The telemetry processed by Red Canary and the refined data we generate are useful to many security teams. The possibilities are endless, but common use cases include:
- Sending raw telemetry to a long-term storage system like AWS S3 Glacier for compliance and archival purposes
- Sending network connection records to a SIEM to correlate with threat intelligence sources
- Sending records of process starts to a custom analytics pipeline for outlier detection
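The last use case, feeding process-start records into a custom pipeline for outlier detection, can be sketched in a few dozen lines. The following is an added example and not part of Red Canary's documentation or the Canary Exporter code: it assumes the exporter has written standardized records as JSON lines with `hostname`, `parent_name` and `process_name` fields (an assumed schema; the real field names are documented in the portal), builds a baseline of parent/child process pairs from one export window, and flags records in a newer window whose pair was rarely or never seen before. The sample records are constructed.

```python
"""Flag rare parent/child process pairs in exported process-start records.

Added example; the record schema below is an assumption, not Red Canary's
documented standardized format.
"""
import json
from collections import Counter

# Constructed sample export output: one JSON record per line, as the
# exporter might write to disk. Field names are assumed.
BASELINE_LINES = [
    '{"hostname": "ws-01", "parent_name": "explorer.exe", "process_name": "chrome.exe"}',
    '{"hostname": "ws-02", "parent_name": "explorer.exe", "process_name": "chrome.exe"}',
    '{"hostname": "ws-01", "parent_name": "services.exe", "process_name": "svchost.exe"}',
    '{"hostname": "ws-03", "parent_name": "services.exe", "process_name": "svchost.exe"}',
    '{"hostname": "ws-02", "parent_name": "explorer.exe", "process_name": "outlook.exe"}',
]
NEW_LINES = [
    '{"hostname": "ws-01", "parent_name": "explorer.exe", "process_name": "chrome.exe"}',
    '{"hostname": "ws-04", "parent_name": "outlook.exe", "process_name": "powershell.exe"}',
    'not a json record',  # constructed malformed line; must be skipped, not crash the run
    '{"hostname": "ws-02", "parent_name": "services.exe", "process_name": "svchost.exe"}',
]


def parse_records(lines):
    """Parse JSON-lines output, keeping only well-formed process-start records."""
    records = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and "parent_name" in obj and "process_name" in obj:
            records.append(obj)
    return records


def pair_of(record):
    """Normalise a record to a case-folded (parent, child) process-name pair."""
    return (record["parent_name"].lower(), record["process_name"].lower())


def pair_counts(records):
    """Count how often each (parent, child) pair occurs in a record set."""
    return Counter(pair_of(r) for r in records)


def find_outliers(baseline_lines, new_lines, min_baseline_count=2):
    """Return records from new_lines whose parent/child pair appeared fewer
    than min_baseline_count times in the baseline window."""
    baseline = pair_counts(parse_records(baseline_lines))
    outliers = []
    for rec in parse_records(new_lines):
        pair = pair_of(rec)
        if baseline[pair] < min_baseline_count:
            outliers.append({
                "hostname": rec.get("hostname"),
                "parent": pair[0],
                "child": pair[1],
                "baseline_count": baseline[pair],
            })
    return outliers


if __name__ == "__main__":
    for hit in find_outliers(BASELINE_LINES, NEW_LINES):
        print(f"{hit['hostname']}: {hit['parent']} -> {hit['child']} "
              f"(seen {hit['baseline_count']} times in baseline)")
```

In practice the baseline would be built from a longer export window than the one being scored, and the threshold tuned per environment; the point here is only that once records land on disk as files, a small reader like this is all that stands between the exporter and a custom analytics step.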
Canary Exporter is an application that allows you to subscribe to Red Canary’s feed of your native or standardized data and export it to other systems or locations.
How data exporting works
Canary Exporter is packaged as a Docker container that connects to Red Canary resources in Amazon Web Services, retrieves your data, and outputs it as files on the system running the exporter.
To run Canary Exporter, you will need:
- Docker running on a system of your choice (the free Community Edition will work).
- Credentials retrieved from Red Canary (see below).
- Network connectivity to AWS’s S3 and SQS services.
Exporting data from Red Canary
To use Canary Exporter to export data from Red Canary:
- Click your profile > Canary Exporter.
- Select which type of data you’d like to export:
  - Native is data formatted as it was received by the EDR/EPP platform. This format is ideal when using third-party applications that expect data from a specific product, such as Carbon Black Response or CrowdStrike Falcon.
  - Standardized is data formatted according to Red Canary's standardized format. This format tends to be easier to read and parse, and is product-agnostic.
- Generate credentials for the exporter by clicking Generate Credentials. Clicking this button will revoke any previously generated credentials, so use this with care.
  Credentials are organization-wide, not specific to your user account. You will receive one AWS key pair for your organization, which should be documented and kept as safe as you would any other password. If you lose your key material, generate a new set of credentials immediately.
- Create and customize your configuration file by following the instructions on the page.
- Run one or more exporters on a host inside your network by following the instructions on the page.