Red Canary ingests security data from multiple third-party security platforms spanning Endpoints, Networks, Identity, Cloud, and more. Adding supported security data sources to Red Canary ensures that you’re getting the most out of your security products and Red Canary. The article covers the ingestion methods for supported source platforms, configuration of source data, and potential requirements regarding digital certificates and Transport Layer Security (TLS) for specific ingestion methods.
If you don't see your security product, check out Suggest a New Security Product in the Red Canary Help Center.
Step 1: Getting started
- From your Red Canary dashboard, click the Integrations dropdown, and then click Alert Sources.
- In the Alert Sources search bar, enter and select the name of the security product you want to add.
- Once added, click the product name to configure the alert source.
Step 2: Configure the source platform
- Click Edit Configuration.
- In the Name field, enter the security product.
- Select a display category.
- Select an ingest format or method. For example, API Poller, Email, Syslog, HTTP, TCP; click here for more information about supported formats and methods.
- What does Enable process correlation for user-defined alerts mean? Many EDR platforms allow users to create their own list of rules that can trigger alerts. These alerts are typically high volume and, from a threat investigation perspective, usually have little to no value and may even hinder alert analysis. Process correlation requires Red Canary to make additional calls to EDR APIs, so enabling process correlation for these alerts may cause Red Canary to exceed rate-limits. Therefore, process correlation for these alerts is not enabled by default on new and existing alert sources.
- Click Save Configuration.
- You now need to parse the alerts that will be coming into Red Canary. Click Activate to begin processing alerts.
- Click Edit Configure to view the URL that you will be sending alerts to. From here you will notice a new section on the window. You will be able to view the URL and Port where your security product will send the alerts to.
Red Canary TLS Certificate for Ingest over TLS (Recommended)
If you are using Syslog, HTTP, or TCP, Red Canary requires that you configure your third party product to send alerts to the Provided URL and Port number highlighted below. When you are finished, click Save Configuration or exit the modal.
Custom TLS Certificate for Ingest over TLS (Optional)
If you do not want to use the recommended configuration, you can use this one. If your company has security requirements, or if the third-party product you are adding requires a custom certificate, you can use a custom TLS server certificate.
Note: Red Canary supports customer self-signed certificates but doesn’t support the uploading of third-party CA signed certificates.
- Select Use custom TLS server certificate for ingest over TLS?. Click Choose File, then select the certificate and private key files. You can also enter a private key passphrase if you choose to.
- Click Save.
You’ll receive an update in the Red Canary platform that the external alert source was successfully updated.
Step 3: Test the integration
For email-based alerts, trigger an alert or email in the source platform.
Note: There is no integrated test functionality for API-based alerts at this time.