Issue
Red Canary publishes a Suspicious Activity (Anomalous Identity Behavior) Threat for unusual or anomalous behavior from identity sources, like Okta or Entra ID, that deviates from an organization's normal activity baseline.
Environment
Red Canary
Identity Threats
Cause and Goal
What is Changing: Severity and Sub-classification
Starting Wednesday, October 8, Red Canary is introducing a new sub-classification and adjusting the severity rating for threats based solely on anomalous activity to help security teams better focus on high-priority events.
New Sub-classification: Anomalous Identity Behavior
Threats of all severities in the "Suspicious Activity" classification may be published with a new sub-classification called Anomalous Identity Behavior.
This classification includes activity that deviates from established baselines or expected norms within an enterprise environment, potentially indicating suspicious actions. These behaviors may involve legitimate users, processes, or tools performing tasks in unusual ways or at unexpected times. Even without an overt link to malicious activity, these anomalous activities warrant investigation to determine if they present a security risk or operational concern. Examples include logins with unusual characteristics (such as a new VPN provider), atypical API calls, or a user accessing unusual applications.
Adjusted Severity Rating
Threats classified as "Suspicious Activity" based solely on anomalies (for example, a login via an unusual VPN provider) will now be rated as "Low" severity by Red Canary.
If further suspicious behavior associated with the anomalous activity is detected, the threat will be published with Medium or High severity as defined in our documentation here.
Malicious activity is typically associated with an unusual login, but unusual logins are often associated with benign activity (e.g., an employee traveling around to meet with customers or attend conferences).
Goal
Red Canary's goal is to ensure malicious activity is never missed, and therefore will surface and publish threats related to suspicious activity. By assigning a lower severity to anomalies that lack further suspicious context, Red Canary enables security teams to better focus their efforts on high-priority threats while still keeping an eye on unusual events. This refined classification helps create more actionable threats and boosts the overall effectiveness of threat detection and response. For more information on what goes into these detections, see Red Canary's blog on establishing user baselines and identifying anomalies.
Red Canary customers should expect fewer Medium Severity “Suspicious Activity” threats as a result of this change.
Resolution
For Benign True Positives
Red Canary establishes baseline activity for each identity (e.g. IP address, VPNs, browsers, etc.). As the data collection of an identity's activity increases over time, recurrent benign true positives are progressively minimized, eventually leading to a well-established activity baseline.
If the detected activity is found to be benign by an organization, provide feedback on the Threat with a note indicating how it was determined the activity was benign.
If the anomalous IP is in a CIDR range assigned to the organization by an ISP, the addresses can also be added to My Network under the Company Profile.
Beyond immediate feedback and documentation of known-good networks, no additional action is required to reduce anomaly detection on benign activity or tune identity threats.
Actions You Can Take
If you use Automate Triggers based on Threat Severity or Classification, Red Canary advises reviewing those configurations. Use the Threat Secondary Classification condition to trigger on specific sub-classifications of Threats, for example:
Immediate action (for example, paging your team after hours) on Low Severity Threats is not generally recommended, as these types of threats typically indicate either unusual behavior from an authorized user or a control gap, rather than an urgent threat.