Q: How does Red Canary differ from any other Microsoft Defender ATP integration?
A: Unlike most managed detection and response (MDR) solutions and managed security service providers (MSSPs), which simply take in alerts from security products, perform basic investigation and send them back to you, we are the only ones ingesting raw endpoint telemetry through a data export designed in partnership with Microsoft.
Q: So you just look at the Microsoft Defender ATP alerts?
A: No. Red Canary’s main source of data from your environment is the raw endpoint telemetry itself, not the alerts. We run our behavior-based detections against that telemetry, and those detections are continuously updated to keep pace with changes in attacker behavior.
Q: How complicated is it to implement Red Canary?
A: Simply add a data export (from your Microsoft Defender ATP console) to start sending telemetry to our Event Hub. Within minutes we will begin ingesting, processing and examining all of your endpoint data.
Q: How does Red Canary get access to my Microsoft Defender ATP telemetry?
A: It is all configured from your side. Setting up the data export and granting access to the Microsoft Defender ATP APIs is completely controlled by you and your Microsoft Defender ATP administrators; Red Canary receives only what you choose to export.
Q: Is Red Canary 24/7?
A: Yes. Our cyber incident response team (CIRT) monitors security events in your environment 24/7 and notifies your team when action is needed. For more detail on how this works, see our post on Microsoft’s Security blog.