Integrating Defender for Identity and Azure AD Identity Protection Alerts – Red Canary help

The Red Canary security operations platform can integrate with Microsoft Defender for Identity and Azure AD Identity Protection giving visibility into the identity dimension of a Red Canary Confirmed Threat, enabling a faster and more complete response to the threat. Red Canary uses a single integration with the Microsoft Graph API to collect alerts from both workloads

How are these capabilities activated in Microsoft?

Defender for Identity
- Defender for Identity is a standalone sensor which is deployed on your self-managed Active Directory Domain Controllers. See Microsoft’s Prerequisites and Installation instructions to get started.
Azure AD Identity Protection
- If you have the appropriate license, get started by configuring risk policies in your Azure portal.

How do I configure Red Canary to collect Defender for Identity and Azure AD Identity Protection Alerts?

1) Navigate to Alert Sources

2) In the search bar, search for Microsoft Graph and hit return

3) Click on the Microsoft Graph source that's created below on Alert Sources page

4) Click the blue "Configure" button

5) Under Ingest Format / Method, choose Microsoft Graph via API Poll (this is the only option)

6) (Optional) You may ignore any Microsoft workload that you do NOT want Red Canary to ingest. Leaving these check boxes blank means that Red Canary will ingest all available alerts from Microsoft 365 Defender that belong to one of the four listed workloads

7) Enter your Azure Tenant ID. Follow these instructions if you do not know your tenant ID.

8) Click "This Consent Link" to give Red Canary permission within Azure to collect alerts.

9 ) Confirm that you've given consent in Azure by clicking the "Confirm Microsoft Graph API Access Granted" checkbox.

10) Click Save

11) Finally, click the blue link that says "Activate it to begin processing alerts"

Related articles