Issue
When resolving a Threat as Not Remediated, selecting This is authorized, non-testing activity shows a checkbox stating I would prefer not to see threats in the future. What does this checkbox do and how does it work?
Environment
Red Canary Portal
Resolution
The effect of the I would prefer not to see threats in the future regarding... checkbox depends on the Threat's Severity and Classification.
Unwanted Software Threats (Low-Severity
Only)
For low-severity Unwanted Software threats, checking this box creates an explicit exclusion. These exclusions are automatically added to your Customizations Applications page. Going forward, new threats matching your exclusion rules should not be generated for executions of that specific PUP.
If a PUP performs suspicious or malicious actions, those activities should trigger other detectors that Red Canary triages separately from product detectors that only look for the presence of the product.
For more details on PUP exclusions, see Unwanted Software Threat Published for PUP That Needs Exclusion.
All Other Threat Classifications
For all other threat types, including medium or high-severity severity or identity-based threats, this checkbox does not create an exclusion for the threat activity but instead a persistent note is added to your account profile. This note serves as context and guidance for the Red Canary team by signaling your preference to our internal teams when deciding whether to publish a threat.
While we will use this note to inform our decision-making process as a preference-only. It does not guarantee that future Threats of this type will be suppressed because the decision to publish a threat is based on the specific characteristics and risk profile of each event. If the underlying behavior changes or appears in a different context, Red Canary may still notify you to ensure full visibility into potentially suspicious activity.
Suspicious Activity Threats
While the explanation above also true for threats classified as Suspicious Activity, you can configure explicit instructions for threats of this type to dictate times when the Threat Review Agent should suppress a threat from being published. The "in the future" checkbox may also be used to compile inferred instructions. Red Canary may override instructions if necessary to alert you about activity that’s highly likely to be a genuine threat.
For more detailed instructions on managing your detections, please refer to our Official Documentation for Resolving Threats.
Comments
0 comments
Please sign in to leave a comment.