Red Canary’s integration with the Microsoft 365 Defender XDR platform uses several permissions within both Azure and the M365 Defender console.
Data Export
Red Canary’s low-level integration ingests both the alerts and the raw telemetry generated by the Defender for Endpoint sensor. For this telemetry to be processed and analyzed by the Red Canary platform and our Cyber Incident Response Team (CIRT), it must be sent to our Azure Event Hubs. As part of onboarding you will be asked to accept an Azure invitation into our tenant. Once accepted, our automation provisions the appropriate permissions (Azure Data Sender) to allow telemetry from your M365 Defender tenant to flow into our Azure Event Hub.
Grant Red Canary permissions to Defender For Endpoint (MDE) API
The Red Canary platform interacts with Defender for Endpoint (MDE) programmatically via Microsoft-provided APIs. Below is a list of the API permissions we use to read alert data and take MDE remediation actions via our Automate feature.
| API / Permissions Name | Description |
| --- | --- |
| Azure Active Directory Graph | |
| Application.ReadWrite.OwnedBy | Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of. |
| WindowsDefenderATP | |
| AdvancedQuery.Read.All | Allows the app to run advanced queries |
| Alert.Read.All | Allows the app to read any alert |
| Alert.ReadWrite.All | Allows the app to create or update any alert |
| Event.Write | Allows the app to create events in the machine timeline |
| File.Read.All | Allows the app to read all file profiles |
| Ip.Read.All | Allows the app to read all IP address profiles |
| Machine.CollectForensics | Allows the app to collect forensics from a machine |
| Machine.Isolate | Allows the app to isolate a machine |
| Machine.Offboard | Allows the app to offboard a machine from the service |
| Machine.Read.All | Allows the app to read all machine profiles, including the commands that were sent to each machine |
| Machine.ReadWrite.All | Allows the app to create machine records and to read or update any machine record |
| Machine.RestrictExecution | Allows the app to restrict code execution on a machine according to policy |
| Machine.Scan | Allows the app to scan a machine |
| Machine.StopAndQuarantine | Allows the app to stop a file running on a machine and to quarantine that file |
| Score.Read.All | Allows the app to read any Threat and Vulnerability Management score |
| SecurityConfiguration.Read.All | Allows the app to read all security configurations |
| SecurityRecommendation.Read.All | Allows the app to read any Threat and Vulnerability Management security recommendation |
| Software.Read.All | Allows the app to read any Threat and Vulnerability Management software information |
| Ti.Read.All | Allows the app to read all IOCs |
| Ti.ReadWrite | Allows the app to create IOCs and to read or update IOCs it created |
| Ti.ReadWrite.All | Allows the app to manage all IOCs of the tenant |
| Url.Read.All | Allows the app to read all URL profiles |
| User.Read.All | Allows the app to read all user profiles |
| Vulnerability.Read.All | Allows the app to read any Threat and Vulnerability Management vulnerability information |
Grant Red Canary permissions to your Graph API
Microsoft provides additional APIs that allow us to programmatically ingest alert data for the other products within M365 Defender, along with Azure AD Identity Protection. Using both Read and Write permissions allows us to write our analysts’ comments back into alerts in your M365 Defender console.
| API / Permissions Name | Description |
| --- | --- |
| Microsoft.Graph | |
| Security.Events.ReadWrite.All | Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable properties in security events. |
Grant Red Canary permission to your O365 Management Activity API
As part of our Threat Investigation offering, we can also ingest O365 Exchange Online events. These events are stored in the Unified Audit Log in Microsoft Purview. We use the O365 Management Activity API to programmatically read these Exchange Online events from the Unified Audit Log.
| API / Permissions Name | Description |
| --- | --- |
| Office 365 Management APIs | |
| ActivityFeed.Read | Allows the application to read activity data for your organization. |
| ActivityFeed.ReadDlp | Allows the application to read DLP policy events, including detected sensitive data, for your organization. |
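The three API permission lists above are the set a least-privilege review should compare against what the app registration actually holds. The following is an added example (not Red Canary’s code) that performs that comparison; the input shape is a constructed mapping of resource display name to the granted permission values, which is what you would assemble by joining the app’s appRoleAssignments to each resource’s appRoles in Microsoft Graph.

```python
# Added example, not Red Canary's code: audit an app registration's granted
# application permissions against the lists documented on this page.
# Input format is constructed: {resource display name: {permission value, ...}}.

EXPECTED = {
    "Azure Active Directory Graph": {"Application.ReadWrite.OwnedBy"},
    "WindowsDefenderATP": {
        "AdvancedQuery.Read.All", "Alert.Read.All", "Alert.ReadWrite.All",
        "Event.Write", "File.Read.All", "Ip.Read.All",
        "Machine.CollectForensics", "Machine.Isolate", "Machine.Offboard",
        "Machine.Read.All", "Machine.ReadWrite.All",
        "Machine.RestrictExecution", "Machine.Scan",
        "Machine.StopAndQuarantine", "Score.Read.All",
        "SecurityConfiguration.Read.All", "SecurityRecommendation.Read.All",
        "Software.Read.All", "Ti.Read.All", "Ti.ReadWrite", "Ti.ReadWrite.All",
        "Url.Read.All", "User.Read.All", "Vulnerability.Read.All",
    },
    "Microsoft Graph": {"Security.Events.ReadWrite.All"},
    "Office 365 Management APIs": {"ActivityFeed.Read", "ActivityFeed.ReadDlp"},
}

# Permissions that permit destructive or tenant-wide changes; worth a second
# look whenever present, even when they are expected (defender's judgement call).
HIGH_IMPACT = {"Machine.Offboard", "Ti.ReadWrite.All",
               "Application.ReadWrite.OwnedBy", "Alert.ReadWrite.All"}

def audit(granted):
    """Compare granted {resource: {permission, ...}} against EXPECTED.
    Returns 'missing', 'extra' and 'high_impact' sets of 'resource/permission'."""
    missing, extra, high = set(), set(), set()
    for res in EXPECTED.keys() | granted.keys():
        want = EXPECTED.get(res, set())
        have = set(granted.get(res, ()))
        missing |= {f"{res}/{p}" for p in want - have}      # integration may break
        extra |= {f"{res}/{p}" for p in have - want}        # scope creep to remove
        high |= {f"{res}/{p}" for p in have & HIGH_IMPACT}  # review periodically
    return {"missing": missing, "extra": extra, "high_impact": high}

# Constructed sample: one MDE permission not granted, plus a Graph permission
# broader than anything this page calls for.
SAMPLE_GRANTED = {
    "Azure Active Directory Graph": {"Application.ReadWrite.OwnedBy"},
    "WindowsDefenderATP": EXPECTED["WindowsDefenderATP"] - {"Machine.Scan"},
    "Microsoft Graph": {"Security.Events.ReadWrite.All", "Directory.ReadWrite.All"},
    "Office 365 Management APIs": {"ActivityFeed.Read", "ActivityFeed.ReadDlp"},
}

if __name__ == "__main__":
    for category, items in audit(SAMPLE_GRANTED).items():
        print(category, sorted(items))
```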
Grant the Red Canary CIRT access to your Microsoft 365 Defender console
The telemetry we receive via the APIs Microsoft provides gives us a great deal of information. However, there are times when our CIRT (Detection Engineers and Incident Handlers) require additional context on a presumed threat. In these cases, we require access to the M365 Defender console.
The M365 Defender console is the “single pane of glass” for the M365 Defender products (MDE, MDI, MDO, etc.). The Security Reader Azure AD role provides the ability to read alert data for all of the M365 Defender products (except MDE) in the M365 Defender console. Defender for Endpoint uses its own RBAC instance to provide granular access to view alert data, take remediation actions, and so on.
The table below lists the permissions required for Red Canary MDR services using MDE. It also includes a column listing the additional access required for Active Remediation.
| Permission | Description | Justification | Red Canary MDR for MDE | Red Canary MDR + Active Remediation for MDE |
| --- | --- | --- | --- | --- |
| Azure AD / Security Reader | Can read security information in Azure AD and M365 Defender. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-reader | Permissions required to view M365 Defender data (non-MDE, e.g. MDI, MDO) in the M365 Defender console | | |
| Azure AD / Security Administrator | Can read security information, and manage security configuration in Azure AD and M365. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin | Required access for the Red Canary CIRT to take remediation actions in Defender for Identity and Defender for Office 365 | | |
| MDE / View Data: Security Operation | View Alerts, Incidents, Automated Investigation, Advanced Hunting, Device Pages | Required access for the Red Canary CIRT to view alert data or perform advanced hunting queries in MDE | | |
| MDE / View Data: Threat and Vulnerability Management | View MDE Vulnerability management data in the M365 Defender portal | Permissions required to view Threat and Vulnerability Management status in MDE. This allows Detection Engineers and Threat Hunters to better assess the risk presented by threats in customer environments. | | |
| MDE / Active Remediation actions: Security Operations | Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators | | | |
| MDE: Alerts Investigation | Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files | Allows our CIRT to analyze alerts within Defender for Endpoint | | |
| MDE: Live response capabilities: Advanced | | Allows our CIRT to use the Live Response functionality in MDE to perform remediation actions | | |