Red Canary’s partnership with Elastic and integration with the Endgame platform leverages the complete telemetry collected by the Endgame sensor that is processed and analyzed first by the Red Canary platform, then by our Cyber Incident Response Team (CIRT) to confirm threats and eliminate false positives.
While most companies’ Endgame integrations are focused on the alerts generated by the Endgame platform, Red Canary’s deep integration leverages the raw telemetry via an event relay developed jointly by Endgame and Red Canary.
This combination of Endgame alerts, Endgame telemetry, and Red Canary’s detection and response delivers the best security outcomes for Endgame users.
How it works
Red Canary and Endgame use several integration points to implement exceptional security operations.
Connect your Elastic Endgame deployment to Red Canary by following these simple steps:
- Create an administrative account for the Red Canary platform in your Endgame console and provide the credentials to your Red Canary contact.
- Red Canary will use that account to configure telemetry transmission from Endgame and notify you when data is successfully flowing between the platforms.
- Red Canary will configure an alert source for Endgame that sends each Endgame alert to Red Canary for investigation.
This process generally takes three to five days, depending on how quickly Endgame sets up its side of the integration.
What kind of Endgame data does Red Canary process?
We receive all of the data collected by your Endgame sensors. This endpoint telemetry is used for detection purposes, as are the alerts generated by Endgame’s detection rules.
What happens to my Endgame alerts when I activate Red Canary?
Every alert generated by Endgame’s detection rules is processed by Red Canary to determine whether it is a true or false positive. Red Canary’s investigation adds context to confirmed alerts to accelerate your response.
You can enable “alert synchronization” to have Red Canary automatically update and close alerts in the Endgame platform once our review is complete, keeping your console tidy.
Can I export the data collected by Endgame?
Yes. You can use the Canary Exporter to export Endgame telemetry from Red Canary into your Security Information and Event Management (SIEM) system, long-term storage, or other processing pipeline. For more information, see Exporting telemetry from Red Canary in the Red Canary Help Center.