Red Canary’s integration with the Microsoft Defender platform begins with our deep integration with the Microsoft Defender for Endpoint product and a special data exchange created in partnership between our engineering teams.
While most companies’ Defender for Endpoint integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration leverages the raw telemetry collected by the Defender for Endpoint sensor. This telemetry is processed and analyzed first by the Red Canary platform, then by our Cyber Incident Response Team (CIRT) to confirm threats and eliminate false positives.
This combination of Defender for Endpoint alerts, telemetry, and Red Canary’s detection and response delivers the best security outcomes for Microsoft Defender users.
How it works
Red Canary and Microsoft Defender use several integration points to implement exceptional security operations.
Connect your Defender for Endpoint deployment to Red Canary by following these simple steps:
- Set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub. This configuration instructs the Defender platform to begin sending your telemetry to Red Canary for processing.
- Grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts and endpoint metadata, and to orchestrate actions on endpoints.
- Grant your Red Canary incident handlers read-only access to your Microsoft Defender console. This enables your incident handler to perform ad-hoc hunting and investigation of potential threats in your environment.
Learn more about how to set up Defender for Endpoint with Red Canary. This process generally takes 4-6 hours to configure and confirm data is flowing properly.
What kind of Microsoft data does Red Canary process?
We receive all of the data collected by your Defender for Endpoint sensors, as well as a number of system events generated by the Microsoft platform. As Microsoft continues developing APIs in their XDR suite, Red Canary will receive additional telemetry and alert types from other Microsoft security platforms.
What happens to my Microsoft alerts when I activate Red Canary?
Every alert generated by Defender for Endpoint detection rules is processed by Red Canary to determine if the alert was a true or false positive. Red Canary’s investigation of these alerts adds additional context to confirmed alerts to accelerate your response.
You can enable “alert synchronization” to automatically update and close the alerts in the Defender platform once Red Canary has completed its review, keeping your console tidy.
Can I also export the data collected by Microsoft?
Absolutely. You can use the Canary Exporter to export Microsoft telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. Learn more about exporting telemetry from Red Canary.