Red Canary’s integration with the Microsoft Threat Protection platform begins with our deep integration with the Microsoft Defender ATP product and a special data exchange created in partnership between our engineering teams.
While most companies’ Microsoft Defender ATP integrations are focused on the alerts generated by the platform, Red Canary’s low-level integration leverages the raw telemetry collected by the Microsoft Defender ATP sensor. This telemetry is processed and analyzed first by the Red Canary platform, then by our Cyber Incident Response Team (CIRT) to confirm threats and eliminate false positives.
This combination of Microsoft Defender ATP alerts, telemetry, and Red Canary’s detection and response delivers the best security outcomes for Microsoft Defender ATP users.
How it works
Red Canary and Microsoft Defender ATP use several integration points to implement exceptional security operations.
Connect your Microsoft Defender ATP deployment to Red Canary by following these steps:
- Set up data export from your Microsoft Defender ATP instance to Red Canary’s Azure event hub. This configuration instructs the Microsoft Defender ATP platform to begin sending your telemetry to Red Canary for processing.
- Grant Red Canary permissions to your Microsoft Defender ATP API. This enables the Red Canary platform to retrieve alerts and endpoint metadata, and to orchestrate actions on endpoints.
- Grant your Red Canary incident handlers read-only access to your Microsoft Defender ATP console. This enables your incident handler to perform ad-hoc hunting and investigation of potential threats in your environment.
Learn more about how to set up Microsoft Defender ATP with Red Canary. This process generally takes 4-6 hours to configure and confirm data is flowing properly.
What kind of Microsoft data does Red Canary process?
We receive all of the data collected by your Microsoft sensors, as well as a number of system events generated by the Microsoft platform. As Microsoft continues developing APIs in their Microsoft Threat Protection suite, Red Canary will receive additional telemetry and alert types from other Microsoft security platforms.
What happens to my Microsoft alerts when I activate Red Canary?
Every alert generated by Microsoft’s Defender ATP detection rules is processed by Red Canary to determine whether it is a true or false positive. Red Canary’s investigation adds context to confirmed alerts to accelerate your response.
To keep your console tidy, you can enable “alert synchronization”, which automatically updates and closes alerts in the Microsoft platform once Red Canary has completed its review.
Can I also export the data collected by Microsoft?
Absolutely. You can use the Canary Exporter to export Microsoft telemetry from Red Canary into your SIEM, long-term storage, or other processing pipeline. Learn more about exporting telemetry from Red Canary.