Red Canary’s integration with the Microsoft Defender platform begins with our deep integration with the Microsoft Defender for Endpoint product and a special data exchange created in partnership between our engineering teams.
While most companies’ Defender for Endpoint integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration leverages the raw telemetry collected by the Defender for Endpoint sensor. This telemetry is processed and analyzed first by the Red Canary platform, then by our Cyber Incident Response Team (CIRT) to confirm threats and eliminate false positives.
This combination of Defender for Endpoint alerts, telemetry, and Red Canary’s detection and response delivers the best security outcomes for Microsoft Defender users.
How it works
Red Canary and Microsoft Defender use several integration points to implement exceptional security operations:
How does Defender Data get to Event Hub?
- Defender EDR streams telemetry data in near real time to the Microsoft Security Center with which it is configured to communicate.
- Security Center sends individual telemetry messages to an Azure Event Hub which Red Canary provisions and maintains for your organization within Red Canary’s Azure environment. Azure bundles those messages together and saves them temporarily in a dedicated Azure Storage blob.
How does the Data in Event Hub get into Red Canary?
- Once the data is saved successfully, an Azure function triggers the Red Canary application within AWS to request and collect that data from Azure via an API request.
- Data is not stored long-term in Azure. Once collected by the Red Canary app, the telemetry messages age out of the Azure platform after a few days.
Connect your Defender for Endpoint deployment to Red Canary by following these simple steps:
- Set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub. This configuration instructs the Defender platform to begin sending your telemetry to Red Canary for processing.
- Grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts and endpoint metadata, and to orchestrate response actions on endpoints.
- Grant your Red Canary incident handlers read-only access to your Microsoft Defender console. This enables your incident handler to perform ad-hoc hunting and investigation of potential threats in your environment.
Learn more about how to set up Defender for Endpoint with Red Canary. This process generally takes 4-6 hours to configure and confirm data is flowing properly.
What kind of Microsoft data does Red Canary process?
We receive all of the data collected by your Defender for Endpoint sensors, as well as a number of system events generated by the Microsoft platform. As Microsoft continues developing APIs in their XDR suite, Red Canary will receive additional telemetry and alert types from other Microsoft security platforms.
What happens to my Microsoft alerts when I activate Red Canary?
Every alert generated by Defender for Endpoint detection rules is processed by Red Canary to determine whether the alert is a true or false positive. Red Canary’s investigation of these alerts adds context to confirmed alerts to accelerate your response.
To keep your console tidy, you can enable “alert synchronization” to automatically update and close the alerts in the Defender platform once Red Canary has completed its review.
Can I also export the data collected by Microsoft?
Absolutely. You can use the Canary Exporter to export Microsoft telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. Learn more about exporting telemetry from Red Canary.