This article is part of an overview of getting started with Red Canary:
- Collect endpoint telemetry
- Collect external alerts
- Monitor endpoints
- Detect potential threats (performed by Red Canary)
- Investigate potential threats (performed by Red Canary)
- Respond to threats using automation
For organizations using Red Canary to collect and prioritize alerts, the next step after deploying endpoint sensors that collect endpoint telemetry is to begin sending the alerts from your other security products to Red Canary. These external alerts are the alerts from your security products, services, cloud provider, etc. These alerts are often difficult to investigate conclusively because they only describe part of the story of what happened.
For customers with the external alerts feature enabled, Red Canary takes these alerts, correlates them, and, most importantly, determines whether any activity on your endpoints corroborates the activity described by the alert. This process of “alert validation” often dramatically reduces the number of alerts your team needs to review.
Define your security stack
The first step in collecting alerts is to record the security products your organization uses. In Red Canary, add products to your security stack by clicking Integrations and then Alert Sources. In the Alert Sources search bar, begin typing the name of a security product and select it to add the product to your security stack.
Some security products are used for more than one purpose and will appear in multiple categories. If you use the product for more than one purpose, you can add it multiple times, once for each categorized use.
Configure Red Canary to accept alerts from your security products
Red Canary’s Alert Sources view allows you to manage the collection of alerts from your other security products. You can use this view to configure alert sources by clicking their name and then Configure.
The transports supported by alert sources differ per source and include email, TCP/TLS, HTTP/S POST, Syslog, aggregators / SIEMs, API polling, etc.
Follow the resulting instructions to configure the alert source to send alerts to Red Canary. Once the alert source is configured in Red Canary, configure the security product to send alerts to Red Canary using that transport mechanism.
Verify that alerts are being collected and validated
Once the alert source is configured, alerts will be collected and processed by Red Canary. Use the External Alerts view to review the alerts collected by Red Canary and the results of our processing.
Your Red Canary dashboard reports the number of alerts ingested and analyzed by Red Canary: