suspicious login, the Red Canary flow investigation really accelerates. The agent in this step automatically pulls together contextual data that would take much longer for an analyst to put together manually. Red Canary Copilot asks the following (not comprehensive) list of questions in an order defined by our security experts:

  • Is this login from an ISP that typically produces false positives for risky sign-in alerts? For example, an authorized VPN in the environment?
  • Is there overlap with known customer IPs?
  • Does the login have a bad reputation, based on IP, ISP, Tor connection, VPN, or previous bad behavior?
  • Are the logon characteristics normal in this environment, or is this behavior new and different?


After completing the steps, one final call is made to the LLM with a custom crafted prompt, including all the context that previous steps in the flow have assembled and the final recommendation of the flow investigation. The LLM summarizes all the context that leads to the decision, and how that context justifies the final decision.

Red Canary identity detection alert with context added by GenAI and verified by human experts


At this point, the output goes straight to a Red Canary detection engineer, who reviews the data, reviews the recommendation, and makes appropriate edits and a final determination before sending the results on to the customer. Our human-guided approach ensures that any GenAI funny business (e.g., hallucination) doesn’t misinform a customer. Since the flow has asked the questions that our detection engineers designed it to ask, they already have all the information they need to make a decision.

Go with the flow

By taking 10 years of security operations expertise, and baking that into a Red Canary flow investigation, we can deliver investigations 60 percent faster than before, without sacrificing quality or accuracy. This ultimately means that we can investigate threats and deliver high-quality information to customers faster than ever without placing undue burden on our team of security experts.


The unsung security benefits of cloud migration


The role of GenAI in Red Canary’s security evolution


What to consider when evaluating EDR


How cloud architects and detection engineers can work together

Subscribe to our blog

Back to Top