The Red Canary Threat Hunting Team requires specific groups to be configured in Microsoft Defender for Endpoint (MDE) that identify all of the endpoints on which Active Remediation access is required.
This configuration gives your Threat Hunting Team a marker, or tag, on your endpoints so they know exactly which endpoints you want them to access in order to perform Active Remediation actions.
This article covers how to configure these groups, as required by the Red Canary Threat Hunting Team. You can do this in MDE or in Red Canary.
In MDE, via Device Groups
- Log in to your MDE console.
- Go to Settings > Endpoints > Device Groups.
- Add a new Device Group that includes all of your Active Remediation endpoints, or rename any current Device Group(s) that contain your Active Remediation endpoints.
Give the Device Group a name that starts with "Remediate", for example "Remediate Accounting Machines".
- This is the easiest way to classify/group all of the endpoints you want Red Canary to have access to for Active Remediation.
Note: If you want Red Canary to perform Active Remediation actions on ALL of your endpoints, you would create a Device Group for all of your endpoints using the AR naming convention.
In Red Canary, via endpoint tags
- Log in to Red Canary and go to the Endpoints page.
- Select all of the endpoints for Active Remediation and create a tag:
  - Select the endpoint.
  - Select the "Reporting Tags" drop-down.
  - Select "Set tag and value".
  - Enter "AR_Group" for the tag name and "Remediate" for the tag value.
Once this is done, the Reporting Tags will be listed in Red Canary next to your AR endpoints.
Note: Please keep in mind that Red Canary endpoint tags are static. The downside of this is that there is no way, from the Red Canary side, to automatically add these tags to new endpoints that are onboarded into your environment. To have tags added automatically to new endpoints in Red Canary, you would have to create a script using the Red Canary API.
Note: If your endpoints are already receiving the tag "Remediate" from your MDE Device Groups, then you do NOT need to also tag your endpoints with the "AR_Group/Remediate" tag on the Red Canary side. Ultimately, the endpoints need to be tagged with "Remediate" at least once.