How Microsoft Azure Works with Red Canary
- 18 Nov 2024
- 9 Minutes to read
- PDF
How Microsoft Azure Works with Red Canary
- Updated on 18 Nov 2024
- 9 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Red Canary integrates with Microsoft Azure to analyze telemetry from various sources, including Defender for Cloud alerts. Telemetry from Azure is seamlessly streamed from a user’s tenant into an Azure Event Hub within Red Canary’s tenant. Additionally, Azure’s diagnostic settings allow near real-time analysis by streaming control plane data from storage accounts, key vaults, and other sources. Azure data exports from Log Analytics Workspaces and continuous exports from Defender for Cloud ensure smooth data streaming to the Event Hub.
Understand the Red Canary Bicep File
The Bicep file is a template that automates the deployment of Azure resources and configurations needed to integrate Microsoft Azure with Red Canary. It specifically sets up policies and configurations to enable the ingestion of telemetry and logs from Azure into the Red Canary platform.
Resource Group and Policy Deployment
The file deploys two custom policies across all subscriptions within a specified management group:
Resource Group Creation Policy: Ensures that a resource group named
RCAutomationexists in each subscription. If it's missing in a subscription, the policy triggers a remediation action to create it.Lighthouse Registration Policy: Ensures that Azure Lighthouse is properly registered between the subscriptions and Red Canary’s tenant. If a Managed Service registration between the subscription and Red Canary’s tenant does not exist, the policy will trigger a remediation action to establish the connection.
Role Assignments
The Bicep file assigns specific roles to Red Canary’s Azure Log Ingest Group (identified by the RCAzureLogIngestPrincipal) through the Managed Service registration, granting a principal in Red Canary’s tenant the following roles within each subscription:
Log Analytics Contributor:
Allows Red Canary to read and edit monitoring settings, manage VM extensions, and access storage account keys.
Enables Red Canary to create Diagnostic Settings on Storage Accounts and Key Vaults for event streaming and configure Data Export on Log Analytics Workspaces, including control plane logs and sign-in logs.
Reader Role:
Provides view-only access to all resources.
Through an Azure Lighthouse connection, this role allows Red Canary to enumerate resources within the tenant, including Storage Accounts, subscriptions, and Key Vaults.
Managed Services Registration Assignment Delete Role:
Allows the deletion of the registration assignment in the event of offboarding.
Enables Red Canary to remove the Service Provider Offer that grants access to the user’s environment.
Security Admin:
Provides permissions to view and update Microsoft Defender for Cloud, including configuring automated export of alerts and supporting the synchronization of alert states.
Within Microsoft Azure, these are
Microsoft.Security/automationresource types. Security Admin was the least privileged built-in role that can create these resource types, which Red Canary uses to stream Defender for Cloud alerts to a Red Canary Event Hub.
Enables the Bicep file to create continuous export settings for Defender for Cloud.
These roles are managed through Lighthouse and will be visible for each subscription in the Service Providers section within your Azure environment (which is where connections created via Lighthouse are listed).
Policy and Service Account Requirements
The policy can remediate subscriptions, create a Managed Service registration, and establish a Lighthouse connection, all of which necessitate a linked service account with Owner privileges.
However, the policy itself does not grant Owner-level permissions to any principal that Red Canary has access to or any external principal. Instead, the Owner role is assigned to a service-managed identity specific to the policy. This identity appears in the Azure portal as an enterprise application named after the policy assignment (
RCLogConfigurationAccess) and is listed as "RC Azure Log Ingest" in the policy assignments.
Lighthouse and Managed Services Registration
The Bicep file creates and enforces a custom policy that checks for the existence of Lighthouse registrations and, if not present, deploys them automatically.
What the Bicep File Is Doing:
Automates the deployment and management of necessary Azure resources for integration with Red Canary.
Enforces the creation of a specific resource group in each subscription to support log ingestion and alert exports.
Grants specific roles and permissions to Red Canary's Azure Log Ingest Group to manage logs, monitoring, and security configurations.
What the Bicep File Isn’t Doing:
It does not grant unrestricted access to all Azure resources or allow Red Canary to perform actions outside the scope of log management, monitoring, and security.
