This article leads you through the process of integrating Microsoft Defender for Cloud with Red Canary. Follow the procedure from beginning to end. 

Prerequisites

• You must have Azure Global Admin rights to upload and accept the Azure Resource Management (ARM) Template configuration, and add the required role assignments in Azure.

Step 1: Microsoft Azure–Locate your Microsoft Azure ID’s

Start the integration process by locating your Microsoft Azure IDs.

1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
2. In the search bar, type and then select Subscriptions.
3. Copy and save your Subscription ID. You’ll use this in a later step.
   
   
4. In the search bar, type and then select Tenant properties.
5. Copy and save your Tenant ID. You’ll use this in a later step.
   
   

Step 2: Red Canary–Input your Microsoft Azure ID information

Enter your Microsoft Azure ID information into Red Canary to connect your Microsoft security product to Red Canary.

1. From your Red Canary homepage, click Integrations.
   
2. From the Integrations section, locate and then click the security product you want to integrate with Red Canary.
   Note: If you do not see your security product listed, click See all integrations.
    
3. In the search bar, type and then select your third-party security source.
   
4. Continue onto the next step by configuring your third-party security source in Red Canary.
   Note: Your third-party security source may require that you contact Red Canary to configure.
   
5. Enter a Name for your external alert source.  
6. Select a Display Category.
7. Under the Ingest Format/Method dropdown, select Microsoft Defender for Cloud via API Poll.
8. Enter your Microsoft Subscription ID from Step 1.3. 
9. Enter your Microsoft Tenant ID from Step 1.5.
10. Click Save Configuration.
11. Click Edit Configuration.
12. Under the Permissions section, click the Microsoft consent link.
    

Step 3: Microsoft Azure–Add a Security Reader role assignment to Red Canary

To start sending security data for ingestion, grant Red Canary permission to read your Microsoft Azure telemetry.

1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
2. In the search bar, type and then select Subscriptions.
3. Click on your Microsoft Defender for Cloud subscription name.
4. Click Access Control (IAM).
5. Click +Add, and then click Add role assignment.
6. In the search bar, type and then select Security Reader.
   
   
7. Click Next.
8. From the Assign access to section, select User, group, or service principal.
9. Click Select Members.
10. In the search bar, type and then select Red Canary + Defender for Cloud.
    
    
11. Click Select.
12. To review your role assignment, click Next.
13. Click Review + assign.

Step 4: Microsoft Azure–Add a Security Admin role assignment to Red Canary

Grant Red Canary permission to read your Microsoft Defender for Cloud alerts and recommendations, and then update the alerts within Defender for Cloud.

1. In the search bar, type and then select Subscriptions.
2. Click on your Microsoft Defender for Cloud subscription name.
3. Click Access Control (IAM).
4. Click +Add, and then click Add role assignment.
5. In the search bar, type and then select Security Admin.
   
   
6. Click Next.
7. From the Assign access to section, select User, group, or service principal.
8. Click Select Members.
9. In the search bar, type and then select Red Canary + Defender for Cloud. (This enterprise application is created when you approve the consent link mentioned in Step 2.12).
   
   
10. Click Select.
11. To review your role assignment, click Next.
12. Click Review + assign.

Step 5: Microsoft Azure–Add a Managed Services Registration assignment Delete Role to Red Canary

Grant Red Canary permission to read your Microsoft Defender for Cloud alerts and recommendations, and then update the alerts within Defender for Cloud.

1. In the search bar, type and then select Subscriptions.
2. Click on your Microsoft Defender for Cloud subscription name.
3. Click Access Control (IAM).
4. Click +Add, and then click Add role assignment.
5. In the search bar, type and then select Managed Services Registration assignment Delete Role.
   
6. Click Next.
7. From the Assign access to section, select User, group, or service principal.
8. Click Select Members.
9. In the search bar, type and then select Red Canary + Defender for Cloud. (The enterprise application is created when you approve the consent link mentioned in Step 2.12).
   
10. Click Select.
11. To review your role assignment, click Next.
12. Click Review + assign.

Step 6: Red Canary–Activate your Microsoft Defender for Cloud alert source

Enable your new Microsoft Defender for Cloud source in Red Canary.

1. From your Red Canary homepage, click Integrations.
   
2. Scroll down, and then select your third-party security source.
3. Click Edit Configuration.
4. With all of the required permission settings completed, select Confirm Microsoft Microsoft Defender for Cloud API Access Granted.
   
   
5. Click Save Configuration.
6. Click Edit Configuration.
7. Click Activate. 

Step 7: Microsoft Azure–Deploy an ARM template

Deploy the Red Canary provided ARM template in Azure to enable Red Canary to have the right permissions in your Azure tenant.

1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
2. In the search bar, type and then select Service providers.
3. Click Service Provider Offers.
   
   
4. Click +Add offer, and then click Add via template.
5. Upload the Red Canary provided ARM Template, and then click Upload.
   
   
6. From the Subscription dropdown, select the subscription that your Defender for Cloud instance resides in.
7. From the Region dropdown, select the region in which your Defender for Cloud instance is deployed.
   
   
8. Click Next: Review + create >.
9. Click Create.