Skip to main content
Red Canary help

Connecting Red Canary to Microsoft Defender for Endpoint

  • Updated .

This article guides you through the process of connecting your Red Canary portal to your Microsoft Defender for Endpoint instance.

Estimated procedure time: 2 hours

Overview

Connect Red Canary to Microsoft Defender for Endpoint by completing these steps:

  1. Set up a Red Canary onboarding account.
  2. Set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub.
  3. Grant Red Canary permissions to your Defender for Endpoint API.
  4. Grant your Red Canary team read-only access to your Defender for Endpoint console.

Set up a Red Canary onboarding account

Before beginning the onboarding process, you must provide Red Canary with the name and email address for an account with global administrator privileges within your Azure organization. You’ll use this account throughout the onboarding process.

If you already have a global administrator account, follow these steps:

  1. Provide the name and email address of the account to your Red Canary contact.
  2. Check your email for an invitation to accept access permissions. If your account doesn’t have an associated email inbox, you can accept the invitation by logging in to https://portal.azure.com/microsoft-production.redcanary.co.
    Note: When logging in to this site, you should be prompted to accept certain permissions. If you do not see this permissions page on your first login, try accessing this link via an incognito or private window.

If you don’t have a global administrator account, follow these steps:

  1. Log in to your Azure tenant at https://portal.azure.com.
  2. Create a new user by following the steps in Add or delete users using Azure Active Directory.
  3. Assign “Global Administrator” or “Security Administrator” to the new user by following the steps in Assign administrator and non-administrator roles to users with Azure Active Directory.
  4. Confirm that permissions are correct by logging into Azure, searching for the new user, and validating that the user belongs to the “Global Administrator” or “Security Administrator” role.
  5. Provide the name and email address of the account to your Red Canary contact.
  6. Check your email for an invitation to accept access permissions. If your account doesn’t have an associated email inbox, you can accept the invitation by logging in to https://portal.azure.com/microsoft-production.redcanary.co.

Set up data export (Streaming API)

After you configure your onboarding account, you can set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub. This configuration instructs the Defender for Endpoint platform to begin sending your telemetry to Red Canary for processing.

To set up data export:

  1. Log in to Microsoft Defender Security Center using your global administrator account.
  2. Navigate to Settings > Microsoft 365 Defender, and select Streaming API.
  3. Click + Add button on top.
  4. Choose a name for the new data export settings, for example, “red-canary-data-export.”
  5. Click Forward events to Azure Event Hub.
  6. Fill in the values of Event-Hub Resource ID and Event-Hub name using the credentials Red Canary has provided to you via email.
  7. Make sure that all Event Types are selected.
  8. Click Save.

For a walkthrough of these steps, review this video:

Grant permissions to your Microsoft Defender for Endpoint API

After you configure your onboarding account, you can grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts, process endpoint metadata, and orchestrate actions on endpoints.

To grant permissions to your Microsoft Defender for Endpoint API:

  1. Log in to your global administrator Microsoft account.
  2. Approve permissions for Red Canary API integration by clicking this link: https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=69561a74-a59d-43f4-a113-8bc2da00f822&response_type=code&sso_reload=true

Grant Red Canary analysts read-only access to your Microsoft Defender console

After you grant permissions to your Microsoft Defender for Endpoint API, you can give Red Canary read-only access to your Defender for Endpoint console using role-based access control (see Manage portal access using role-based access control for more information). This enables your Red Canary teams, such as your incident handling and detection engineering teams, to perform ad-hoc hunting and investigation of potential threats in your environment.

Note: This process requires a P2-type Azure license. If you have a P1-type Azure license, see P1 Azure License - Granting Red Canary analysts read-only access to Microsoft Defender.