It does not modify existing resources beyond what's necessary for creating the required resource group and ensuring Lighthouse registration.
Integration Architecture Diagram:
.png?sv=2022-11-02&spr=https&st=2024-11-21T12%3A27%3A39Z&se=2024-11-21T12%3A37%3A39Z&sr=c&sp=r&sig=pnI5heYyVU8HCyykaQ3Q9SOWYf8pRHy0JOibPxlMoEc%3D)
For detailed information around details of the design and architecture of the Azure integration, see Engineering a MDR solution for Microsoft Azure.
FAQ
Is Red Canary able to assign IAM permissions to anything within our Management Groups/Subscriptions/Resources? Are read/write permissions required?
Red Canary cannot assign IAM permissions to anything inside the Management Groups/Subscriptions/Resources of your Azure environment. Red Canary does require write permissions to configure log streaming on individual Azure resources inside the subscriptions. As a specific example, Red Canary configures every Key Vault to stream access logs to our Event Hub. Without write permissions, Red Canary cannot complete the setup required to ingest Azure logs or maintain coverage as you add new cloud infrastructure to your environment.
Can Service Principals with less permission than “Owner” be specified?
Owner is the least privileged Managed Identity Role that Red Canary has found that can run the required policy remediation actions. Red Canary does not use the service principals, all deployments running as the policy service principal are started from within Azure.
What Azure policies are deployed aside from the initial policies in the bicep file?
No new policies are deployed, only the policies in the bicep file and these policies are not modified, viewed, edited or accessed by Red Canary. After onboarding, we do list resources and create exports into Red Canary’s Event Hubs; however, this is done via custom automation within our systems, and not via Azure policies.
How are new policies defined, deployed, and applied within our Azure environment?
Red Canary does not define, create, deploy, or apply new policies inside your Azure environment. The two policies provided in the bicep file will mark any new subscriptions as Out Of Compliance and remediate them to create a Resource Group and Lighthouse connection to enable monitoring. Red Canary has the ability to create new policies with the permissions above, but cannot attach service principals for remediation. If new or updated policies are required, Red Canary will contact customers to deploy any new changes.
Does it matter which Azure region we configure and execute the Bicep file in?
The location is only used to execute the Bicep file, which grants access to Red Canary. The actual data export will operate in the same regions as your infrastructure.
What do the AZ account list commands do?
During onboarding, the bicep file creates two policies: one that grants Red Canary access to each subscription and one that creates a resource group in each subscription for placing Defender for Cloud streaming configurations. The AZ account list commands create a policy evaluation and remediation task for each account (subscription) and policy so that the process to grant access starts as soon as possible.
Can the westus2 region talk to the eastus region, and do we need security configuration to do so?
A security configuration is not required for onboarding. As mentioned earlier, the region specified is only used to set up global access. Actual communication and data exports stay inside the region.
Should we use another WestUS region to stay geographically close to avoid higher latency and packet loss?
No, you do not need to change regions.
How do I enable Management groups in my Azure directory?
From your Microsoft Azure homepage, in the search bar, type and then select Management groups.
.png?sv=2022-11-02&spr=https&st=2024-11-21T12%3A27%3A39Z&se=2024-11-21T12%3A37%3A39Z&sr=c&sp=r&sig=pnI5heYyVU8HCyykaQ3Q9SOWYf8pRHy0JOibPxlMoEc%3D "image(219).png")
If there are no management groups listed, click Start using Management Groups to enable management groups in your Azure directory.
.png?sv=2022-11-02&spr=https&st=2024-11-21T12%3A27%3A39Z&se=2024-11-21T12%3A37%3A39Z&sr=c&sp=r&sig=pnI5heYyVU8HCyykaQ3Q9SOWYf8pRHy0JOibPxlMoEc%3D "image(220).png")
Refresh the page and verify the listing includes the default Tenant Root Group Management Group created for your directory.
