Red Canary’s integration with Microsoft Defender for Endpoint (MDE) is built on a deep integration with the Defender for Endpoint product and a standard data exchange originally created in partnership between the two companies’ engineering teams.
While most Defender for Endpoint integrations focus only on the alerts generated by the platform, Red Canary’s low-level integration ingests both the alerts and the raw telemetry generated by the Defender for Endpoint sensor. This telemetry is processed and analyzed first by the Red Canary platform and then by our Cyber Incident Response Team (CIRT) to confirm and investigate threats while eliminating false positives.
This combination of Defender for Endpoint alerts, telemetry, and Red Canary’s detection and response delivers the best security outcomes for Microsoft Defender for Endpoint users.
How it works
Red Canary and Microsoft Defender for Endpoint use several integration points to implement exceptional security operations:
How does MDE Data get into the Azure Event Hub?
- MDE EDR streams telemetry data in near real time to the Microsoft Security Center with which it is configured to communicate. (NOTE: This step is part of the standard Microsoft offering; Red Canary is not yet involved.)
- Security Center then sends individual telemetry messages to an Azure Event Hub that Red Canary provisions and maintains for your organization within Red Canary’s Azure environment. Azure bundles those messages together and saves them temporarily in a dedicated Azure Storage blob.
How does the Data in the Event Hub get into Red Canary?
- Once the data is saved successfully, an Azure function triggers the Red Canary application, running in AWS, to request and collect that data from Azure via an API request.
- Data is not stored long-term in Azure. Once collected by the Red Canary app, the telemetry messages age out of the Azure platform after a few days.
Note: Minimum requirements for Defender for Endpoint can be found here.
Connect your Defender for Endpoint deployment to Red Canary by following these simple steps:
- Set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub. This configuration instructs the Defender platform to begin sending your telemetry to Red Canary for processing.
- Grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts and endpoint metadata, and to orchestrate actions on endpoints.
- Grant your Red Canary incident handlers read-only access to your Microsoft Defender console. This enables your incident handler to perform ad-hoc hunting and investigation of potential threats in your environment.
Learn more about how to set up Defender for Endpoint with Red Canary. This process generally takes 4-6 hours to configure and confirm data is flowing properly.
What kind of Microsoft data does Red Canary process?
We receive all of the data collected by your Defender for Endpoint sensors, as well as a number of system events generated by the Microsoft platform. As Microsoft continues developing APIs in its XDR suite, Red Canary will receive additional telemetry and alert types from other Microsoft security platforms.
What happens to my Microsoft alerts when I activate Red Canary?
Every alert generated by Defender for Endpoint detection rules is processed by Red Canary to determine whether the alert is a true or false positive. Red Canary’s investigation of these alerts adds context to confirmed alerts to accelerate your response.
You can enable “alert synchronization” to automatically update and close the alerts in the MDE platform once Red Canary has completed its review, keeping your console tidy.
Can I also export the data collected by Microsoft?
Absolutely. You can either set up another export directly out of MDE, or use Canary Exporter to send the Microsoft telemetry that Red Canary has ingested and standardized to your SIEM, long-term storage, or other processing pipeline. Learn more about exporting telemetry from Red Canary.