The telemetry processed by Red Canary and the refined data we generate are useful to many security teams. The possibilities are endless, but common use cases include:
- Sending raw telemetry to a long-term storage system like Amazon Web Services (AWS) S3 Glacier for compliance and archival purposes
- Sending network connection records to a security information and event management (SIEM) system to correlate with threat intelligence sources
- Sending records of process starts to a custom analytics pipeline for outlier detection
Canary Exporter is an application that allows you to subscribe to Red Canary’s feed of your native or standardized data and export it to other systems or locations.
Estimated procedure time: 5 minutes
How data exporting works
Canary Exporter is packaged as a Docker container that connects to Red Canary resources in AWS, retrieves your data, and outputs it as files on the system running the exporter.
To run Canary Exporter, you will need:
- Docker running on a system of your choice (the free Community Edition will work)
- Credentials retrieved from Red Canary (see below)
- Network connectivity to AWS’s S3 and SQS services
Exporting data from Red Canary
To use Canary Exporter to export data from Red Canary:
- In Red Canary, click your profile icon, and then click Canary Exporter.
- Select which type of data you’d like to export:
  - Native is data formatted as it was received by the EDR/EPP platform. This format is ideal when using third-party applications that expect data from a specific product, such as Carbon Black Response or CrowdStrike Falcon.
  - Standardized is data formatted according to Red Canary's standardized format. This format tends to be easier to read and parse, and is product-agnostic.
- Click Generate Credentials. This will revoke any previously generated credentials, so use this with care.
  Credentials are organization-wide, not specific to your user account. You will receive one AWS key pair for your organization, which should be documented and kept as safe as you would any other password. If you lose your key material, generate a new set of credentials immediately.
- Create and customize your configuration file by following the instructions on the page.
- Run one or more exporters on a host inside your network by following the instructions on the page.