.png?sv=2022-11-02&spr=https&st=2024-11-21T12%3A27%3A39Z&se=2024-11-21T12%3A37%3A39Z&sr=c&sp=r&sig=pnI5heYyVU8HCyykaQ3Q9SOWYf8pRHy0JOibPxlMoEc%3D "image(221).png")
.png?sv=2022-11-02&spr=https&st=2024-11-21T12%3A27%3A39Z&se=2024-11-21T12%3A37%3A39Z&sr=c&sp=r&sig=pnI5heYyVU8HCyykaQ3Q9SOWYf8pRHy0JOibPxlMoEc%3D "image(219).png")
.png?sv=2022-11-02&spr=https&st=2024-11-21T12%3A27%3A39Z&se=2024-11-21T12%3A37%3A39Z&sr=c&sp=r&sig=pnI5heYyVU8HCyykaQ3Q9SOWYf8pRHy0JOibPxlMoEc%3D "image(220).png")
.png?sv=2022-11-02&spr=https&st=2024-11-21T12%3A27%3A39Z&se=2024-11-21T12%3A37%3A39Z&sr=c&sp=r&sig=pnI5heYyVU8HCyykaQ3Q9SOWYf8pRHy0JOibPxlMoEc%3D "image(221).png")
Can I limit Red Canary’s access to Azure subscriptions and resources?
Yes. Follow the steps below to limit Red Canary’s access to your Azure subscriptions and resources.
Scoping diagnostic settings to select Azure subscriptions
By default, Red Canary requests access permissions to be granted on the Tenant Root Group management group. This enables Red Canary to monitor control plane activity for all resources within all subscriptions.
Red Canary users can limit the scope of Red Canary’s monitoring by utilizing management groups that contain only the subscriptions they wish to have monitored.
If your organization still needs to enable Management groups, you must do so. For more information on this process, see how do I enable Management groups in my Azure directory. If you can navigate to management groups in the Azure portal and see a root management group, they are already enabled.
Step 1.4 requires you to build a command that will be executed in the Azure Cloud Shell. Within this command, we ask you to paste your “<Tenant ID>” into the Red Canary provided code. This command should be replaced with the ID of the management group containing the subscriptions to be monitored.
Example:
az deployment mg create --name 'RCLogIngestPolicy' \
--location eastus \
--template-file RedCanary.bicep \
--management-group-id <TenantId>
becomes
az deployment mg create --name 'RCLogIngestPolicy' \
--location eastus \
--template-file RedCanary.bicep \
--management-group-id <Management Group ID>
You then run the two commands from Step 1.12. These commands will apply the bicep file from earlier to all of the subscriptions utilizing an Azure Policy. For more information, see Microsoft’s Azure Policy overview.
During the remediation of the Azure Policy, multiple errors will occur where the policy cannot apply to subscriptions not in the management group. These errors are expected behavior when only onboarding a portion of subscriptions. The errors warn that the bicep file did not apply to all the tenant subscriptions. To check for successful onboarding, look at the Azure policy’s compliance page to ensure that the subscriptions in the management group meet the policy.
Log Analytics Workspace & Entra ID Logs (Tenant Level Logs)
Entra ID creates logs at the Tenant Level. These logs focus on Audit and Login actions. Red Canary ingests these logs to provide identity-based protection. For more information, see the Azure Audit Logs overview and the Entra Sign-in Logs overview.
Step 2 asks you to configure an Azure Log Analytics workspace to collect Entra ID logs.
To ingest these logs, Red Canary must have access to the Log Analytics Workspace subscription. Therefore, the Log Analytics Workspace must be in one of the subscriptions belonging to the management group to which Red Canary has been granted access.
If your organization already pushes Microsoft Entra ID Logs to a Log Analytics workspace in a subscription not contained in the Management Group, create a second Log Analytics workspace to which Red Canary does have access. This second Log Analytics workspace may incur additional costs. For more information, see Azure Monitor Pricing.
Is the delivery location for telemetry (e.g., Event Hub) unique to our company or shared with other companies?
Each customer’s Azure Tenant is mapped to its own Event Hub within a shared namespace in Red Canary’s Azure tenant. While multiple customers may share an Event Hub namespace, each integration has its own Event Hub, and data is not accessible between customers. Red Canary’s authorization rules ensure that customers have no read or management access to other tenants’ data.
Was this article helpful?
