External alerts are the alerts from your security products that are processed by Red Canary. Many security teams receive alerts from dozens of sources. These alerts are often difficult to investigate conclusively because they only describe part of the story of what happened.
Red Canary takes alerts from these sources, correlates them together, and—most importantly—determines if there was any activity on your endpoints that corroborates the activity described by the alert. This process of “alert validation” oftentimes dramatically reduces the number of alerts your team needs to review.
The security products that generate these alerts are represented by alert sources in the Red Canary platform. An alert source is a distinct deployment of a security product in your organization. For example, if you have multiple deployments of an IDS/IPS product for different locations, each will be a unique alert source.
View your alert sources
Red Canary provides a visual grouping of the security source platforms in your environment. This detailed view provides a helpful image of your security and can highlight gaps in your security data for source platforms you may want to add to your MDR coverage.
How are alerts ingested from security source platforms?
Alerts are collected from alert sources in a number of ways. The ideal transport is to allow the highest fidelity alerts to be processed by Red Canary. The transports supported by alert sources differ depending on the source and can ingested using one of the following methods:
- API Poller: Red Canary pulls new alerts every five minutes from the alert source API using credentials that you provide.
- Email: For some supported alert sources, Red Canary ingests alerts only via email. For supported alert sources, Red Canary provides an email address that you can use to configure your alert source so as to send alerts to Red Canary. This email address enables you to send emails to an email ingest destination inbox created in Red Canary’s email domain. Once an email arrives in this inbox, Red Canary parses and correlates the alert details. Ingested and processed alerts appear in the Alert section of Red Canary. For alert sources that support TLS, Red Canary supports encryption in-transit via TLS 1.2. If your alert source supports TLS, you’ll typically see a TLS toggle when adding your alert source to Red Canary.
- Syslog: Red Canary provides a URL and port for you to configure your alert source to send alerts to via the syslog network logging protocol. This requires TLS v1.2+.
- HTTP: Red Canary provides a URL and port for you to configure your alert source to send alerts to via HTTPS webhooks. This requires TLS v1.2+.
- TCP: Red Canary provides a URL and port for you to configure your alert source to send alerts to via TCP with TLS. This requires TLS v1.2+.
Learn more about adding third-party EDR platforms to Red Canary.
How do I get started with alert sources?
Get started by adding certain alert sources to your security stack and configuring each to send alerts to Red Canary. Once configured, alerts will be processed and validated by the Red Canary platform.
Learn more about creating and managing alert sources and the resulting process of alert validation.