This article leads you through the process of integrating Microsoft Defender for Cloud with Red Canary. Follow the procedure from beginning to end.
Prerequisites
- You must have Azure Global Admin rights to upload and accept the Azure Resource Management (ARM) Template configuration, and add the required role assignments in Azure.
Step 1: Microsoft Azure–Locate your Microsoft Azure IDs
Start the integration process by locating your Microsoft Azure IDs.
- Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.
- In the search bar, type and then select Subscriptions.
- Copy and save your Subscription ID. You’ll use this in a later step.
- In the search bar, type and then select Tenant properties.
- Copy and save your Tenant ID. You’ll use this in a later step.
Step 2: Red Canary–Input your Microsoft Azure ID information
Enter your Microsoft Azure ID information into Red Canary to connect your Microsoft security product to Red Canary.
- From the Red Canary homepage, click Integrations, and then click Alert Sources.
- In the search bar, type and then select Microsoft Defender for Cloud.
- To configure your new alert source, scroll down and then click Microsoft Defender for Cloud.
- Click Edit Configuration.
- Enter a Name for your external alert source.
- Select a Display Category.
- Under the Ingest Format/Method dropdown, select Microsoft Defender for Cloud via API Poll.
- Enter your Microsoft Subscription ID from Step 1.3.
- Enter your Microsoft Tenant ID from Step 1.5.
- Click Save Configuration.
- Click Edit Configuration.
- Under the Permissions section, click the Microsoft consent link.
Step 3: Microsoft Azure–Add a Security Reader role assignment to Red Canary
To start sending security data for ingestion, grant Red Canary permission to read your Microsoft Azure telemetry.
- Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.
- In the search bar, type and then select Subscriptions.
- Click on your Microsoft Defender for Cloud subscription name.
- Click Access Control (IAM).
- Click +Add, and then click Add role assignment.
- In the search bar, type and then select Security Reader.
- Click Next.
- From the Assign access to section, select User, group, or service principal.
- Click Select Members.
- In the search bar, type and then select Red Canary + Defender for Cloud.
- Click Select.
- To review your role assignment, click Next.
- Click Review + assign.
Step 4: Microsoft Azure–Add a Security Admin role assignment to Red Canary
Grant Red Canary permission to read your Microsoft Defender for Cloud alerts and recommendations, and then update the alerts within Defender for Cloud.
- In the search bar, type and then select Subscriptions.
- Click on your Microsoft Defender for Cloud subscription name.
- Click Access Control (IAM).
- Click +Add, and then click Add role assignment.
- In the search bar, type and then select Security Admin.
- Click Next.
- From the Assign access to section, select User, group, or service principal.
- Click Select Members.
- In the search bar, type and then select Red Canary + Defender for Cloud. (This enterprise application is created when you approve the consent link mentioned in Step 2.12).
- Click Select.
- To review your role assignment, click Next.
- Click Review + assign.
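As an added check after Steps 3 and 4 (example code, not part of Red Canary's article or tooling): confirm that the Red Canary + Defender for Cloud service principal holds exactly Security Reader and Security Admin at the subscription scope, with nothing broader and nothing on a narrower scope. The input shape assumes the fields that `az role assignment list -o json` returns; the GUIDs and assignments below are constructed placeholders.

```python
"""Verify the Security Reader and Security Admin assignments from Steps 3 and 4
for the Red Canary service principal, on constructed sample data shaped like
`az role assignment list -o json` output (field names are an assumption)."""

# Roles the integration is documented to need, both at subscription scope.
REQUIRED_ROLES = {"Security Reader", "Security Admin"}
# Roles that grant far more than reading and updating alerts; flag if present.
OVERPRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

def check_role_assignments(assignments, subscription_id, principal_id):
    """Return findings: roles missing at subscription scope, roles beyond the
    two required, over-privileged roles, and assignments at any other scope."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()  # scopes are case-insensitive
    roles_at_sub, wrong_scope = set(), []
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue  # belongs to some other user, group or service principal
        role, scope = a["roleDefinitionName"], a["scope"]
        if scope.lower() == sub_scope:
            roles_at_sub.add(role)
        else:
            # A resource-group scope is too narrow for subscription-wide polling;
            # a management-group scope grants more than this subscription.
            wrong_scope.append((role, scope))
    return {
        "missing": sorted(REQUIRED_ROLES - roles_at_sub),
        "unexpected": sorted(roles_at_sub - REQUIRED_ROLES),
        "overprivileged": sorted(roles_at_sub & OVERPRIVILEGED_ROLES),
        "wrong_scope": wrong_scope,
    }

# Constructed sample (placeholder GUIDs): Security Reader is correct, Security
# Admin landed on a resource group by mistake, and Contributor was added too.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ASSIGNMENTS = [
    {"principalId": SAMPLE_PRINCIPAL_ID, "roleDefinitionName": "Security Reader",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    {"principalId": SAMPLE_PRINCIPAL_ID, "roleDefinitionName": "Security Admin",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-sec"},
    {"principalId": SAMPLE_PRINCIPAL_ID, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    {"principalId": "22222222-2222-2222-2222-222222222222",  # some other principal
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
]

if __name__ == "__main__":
    print(check_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION, SAMPLE_PRINCIPAL_ID))
```

An empty result in every field means the two assignments match what Steps 3 and 4 describe; anything in "wrong_scope" or "overprivileged" is worth fixing before activating the alert source.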
Step 5: Red Canary–Activate your Microsoft Defender for Cloud alert source
Enable your new Microsoft Defender for Cloud source in Red Canary.
- From the Red Canary homepage, click Integrations, and then click Alert Sources.
- Click Microsoft Defender for Cloud.
- Click Edit Configuration.
- With all of the required permission settings completed, select Confirm Microsoft Defender for Cloud API Access Granted.
- Click Save Configuration.
- Click Edit Configuration.
- Click Activate.
Step 6: Microsoft Azure–Deploy an ARM template
Deploy the ARM template provided by Red Canary in Azure so that Red Canary has the required permissions in your Azure tenant.
- Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.
- In the search bar, type and then select Service providers.
- Click Service Provider Offers.
- Click +Add offer, and then click Add via template.
- Upload the ARM template provided by Red Canary, and then click Upload.
- From the Subscription dropdown, select the subscription that your Defender for Cloud instance resides in.
- From the Region dropdown, select the region in which your Defender for Cloud instance is deployed.
- Click Next: Review + create >.
- Click Create.