Learn how Red Canary ingests security data from several different third-party alert sources. Adding supported alert sources to Red Canary ensures that you are getting the most out of your security products. Your options will differ depending on the available methods that are supported and the data output that is provided by the third-party platform. The information included covers the ingestion method for supported source platforms, configuration of source data, and potential requirements regarding digital certificates and Transport Layer Security (TLS) for specific ingestion methods.
Estimated procedure time: 10 minutes
If you don't see your security product, check out Suggest a New Security Product in the Red Canary Help Center.
- In the Alert Sources search bar, enter and select the name of the security product you want to add.
- Once added, click the product name to configure the alert source.
Configure the source platform
- Click Configure.
- In the Name field, enter the security product.
- Select a display category.
- Select an ingest format or method.
- API Poller: Red Canary pulls new alerts every five minutes from the alert source API using credentials that you provide.
- Email: Red Canary provides an email address that you can configure your alert source to send alerts to.
- Syslog: Red Canary provides a URL and port for you to configure your alert source to send alerts to via the syslog network logging protocol. This requires TLS v1.2+.
- HTTP: Red Canary provides a URL and port for you to configure your alert source to send alerts to via HTTPS webhooks. This requires TLS v1.2+.
- TCP: Red Canary provides a URL and port for you to configure your alert source to send alerts to via TCP with TLS. This requires TLS v1.2+.
- Click Save.
- You now need to parse the alerts that will be coming into Red Canary. Click Activate it to begin processing alerts.
- Click Configure to view the URL that you will be sending alerts to. From here you will notice a new section on the window. You will be able to view the URL and Port where your security product will send the alerts to.
Red Canary TLS Certificate for Ingest over TLS (Recommended)
Red Canary requires that you configure your third party product to send alerts to the Provided URL and Port number highlighted below. When you are finished, click Save or exit the modal.
Custom TLS Certificate for Ingest over TLS (Optional)
If your company has security requirements, or if the third-party product you are adding requires a custom certificate, you can use a custom TLS server certificate.
Note: Red Canary supports customer self-signed certificates but doesn’t support the uploading of third-party CA signed certificates.
- Select Use custom TLS server certificate for ingest over TLS?. Click Choose File, then select the certificate and private key files. You can also enter a private key passphrase if you choose to.
- Click Save.
You’ll receive an update in the Red Canary platform that the external alert source was successfully updated.
Deactivate alert sources
You can deactivate an alert source and remove it from Red Canary.
- Click Alert Sources in the site navigation.
- Click the name of the alert source.
- Click the ICON_TRASH icon.
Test the integration
For email-based alerts, trigger an alert or email in the source platform.
Note: There is no integrated test functionality for API-based alerts at this time.