Connecting your Microsoft Threat Protection deployment to Red Canary consists of three steps:
- Set up data export from your Microsoft Defender ATP instance to Red Canary’s Azure event hub. This configuration instructs the Microsoft Defender ATP platform to begin sending your telemetry to Red Canary for processing.
- Grant Red Canary permissions to your Microsoft Defender ATP API. This enables the Red Canary platform to retrieve alerts, process endpoint metadata, and orchestrate actions on endpoints.
- Grant your Red Canary incident handlers read-only access to your Microsoft Defender ATP console. This enables your incident handler to perform ad-hoc hunting and investigation of potential threats in your environment.
Setting up a Red Canary onboarding account
Before beginning the onboarding process, you need to provide Red Canary with the name and email address for an account with Global Administrator privileges within your Azure organization. If you do not have a Global Administrator account to use for onboarding, please follow the instructions below.
To set up the onboarding account:
- Log into your Azure tenant at https://portal.azure.com.
- Follow the steps listed in Microsoft's Azure user creation documentation here.
- Assign Global Administrator to the new user using the Microsoft assign role documentation here.
- Confirm that permissions are correct by logging into Azure, searching for Users and validating that the user belongs to the Global Administrators role.
- Red Canary will invite this user as a Guest User in the Red Canary Azure tenant.
- The user will receive an email with an invitation to accept access permissions.
Setting up data export
In this step, you will set up data export from your Microsoft Defender ATP instance to Red Canary’s Azure event hub. This configuration instructs the Microsoft Defender ATP platform to begin sending your telemetry to Red Canary for processing.
To set up data export:
- Log into your Microsoft Defender ATP Security Center using the Global Administrator account that has been granted access to the Red Canary Azure tenant.
- Navigate to Partners & APIs → Data export settings.
- Click + Add data export settings.
- Choose a name for the new data export settings, such as red-canary-data-export.
- Click Forward events to Azure Event Hub.
Fill in the following values:
- Event-Hub Resource Id: test-event-hub-resource-id-string
- Event Hub Name: test-event-hub-name
- Ensure that all Event types are selected.
- Click Save.
Granting permissions to your Microsoft Defender ATP API
In this step, you will grant Red Canary permissions to your Microsoft Defender ATP API. This enables the Red Canary platform to retrieve alerts, process endpoint metadata, and orchestrate actions on endpoints.
To grant permissions to your Microsoft Defender ATP API:
- While logged in as a Global Administrator, approve permissions for Red Canary API integration by clicking this link: https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=69561a74-a59d-43f4-a113-8bc2da00f822&response_type=code&sso_reload=true
Granting Red Canary analysts read-only access to your Microsoft Defender ATP console
In this step you will grant your Red Canary incident handlers read-only access to your Microsoft Defender ATP console. This enables your incident handler to perform ad-hoc hunting and investigation of potential threats in your environment.
To grant Red Canary analysts read-only access:
- Log into your Azure portal (https://portal.azure.com/) with administrator privileges.
- Navigate to the Azure Active Directory blade within your Azure Portal. (https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview)
Navigate to Groups and add a + New Group with the following settings:
- Group type: Security
- Group name: red-canary
- Group description: (optional)
- Membership type: Assigned
- Navigate to Users and add a + New guest user.
Complete the following step for each Red Canary user requiring access:
- Cordell BaanHofman (email@example.com)
- Julie Brown (firstname.lastname@example.org)
- Matt Tanous (email@example.com)
Choose Invite User and add the information below provided by your Red Canary team:
- Name: [see Step 5]
- Email address: [see Step 5]
- First name: (optional)
- Last name: (optional)
- Personal Message: (optional)
- Block sign in: No
- Usage location: (blank)
- Job title: (blank)
- Click the Invite button to send the invitation. Repeat the previous step for all accounts.
- Log into the Microsoft Defender ATP Portal (https://securitycenter.windows.com) with a Global Admin role.
- Navigate to Settings → Permissions → Roles.
- Select + Add Role.
Navigate to General and add the information below:
- Role Name:
- Description: Red Canary read-only access to view alerts and investigate events.
- Permissions: Select “View Data”, “Security operations”, and “Threat and vulnerability management.” Deselect all other permissions.
- Navigate to Assigned user Groups.
- Select the red-canary group previously created in Azure AD. Add that group to “Azure AD user groups with this role” and click Save.
To grant Red Canary users permission to view all machine groups in your environment:
- Navigate to Settings → Permissions → Machine groups.
- Click on the first machine group name and navigate to User access.
- Select the checkbox to grant access to the red-canary group.
- Repeat the previous step for all machine groups.
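Once the API consent and the guest-user group are in place, it is worth confirming from your own tenant what was actually granted. The script below is an added example (not Red Canary's or Microsoft's code) that uses Microsoft Graph to do two checks: it looks up the service principal for the client_id in the consent link above and lists the application permissions assigned to it, and it audits the red-canary security group so that only the expected guest accounts are members. The allowlist, the sample permission values (Alert.Read.All, Machine.Isolate), the resource display name and the sample responses are constructed for illustration; the permissions Red Canary actually receives are the ones shown on the consent prompt. The Graph scopes named for live mode (Application.Read.All, GroupMember.Read.All) are my assumption about what the token needs.

```python
"""Post-onboarding checks for the Red Canary / Microsoft Defender ATP integration.

Added example, not Red Canary's or Microsoft's code. Live mode needs a Microsoft
Graph bearer token in GRAPH_TOKEN; without one, constructed samples are audited.
"""
import json
import os
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
RED_CANARY_APP_ID = "69561a74-a59d-43f4-a113-8bc2da00f822"  # client_id in the consent link
GROUP_NAME = "red-canary"                                    # security group created above
# Assumed allowlist: the guest accounts your Red Canary team asked you to invite
# (the page's placeholder addresses are used here).
EXPECTED_GUESTS = {"email@example.com", "firstname.lastname@example.org"}


def graph_get(path, token):
    """GET one Graph resource (path relative to GRAPH) and return the JSON body."""
    req = urllib.request.Request(GRAPH + path, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def graph_list(path, token):
    """GET a Graph collection and return every item, following @odata.nextLink pages."""
    items, body = [], graph_get(path, token)
    while True:
        items.extend(body.get("value", []))
        nxt = body.get("@odata.nextLink")
        if not nxt:
            return items
        body = graph_get(nxt[len(GRAPH):], token)


def odata_filter(expr):
    """Build a percent-encoded ?$filter= query string."""
    return "?" + urllib.parse.urlencode({"$filter": expr}, quote_via=urllib.parse.quote)


def granted_permissions(assignments, resource_app_roles):
    """Resolve appRoleAssignments to readable permission names.

    assignments: items from /servicePrincipals/{id}/appRoleAssignments.
    resource_app_roles: {resourceId: {appRoleId: permissionValue}} built from each
    resource service principal's appRoles. Returns sorted "<resource>: <permission>".
    """
    out = []
    for a in assignments:
        name = resource_app_roles.get(a["resourceId"], {}).get(
            a["appRoleId"], "UNKNOWN appRoleId " + a["appRoleId"])
        out.append(f"{a.get('resourceDisplayName', a['resourceId'])}: {name}")
    return sorted(out)


def audit_group_members(members, expected_guests):
    """Compare the group's members with the allowlist.

    members: user objects carrying 'mail' and 'userType'. Returns
    {'unexpected': members that are not Guests or not on the list,
     'missing': expected guests not yet in the group}.
    """
    present, unexpected = set(), []
    for m in members:
        mail = (m.get("mail") or "").lower()
        if m.get("userType") != "Guest" or mail not in expected_guests:
            unexpected.append(mail or m.get("userPrincipalName", "<no mail>"))
        else:
            present.add(mail)
    return {"unexpected": sorted(unexpected), "missing": sorted(expected_guests - present)}


def run_live(token):
    """Run both checks against the tenant (assumed scopes: Application.Read.All,
    GroupMember.Read.All)."""
    sps = graph_list("/servicePrincipals" + odata_filter(f"appId eq '{RED_CANARY_APP_ID}'"), token)
    if not sps:
        print("Red Canary service principal not found: API consent has not been granted")
    else:
        assignments = graph_list(f"/servicePrincipals/{sps[0]['id']}/appRoleAssignments", token)
        roles = {}
        for rid in {a["resourceId"] for a in assignments}:
            sp = graph_get(f"/servicePrincipals/{rid}", token)
            roles[rid] = {r["id"]: r["value"] for r in sp.get("appRoles", [])}
        print("Granted to Red Canary app:", *granted_permissions(assignments, roles), sep="\n  ")
    groups = graph_list("/groups" + odata_filter(f"displayName eq '{GROUP_NAME}'"), token)
    if not groups:
        print(f"group {GROUP_NAME} not found")
        return
    members = graph_list(f"/groups/{groups[0]['id']}/members/microsoft.graph.user"
                         "?$select=mail,userType,userPrincipalName", token)
    print("Group audit:", audit_group_members(members, EXPECTED_GUESTS))


# Constructed sample responses (not real tenant data) for an offline run.
SAMPLE_ASSIGNMENTS = [
    {"resourceId": "res-1", "resourceDisplayName": "WindowsDefenderATP", "appRoleId": "role-a"},
    {"resourceId": "res-1", "resourceDisplayName": "WindowsDefenderATP", "appRoleId": "role-b"},
]
SAMPLE_RESOURCE_ROLES = {"res-1": {"role-a": "Alert.Read.All", "role-b": "Machine.Isolate"}}
SAMPLE_MEMBERS = [
    {"mail": "email@example.com", "userType": "Guest",
     "userPrincipalName": "email_example.com#EXT#@contoso.onmicrosoft.com"},
    {"mail": "bob@contoso.com", "userType": "Member",   # internal user: should not be in the group
     "userPrincipalName": "bob@contoso.com"},
]

if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        run_live(token)
    else:
        print(granted_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCE_ROLES))
        print(audit_group_members(SAMPLE_MEMBERS, EXPECTED_GUESTS))
```

A missing service principal means the consent link was never completed in this tenant; an "unexpected" entry in the group audit is either a non-guest account that was added by mistake or a guest that is not on the list your Red Canary team gave you, and both deserve a look before the read-only role is assigned to the group.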