Collect Red Canary EDR logs
This document explains how to ingest Red Canary EDR logs into Google Security Operations using Google Cloud Storage V2.
Red Canary is a managed detection and response (MDR) platform that provides endpoint threat detection and investigation. Because Red Canary exports telemetry and detection data as files, you must upload those logs to a Google Cloud Storage (GCS) bucket, and then configure a Google SecOps feed to ingest them.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- A Google Cloud project with billing enabled
- Privileged access to the Red Canary console with permissions to configure data export
- Access to Red Canary EDR log files
Create a Google Cloud Storage bucket
- Go to the Google Cloud Console.
- Select your project or create a new one.
- In the navigation menu, go to Cloud Storage > Buckets.
- Click Create bucket.
Provide the following configuration details:
| Setting | Value |
|---|---|
| Name your bucket | Enter a globally unique name (for example, redcanary-edr-logs) |
| Location type | Choose based on your needs (Region, Dual-region, Multi-region) |
| Location | Select the location closest to your Google SecOps instance (for example, us-central1) |
| Storage class | Standard (recommended for frequently accessed logs) |
| Access control | Uniform (recommended) |
| Protection tools | Optional: Enable object versioning or retention policy |
- Click Create.
Export Red Canary EDR logs to GCS
Red Canary provides a Canary Exporter tool (Docker container) for bulk data export, plus webhook automation for pushing data to external destinations.
Option A: Use Canary Exporter
- Deploy the Canary Exporter Docker container on a host with network access to GCS.
- Configure the exporter with your Red Canary API credentials.
- Set the export destination to a local directory or AWS S3.
- Upload exported files from the local directory to GCS using a Cloud Run function or the Google Cloud Console.
Option B: Configure webhook automation
- In the Red Canary portal, go to Integrations > Automation.
- Create a webhook that sends detection data to a Cloud Run function endpoint, which writes the data to GCS.
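Option B leaves the receiving function to you. The following Python is an added example of that function, not code from Red Canary or Google: a small HTTP receiver that checks a shared-secret header, rejects anything that is not a JSON object or array of objects, and writes each delivery as newline-delimited JSON under the redcanary-logs prefix that the feed is later pointed at. The X-Webhook-Token header and token check (Red Canary's own webhook authentication options are not covered on this page), the payload shape, the bucket and prefix names, the environment variable names, and the lazily imported google-cloud-storage writer are all assumptions for the example.

```python
"""Receiver for Red Canary webhook deliveries that lands each one in GCS as
newline-delimited JSON under the prefix the feed reads. Added example, not
Red Canary's or Google's code; header name, payload shape and env vars are
assumptions."""
import hmac
import json
import os
import uuid
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, Optional, Tuple

PREFIX = "redcanary-logs"  # must match the prefix in the feed's Storage bucket URL
TOKEN_HEADER = "x-webhook-token"  # assumed header carrying a shared secret


def object_name(now: datetime, delivery_id: str) -> str:
    """Date-partitioned object path under the feed prefix, e.g.
    redcanary-logs/2024/05/01/20240501T120000Z-<id>.ndjson"""
    return f"{PREFIX}/{now:%Y/%m/%d}/{now:%Y%m%dT%H%M%SZ}-{delivery_id}.ndjson"


def to_ndjson(body: bytes) -> str:
    """Parse a delivery (one object or an array of objects) into one JSON
    document per line. Raises ValueError for anything else."""
    data = json.loads(body)  # JSONDecodeError is a ValueError
    events = data if isinstance(data, list) else [data]
    if not events or not all(isinstance(e, dict) for e in events):
        raise ValueError("payload must be a JSON object or non-empty array of objects")
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)


def handle_delivery(body: bytes, headers: Dict[str, str], secret: str,
                    write: Callable[[str, str], None],
                    now: Optional[datetime] = None) -> Tuple[int, str]:
    """Check the token, validate the body, write the object.
    Returns (HTTP status, detail); `write(path, data)` is injected so the
    logic runs without GCS. Header names are expected lower-cased."""
    token = headers.get(TOKEN_HEADER, "")
    # an empty configured secret is never accepted; compare in constant time
    if not secret or not hmac.compare_digest(token.encode(), secret.encode()):
        return 401, "bad or missing webhook token"
    try:
        ndjson = to_ndjson(body)
    except ValueError as exc:
        return 400, str(exc)
    path = object_name(now or datetime.now(timezone.utc), uuid.uuid4().hex)
    write(path, ndjson)
    return 200, path


def gcs_writer(bucket_name: str) -> Callable[[str, str], None]:
    """Writer backed by google-cloud-storage; imported lazily so the module
    loads (and tests run) without the library installed."""
    def write(path: str, data: str) -> None:
        from google.cloud import storage  # pip install google-cloud-storage
        blob = storage.Client().bucket(bucket_name).blob(path)
        blob.upload_from_string(data, content_type="application/x-ndjson")
    return write


class Handler(BaseHTTPRequestHandler):
    """Thin HTTP layer; Cloud Run supplies PORT, the rest comes from env vars."""
    secret = os.environ.get("WEBHOOK_TOKEN", "")
    write = staticmethod(gcs_writer(os.environ.get("BUCKET", "redcanary-edr-logs")))

    def do_POST(self) -> None:
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        headers = {k.lower(): v for k, v in self.headers.items()}
        status, detail = handle_delivery(body, headers, self.secret, self.write)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(detail.encode())


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", int(os.environ.get("PORT", "8080"))), Handler).serve_forever()
```

Deploy it with WEBHOOK_TOKEN and BUCKET set, and give the Cloud Run service's runtime service account permission to create objects in the bucket (for example the Storage Object Creator role) rather than broader access. If the service allows unauthenticated invocations so that Red Canary can reach it, the token check is the only thing standing between the internet and your bucket, so keep the token long, random and out of source control.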
Retrieve the Google SecOps service account
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Red Canary EDR Logs).
- Select Google Cloud Storage V2 as the Source type.
- Select Red Canary as the Log type.
- Click Get Service Account.
A unique service account email is displayed, for example:
chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com
Copy this email address for use in the next step.
Grant IAM permissions to the Google SecOps service account
The Google SecOps service account needs the Storage Object Viewer role (roles/storage.objectViewer) on your GCS bucket. Grant it on the bucket rather than on the project so the service account cannot read other buckets. This role only allows reading and listing objects; it does not include storage.objects.delete, so it is sufficient for the Never delete files source deletion option only. If you later choose a deletion option that removes transferred files, the service account also needs delete permission on the bucket.
- Go to Cloud Storage > Buckets.
- Click your bucket name (for example, redcanary-edr-logs).
- Go to the Permissions tab.
- Click Grant access.
- Provide the following configuration details:
  - Add principals: Paste the Google SecOps service account email (for example, chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com).
  - Assign roles: Select Storage Object Viewer.
- Click Save.
Configure the Google SecOps feed
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- Click Configure a single feed.
- In the Feed name field, enter a name for the feed (for example, Red Canary EDR Logs).
- Select Google Cloud Storage V2 as the Source type.
- Select Red Canary as the Log type.
- Click Next.
Specify values for the following input parameters:
- Storage bucket URL: Enter the GCS bucket URI, for example gs://redcanary-edr-logs/redcanary-logs/
  - Replace redcanary-edr-logs with your GCS bucket name.
  - Replace redcanary-logs with your configured prefix path (the object prefix under which the exported files are written).
- Source deletion option: Select the deletion option according to your preference:
  - Never delete files: Never deletes any files after transfers (recommended for testing).
  - Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
- Maximum File Age (Days): Include files modified in the last number of days (default is 180 days).
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| endpoint_status_label | about.labels | Merged |
| endpoint_type_label | about.labels | Merged |
| event_type_cd | about.labels | Mapped values (9 total, e.g. endpoint_metadata → endpoint_status_label, endpoint_metada... |
| is_telemetry_collection_enabled_label | about.labels | Merged |
| monitoring_status_label | about.labels | Merged |
| physical_memory_bytes_label | about.labels | Merged |
| process_standard_error_label | about.labels | Merged |
| process_standard_input_label | about.labels | Merged |
| process_standard_output_label | about.labels | Merged |
| remote_location_cd_label | about.labels | Merged |
| activity_at_ts | metadata.event_timestamp | Parsed as ISO8601 |
| registration_time | metadata.event_timestamp | Parsed as ISO8601 |
| event_type_cd | metadata.event_type | Mapped: endpoint_metadata → STATUS_HEARTBEAT, network_connection → NETWORK_CONNECTION... |
| event_type_cd | metadata.product_event_type | Renamed/mapped |
| sensor_product_ver | metadata.product_version | Renamed/mapped |
| direction_cd | network.direction | Renamed/mapped |
| protocol_cd | network.ip_protocol | Renamed/mapped |
| sensor_product_cd | observer.application | Renamed/mapped |
| sensor_id | observer.asset_id | Directly mapped |
| user_domain | principal.administrative_domain | Renamed/mapped |
| domain | principal.hostname | Renamed/mapped |
| host_name | principal.hostname | Renamed/mapped |
| hostname | principal.hostname | Renamed/mapped |
| event_type_cd | principal.ip | Mapped: endpoint_metadata → ips, network_connection → local_ip |
| ips | principal.ip | Merged |
| local_ip | principal.ip | Merged |
| mac_addresses | principal.mac | Renamed/mapped |
| endpoint_platform | principal.platform | Renamed/mapped |
| endpoint_operating_system | principal.platform_version | Renamed/mapped |
| local_port | principal.port | Renamed/mapped |
| user_name | principal.user.user_display_name | Renamed/mapped |
| user_uid | principal.user.userid | Renamed/mapped |
| process_name | target.application | Renamed/mapped |
| event_type_cd | target.ip | Mapped: network_connection → remote_ip |
| remote_ip | target.ip | Merged |
| remote_port | target.port | Renamed/mapped |
| process_command_line | target.process.command_line | Renamed/mapped |
| process_path | target.process.file.full_path | Renamed/mapped |
| process_md5 | target.process.file.md5 | Renamed/mapped |
| process_sha1 | target.process.file.sha1 | Renamed/mapped |
| process_sha256 | target.process.file.sha256 | Renamed/mapped |
| parent_process_command_line | target.process.parent_process.command_line | Renamed/mapped |
| parent_process_path | target.process.parent_process.file.full_path | Renamed/mapped |
| parent_process_md5 | target.process.parent_process.file.md5 | Renamed/mapped |
| parent_process_sha1 | target.process.parent_process.file.sha1 | Renamed/mapped |
| parent_process_sha256 | target.process.parent_process.file.sha256 | Renamed/mapped |
| parent_process_pid | target.process.parent_process.pid | Renamed/mapped |
| parent_process_native_id | target.process.parent_process.product_specific_process_id | Directly mapped |
| process_pid | target.process.pid | Renamed/mapped |
| process_native_id | target.process.product_specific_process_id | Directly mapped |
| N/A | metadata.event_type | Constant: STATUS_HEARTBEAT |
| N/A | metadata.product_name | Constant: EDR |
| N/A | metadata.vendor_name | Constant: REDCANARY |
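As an added example (not the Google SecOps parser, whose logic the table only summarizes), the following Python applies the rows shown above to constructed sample records, so you can check which UDM fields a raw Red Canary event will populate before writing detection rules against them. Rows the table truncates (the event_type_cd → about.labels values and any event types beyond the two listed) are not reproduced; the fallback to the constant STATUS_HEARTBEAT for an unlisted event type, the key/value shape of the label entries, and all sample field values are assumptions for the example.

```python
"""Apply the Red Canary -> UDM rows from the table above to raw records.
Added illustration, not the Google SecOps parser; only rows the table shows in
full are reproduced, and the sample records are constructed for the example."""
from datetime import datetime
from typing import Any, Dict, List, Optional

# event_type_cd -> metadata.event_type; the table truncates the list after these
# two, so an unlisted type falls back to the constant STATUS_HEARTBEAT row (assumption)
EVENT_TYPES = {"endpoint_metadata": "STATUS_HEARTBEAT", "network_connection": "NETWORK_CONNECTION"}
# raw field feeding principal.ip, chosen by event type
PRINCIPAL_IP_FIELD = {"endpoint_metadata": "ips", "network_connection": "local_ip"}
# *_label fields merged into about.labels, in table order
LABEL_FIELDS = ["endpoint_status_label", "endpoint_type_label",
                "is_telemetry_collection_enabled_label", "monitoring_status_label",
                "physical_memory_bytes_label", "process_standard_error_label",
                "process_standard_input_label", "process_standard_output_label",
                "remote_location_cd_label"]
# "Renamed/mapped" and "Directly mapped" rows: raw field -> dotted UDM path
RENAMES = {
    "sensor_product_ver": "metadata.product_version", "sensor_id": "observer.asset_id",
    "sensor_product_cd": "observer.application", "direction_cd": "network.direction",
    "protocol_cd": "network.ip_protocol", "user_domain": "principal.administrative_domain",
    # three raw names share one UDM field; the last one present in the record wins
    "domain": "principal.hostname", "host_name": "principal.hostname", "hostname": "principal.hostname",
    "mac_addresses": "principal.mac", "endpoint_platform": "principal.platform",
    "endpoint_operating_system": "principal.platform_version", "local_port": "principal.port",
    "user_name": "principal.user.user_display_name", "user_uid": "principal.user.userid",
    "process_name": "target.application", "remote_port": "target.port",
    "process_command_line": "target.process.command_line", "process_pid": "target.process.pid",
    "process_path": "target.process.file.full_path", "process_md5": "target.process.file.md5",
    "process_sha1": "target.process.file.sha1", "process_sha256": "target.process.file.sha256",
    "process_native_id": "target.process.product_specific_process_id",
    "parent_process_command_line": "target.process.parent_process.command_line",
    "parent_process_path": "target.process.parent_process.file.full_path",
    "parent_process_md5": "target.process.parent_process.file.md5",
    "parent_process_sha1": "target.process.parent_process.file.sha1",
    "parent_process_sha256": "target.process.parent_process.file.sha256",
    "parent_process_pid": "target.process.parent_process.pid",
    "parent_process_native_id": "target.process.parent_process.product_specific_process_id",
}


def set_path(udm: Dict[str, Any], path: str, value: Any) -> None:
    """Set a dotted UDM path, creating intermediate objects as needed."""
    keys = path.split(".")
    node = udm
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def get_path(udm: Dict[str, Any], path: str) -> Optional[Any]:
    """Read a dotted UDM path; None if any segment is missing."""
    node: Any = udm
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def to_udm(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Map one raw Red Canary record to a UDM-shaped dict following the table."""
    udm: Dict[str, Any] = {"metadata": {"vendor_name": "REDCANARY", "product_name": "EDR"}}
    event_type = raw.get("event_type_cd")
    set_path(udm, "metadata.event_type", EVENT_TYPES.get(event_type, "STATUS_HEARTBEAT"))
    if event_type:
        set_path(udm, "metadata.product_event_type", event_type)
    # either timestamp field, parsed as ISO 8601 (a trailing Z means UTC)
    ts = raw.get("activity_at_ts") or raw.get("registration_time")
    if ts:
        set_path(udm, "metadata.event_timestamp",
                 datetime.fromisoformat(ts.replace("Z", "+00:00")).isoformat())
    # principal.ip is fed by a different raw field per event type;
    # target.ip exists only for network connections
    ip_field = PRINCIPAL_IP_FIELD.get(event_type)
    if ip_field and raw.get(ip_field):
        set_path(udm, "principal.ip", as_list(raw[ip_field]))
    if event_type == "network_connection" and raw.get("remote_ip"):
        set_path(udm, "target.ip", as_list(raw["remote_ip"]))
    for field, path in RENAMES.items():
        if field in raw:
            set_path(udm, path, raw[field])
    labels = [{"key": f, "value": str(raw[f])} for f in LABEL_FIELDS if f in raw]
    if labels:
        set_path(udm, "about.labels", labels)
    return udm


# constructed sample records using the raw field names from the table
SAMPLE_CONNECTION = {
    "event_type_cd": "network_connection", "activity_at_ts": "2024-05-01T12:00:00Z",
    "hostname": "ws01", "user_name": "alice", "user_domain": "CORP",
    "local_ip": "10.0.0.5", "local_port": 51234, "remote_ip": "203.0.113.7", "remote_port": 443,
    "direction_cd": "outbound", "protocol_cd": "tcp", "process_name": "powershell.exe",
    "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "process_pid": 4242, "parent_process_path": "C:\\Windows\\explorer.exe", "parent_process_pid": 1200,
}
SAMPLE_HEARTBEAT = {
    "event_type_cd": "endpoint_metadata", "registration_time": "2024-04-30T08:15:00Z",
    "hostname": "ws01", "sensor_id": "abc123", "ips": ["10.0.0.5", "fe80::1"],
    "mac_addresses": ["00:11:22:33:44:55"], "endpoint_platform": "Windows",
    "endpoint_operating_system": "Windows 11", "endpoint_status_label": "active",
    "monitoring_status_label": "monitored",
}

if __name__ == "__main__":
    import json
    for record in (SAMPLE_CONNECTION, SAMPLE_HEARTBEAT):
        print(json.dumps(to_udm(record), indent=2))
```

The point worth noticing for rule authors is the event-type dependence: the same UDM field (principal.ip) is fed by ips on heartbeat records and by local_ip on connection records, and target.ip is only ever set for network_connection events, so a rule that keys on target.ip will never match endpoint metadata.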