External alerts are the alerts from your security products that are processed by Red Canary. Many security teams receive alerts from dozens of sources. These alerts are often difficult to investigate conclusively because they only describe part of the story of what happened.
Red Canary takes alerts from these sources, correlates them together, and—most importantly—determines if there was any activity on your endpoints that corroborates the activity described by the alert. This process of “alert validation” oftentimes dramatically reduces the number of alerts your team needs to review.
The security products that generate these alerts are represented by alert sources in the Red Canary platform. An alert source is a distinct deployment of a security product in your organization. For example, if you have multiple deployments of an IDS/IPS product for different locations, each will be a unique alert source.
Viewing your alert sources
Your alert sources are grouped according to a set of categories defined originally by Millennium Partners’ Cyberscape. Grouping them this way gives you a visualization of your security stack and of which products are, and are not, feeding alerts to Red Canary.
How are alerts ingested from alert sources?
Alerts can be collected from alert sources in a number of ways. The ideal transport is the one that allows the highest fidelity alerts to be processed by Red Canary. The transports supported by alert sources differ per source and can be one of the following:
- TCP/TLS
- HTTP/S POST
- Syslog
- Aggregator / SIEM
- API polling
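Whatever the transport, the alerts have to be reduced to a common record before they can be correlated and checked against endpoint activity. The following added example (not Red Canary's code, and not its alert format) normalises two hypothetical alerts about the same file, one delivered as an RFC 5424 syslog line and one as an HTTP POST JSON body, then looks for corroborating endpoint telemetry, which is the alert validation step described above. The syslog structured-data keys (`host`, `sha256`), the JSON field names, the hostnames, hashes and endpoint events are all constructed for the example.

```python
"""Added example: normalise alerts from different transports and validate
them against endpoint telemetry. Formats and sample data are invented."""
import json
import re
from dataclasses import dataclass

# RFC 5424 header plus one SD-ELEMENT. Assumption for the example: the
# sensor emits key="value" params in a single structured-data element.
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ '
    r'\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\] ?(?P<msg>.*)$'
)
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Alert:
    source: str    # alert source: one deployment of one product
    hostname: str  # endpoint the alert names, lower-cased for matching
    sha256: str    # file hash the alert names, lower-cased for matching
    title: str


def parse_syslog_alert(line, source):
    """Alert delivered over syslog (hypothetical IDS format)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message: %r" % line)
    params = dict(PARAM_RE.findall(m.group("params")))
    return Alert(source, params["host"].lower(),
                 params["sha256"].lower(), m.group("msg"))


def parse_http_alert(body, source):
    """Alert delivered as an HTTP POST body (hypothetical JSON schema)."""
    doc = json.loads(body)
    return Alert(source, doc["device"]["hostname"].lower(),
                 doc["file"]["sha256"].lower(), doc["name"])


def validate(alerts, endpoint_events):
    """Correlate alerts on (hostname, sha256) across sources and attach the
    endpoint events that corroborate them; an alert with no matching
    endpoint activity stays unvalidated."""
    results = {}
    for a in alerts:
        key = (a.hostname, a.sha256)
        entry = results.setdefault(
            key, {"sources": [], "titles": [], "evidence": [], "validated": False})
        if a.source not in entry["sources"]:
            entry["sources"].append(a.source)
        entry["titles"].append(a.title)
    for key, entry in results.items():
        entry["evidence"] = [e for e in endpoint_events
                             if (e["hostname"].lower(), e["sha256"].lower()) == key]
        entry["validated"] = bool(entry["evidence"])
    return results


# Constructed sample input: two sources report the same file on WS-042,
# one source reports a different file on WS-077.
SYSLOG_ALERT = ('<134>1 2024-05-01T10:00:00Z ids-sensor-01 suricata - - '
                '[alert@32473 host="WS-042" sha256="AB12CD34"] '
                'ET MALWARE suspicious download')
HTTP_ALERT = json.dumps({"name": "Malicious file detected",
                         "device": {"hostname": "ws-042"},
                         "file": {"sha256": "ab12cd34"}})
SYSLOG_NOISE = ('<134>1 2024-05-01T10:05:00Z ids-sensor-01 suricata - - '
                '[alert@32473 host="WS-077" sha256="FFEE0011"] '
                'ET POLICY external DNS query')
ENDPOINT_EVENTS = [  # constructed process-execution telemetry
    {"hostname": "WS-042", "sha256": "ab12cd34",
     "process": "C:\\Users\\a\\Downloads\\invoice.exe"},
    {"hostname": "WS-042", "sha256": "00000000",
     "process": "C:\\Windows\\explorer.exe"},
]


def run_demo():
    alerts = [parse_syslog_alert(SYSLOG_ALERT, "ids-sensor-01"),
              parse_http_alert(HTTP_ALERT, "av-console-prod"),
              parse_syslog_alert(SYSLOG_NOISE, "ids-sensor-01")]
    return validate(alerts, ENDPOINT_EVENTS)


if __name__ == "__main__":
    for key, r in run_demo().items():
        state = "validated" if r["validated"] else "unvalidated"
        print(key, state, r["sources"], len(r["evidence"]), "endpoint event(s)")
```

Running it groups the two WS-042 alerts into one validated item backed by the `invoice.exe` execution, while the WS-077 alert has no endpoint evidence and remains unvalidated. Lower-casing hostnames and hashes before matching matters in practice: different products emit them in different cases, and a case-sensitive join silently drops the corroboration.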
How do I get started with alert sources?
Get started by adding an alert source for each deployment of each security product in your stack and configuring that product to send its alerts to Red Canary over one of the transports it supports. Once configured, alerts will be processed and validated by the Red Canary platform.
Learn more about creating and managing alert sources and the resulting process of alert validation.