Supported Integrations (Security Data Lake)
- Updated on 23 Jul 2025
Red Canary supports a diverse array of security providers for both Managed Detection and Response (MDR) and storage in the Security Data Lake.
To add your data to the data lake, you can enable storage on any of your active MDR integrations. Alternatively, you can configure a data lake-only integration — this enables Security Data Lake support for data sources without a product-specific integration or in cases where you need to store additional data that isn’t used for MDR.
MDR integrations
Note: MDR integrations for the Security Data Lake are available as an Early Access offering for data lake customers. If you are interested in this feature, contact your Red Canary account representative to request participation.
The Integrations page in the Red Canary portal lists many product-specific MDR integrations. If a source is listed as Stored and Investigated, Red Canary can help you configure that integration. If a source is listed as Stored Only, Red Canary can help with troubleshooting, but cannot guide the setup of the external data source.
Integrations with configuration support
Provider | Supported Platform | Class of Security Data | Data Lake Use Case |
---|---|---|---|
Amazon Web Services | | Cloud | Retention-only |
Broadcom | | EDR | Retention-only |
Broadcom | | EDR | Retention-only |
Cisco | | Identity | Retention-only |
Cisco | | Network | Retention-only |
Cisco | | Network | Retention-only |
Cisco | | Network | Retention-only |
CrowdStrike | | Identity | Retention-only |
CrowdStrike | | EDR | Retention-only |
Darktrace | | Network | Retention-only |
Dragos | | Operational Technology (OT) | Retention-only |
ExtraHop | | Network | Retention-only |
ExtraHop | | Network | Retention-only |
Fortinet | | Network | Retention-only |
Fortinet | | Network | Retention-only |
 | | Cloud | Retention-only |
 | | SaaS | Retention-only |
Jamf | | EDR | Retention-only |
Lacework | | Cloud | Retention-only |
Microsoft | | Cloud | Retention-only |
Microsoft | | Cloud | Retention-only |
Microsoft | | Identity | Retention-only |
Microsoft | | EDR | Retention-only |
Microsoft | | Identity | Retention-only |
Microsoft | | | Retention-only |
Microsoft | | Identity | Retention-only |
Microsoft | | Identity | Retention-only |
Microsoft | | Aggregate | Retention-only |
Microsoft | | SIEM | Retention-only |
Okta | | Identity | Retention-only |
Palo Alto Networks | | EDR | Retention-only |
Palo Alto Networks | | Network | Retention-only |
Palo Alto Networks | | Network | Retention-only |
Palo Alto Networks | | Network | Retention-only |
Proofpoint | | | Retention-only |
SentinelOne | | EDR | Retention-only |
Trend Micro | | EDR | Retention-only |
Self-configured integrations
There are too many contextual integrations to list here. To check whether a product-specific integration is available, log in to your Red Canary portal, navigate to the Integrations page, and search for the desired source platform.
Enabling data lake retention on an MDR integration
1. From your Red Canary portal, navigate to Integrations and select the integration of interest.
2. Find Customize how this data is retained, and select Store in the Security Data Lake.
3. Specify the desired data retention period in days and click Save.
Data Lake-only integrations
For product-specific integrations, Red Canary can help you with configuration of the data source. For generic integrations, Red Canary can help with troubleshooting, but cannot guide the setup of the external data source.
If a data source can be configured to write logs to an Amazon S3 bucket or securely forward logs to an external syslog server, it can be integrated with the Security Data Lake using a generic integration. If you need help validating whether a specific data source is supported, please contact your Red Canary account representative.
Product-specific integrations (Integrations with configuration support)
Provider | Supported Platform | Class of Security Data | Data Lake Use Case |
---|---|---|---|
Zscaler | | Network | Retention and Search |
Generic integrations (Self-configured integrations)
Ingest Method | Data Format | Example Sources | Data Lake Use Case |
---|---|---|---|
 | Line-delimited JSON (Plain text supported for retention-only) | Cloudflare, Logstash | Retention and Search |
 | Line-delimited JSON (Plain text supported for retention-only) | AWS, Cato Networks, Netskope | Retention and Search |
 | RFC 3164 or RFC 5424 | NetScaler WAF, NXLog, PAN-OS, rsyslog, syslog-ng, Zscaler Private Access | Retention and Search |
Configuring a data lake-only integration
To configure a data source, follow its link in the tables above to see setup instructions, prerequisites, available search fields, etc.
When would I use an MDR integration versus a data lake-only integration?
If you are sending data to Red Canary for MDR that you would also like to store long-term (e.g., to comply with data retention policies), enabling data lake storage on your existing MDR integration means you only have to send the data once and minimizes the setup needed.
When would I use a data lake-only integration versus an MDR integration?
There are a few instances where a data lake-only integration is the preferred approach:
- When the data being sent to Red Canary for MDR does not contain all the logs you need to store. For example, if you have configured a PAN-OS integration to forward Wildfire alerts for investigation, but you would also like to keep additional firewall logs for long-term retention, you can set up a generic syslog integration that forwards the firewall telemetry of interest.
- When there is not a product-specific MDR integration available. While Red Canary offers hundreds of MDR integrations, there are many more security products our customers use than we can directly support. Many of those products can be configured to forward logs via Amazon S3, syslog, or a third-party log collector. For help validating the best integration path for a specific data source, please contact your Red Canary account representative.