Skip to main content
Red Canary help

Integrate Microsoft Sentinel with Red Canary

  • Updated .

This article leads you through the process of integrating Microsoft Sentinel with Red Canary. Follow the procedure from beginning to end. 

Prerequisites

  • From your Azure environment, locate the following data points to configure your Red Canary source platform:
    • Azure Tenant ID
    • Azure Subscription ID
    • Sentinel Resource Group Name
    • Sentinel Workspace Name
    • Log Analytics Workspace ID
  • You must have Azure Global Admin rights to upload and accept the Azure Resource Management (ARM) Template configuration and add the required role assignments in Azure.

Step 1: Microsoft Azure–Locate your Microsoft Azure IDs

Start the integration process by locating your Microsoft Azure IDs.

  1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
  2. In the search bar, type and then select Tenant properties.
  3. Copy and save your Tenant ID. You’ll use this in a later step.
    1.png
  4. In the search bar, type and then select Subscriptions.
  5. Copy and save your Subscription ID. You’ll use this in a later step.
    2.png
  6. Click on your subscription name.
  7. Select your log analytics workspace ID, copy and save your workspace ID. You’ll use this in a later step.
  8. In the search bar, type and then select Resource Groups.
  9. Copy and save the Resource Group Name your setting up a subscription for. You’ll use this in a later step.
  10. In the search bar, type and then select Workspaces.
  11. Copy and save the Workspace Name you're setting up a subscription for. You’ll use this in a later step.

Step 2: Red Canary–Input your Microsoft Azure information

Enter your Microsoft Azure information into Red Canary to start sending your alerts.

  1. From your Red Canary homepage, click Integrations.
  2. From the Integrations section, locate and then click the security product you want to integrate with Red Canary.
    Note: If you do not see your security product listed, click See all integrations.
     
  3. In the search bar, type and then select your third-party security source.
  4. Continue onto the next step by configuring your third-party security source in Red Canary.
    Note: Your third-party security source may require that you contact Red Canary to configure.
  5. Enter a Name for your external alert source.  
  6. Select a Display Category.
  7. Under the Ingest Format/Method dropdown, select Microsoft Azure Sentinel via API Poll.
  8. Enter your Microsoft Azure Tenant ID from Step 1.3.
  9. Enter your Microsoft Azure Subscription ID from Step 1.5.
  10. Enter your Microsoft Sentinel Resource Group Name from Step 1.9.
  11. Enter your Microsoft Sentinel Workspace Name from Step 1.11.
  12. Enter your Microsoft Log Analytics Workspace ID from Step 1.7.
  13. Click Save Configuration.
  14. Click Edit Configuration.
  15. Under the Permissions section, click the Azure consent link.
    Click_here.png

Step 3: Microsoft Azure–Confirm that Red Canary has been configured in Azure

Confirm that the Red Canary enterprise application has been configured in your Azure Active Directory.

  1. Login to the Microsoft Azure account you want to integrate with Red Canary.
  2. Click Accept.
    5.png
  3. Login into your Microsoft Azure account again.

Step 4: Microsoft Azure–Add a Security Reader role assignment to Red Canary

Grant Red Canary permission to read your Microsoft azure telemetry to start sending security data for ingestion. 

  1. In the search bar, type and then select Subscriptions.
  2. Click on your Azure Sentinel subscription name.
  3. Click Access Control (IAM).
  4. Click +Add, and then click Add role assignment.
  5. In the search bar, type and then select Security Reader.
  6. Click Next.
  7. From the Assign access to section, select User, group, or service principal.
  8. Click Select Members.
  9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
    Reader.png
  10. Click Select.
  11. To review your role assignment, click Next.
  12. Click Review + assign.

Step 5: Microsoft Azure–Add a Log Analytics Contributor role assignment to Red Canary

Grant Red Canary permission to read and analyze your Microsoft Azure telemetry to start sending security data for ingestion. 

  1. In the search bar, type and then select Subscriptions.
  2. Click on your Azure Sentinel subscription name.
  3. Click Access Control (IAM).
  4. Click +Add, and then click Add role assignment.
  5. In the search bar, type and then select Log Analytics Contributor.
  6. Click Next.
  7. From the Assign access to section, select User, group, or service principal.
  8. Click Select Members.
  9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
    Contributor.png
  10. Click Select.
  11. To review your role assignment, click Next.
  12. Click Review + assign.

Step 6: Microsoft Azure–Add a Sentinel Responder role assignment to Red Canary

Grant Red Canary permission to edit data, incidents, and manage incidents in Microsoft Azure. 

  1. In the search bar, type and then select Subscriptions.
  2. Click on your Azure Sentinel subscription name.
  3. Click Access Control (IAM).
  4. Click +Add, and then click Add role assignment.
  5. In the search bar, type and then select Sentinel Responder.
  6. Click Next.
  7. From the Assign access to section, select User, group, or service principal.
  8. Click Select Members.
  9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
    Responder.png
  10. Click Select.
  11. To review your role assignment, click Next.
  12. Click Review + assign.

Step 7: Red Canary–Activate your Microsoft Azure Sentinel alert source

Enable your new Microsoft Azure Sentinel alert source in Red Canary.

  1. From your Red Canary homepage, click Integrations.
  2. Scroll down, and then select your third-party security source.
  3. Click Edit Configuration.
  4. With all of the required permission settings completed, select Confirm Microsoft Sentinel API Access Granted.
    7.4.png
  5. Click Save Configuration.
  6. Click Edit Configuration.
  7. Click Activate

Step 8: Microsoft Azure–Deploy an ARM template

Deploy the Red Canary provided ARM template in Azure to enable Red Canary to have the right permissions in your Azure tenant.

  1. Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
  2. In the search bar, type and then select Service providers.
  3. Click Service Provider Offers.
    9.png
  4. Click +Add offer, and then click Add via template.
  5. Upload the Red Canary provided ARM Template, and then click Upload.
    10.png
  6. From the Subscription dropdown, select the subscription that your Sentinel instance resides in.
  7. From the region dropdown, select the region your Sentinel instance is deployed in.
    11.png
  8. Click Next: Review + create >.
  9. Click Create.

Comments

0 comments

Please sign in to leave a comment.