How Red Canary Works with Microsoft Defender for Endpoint

Note: Minimum requirements for Defender for Endpoint can be found here.

Connect your Defender for Endpoint deployment to Red Canary by following these simple steps:

1. Set up data export from your Defender for Endpoint instance to Red Canary’s Azure event hub. This configuration instructs the Defender platform to send your telemetry to Red Canary for processing.

2. Grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts and endpoint metadata and orchestrate actions on endpoints.

3. Grant your Red Canary threat hunter read-only access to your Microsoft Defender console. This enables your threat hunter to perform ad-hoc hunting and investigation of potential threats in your environment. 

Learn more about how to set up Defender for Endpoint with Red Canary. This process generally takes 4-6 hours to configure and confirm data is flowing properly.

How does MDE Data get into the Azure Event Hub?

1. MDE Endpoint Detection and Response (EDR) streams telemetry data in near real-time to the Microsoft Security Center with which it is configured to communicate.

   Note: This step is part of the standard Microsoft offering; Red Canary is not involved yet.

2. Security Center then sends individual telemetry messages to an Azure Event Hub, which Red Canary provisions and maintains for your organization within Red Canary’s Azure environment. Azure bundles those messages and temporarily saves them in a dedicated Azure Storage blob.

How does the Data in the Event Hub get into Red Canary?

1. Once the data is saved successfully, an Azure function triggers the Red Canary application within AWS to request and collect that data from Azure via an API request.

2. Data is not stored long-term in Azure. Once collected by the Red Canary app, the telemetry messages age out of the Azure platform after a few days.

What kind of Microsoft data does Red Canary process?

We receive all of the data collected by your Defender for Endpoint sensors and a number of system events generated by the Microsoft platform. As Microsoft continues developing APIs in its XDR suite, Red Canary will receive additional telemetry and alert types from other Microsoft security platforms.

What happens to my Microsoft alerts when I activate Red Canary?

Red Canary processes every alert generated by Defender for Endpoint detection rules to determine if the alert is a true or false positive. Red Canary’s investigation of these alerts adds additional context to confirmed alerts to accelerate your response. 
You can enable alert synchronization to automatically update and close the alerts in the MDE platform once Red Canary has completed our review to keep your console tidy.

Can I also export the data collected by Microsoft?

Absolutely. You can either set up another export directly out of MDE or use Canary Exporter to export Microsoft telemetry from Red Canary that has been ingested and standardized into your SIEM, long-term storage, or another processing pipeline. Learn more about Export data from Red Canary.