The Red Canary security operations platform can integrate with Microsoft Defender for Identity and Azure AD Identity Protection, giving visibility into the identity dimension of a Red Canary Confirmed Threat and enabling a faster and more complete response. Red Canary uses a single integration with the Microsoft Graph API to collect alerts from both workloads.
How are these capabilities activated in Microsoft?
- Defender for Identity
- Azure AD Identity Protection
How do I configure Red Canary to collect Defender for Identity and Azure AD Identity Protection Alerts?
1) Navigate to Alert Sources
2) In the search bar, search for Microsoft Graph and hit return
3) Click on the Microsoft Graph source that appears below on the Alert Sources page
4) Click the blue "Configure" button
5) Under Ingest Format / Method, choose Microsoft Graph via API Poll (this is the only option)
6) (Optional) Tick the box for any Microsoft workload that you do NOT want Red Canary to ingest. Leaving these checkboxes blank means that Red Canary will ingest all available alerts from Microsoft 365 Defender that belong to one of the four listed workloads
7) Enter your Azure Tenant ID. Follow these instructions if you do not know your tenant ID.
8) Click "This Consent Link" to give Red Canary permission within Azure to collect alerts.
9) Confirm that you've given consent in Azure by clicking the "Confirm Microsoft Graph API Access Granted" checkbox.
10) Click Save
11) Finally, click the blue link that says "Activate it to begin processing alerts"
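The two points above worth seeing in code are the single Graph API poll that serves both identity workloads and the per-workload ignore list from step 6. The following is an added, offline example that is not Red Canary's own poller: it walks constructed pages shaped like a Graph `GET /security/alerts_v2` response, drops alerts from ignored workloads, and uses a `lastUpdateDateTime` watermark so a repeated poll does not re-ingest alerts. The `serviceSource` enum names are the Graph values for the two workloads; the watermark logic is an assumption about how an API poll avoids duplicates, not documented Red Canary behaviour.

```python
from datetime import datetime

# Graph `serviceSource` enum names for the two identity workloads on this page.
DEFENDER_FOR_IDENTITY = "microsoftDefenderForIdentity"
AAD_IDENTITY_PROTECTION = "azureAdIdentityProtection"

# Constructed sample: two response pages of GET /security/alerts_v2, trimmed to
# the fields this example reads. Page 2 re-sends alert-001 unchanged.
SAMPLE_PAGES = [
    {"value": [
        {"id": "alert-001", "serviceSource": DEFENDER_FOR_IDENTITY,
         "severity": "high", "title": "Suspicious authentication activity",
         "lastUpdateDateTime": "2024-03-01T08:00:00Z"},
        {"id": "alert-002", "serviceSource": "microsoftDefenderForEndpoint",
         "severity": "low", "title": "Suspicious process",
         "lastUpdateDateTime": "2024-03-01T08:05:00Z"},
    ], "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/alerts_v2?$skiptoken=page2"},
    {"value": [
        {"id": "alert-003", "serviceSource": AAD_IDENTITY_PROTECTION,
         "severity": "medium", "title": "Anomalous token",
         "lastUpdateDateTime": "2024-03-01T08:10:00Z"},
        {"id": "alert-001", "serviceSource": DEFENDER_FOR_IDENTITY,
         "severity": "high", "title": "Suspicious authentication activity",
         "lastUpdateDateTime": "2024-03-01T08:00:00Z"},
    ]},
]

def _ts(value):
    # Graph timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def poll_alerts(pages, ignored_workloads=frozenset(), watermark=None):
    """One poll: keep alerts not from an ignored workload and updated after
    `watermark`, de-duplicate by id across pages, and return (kept, new_watermark).
    Assumption: a live poller would follow @odata.nextLink instead of a list."""
    kept, seen, newest = [], set(), watermark
    for page in pages:
        for alert in page.get("value", []):
            if alert["serviceSource"] in ignored_workloads or alert["id"] in seen:
                continue
            updated = _ts(alert["lastUpdateDateTime"])
            if watermark is not None and updated <= watermark:
                continue  # already ingested by an earlier poll
            seen.add(alert["id"])
            kept.append(alert)
            if newest is None or updated > newest:
                newest = updated
    return kept, newest
```

Leaving `ignored_workloads` empty mirrors leaving the step 6 checkboxes blank: every workload's alerts are kept, and a second poll with the returned watermark yields nothing new.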