This article leads you through the process of integrating Microsoft Sentinel with Red Canary. Follow the procedure from beginning to end.
Prerequisites
- From your Azure environment, locate the following data points to configure your Red Canary source platform:
  - Azure Tenant ID
  - Azure Subscription ID
  - Sentinel Resource Group Name
  - Sentinel Workspace Name
  - Log Analytics Workspace ID
- You must have Azure Global Admin rights to upload and accept the Azure Resource Manager (ARM) template configuration and to add the required role assignments in Azure.
Step 1: Microsoft Azure–Locate your Microsoft Azure IDs
Start the integration process by locating your Microsoft Azure IDs.
1. Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.
2. In the search bar, type and then select Tenant properties.
3. Copy and save your Tenant ID. You’ll use this in a later step.
4. In the search bar, type and then select Subscriptions.
5. Copy and save your Subscription ID. You’ll use this in a later step.
6. Click on your subscription name.
7. Select your Log Analytics workspace, then copy and save your Workspace ID. You’ll use this in a later step.
8. In the search bar, type and then select Resource Groups.
9. Copy and save the Resource Group Name you’re setting up a subscription for. You’ll use this in a later step.
10. In the search bar, type and then select Workspaces.
11. Copy and save the Workspace Name you’re setting up a subscription for. You’ll use this in a later step.
Step 2: Red Canary–Input your Microsoft Azure information
Enter your Microsoft Azure information into Red Canary to start sending your alerts.
1. From your Red Canary homepage, click Integrations.
2. From the Integrations section, locate and then click the security product you want to integrate with Red Canary.
   Note: If you do not see your security product listed, click See all integrations.
3. In the search bar, type and then select your third-party security source.
4. Continue to the next step by configuring your third-party security source in Red Canary.
   Note: Your third-party security source may require that you contact Red Canary to configure it.
5. Enter a Name for your external alert source.
6. Select a Display Category.
7. Under the Ingest Format/Method dropdown, select Microsoft Azure Sentinel via API Poll.
8. Enter your Microsoft Azure Tenant ID from Step 1.3.
9. Enter your Microsoft Azure Subscription ID from Step 1.5.
10. Enter your Microsoft Sentinel Resource Group Name from Step 1.9.
11. Enter your Microsoft Sentinel Workspace Name from Step 1.11.
12. Enter your Microsoft Log Analytics Workspace ID from Step 1.7.
13. Click Save Configuration.
14. Click Edit Configuration.
15. Under the Permissions section, click the Azure consent link.
Step 3: Microsoft Azure–Confirm that Red Canary has been configured in Azure
Confirm that the Red Canary enterprise application has been configured in your Azure Active Directory.
1. Log in to the Microsoft Azure account you want to integrate with Red Canary.
2. Click Accept.
3. Log in to your Microsoft Azure account again.
Step 4: Microsoft Azure–Add a Security Reader role assignment to Red Canary
Grant Red Canary permission to read your Microsoft Azure telemetry so it can start sending security data for ingestion.
1. In the search bar, type and then select Subscriptions.
2. Click on your Azure Sentinel subscription name.
3. Click Access Control (IAM).
4. Click +Add, and then click Add role assignment.
5. In the search bar, type and then select Security Reader.
6. Click Next.
7. From the Assign access to section, select User, group, or service principal.
8. Click Select Members.
9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
10. Click Select.
11. To review your role assignment, click Next.
12. Click Review + assign.
Step 5: Microsoft Azure–Add a Log Analytics Contributor role assignment to Red Canary
Grant Red Canary permission to read and analyze your Microsoft Azure telemetry so it can start sending security data for ingestion.
1. In the search bar, type and then select Subscriptions.
2. Click on your Azure Sentinel subscription name.
3. Click Access Control (IAM).
4. Click +Add, and then click Add role assignment.
5. In the search bar, type and then select Log Analytics Contributor.
6. Click Next.
7. From the Assign access to section, select User, group, or service principal.
8. Click Select Members.
9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
10. Click Select.
11. To review your role assignment, click Next.
12. Click Review + assign.
Step 6: Microsoft Azure–Add a Sentinel Responder role assignment to Red Canary
Grant Red Canary permission to edit data and incidents, and to manage incidents, in Microsoft Azure.
1. In the search bar, type and then select Subscriptions.
2. Click on your Azure Sentinel subscription name.
3. Click Access Control (IAM).
4. Click +Add, and then click Add role assignment.
5. In the search bar, type and then select Sentinel Responder.
6. Click Next.
7. From the Assign access to section, select User, group, or service principal.
8. Click Select Members.
9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
10. Click Select.
11. To review your role assignment, click Next.
12. Click Review + assign.
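Before moving on to Step 7, it is worth confirming that all three role assignments from Steps 4 to 6 landed on the right principal at subscription scope, and that the principal holds nothing beyond them. The following script is an added example, not code from Red Canary or from this article. It reads the JSON produced by `az role assignment list --all -o json` (the `principalName`, `roleDefinitionName` and `scope` fields) and classifies the poller's roles as present, missing, scoped too narrowly, or extra. The role names and the principal display name come from the steps above; the subscription ID and the assignment records are constructed placeholders, and "Sentinel Responder" is matched by suffix because the built-in role was renamed from "Azure Sentinel Responder" to "Microsoft Sentinel Responder".

```python
"""Verify the role assignments from Steps 4-6 for the Red Canary poller principal.

Added example, not part of the Red Canary documentation. It parses the JSON that
`az role assignment list --all -o json` returns (fields principalName,
roleDefinitionName, scope) and reports which of the three required roles are
present at subscription scope, which are missing or scoped too narrowly, and
which additional roles the principal holds beyond what the integration needs.
The sample data below is constructed for illustration.
"""
import json

# Display name of the enterprise application created by the Azure consent step (Step 2).
POLLER_PRINCIPAL = "Red Canary + Azure Sentinel API Poller"

# Roles the guide assigns at subscription scope. "Sentinel Responder" is matched
# by suffix because the built-in role was renamed from "Azure Sentinel Responder"
# to "Microsoft Sentinel Responder".
REQUIRED_ROLES = ("Security Reader", "Log Analytics Contributor", "Sentinel Responder")

# Constructed placeholder; substitute the Subscription ID saved in Step 1.5.
SAMPLE_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample in the shape of `az role assignment list --all -o json`:
# Security Reader is correct, Log Analytics Contributor was assigned at resource
# group scope instead of the subscription, Sentinel Responder was given to the
# wrong principal, and an unneeded Contributor role was added to the poller.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": POLLER_PRINCIPAL, "roleDefinitionName": "Security Reader",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION_ID}"},
    {"principalName": POLLER_PRINCIPAL, "roleDefinitionName": "Log Analytics Contributor",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION_ID}/resourceGroups/rg-sentinel"},
    {"principalName": "Contoso Ops", "roleDefinitionName": "Microsoft Sentinel Responder",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION_ID}"},
    {"principalName": POLLER_PRINCIPAL, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION_ID}"},
])


def _matches(required: str, assigned: str) -> bool:
    """Case-insensitive suffix match so renamed built-in roles still count."""
    return assigned.strip().lower().endswith(required.lower())


def check_poller_roles(assignments_json: str, subscription_id: str,
                       principal_name: str = POLLER_PRINCIPAL) -> dict:
    """Classify the principal's roles as present, missing, wrong_scope or extra."""
    expected_scope = f"/subscriptions/{subscription_id}".lower()
    present, wrong_scope, extra = set(), set(), set()
    for entry in json.loads(assignments_json):
        if entry.get("principalName") != principal_name:
            continue  # assignments for other principals are irrelevant here
        role = entry.get("roleDefinitionName", "")
        scope = entry.get("scope", "").lower()
        required = next((r for r in REQUIRED_ROLES if _matches(r, role)), None)
        if required is None:
            extra.add(role)  # more than the integration needs: review against least privilege
        elif scope == expected_scope:
            present.add(required)
        else:
            # Assignments at management-group scope are inherited but not recognised
            # here; assignments below the subscription (e.g. a resource group) are too narrow.
            wrong_scope.add(required)
    return {
        "present": [r for r in REQUIRED_ROLES if r in present],
        "missing": [r for r in REQUIRED_ROLES if r not in present],
        "wrong_scope": [r for r in REQUIRED_ROLES if r in wrong_scope and r not in present],
        "extra": sorted(extra),
    }


if __name__ == "__main__":
    report = check_poller_roles(SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION_ID)
    for key, roles in report.items():
        print(f"{key:>11}: {', '.join(roles) or '-'}")
```

Against the constructed sample the script reports Security Reader as present, Log Analytics Contributor and Sentinel Responder as missing (the former also flagged as assigned at the wrong scope), and Contributor as an extra role that the integration does not call for. Run it against real output by replacing `SAMPLE_ASSIGNMENTS` with the saved `az` JSON and `SAMPLE_SUBSCRIPTION_ID` with the value from Step 1.5.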
Step 7: Red Canary–Activate your Microsoft Azure Sentinel alert source
Enable your new Microsoft Azure Sentinel alert source in Red Canary.
1. From your Red Canary homepage, click Integrations.
2. Scroll down, and then select your third-party security source.
3. Click Edit Configuration.
4. With all of the required permission settings completed, select Confirm Microsoft Sentinel API Access Granted.
5. Click Save Configuration.
6. Click Edit Configuration.
7. Click Activate.
Step 8: Microsoft Azure–Deploy an ARM template
Deploy the ARM template provided by Red Canary in Azure so that Red Canary has the right permissions in your Azure tenant.
1. Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.
2. In the search bar, type and then select Service providers.
3. Click Service Provider Offers.
4. Click +Add offer, and then click Add via template.
5. Upload the ARM template provided by Red Canary, and then click Upload.
6. From the Subscription dropdown, select the subscription that your Sentinel instance resides in.
7. From the Region dropdown, select the region your Sentinel instance is deployed in.
8. Click Next: Review + create >.
9. Click Create.