Red Canary Security Operations Center Investigation Tools


The Red Canary Security Operations team triages and investigates every potentially threatening endpoint event on your behalf


Red Canary casts an extremely wide detection net. In order to identify the 1 out of 100 malicious uses of PowerShell, the other 99 must also be surfaced for investigation.

To handle this volume of potential threats, Red Canary has continually refined its internal triage and investigation process, building dozens of tools that expedite investigations and amplify our analysts' expertise and intuition.


Do customers investigate potential threats?

As one of our customers, you never use or see any of these investigation tools. Our Threat Analysts investigate every potential threat on your behalf. It is still important that you understand the depth and scope of each investigation our team conducts.


“Our hospital has seen instant benefit from Red Canary. The outsourced review, triage, and investigation of alerts cuts away the false positives and allows our information security team to focus on responding to the threats that present the most risk. I sleep more soundly knowing our environment is in good hands with Red Canary.”

Information Security Manager, Regional Hospital


The Red Canary Analysis Platform: Built for EDR Investigations


Red Canary’s Analysis Platform was custom-built from our Threat Analysts' feedback to give them the data, context, and tools to respond quickly to potential threats on your endpoints. Analysts are presented with a clear picture of what is happening, why the detection technology believes it to be bad, other intelligence sources, and tools for deeper investigation.

Historical Data for Root Cause Analysis

Threat Analysts can dive from a potentially threatening event down to the root data: which user started the process, when it executed, and exactly what it did.

Event Correlation

The Analysis Platform automatically correlates all associated endpoint events together by process, time, application, and endpoint. This presents analysts with the full chain-of-events rather than just a snapshot of a threat.

Event Enrichment

Every event is enriched with the information that supports the analyst's decision-making process. Specific examples include full details on the number of network connections (netconns), child processes (childprocs), registry modifications (regmods), file modifications (filemods) and module loads (modloads), and any matched YARA rules.
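The correlation, enrichment and root-cause walk the three points above describe, shown as an added example (Python written for this page, not Red Canary's Analysis Platform code). The event schema is an assumption modelled on the event types named above (childproc, netconn, regmod, filemod, modload), and the sample telemetry is constructed: an Outlook to Word to PowerShell chain plus an unrelated browser process on the same endpoint that must not be pulled into the chain.

```python
"""Correlating endpoint events into a process chain and enriching each process.

Added example, not Red Canary's Analysis Platform code. The event schema is an
assumption modelled on the process-centric event types named on this page
(childproc, netconn, regmod, filemod, modload); the sample telemetry is constructed.
"""
from dataclasses import dataclass, field

ENRICH_TYPES = ("netconn", "childproc", "regmod", "filemod", "modload")


@dataclass
class ProcessRecord:
    endpoint: str
    pid: int
    ppid: int
    user: str
    image: str
    start_ts: int
    cmdline: str = ""
    # enrichment: how many events of each type this process generated
    counts: dict = field(default_factory=lambda: dict.fromkeys(ENRICH_TYPES, 0))
    # the raw events, time-ordered, for the "exactly what it did" view
    events: list = field(default_factory=list)


# Constructed sample telemetry from one endpoint: an Outlook -> Word -> PowerShell
# chain plus an unrelated browser process that shares the endpoint but is not
# part of the lineage and must stay out of the chain-of-events.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process", "endpoint": "WS01", "pid": 10, "ppid": 1,
     "user": "CORP\\jdoe", "image": "outlook.exe"},
    {"ts": 105, "type": "process", "endpoint": "WS01", "pid": 40, "ppid": 1,
     "user": "CORP\\jdoe", "image": "chrome.exe"},
    {"ts": 106, "type": "netconn", "endpoint": "WS01", "pid": 40, "dest": "198.51.100.7:443"},
    {"ts": 120, "type": "childproc", "endpoint": "WS01", "pid": 10, "child_pid": 20},
    {"ts": 120, "type": "process", "endpoint": "WS01", "pid": 20, "ppid": 10,
     "user": "CORP\\jdoe", "image": "winword.exe"},
    {"ts": 130, "type": "modload", "endpoint": "WS01", "pid": 20, "path": "vbe7.dll"},
    {"ts": 140, "type": "childproc", "endpoint": "WS01", "pid": 20, "child_pid": 30},
    {"ts": 140, "type": "process", "endpoint": "WS01", "pid": 30, "ppid": 20,
     "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\stage.ps1"},
    {"ts": 141, "type": "netconn", "endpoint": "WS01", "pid": 30, "dest": "203.0.113.5:443"},
    {"ts": 142, "type": "filemod", "endpoint": "WS01", "pid": 30, "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.exe"},
    {"ts": 143, "type": "regmod", "endpoint": "WS01", "pid": 30,
     "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\a"},
]


def correlate(events):
    """Group events by (endpoint, pid) into ProcessRecords, counting each enrichment type.

    Real EDR data keys on a unique process GUID because PIDs are reused; (endpoint, pid)
    is a simplification that holds for this single-snapshot sample.
    """
    procs = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # stable sort keeps same-second order
        key = (ev["endpoint"], ev["pid"])
        rec = procs.get(key)
        if rec is None:
            # A child event may arrive before (or without) the process start, e.g. the
            # sensor came up mid-execution: create a stub and fill it in if the start shows up.
            rec = procs[key] = ProcessRecord(ev["endpoint"], ev["pid"], -1, "?", "?", ev["ts"])
        if ev["type"] == "process":
            rec.ppid, rec.user, rec.image = ev["ppid"], ev["user"], ev["image"]
            rec.start_ts, rec.cmdline = ev["ts"], ev.get("cmdline", "")
        elif ev["type"] in ENRICH_TYPES:
            rec.counts[ev["type"]] += 1
        rec.events.append(ev)
    return procs


def chain_of_events(procs, endpoint, pid):
    """Walk from the flagged process up through its ancestors; returns records root-first."""
    chain, key, seen = [], (endpoint, pid), set()
    while key in procs and key not in seen:  # stop at an unknown parent or a PID cycle
        seen.add(key)
        chain.append(procs[key])
        key = (endpoint, procs[key].ppid)
    chain.reverse()
    return chain


def root_cause(procs, endpoint, pid):
    """The root-cause facts named on the page: who started the chain, when, and the lineage."""
    chain = chain_of_events(procs, endpoint, pid)
    root = chain[0]
    return {"user": root.user, "started": root.start_ts, "lineage": [r.image for r in chain]}


if __name__ == "__main__":
    procs = correlate(SAMPLE_EVENTS)
    flagged = procs[("WS01", 30)]  # the PowerShell execution that needs a look
    print(root_cause(procs, "WS01", 30))
    print(flagged.image, flagged.counts)
    for ev in flagged.events:  # what it actually did, in order
        print(ev["ts"], ev["type"], ev.get("dest") or ev.get("path") or ev.get("cmdline", ""))
```

Keying by (endpoint, pid) is the deliberate simplification here; a production pipeline keys on a sensor-assigned process GUID because PIDs are reused, and the stub record in `correlate` is what keeps a late-starting sensor from silently dropping events for processes whose start was never observed.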

Binary & Indicator Metadata

Metadata about binaries, including AV hits, signing data, capabilities, reputation, and static/dynamic analysis data.

Integrated Customer Feedback

Customer feedback on specific detections, users, endpoints, and tools is tightly integrated into the analysts’ heads-up display. The context analysts need from a customer’s environment is automatically presented when reviewing every threat.

See how Beebe Healthcare defends its endpoints with Red Canary



Learn why a leading bank and investment firm chose Red Canary

