Red Canary ingests security data from multiple third-party security platforms spanning Endpoints, Networks, Identity, Cloud, and more. Adding supported security data sources to Red Canary ensures that you’re getting the most out of your security products and Red Canary. This article covers the ingestion methods for supported source platforms, configuration of source data, and potential requirements regarding digital certificates and Transport Layer Security (TLS) for specific ingestion methods.
Estimated procedure time: 10 minutes
If you don't see your security product, check out Suggest a New Security Product in the Red Canary Help Center.
- From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources.
- In the Alert Sources search bar, enter and select the name of the security product you want to add.
- Once added, click the product name to configure the alert source.
Configure the source platform
- Click Edit Configuration.
- In the Name field, enter the security product.
- Select a display category.
- Select an ingest format or method.
  - API Poller: Red Canary pulls new alerts every five minutes from the alert source API using credentials that you provide.
  - Email: Red Canary provides an email address that you can configure your alert source to send alerts to.
  - Syslog: Red Canary provides a URL and port for you to configure your alert source to send alerts to via the syslog network logging protocol. This requires TLS v1.2+ (see below).
  - HTTP: Red Canary provides a URL and port for you to configure your alert source to send alerts to via HTTPS webhooks. This requires TLS v1.2+ (see below).
  - TCP: Red Canary provides a URL and port for you to configure your alert source to send alerts to via TCP with TLS. This requires TLS v1.2+ (see below).
- Click Save Configuration.
- You now need to parse the alerts that will be coming into Red Canary. Click Activate to begin processing alerts.
- Click Edit Configuration to view the URL that you will send alerts to. The window now includes a new section that shows the URL and port that your security product will send alerts to.
Red Canary TLS Certificate for Ingest over TLS (Recommended)
If you are using Syslog, HTTP, or TCP, Red Canary requires that you configure your third-party product to send alerts to the provided URL and port number shown in the configuration window. When you are finished, click Save Configuration or exit the modal.
Custom TLS Certificate for Ingest over TLS (Optional)
If you do not want to use the recommended configuration, you can use a custom TLS server certificate instead, for example if your company has security requirements or if the third-party product you are adding requires a custom certificate.
Note: Red Canary supports customer self-signed certificates but does not support uploading third-party CA-signed certificates.
- Select the Use custom TLS server certificate for ingest over TLS? option. Click Choose File, then select the certificate and private key files. You can also enter a private key passphrase.
- Click Save.
You’ll receive an update in the Red Canary platform that the external alert source was successfully updated.
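Before uploading, the certificate and private key can be checked locally against the constraints above (self-signed only, key belongs to the certificate, optional passphrase). The script below is an added example, not Red Canary tooling; it assumes OpenSSL is installed, and the function names and the KEY_PASSPHRASE environment variable are hypothetical.

```sh
#!/bin/sh
# Added example (not Red Canary tooling): sanity-check a custom TLS server
# certificate and private key before uploading them. Function and variable
# names are hypothetical. Put the key passphrase, if any, in KEY_PASSPHRASE.

# True when subject and issuer names match, the trait of a self-signed
# certificate. The signature itself is not verified here.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$subj" = "$issr" ]
}

# True when the private key's public half equals the certificate's public key.
# A wrong or missing passphrase makes openssl fail, so the check fails closed.
key_matches_cert() {
    KEY_PASSPHRASE=${KEY_PASSPHRASE:-}; export KEY_PASSPHRASE
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASSPHRASE -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate has not expired.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run every check, report each failure, return 0 only if all pass.
check_custom_cert() {
    rc=0
    is_self_signed "$1" || { echo "FAIL: not self-signed: $1"; rc=1; }
    not_expired "$1" || { echo "FAIL: expired: $1"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate, or bad passphrase"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 pass the pre-upload checks"
    return "$rc"
}

# Usage: ./check_cert.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    check_custom_cert "$1" "$2"
fi
```

Passing the passphrase through an environment variable keeps it out of the process argument list.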
Test the integration
For email-based alerts, trigger an alert or email in the source platform.
Note: There is no integrated test functionality for API-based alerts at this time.