Skip to main content
Red Canary help

Connecting Red Canary to Microsoft Defender for Endpoint

  • Updated .

Connecting your Microsoft Defender for Endpoint instance to Red Canary consists of three steps:

  1. Set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub. This configuration instructs the Defender platform to begin sending your telemetry to Red Canary for processing.
  2. Grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts, process endpoint metadata, and orchestrate actions on endpoints.
  3. Grant your Red Canary incident handlers read-only access to your Defender console. This enables your incident handler to perform ad-hoc hunting and investigation of potential threats in your environment. 

Setting up a Red Canary onboarding account

Before beginning the onboarding process, you need to provide Red Canary with the name and email address for an account with Global Administrator privileges within your Azure organization. This Global Administrator account will also be used throughout your setup as detailed in the sections below.

If you do not have a Global Administrator account to use for onboarding and setup, please follow the instructions below:

To set up the Global Administrator account for onboarding and setup:

  1. Log into your Azure tenant at https://portal.azure.com
  2. Follow the steps listed in Microsoft's Azure user creation documentation here
  3. Assign Global Administrator or Security Administrator to the new user using the Microsoft assign role documentation here
  4. Confirm that permissions are correct by logging into Azure, searching for Users and validating that the user belongs to the Global Administrators role.
  5. Red Canary will invite this user as a Guest User in the Red Canary Azure tenant.
  6. The user will receive an email with an invitation to accept access permissions. 

Setting up data export

In this step, you will set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub. This configuration instructs the Defender for Endpoint platform to begin sending your telemetry to Red Canary for processing.

To set up data export:

  1. Log into your Microsoft Defender Security Center using the Global Administrator account that has been granted access to the Red Canary Azure tenant.
  2. Navigate to Partners & APIs → Data export settings.
  3. Click + Add data export settings.
  4. Choose a name for the new data export settings, such as red-canary-data-export.
  5. Click Forward events to Azure Event Hub.
  6. Fill in the values for the below fields--which will be provided to you once you are provisioned--in an automatically-generated email:
    Event-Hub Resource Id
    Event Hub Name
  7. Ensure that all Event types are selected.
  8. Click Save.

Granting permissions to your Microsoft Defender for Endpoint API

In this step, you will grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts, process endpoint metadata, and orchestrate actions on endpoints. 

To grant permissions to your Microsoft Defender for Endpoint API:

  1. While logged in as a Global Administrator, approve permissions for Red Canary API integration by clicking this link: https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=69561a74-a59d-43f4-a113-8bc2da00f822&response_type=code&sso_reload=true

Granting Red Canary analysts read-only access to your Microsoft Defender console

In this step, you will grant Red Canary read-only access to your Microsoft Defender for Endpoint console using role based access control (see this help article for more information). This enables your Red Canary teams, such as Incident Handling and Detection Engineering, to perform ad-hoc hunting and investigation of potential threats in your environment.

This process requires a P2 type Azure license, and applies to customers with E5/A5 Microsoft Licenses. If you have a P1 type Azure license, please reference this help article.

Preparing Microsoft Azure group for RBAC and linking Red Canary AD Tenant 

  1. Navigate to https://portal.azure.com and log in with your Global Administrator Microsoft account. 
    1. Expand the navigation pane on the left hand side of the page and select Azure Active Directory. 
    2. Select Groups. 
    3. Click “New Group” 
    4. Fill in the group parameters with the following: 
      • Group Type: Security
      • Group Name: Red Canary
      • Group Description: Red Canary Access Group
      • Azure AD roles can be assigned to the group (Preview): Yes
      • Membership Type: Assigned
      • Owners: No owners selected
      • Members: No members selected
    5. Click “Create
    6. Select “Identity Governance” 
    7. Under Entitlement management on the left of the page, select “Connected organizations
    8. Click “Add connected organization” 
    9. Fill in the Add connected organization wizard with the following parameters
      • Basics
        • Name: Red Canary
        • Description: Red Canary Access Group
      • Directory + domain
        • Click “add directory + domain
        • Insert "redcanary.com" into the search field for tenant ID.
        • Highlight the entry and click Select
      • Sponsors
        • Under Add Internal Sponsor click Add/Remove
        • Search for the name of your Active Directory administrator, highlight the account and click Select
      • Review + Create
    10. Review the parameters and click Create to link the Red Canary Active Directory Tenant. 

Enabling Role Based Access Controls in Microsoft Defender for Endpoint

  1. Navigate to https://security.microsoft.com and log in with your Global Administrator Microsoft account. 
    • Click on Settings
    • Click on Roles
    • Click Add Item
  2. Configure permissions for the new role. 
    • Role Name: Red Canary
    • Description: Red Canary Access Role
    • Check the following Permissions boxes only. 
      • View Data
        • Security Operations
        • Threat and Vulnerability Management
      • Active Remediation Actions
        • Security Operations
      • Alerts Investigation
      • Live Response Capabilities
        • Basic
    • Click on “Assigned user groups” 
    • Select the group named Red Canary
    • Click Add Selected Groups
  3. Click Save

Configuring Identity Governance Access Packages in Microsoft Azure

  1. Navigate to https://portal.azure.com and log in with your Global Administrator Microsoft account. 
  2. Expand the navigation pane on the left hand side of the page and select Azure Active Directory. 
  3. Select Identity Governance
  4. Under Entitlement Management on the left, select “Catalogs 
  5. Select “New Catalog” 
  6. Complete the New catalog form with the following parameters
    • Name: Red Canary Access
    • Description: Red Canary MTP Service Access Catalog
    • Enabled: Yes
    • Enabled for external users: Yes
  7. Under Entitlement Management on the left, select “Access Packages
  8. Click “New Access Package
  9.  Complete the New access package forms using the following parameters
    • Basics
      • Name: Red Canary Access Package
      • Description: Red Canary Access
      • Catalog: Red Canary Access
    • Resource Roles
      • Select Groups and Teams
      • Click the group “Red Canary”
      • Select “Member” 
      • Click “Select” to add the group resource role to the Access package. 
    • Requests
      • Select “For users not in your directory
      • Select “Specific connected organizations
      • Select “Red Canary”
      • Require Approval: No
      • Enable new requests and assignments: Yes
    • Lifecycle
      • Access package assignments expire: never 
      • Require access reviews: Yes
      • Starting on: (today's date)
      • Review frequency: Bi-annually
      • Duration in days: 90
      • Reviewers: Specific reviewers
        • Select “Add reviewers” 
        • Select members of your organization responsible for IAM review procedures. 
    • Review + Create
      • Review the parameters to ensure the above criteria are satisfied. 
      • Click “Create” to create the access package.  
  10. Select the new access package under Azure Portal → Active Directory → Identity Governance → Access Packages → Red Canary.  
  11. Under “Properties” copy the “My Access Portal link” click the copy button in the selection field. 
  12. Provide the link to the Red Canary account team contact.

If used, add permissions to Device Groups

  1. Navigate to https://security.microsoft.com
  2. Select Settings → endpoints → Device Groups
  3. Navigate to ​Assigned User Groups
  4. Select the Red Canary group previously created in Azure AD. Add that group to “Azure AD user groups with this role” and click​ Save
  5. Grant Red Canary users permission to view all machine groups in your environment. 
    • Navigate to Settings → Permissions → Machine groups
  6. Click on the first machine group name and navigate to​ User Access​.
  7. Select the checkbox to grant access to the ​Red Canary ​group.
  8. Repeat the previous step for all machine groups.

 

Related articles