This article guides you through the process of connecting Red Canary to your Microsoft Defender for Endpoint instance as part of the Active Remediation service.
The Active Remediation service requires that an additional access package be created using Microsoft Identity Governance. This access package grants membership in a security group that is assigned an elevated Microsoft Defender for Endpoint role, which provides the permissions the Active Remediation service needs.
Prerequisites
Before you configure Active Remediation, be sure you’ve connected Red Canary to Defender for Endpoint. For more information, see Connecting Red Canary to Microsoft Defender for Endpoint.
Azure: Create the Active Remediation security group
- From your Azure portal, log in with your global administrator account.
- Expand the navigation pane, and then click Azure Active Directory.
- Click Groups, and then click New Group.
- Fill in the group parameters with the following values:
  - Group Type: Security
  - Group Name: Red Canary Active Remediation
  - Group Description: Red Canary Access Group for Active Remediation
  - Microsoft Entra roles can be assigned to the group: Yes
  - Membership Type: Assigned
  - Owners: No owners selected
  - Members: No members selected
- Click Create.
- Click Yes at the confirmation prompt.
Azure: Add Red Canary as a connected organization
Note: This step is only applicable if you have not already added Red Canary as a connected organization.
- Navigate to the Azure Active Directory, and then click Identity Governance.
- Under Entitlement Management, click Connected organizations, and then click Add connected organization.
- Fill out the form with the following values:
  - Name: Red Canary
  - Description: Red Canary Access Group
  - State: Configured
- Click Add directory + domain.
- Type redcanary.com into the tenant ID search bar.
- Highlight the entry, and then click Select.
- Under Add Internal Sponsor, click Add/Remove.
- Search for the name of your Active Directory administrator, highlight the account, and then click Select.
- Review the parameters, and then click Create.
Microsoft 365 Defender: Enable role-based access controls in Microsoft Defender for Endpoint
- From your Microsoft 365 Defender portal, log in with your global administrator account.
- Click Settings, and then click Endpoints.
- Click Roles.
- Click Add item.
- Fill out the form with the following values:
  - Role Name: Red Canary Active Remediation
  - Description: Red Canary Active Remediation Access Role
- Select the following checkboxes:
  - View Data
    - Security Operations
    - Threat and Vulnerability Management
  - Active Remediation Actions
    - Security Operations
    - Threat and vulnerability management - Exception handling
    - Threat and vulnerability management - Remediation handling
  - Alerts Investigation
  - Live Response Capabilities
    - Advanced
- Click Assigned user groups, and then click Red Canary Active Remediation.
- Click Add Selected Groups.
- Click Save.
Microsoft 365 Defender: Grant Red Canary access to device groups
Note: Ensure that the Red Canary Active Remediation security group has been granted access to the Defender For Endpoint device groups.
This step is applicable only if device groups are listed. By default, a device group is accessible to all users when no user group assignments are associated with it.
- From your Microsoft 365 Defender portal, log in with your global administrator account.
- Click Settings, and then click Endpoints.
- Click Device Group.
- Review the User Access Column in the list of Device Groups.
- Ensure that the Red Canary Active Remediation group is listed under User Access for the group.
Azure: Create the Microsoft Azure identity governance catalog
Note: This step is only applicable if you haven't already created an Identity Governance Catalog for Red Canary.
- From your Azure portal, log in with your global administrator account.
- Expand the navigation pane, select Azure Active Directory, and then select Identity Governance.
- Under Entitlement Management, click Catalogs, and then click New Catalog.
- Fill out the form with the following values:
  - Name: Red Canary Access
  - Description: Red Canary Access Catalog
  - Enabled: Yes
  - Enabled for external users: Yes
Azure: Create the Microsoft Azure identity governance access packages for Active Remediation
- From your Azure portal, log in with your global administrator account.
- Expand the navigation pane, and then click Azure Active Directory.
- Click Identity Governance, Entitlement Management, and then click Catalogs.
- Select the Red Canary Access catalog.
- Under Manage, click Access Packages, and then click New Access Package.
- Fill out the forms with the following values:
  - Name: Red Canary Active Remediation Access Package
  - Description: Red Canary Active Remediation Access
- Select Resource Roles > Groups and Teams > Red Canary Active Remediation, and then click Select.
  - Important: In order to select the Red Canary group, make sure to select See all Group and Team(s) not in the Red Canary Access catalog. You must have the correct permissions to add them to this access package.
- Under Role, click Member from the dropdown.
- Select the Requests tab:
  - Select For users not in your directory, Specific connected organizations, and then select Red Canary.
  - Require Approval: No
  - Enable new requests: Yes
- Select the Lifecycle tab:
  - Access package assignments expire: Never
  - Users can request specific timeline: Yes
  - Require access reviews: Yes
    - Starting on: [today's date]
    - Review frequency: Bi-annually
    - Duration in days: 90
    - Reviewers: Specific reviewers
    - Click Add reviewers.
    - Select the members of your organization responsible for IAM review procedures.
- Review the parameters, and then click Create.
- From your Azure portal, click Azure Active Directory, and then click Identity Governance.
- Click Access Packages, and then click Red Canary access package.
- Under Properties, copy and save the My access portal link.
- Provide the link to your Red Canary contact.
Azure: Add the security reader role to the Red Canary groups
- From your Azure portal, log in with your Microsoft Global or Security Administrator account.
- Expand the navigation pane, and then click Azure Active Directory.
- Click Groups, and then click Red Canary Active Remediation Group.
- Click Assigned Roles, and then click Add Assignments.
- Click the Security Reader role, and then click Add.
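The following script is an added verification aid, not part of the original article or Red Canary's own tooling. It uses the Microsoft Graph PowerShell SDK (assumed to be version 2 and installed) to confirm the Azure-side objects this procedure creates: the security group and its settings, the Security Reader role assignment, the Red Canary connected organization, and the access package. The Defender for Endpoint role itself is configured in the Microsoft 365 Defender portal and is not checked here.

```powershell
# Added verification script (not from the original article). Assumes the
# Microsoft.Graph PowerShell SDK v2 and an account that can read groups,
# directory role assignments and entitlement management objects.
Connect-MgGraph -Scopes 'Group.Read.All','RoleManagement.Read.Directory','EntitlementManagement.Read.All' -NoWelcome

$groupName   = 'Red Canary Active Remediation'
$packageName = 'Red Canary Active Remediation Access Package'
$securityReaderTemplateId = '5d6b6bb7-de71-4623-b4af-96380a352509'   # built-in Security Reader role template
$results = [ordered]@{}

# 1. The security group exists, is role-assignable, and uses assigned (not dynamic) membership.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" -Property Id,DisplayName,IsAssignableToRole,GroupTypes
$results['Group exists']             = [bool]$group
$results['Group is role-assignable'] = $group -and $group.IsAssignableToRole -eq $true
$results['Membership type Assigned'] = $group -and ($group.GroupTypes -notcontains 'DynamicMembership')

# 2. Security Reader is assigned to the group (directory role assignments filtered by principalId).
if ($group) {
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($group.Id)'"
    $templateIds = $assignments | ForEach-Object {
        (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).TemplateId
    }
    $results['Security Reader assigned'] = $templateIds -contains $securityReaderTemplateId
} else {
    $results['Security Reader assigned'] = $false
}

# 3. Red Canary is a connected organization in the configured state.
$org = Get-MgEntitlementManagementConnectedOrganization -Filter "displayName eq 'Red Canary'"
$results['Connected org configured'] = $org -and $org.State -eq 'configured'

# 4. The access package exists, so the My access portal link can be issued.
$pkg = Get-MgEntitlementManagementAccessPackage -Filter "displayName eq '$packageName'"
$results['Access package exists'] = [bool]$pkg

# Print one line per check so a missing step is obvious before the link is handed to Red Canary.
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Run it after completing all sections above; any line reporting MISSING points to the section that still needs attention.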