Supported Integrations (Security Data Lake)


Red Canary supports a diverse array of security providers for both Managed Detection and Response (MDR) and storage in the Security Data Lake.

To add your data to the data lake, you can enable storage on any of your active MDR integrations. Alternatively, you can configure a data lake-only integration — this enables Security Data Lake support for data sources without a product-specific integration or in cases where you need to store additional data that isn’t used for MDR.

MDR integrations

The Integrations page in the Red Canary portal lists many product-specific MDR integrations. For core anchor integrations, Red Canary can help you configure the integration. For other integrations, Red Canary can help with troubleshooting, but cannot guide the setup of the external data source.

Integrations with configuration support

| Provider | Supported Platform | Class of Security Data | Data Lake Use Case |
| --- | --- | --- | --- |
| Amazon Web Services | AWS | Cloud | Retention, Search, Context |
| Broadcom | Carbon Black Cloud | EDR | Retention, Search, Context |
| Broadcom | Carbon Black EDR | EDR | Retention, Search, Context |
| CrowdStrike | Falcon Insight XDR | EDR | Retention, Search, Context |
| Google | Cloud Platform (GCP) | Cloud | Retention, Search, Context |
| Google | Workspace | SaaS | Retention, Search, Context |
| Microsoft | Azure | Cloud | Retention, Search, Context |
| Microsoft | Defender for Endpoint | EDR | Retention, Search, Context |
| Microsoft | Entra ID | Identity | Retention, Search, Context |
| Microsoft | Office 365 Management API | SaaS | Retention, Search, Context |
| Okta | Workforce Identity | Identity | Retention, Search, Context |
| Palo Alto Networks | Cortex XDR | EDR | Retention, Search, Context |
| Red Canary | Linux EDR | EDR | Retention, Search, Context |
| SentinelOne | Singularity | EDR | Retention, Search, Context |
| Trend Micro | Vision One | EDR | Retention, Search, Context |

Self-configured integrations

| Provider | Supported Platform | Class of Security Data | Data Lake Use Case |
| --- | --- | --- | --- |
| Cisco | Duo | Identity | Retention, Search, Context |
| Cisco | Firepower | Network | Retention, Search, Context |
| Cisco | Meraki | Network | Retention, Search, Context |
| Cisco | Umbrella | Network | Retention, Search, Context |
| CrowdStrike | Falcon Identity Protection | Identity | Retention, Search, Context |
| Darktrace | ActiveAI Security Platform | Network | Retention, Search, Context |
| Dragos | Platform | Operational Technology (OT) | Retention, Search, Context |
| ExtraHop | RevealX | Network | Retention, Search, Context |
| ExtraHop | Enterprise | Network | Retention, Search, Context |
| Fortinet | FortiAnalyzer | Network | Retention, Search, Context |
| Fortinet | FortiGate | Network | Retention, Search, Context |
| Fortinet | Lacework FortiCNAPP | Cloud | Retention, Search, Context |
| Jamf | Pro/Protect | EDR | Retention, Search, Context |
| Microsoft | Defender for Cloud | Cloud | Retention, Search, Context |
| Microsoft | Defender for Cloud Apps | Identity | Retention, Search, Context |
| Microsoft | Defender for Identity | Identity | Retention, Search, Context |
| Microsoft | Defender for Office 365 | Email | Retention, Search, Context |
| Microsoft | Entra ID Protection | Identity | Retention, Search, Context |
| Microsoft | Sentinel | SIEM | Retention, Search, Context |
| Palo Alto Networks | PAN-OS | Network | Retention, Search, Context |
| Palo Alto Networks | Threat Prevention | Network | Retention, Search, Context |
| Palo Alto Networks | Wildfire | Network | Retention, Search, Context |
| Proofpoint | Targeted Attack Protection (TAP) | Email | Retention, Search, Context |
| Wiz | Wiz | Cloud | Retention, Search, Context |

In addition to the investigated sources listed above, there are hundreds of contextual sources (marked as "stored only" in the Red Canary portal). The list of contextual integrations is too long to include here. To check whether a product-specific integration is available, log into your Red Canary portal, navigate to the Integrations page, and search for the desired source platform. If a tile is available, the data can be stored in the Security Data Lake.

Enabling data lake retention on an MDR integration

  1. From your Red Canary portal, navigate to Integrations and select the integration of interest.

  2. Find Customize how this data is retained, and select Store in the Security Data Lake.

  3. Specify the desired data retention period in days and click Save.

Data Lake-only integrations

For all data lake-only integrations, Red Canary can help with troubleshooting, but cannot guide the setup of the external data source.

For a few external sources, dedicated product-specific integrations are offered. For other situations where you need a data lake-only integration, we recommend using a generic integration. If a data source can be configured to write logs to an Amazon S3 bucket or to securely forward logs to an external syslog server, it can be integrated with the Security Data Lake using a generic integration. If you need help validating whether a specific data source is supported, please contact your Red Canary account representative.

Product-specific integrations

| Provider | Supported Platform | Class of Security Data | Data Lake Use Case |
| --- | --- | --- | --- |
| Cisco | Cisco Adaptive Security Appliance (ASA) | Network | Retention, Search, Context |
| Cisco | Cisco Firepower Threat Defense (FTD) | Network | Retention, Search, Context |
| Zscaler | Zscaler Internet Access (ZIA) | Network | Retention, Search, Context |

Generic integrations

| Ingest Method | Data Format | Example Sources | Data Lake Use Case |
| --- | --- | --- | --- |
| Amazon S3 (Red Canary managed) | Line-delimited JSON (plain text supported for retention only) | Cloudflare, Logstash | Retention, Search, Context |
| Amazon S3 (Self-managed) | Line-delimited JSON (plain text supported for retention only) | AWS, Cato Networks, Netskope | Retention, Search, Context |
| Syslog | RFC 3164 or RFC 5424 | NetScaler WAF, NXLog, PAN-OS, rsyslog, syslog-ng, Zscaler Private Access | Retention, Search, Context |

Configuring a data lake-only integration

Depending on the data source you want to configure, follow the corresponding link in the tables above to see setup instructions, prerequisites, available search fields, and related details.

When would I use an MDR integration versus a data lake-only integration?

If you are already sending data to Red Canary for MDR and would also like to store it long-term (e.g., to comply with data retention policies), enabling data lake storage on your existing MDR integration ensures that you only have to send the data once and minimizes the setup needed.

When would I use a data lake-only integration versus an MDR integration?

There are a few instances where a data lake-only integration is a preferred approach:

  1. When the data being sent to Red Canary for MDR does not contain all the logs you need to store. For example, if you have configured a PAN-OS integration to forward Wildfire alerts for investigation, but you would also like to keep additional firewall logs for long-term retention, you can set up a generic syslog integration that forwards the firewall telemetry of interest.

  2. When a product-specific MDR integration is not available. While Red Canary offers hundreds of MDR integrations, our customers use many more security products than we can directly support. Many of those products can be configured to forward logs via Amazon S3, syslog, or a third-party log collector. For help validating the best integration path for a specific data source, please contact your Red Canary account representative.