Integrating Cisco Firepower with Red Canary enhances threat detection and response capabilities by centralizing security data and automating incident response workflows. To integrate Cisco Firepower with Red Canary, follow the procedure below.
Prerequisites
Before you start the Firepower integration, please make sure the following requirements are met:
You have a Firepower Management Center (FMC) login account with sufficient administrator permissions to configure the Syslog settings.
1 Red Canary | Add the Integration
The first step is to add the new integration in Red Canary.
From your Red Canary homepage, go to the Integrations page then click Add Integration.

On the Add integration dialog, search for the Cisco Firepower integration then click Configure.

On the Add Integration page, enter a name for the integration.

2 Red Canary | Choose How Red Canary Receives the Data
The ingest method determines how Red Canary receives data from the Firepower Management Center (FMC).
In the Choose how Red Canary will receive this data section, select Cisco Firepower via Syslog (recommended) or Cisco Firepower via Email.

Click Next.
3 Red Canary | Configure Red Canary to Retrieve the Data
The remaining steps describe the email method. The integration automatically provisions a Red Canary email address to which Firepower can send its logs.
In the Configure Red Canary to retrieve data from this integration section, make sure the Use TLS to deliver alerts box is checked.

Note
Only uncheck Use TLS to deliver alerts if you are testing the integration and do not need Transport Layer Security (TLS) for the test traffic. Production integrations should always use TLS to protect the confidentiality and integrity of the log data in transit to Red Canary.
Click Provision to generate an email address to receive the log data sent from Firepower.

After a few seconds, Red Canary will display the provisioned email. Copy the address so you can enter it into the Firepower Management Center (FMC) in the next step.

4 Firepower | Configure Email Forwarding
In order for Firepower to pass alerts to Red Canary, you need to forward the logs to the email address provisioned in the previous section.
Log in to the Firepower Management Center (FMC).
Go to Devices > Platform Settings, open the Threat Defense policy applied to your FTD device, then go to Syslog > Email Setup.
Click Add.
In the Destination Email Address field, enter the Red Canary email address provisioned above.
In the Syslog Severity drop-down, choose warning. Firepower emails messages logged at the selected severity and at any more severe level (emergencies through warnings), so messages logged at notice, informational or debugging severity are not forwarded to Red Canary.
Click OK to save the configuration.
Click Save to save the platform settings.
Go to Deploy, choose the FTD appliance where you want to apply the changes, then click Deploy.
For additional information, please see the Cisco FMC documentation.
Email Format
Red Canary parses the message exactly as Firepower formats it. Make sure that no mail relay or perimeter device in line between Firepower and Red Canary (mail gateway, content filter, DLP appliance) rewrites the plain-text message as HTML or otherwise alters the message body.
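The two things that most often go wrong in the email path above are the severity filter (step 4) and a relay rewrapping the message as HTML (this section). The following script is an added example, not Red Canary or Cisco code: it takes a raw forwarded message, checks that it is still text/plain, and reports which FTD syslog lines would actually be emailed under a given Syslog Severity threshold. It assumes the body carries FTD syslog lines in the "%FTD-<severity>-<message_id>: ..." header format; the sample messages, addresses and message text are constructed for illustration and do not come from a real FMC.

```python
"""Check a Firepower syslog-by-email message before relying on it in Red Canary.

Added example, not Red Canary or Cisco code. Assumes FTD syslog lines of the
form "%FTD-<severity>-<message_id>: ...". Sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message

# Cisco syslog severity levels: lower number = more severe.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# FTD syslog header: %FTD-<severity digit>-<six-digit message id>: <text>
FTD_LINE = re.compile(r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")


def is_plain_text(msg: Message) -> bool:
    """True when no part of the message has been rewritten as text/html."""
    if msg.is_multipart():
        # A relay that converts to HTML typically emits multipart/alternative
        # with a text/html part; Red Canary needs the untouched text/plain body.
        return not any(p.get_content_type() == "text/html" for p in msg.walk())
    return msg.get_content_type() == "text/plain"


def body_text(msg: Message) -> str:
    """Return the first text/plain body, decoded with its declared charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8")
    return ""


def parse_syslog_lines(body: str) -> list:
    """Extract severity, message id and text from each FTD syslog line."""
    events = []
    for line in body.splitlines():
        m = FTD_LINE.search(line)
        if m:
            events.append({"severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]})
    return events


def would_be_emailed(severity: int, threshold: str = "warnings") -> bool:
    """Cisco semantics: sent when the message is at the configured level or more severe."""
    return severity <= SEVERITY[threshold]


def check_message(raw: str, threshold: str = "warnings") -> dict:
    """Summarise whether a forwarded message is usable and which lines pass the filter."""
    msg = message_from_string(raw)
    report = {"plain_text": is_plain_text(msg), "events": [], "filtered_out": []}
    for ev in parse_syslog_lines(body_text(msg)):
        bucket = "events" if would_be_emailed(ev["severity"], threshold) else "filtered_out"
        report[bucket].append(ev)
    return report


# Constructed sample: what FMC Email Setup is expected to send (text/plain).
SAMPLE_PLAIN = """\
From: ftd-syslog@example.com
To: provisioned-address@example.com
Subject: FTD syslog
Content-Type: text/plain; charset=utf-8

%FTD-4-430001: constructed sample event at warning severity
%FTD-6-430003: constructed sample event at informational severity
"""

# Constructed sample: the same message after a relay rewrapped it as HTML.
SAMPLE_HTML = """\
From: relay@example.com
To: provisioned-address@example.com
Subject: FTD syslog
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

%FTD-4-430001: constructed sample event at warning severity
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>%FTD-4-430001: constructed sample event at warning severity</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("plain", SAMPLE_PLAIN), ("html", SAMPLE_HTML)):
        print(name, check_message(raw))
```

Run it against a message captured from the mailbox (or a test address you control) before the one provisioned by Red Canary: if plain_text is False, something between FMC and Red Canary is rewriting the body; if the events you expect land in filtered_out, the Syslog Severity threshold in Email Setup is stricter than the severity those messages are logged at.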
5 Red Canary | Confirm the Configuration
In the Configure Red Canary to retrieve data from this integration section, go to Section 2b (Send data to Red Canary) and check the I’ve configured this integration to send data to Red Canary box. (This confirms that you’ve completed the Configure Email Forwarding steps above.)

Click Next.
6 Red Canary | Customize Data Handling
[OPTIONAL] In the Customize how data from this integration is handled section, enable Process Correlation if appropriate.
What is Process Correlation?
If a third-party alert platform lets you create your own rules to trigger alerts, Red Canary can correlate with the rule metadata when it displays the alerts in the timeline. To conserve API bandwidth and compute cycles, process correlation for user-defined alerts is disabled by default.

7 Red Canary | Activate the Integration
After you’ve finished the configuration, click Save to activate the integration.
The Firepower integration is now live!
You should see alerts start appearing in Red Canary within 24 hours.
8 Red Canary | Modifying the Integration
Once the integration is active, there are no routine maintenance tasks to perform. However, you’ll need to modify the configuration if you want to deactivate or remove the integration.
To modify the configuration:
From your Red Canary homepage, go to the Integrations page then click on the name of the integration you want to modify.

Deactivating the Integration
To suspend alerts for this integration, click the deactivate button. The status displayed on the Integrations page changes to “Inactive” and no alerts will be passed to Red Canary. If necessary, you can reactivate it later by clicking the activate button.
Note
Deactivating or reactivating the integration takes effect immediately. You don’t need to click Save to confirm the action.
Decommissioning the Integration
To remove the integration from Red Canary, click the decommission button, then click OK to confirm.
Important
If you decommission the integration, no new alerts will be sent to Red Canary and all processed alerts will be deleted. This action cannot be undone.