Red Canary Investigation Tools


The Red Canary Cyber Incident Response Team (CIRT) investigates and triages every potentially threatening endpoint event on your behalf


Red Canary casts an extremely wide detection net. In order to identify the 1 out of 100 malicious uses of PowerShell, the other 99 must also be surfaced for investigation.

To handle this volume of potential threats, Red Canary has innovated and improved its internal triage and investigation process. The team has built and refined dozens of tools that help our Detection Engineering team expedite investigations and amplify our analysts’ expertise and intuition.


Do customers investigate potential threats?

As one of our customers, you never use or see any of these investigation tools. Our Detection Analysts investigate every potential threat on your behalf. However, it is important you understand the depth and scope of each investigation our team conducts.


“Our hospital has seen instant benefit from Red Canary. The outsourced review, triage, and investigation of alerts cuts away the false positives and allows our information security team to focus on responding to the threats that present the most risk. I sleep more soundly knowing our environment is in good hands with Red Canary.”

Information Security Manager, Regional Hospital


The Red Canary Operations Platform: Built for EDR Investigations


Red Canary’s Operations Platform was custom-built based on the feedback from our Cyber Incident Response Team (CIRT) to give them the data, context, and tools to quickly respond to potential threats on your endpoints. Detection Engineers are presented with a clear picture of what is happening, why the detection technology believes it to be bad, other intelligence sources, and tools for deeper investigation.

Historical Data for Root Cause Analysis

Detection Engineers have the ability to dive from a potentially threatening event down to the root data to understsand what user started the process, when it executed, and exactly what it did.

Event Correlation

The Red Canary Operations Platform automatically correlates all associated endpoint events together by process, time, application, and endpoint. This presents Detection Engineers with the full chain-of-events rather than just a snapshot of a threat.

Event Enrichment

Every event is enriched with the information that supports the Red Canary Detection Engineer’s decision making process. Specific examples include full details on the number of netconns, childprocs, regmods, filemods and modloads and matched Yara Rules.

Binary & Indicator Metadata

The event includes metadata about binaries including AV hits, signing data, capabilities, reputation, and static/dynamic data

Integrated Customer Feedback

Customer feedback on specific detections, users, endpoints, and tools are tightly integrated into the detection engineer’s head-up display. Individualized context from each respective customer environment is automatically presented when reviewing every threat.

See how Beebe Healthcare defends its endpoints with Red Canary


WATCH THE FULL VIDEO

Learn why a leading bank and investment firm chose Red Canary


READ THE CASE STUDY TO LEARN MORE