The Red Canary security operations platform can integrate with Microsoft Defender for Identity and Azure AD Identity Protection. This integration provides visibility into the identity dimension of a confirmed threat and enables you to respond to threats quickly and comprehensively. Red Canary uses a single integration with the Microsoft Graph API to collect alerts from both workloads.

Estimated procedure time: 10 minutes

How are these capabilities activated in Microsoft? 

Defender for Identity

Defender for Identity is a standalone sensor which is deployed on your self-managed Active Directory Domain Controllers. To get started, see Microsoft’s Prerequisites and Installation instructions.

Azure AD Identity Protection

If you have the appropriate license, get started by configuring risk policies in your Azure portal.

Configure Red Canary to collect alerts from Defender for Identity and Azure AD Identity Protection

1. In Red Canary, click Alert Sources.
2. In the search bar, search for "Microsoft Graph," and then hit Return.
3. Select the Microsoft Graph alert source.
4. Click Configure.
5. From the Ingest Format / Method dropdown, select Microsoft Graph via API Poll.
6. (Optional) You may ignore any Microsoft workload that you don't want Red Canary to ingest. Leaving these check boxes blank means that Red Canary will ingest all available alerts from Microsoft 365 Defender that belong to one of the four listed workloads.
7. Enter your Azure Tenant ID. If you don't know your ID, follow the instructions in How to find your Azure Active Directory tenant ID.
8. Go to this URL to give Red Canary permission to collect alerts from Azure.
9. In Red Canary, confirm that you granted the appropriate permissions by clicking the Confirm Microsoft Graph API Access Granted checkbox.
10. Click Save.
    
11. Click Activate it to begin processing alerts.