 

For a guided walkthrough of these steps, review this video:

First, prepare your Microsoft Azure group for role-based access control, and link the Red Canary active directory tenant:

  1. Navigate to https://portal.azure.com, and log in with your global administrator account.
  2. Expand the navigation pane on the left side of the page.
  3. Select Azure Active Directory > Groups > New Group.
  4. Fill in the group parameters with the following values:
      • Group Type: Security
      • Group Name: Red Canary
      • Group Description: Red Canary Access Group
      • Azure AD roles can be assigned to the group (Preview): Yes
      • Membership Type: Assigned
      • Owners: No owners selected
      • Members: No members selected
  5. Click Create > Identity Governance.
  6. Under “Entitlement management” on the left of the page, select Connected organizations > Add connected organization.
  7. Fill out the form with the following values:
      • Basics
          • Name: Red Canary
          • Description: Red Canary Access Group
      • Directory + domain
          1. Click Add directory + domain.
          2. Type "redcanary.com" into the tenant ID search bar.
          3. Highlight the entry, and click Select.
      • Sponsors
          1. Under "Add Internal Sponsor," click Add/Remove.
          2. Search for the name of your active directory administrator, highlight the account, and click Select.
  8. Review the parameters, and click Create.

Next, enable role-based access controls in Microsoft defender for Endpoint:

  1. Navigate to https://security.microsoft.com, and log in with your global administrator account. 
  2. Select Settings > Endpoints > Roles>Add item.
  3. Fill out the form with the following values:
      • Role Name: Red Canary
      • Description: Red Canary Access Role
      • Check the following boxes:
          • View Data
              • Security Operations
              • Threat and Vulnerability Management
          • Active Remediation Actions
              • Security Operations
              • Threat and vulnerability management - Exception handling
              • Threat and vulnerability management - Remediation handling
          • Alerts Investigation
          • Live Response Capabilities
              • Basic
  4. Click Assigned user groups > Red Canary > Add Selected Groups.
  5. Click Save.

Finally, configure your Microsoft Azure identity governance access packages:

  1. Navigate to https://portal.azure.com and log in with your global administrator account. 
  2. Expand the navigation pane on the left side of the page.
  3. Select Azure Active Directory > Identity Governance. 
  4. Under “Entitlement Management” on the left side of the page, select Catalogs > New Catalog.
  5. Fill out the form with the following values:
      • Name: Red Canary Access
      • Description: Red Canary MTP Service Access Catalog
      • Enabled: Yes
      • Enabled for external users: Yes
  6. Under “Entitlement Management” on the left side of the page, select Access Packages > New Access Package.
  7. Fill out the forms with the following values:
      • Basics
          • Name: Red Canary Access Package
          • Description: Red Canary Access
          • Catalog: Red Canary Access
      • Resource Roles
          • Select Groups and Teams > Red Canary > Member > Select.
            • NOTE: In order to select the Red Canary Group you will need to check the box where it says: "See all Group and Team(s) not in the Red Canary Access catalog. You must have the correct permissions to add them in this access package."
      • Requests
          • Select For users not in your directory > Specific connected organizations > Red Canary.
          • Require Approval: No
          • Enable new requests and assignments: Yes
      • Lifecycle
          • Access package assignments expire: Never 
          • Require access reviews: Yes
          • Starting on: [today's date]
          • Review frequency: Bi-annually
          • Duration in days: 90
          • Reviewers: Specific reviewers
              1. Click Add reviewers
              2. Select the members of your organization responsible for IAM review procedures.
  8. Review the parameters, and click Create.
  9. Select the newly created access package under Azure Portal > Active Directory > Identity Governance > Access Packages > Red Canary.  
  10. Under “Properties,” copy the “My access portal link.”
  11. Provide the link to your Red Canary contact.

What if my organization uses device groups?

If your organization uses device groups, add permissions by completing the following steps:

  1. Navigate to https://security.microsoft.com and log in with your global administrator account.
  2. Select Settings > Endpoints > Device Groups.
  3. Navigate to ​Assigned User Groups.
  4. Select the Red Canary group previously created in Azure AD. Add that group to Azure AD user groups with this role, and click​ Save.
  5. Go to Settings > Permissions > Machine Groups.
  6. Click on a machine group name.
  7. Go to User Access, and select the checkbox to grant access to the ​Red Canary ​group.
  8. Repeat steps 6 and 7 for all machine groups.

Related articles

Comments

0 comments

Please sign in to leave a comment.