You can configure Red Canary to ingest external alerts from a supported security product, allowing you to correlate external alerts with a process or endpoint in a centralized place where you can review and search all alerts ingested, the alert’s status, and results of any alert investigations.
Connecting a new alert source to Red Canary
You can configure Red Canary to receive alerts from your security products using a number of collection methods.
To add a new alert source:
- Navigate to Record > External Alert Sources.
- Start typing the name of your alert source. If your security product is not listed, click Suggest a new addition and let us know!
- Select your alert source from the list.
- Click the title of the alert source, then click Configure.
- Follow the instructions on the form to select how Red Canary will receive alerts and in which format. Not all formats are supported; we prioritize the highest quality formats whenever possible.
- Configure your security product to send alerts to the provided Red Canary email address or collector, or provide the information needed for API polling.
How can I test the integration?
For email-based alerts, trigger an alert/email in the source platform. There is no integrated test functionality for API-based alerts at this time.