Resources • Videos
Security operations

Red Canary Office Hours: Episode 44 – Naughty or nice: decoding normal vs. anomalous behavior

Air Date: December 9, 2025

Decoding normal vs. anomalous behavior

Keith is joined by Brittany Sattler and Tyler Winchester, threat hunters at Red Canary, as they break down why context matters when trying to decode between normal and anomalous behavior. A big part of this comes from having a baseline of how a user typically behaves, by identifying network spikes or abuse of normal protocols.

The two outline how Red Canary plans, executes, and reports on hunts, and give tips on how teams can better operationalize their own through tools like Surveyor.

Episode 43: Naughty or nice

Resources mentioned in this episode

Red Canary blog

Creating user baseline reports to identify malicious logins

Open source tool

Surveyor is a Python utility that queries Endpoint Detection and Response (EDR) products and summarizes the results. Security and IT teams can use Surveyor to baseline their environments and identify abnormal activity.

Related Resources

Red Canary Office Hours: Episode 46 – Strengthening app control in the new year

Videos| Security operations

Red Canary Office Hours: Episode 46 – Strengthening app control in the new year

Red Canary Office Hours: Episode 45 – Unwrapping the mysteries of Shai Hulud

Videos| Security operations

Red Canary Office Hours: Episode 45 – Unwrapping the mysteries of Shai Hulud

Red Canary Office Hours: Episode 43 – Defense-in-depth strategies to keep you warm

Videos| Security operations

Red Canary Office Hours: Episode 43 – Defense-in-depth strategies to keep you warm

Red Canary Office Hours: Episode 42 – A cornucopia of Intelligence Insights

Videos| Security operations

Red Canary Office Hours: Episode 42 – A cornucopia of Intelligence Insights

Security gaps? We got you.

Sign up for our monthly email newsletter for expert insights on MDR, threat intel, and security ops—straight to your inbox.

Back to Top