Skip to main content
Red Canary help

Integrate Microsoft Defender for Cloud with Red Canary

  • Updated .

This article leads you through the process of integrating Microsoft Defender for Cloud with Red Canary. Follow the procedure from beginning to end. 

Prerequisites

Step 1: Microsoft Azure–Locate your Microsoft Azure ID’s

Start the integration process by locating your Microsoft Azure ID’s.

  1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
  2. In the search bar, type and then select Subscriptions.
  3. Copy and save your Subscription ID. You’ll use this in a later step.
    1.png
  4. In the search bar, type and then select Tenant properties.
  5. Copy and save your Tenant ID. You’ll use this in a later step.
    2.png

Step 2: Red Canary–Input your Microsoft Azure ID information

Enter your Microsoft Azure ID information into Red Canary to connect your Microsoft security product to Red Canary.

  1. From the Red Canary homepage, click Integrations, and then click Alert Sources.
  2. In the search bar, type and then select Microsoft Defender for Cloud.
    3.png
  3. To configure your new alert source, scroll down and then click Microsoft Defender for Cloud.
  4. Click Edit Configuration
  5. Enter a Name for your external alert source.  
  6. Select a Display Category.
  7. Under the Ingest Format/Method dropdown, select Microsoft Defender for Cloud via API Poll.
  8. Enter your Microsoft Subscription ID from Step 1.3
  9. Enter your Microsoft Tenant ID from Step 1.5.
  10. Click Save Configuration.
  11. Click Edit Configuration.
  12. Under the Permissions section, click the Microsoft consent link.
    4.png

Step 3: Microsoft Azure–Add a Security Reader role assignment to Red Canary

To start sending security data for ingestion, grant Red Canary permission to read your Microsoft Azure telemetry.

  1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
  2. In the search bar, type and then select Subscriptions.
  3. Click on your Microsoft Defender for Cloud subscription name.
  4. Click Access Control (IAM).
  5. Click +Add, and then click Add role assignment.
  6. In the search bar, type and then select Security Reader.
    6.png
  7. Click Next.
  8. From the Assign access to section, select User, group, or service principal.
  9. Click Select Members.
  10. In the search bar, type and then select Red Canary + Defender for Cloud.
    7.png
  11. Click Select.
  12. To review your role assignment, click Next.
  13. Click Review + assign.

Step 4: Microsoft Azure–Add a Security Admin role assignment to Red Canary

Grant Red Canary permission to read your Microsoft Defender for Cloud alerts and recommendations, and then update the alerts within Defender for Cloud.

  1. In the search bar, type and then select Subscriptions.
  2. Click on your Microsoft Defender for Cloud subscription name.
  3. Click Access Control (IAM).
  4. Click +Add, and then click Add role assignment.
  5. In the search bar, type and then select Security Admin.
    8.png
  6. Click Next.
  7. From the Assign access to section, select User, group, or service principal.
  8. Click Select Members.
  9. In the search bar, type and then select Red Canary + Defender for Cloud. (This enterprise application is created when you approve the consent link mentioned in Step 2.12).
    9.png
  10. Click Select.
  11. To review your role assignment, click Next.
  12. Click Review + assign.

Step 5: Red Canary–Activate your Microsoft Defender for Cloud alert source

Enable your new Microsoft Defender for Cloud source in Red Canary.

  1. From the Red Canary homepage, click Integrations, and then click Alert Sources.
  2. Click Microsoft Defender for Cloud.
  3. Click Edit Configuration.
  4. With all of the required permission settings completed, select Confirm Microsoft Microsoft Defender for Cloud API Access Granted.
    10.png
  5. Click Save Configuration.
  6. Click Edit Configuration.
  7. Click Activate

Step 6: Microsoft Azure–Deploy an ARM template

Deploy the Red Canary provided ARM template in Azure to enable Red Canary to have the right permissions in your Azure tenant.

  1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
  2. In the search bar, type and then select Service providers.
  3. Click Service Provider Offers.
    11.png
  4. Click +Add offer, and then click Add via template.
  5. Upload the Red Canary provided ARM Template, and then click Upload.
    12.png
  6. From the Subscription dropdown, select the subscription that your Defender for Cloud instance resides in.
  7. From the Region dropdown, select the region in which your Defender for Cloud instance is deployed.
    13.png
  8. Click Next: Review + create >.
  9. Click Create.

Comments

0 comments

Please sign in to leave a comment.