This article is part of a walkthrough of getting started with Red Canary:
For organizations using Red Canary to collect and prioritize alerts, the next step after deploying endpoint sensors that collect endpoint telemetry is to begin sending the alerts from your other security products to Red Canary. These external alerts are the alerts generated by your security products, services, cloud provider, and similar sources. On their own, these alerts are often difficult to investigate conclusively because each one describes only part of the story of what happened.
For customers with the external alerts feature enabled, Red Canary takes these alerts, correlates them together, and—most importantly—determines if there was any activity on your endpoints that corroborates the activity described by the alert. This process of “alert validation” oftentimes dramatically reduces the number of alerts your team needs to review.
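The validation step described above, shown as an added illustration rather than Red Canary's own code: constructed external alerts are grouped by host and process, then checked for endpoint telemetry on the same host within a time window. The field names, the five-minute window, and all sample data are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample alerts from two external products (not real data).
EXTERNAL_ALERTS = [
    {"id": "av-1", "source": "antivirus", "host": "ws-042",
     "time": "2024-05-01T10:00:00", "process": "mshta.exe"},
    {"id": "fw-7", "source": "firewall", "host": "ws-042",
     "time": "2024-05-01T10:01:30", "process": "mshta.exe"},
    {"id": "mail-3", "source": "email gateway", "host": "ws-099",
     "time": "2024-05-01T11:00:00", "process": "winword.exe"},
]

# Constructed endpoint telemetry; one event is hours away from any alert.
ENDPOINT_EVENTS = [
    {"host": "ws-042", "time": "2024-05-01T10:00:20",
     "process": "mshta.exe", "parent": "winword.exe"},
    {"host": "ws-042", "time": "2024-05-01T09:00:00",
     "process": "mshta.exe", "parent": "explorer.exe"},
]


def corroborate(alert, events, window=timedelta(minutes=5)):
    """Return endpoint events on the alert's host, for the same process,
    observed within `window` of the alert time."""
    t = datetime.fromisoformat(alert["time"])
    return [e for e in events
            if e["host"] == alert["host"]
            and e["process"] == alert["process"]
            and abs(datetime.fromisoformat(e["time"]) - t) <= window]


def validate_alerts(alerts, events, window=timedelta(minutes=5)):
    """Correlate alerts about the same host/process, then label each group
    'corroborated' if any member has endpoint evidence, else 'unconfirmed'."""
    groups = {}
    for a in alerts:
        groups.setdefault((a["host"], a["process"]), []).append(a)
    results = []
    for (host, proc), members in groups.items():
        evidence = []
        for a in members:
            for e in corroborate(a, events, window):
                if e not in evidence:      # de-duplicate shared evidence
                    evidence.append(e)
        results.append({"host": host, "process": proc,
                        "alert_ids": [a["id"] for a in members],
                        "status": "corroborated" if evidence else "unconfirmed",
                        "evidence": evidence})
    return results
```

Three alerts collapse to two groups; only the group with endpoint activity in the window needs an analyst's attention.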
Defining your security stack
The first step in collecting alerts is to record the security products your organization uses. These are grouped according to a set of categories defined originally by Millennium Partners’ Cyberscape, which provides a helpful visualization of your security stack:
Add products to your security stack by clicking your company name in the site navigation. Below My security stack, begin typing the name of a security product and press Enter to add the product to your security stack.
Some security products serve more than one purpose and will appear in multiple categories. If you use a product for more than one purpose, add it once for each categorized use.
Configuring Red Canary to accept alerts from your security products
Red Canary’s Alert Sources view allows you to manage the collection of alerts from your other security products. Use this view to configure an alert source by clicking its name and then Configure.
The transports supported by an alert source differ per source and include email, TCP/TLS, HTTP/S POST, Syslog, aggregators / SIEMs, and API polling.
Follow the resulting instructions to set up the alert source in Red Canary. Once that is done, configure the security product itself to send its alerts to Red Canary over the chosen transport.
Verifying that alerts are being collected and validated
Once configured, alerts will be collected and processed by Red Canary. Use the External Alerts view to review the alerts Red Canary has collected and the results of its processing.
Your Red Canary dashboard reports the number of alerts ingested and analyzed by Red Canary: