Integrate Microsoft Sentinel with Red Canary
- 24 Jul 2024
- 4 Minutes to read
- PDF
Integrate Microsoft Sentinel with Red Canary
- Updated on 24 Jul 2024
- 4 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Integrating Microsoft Sentinel with Red Canary's advanced capabilities builds a robust security ecosystem. This integration allows for seamless data sharing, improved threat detection, and accelerated incident response. This empowers you to better understand your security posture and proactively mitigate risks.
To integrate Microsoft Sentinel with Red Canary, follow the procedure below from beginning to end.
Prerequisites
From your Azure environment, locate the following data points to configure your Red Canary source platform:
Azure Tenant ID
Azure Subscription ID
Sentinel Resource Group Name
Sentinel Workspace Name
Log Analytics Workspace ID
You must have Azure Global Admin rights to upload and accept the Azure Resource Management (ARM) Template configuration and add the required role assignments in Azure.
Step 1: Microsoft Azure–Locate your Microsoft Azure IDs
Start the integration process by locating your Microsoft Azure IDs.
Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
In the search bar, type and then select Tenant properties.
Copy and save your Tenant ID. You’ll use this in a later step.
In the search bar, type and then select Subscriptions.
Copy and save your Subscription ID. You’ll use this in a later step.
Click on your subscription name.
Select your log analytics workspace ID, copy and save your workspace ID. You’ll use this in a later step.
In the search bar, type and then select Resource Groups.
Copy and save the Resource Group Name you are setting up a subscription for. You’ll use this in a later step.
In the search bar, type and then select Workspaces.
Copy and save the Workspace Name you're setting up a subscription for. You’ll use this in a later step.
Step 2: Red Canary–Input your Microsoft Azure information
Enter your Microsoft Azure information into Red Canary to start sending your alerts.
From your Red Canary homepage, click Integrations.
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A29%3A19Z&se=2024-09-20T12%3A39%3A19Z&sr=c&sp=r&sig=R3ugYg16c0u14kHYlyqNwpS3HQAfvMPWOqq9xbWxRfo%3D)
Select Microsoft Azure.
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A29%3A19Z&se=2024-09-20T12%3A39%3A19Z&sr=c&sp=r&sig=R3ugYg16c0u14kHYlyqNwpS3HQAfvMPWOqq9xbWxRfo%3D)
Click Configure.
Enter a Name for your external alert source.
Select a Display Category.
Under the Ingest Format/Method dropdown, select Microsoft Azure Sentinel via API Poll.
Enter your Microsoft Azure Tenant ID from Step 1.3.
Enter your Microsoft Azure Subscription ID from Step 1.5.
Enter your Microsoft Sentinel Resource Group Name from Step 1.9.
Enter your Microsoft Sentinel Workspace Name from Step 1.11.
Enter your Microsoft Log Analytics Workspace ID from Step 1.7.
Click Save Configuration.
Click Edit Configuration.
Under the Permissions section, click the Azure consent link.
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A29%3A19Z&se=2024-09-20T12%3A39%3A19Z&sr=c&sp=r&sig=R3ugYg16c0u14kHYlyqNwpS3HQAfvMPWOqq9xbWxRfo%3D)
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A29%3A19Z&se=2024-09-20T12%3A39%3A19Z&sr=c&sp=r&sig=R3ugYg16c0u14kHYlyqNwpS3HQAfvMPWOqq9xbWxRfo%3D)
Step 3: Microsoft Azure–Confirm that Red Canary has been configured in Azure
Confirm that the Red Canary enterprise application has been configured in your Azure Active Directory.
Login to the Microsoft Azure account you want to integrate with Red Canary.
Click Accept.
Login into your Microsoft Azure account again.
Step 4: Microsoft Azure–Add a Security Reader role assignment to Red Canary
Grant Red Canary permission to read your Microsoft Azure Alerts to start sending security data for ingestion.
In the search bar, type and then select Subscriptions.
Click on your Azure Sentinel subscription name.
Click Access Control (IAM).
Click +Add, and then click Add role assignment.
In the search bar, type and then select Security Reader.
Click Next.
From the Assign access to section, select User, group, or service principal.
Click Select Members.
In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
Click Select.
To review your role assignment, click Next.
Click Review + assign.
Step 5: Microsoft Azure–Add a Log Analytics Contributor role assignment to Red Canary
Grant Red Canary permission to read and analyze your Microsoft Azure telemetry to start sending security data for ingestion.
In the search bar, type and then select Subscriptions.
Click on your Azure Sentinel subscription name.
Click Access Control (IAM).
Click +Add, and then click Add role assignment.
In the search bar, type and then select Log Analytics Contributor.
Click Next.
From the Assign access to section, select User, group, or service principal.
Click Select Members.
In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
Click Select.
To review your role assignment, click Next.
Click Review + assign.
Step 6: Microsoft Azure–Add a Sentinel Responder role assignment to Red Canary
Grant Red Canary permission to edit data, incidents, and manage incidents in Microsoft Azure.
In the search bar, type and then select Subscriptions.
Click on your Azure Sentinel subscription name.
Click Access Control (IAM).
Click +Add, and then click Add role assignment.
In the search bar, type and then select Sentinel Responder.
Click Next.
From the Assign access to section, select User, group, or service principal.
Click Select Members.
In the search bar, type and then select Red Canary + Azure Sentinel API Poller.
Click Select.
To review your role assignment, click Next.
Click Review + assign.
Step 7: Red Canary–Activate your Microsoft Azure Sentinel alert source
Enable your new Microsoft Azure Sentinel alert source in Red Canary.
From your Red Canary homepage, click Integrations.
Scroll down, and then select your third-party security source.
Click Edit Configuration.
With all of the required permission settings completed, select Confirm Microsoft Sentinel API Access Granted.
Click Save Configuration.
Click Edit Configuration.
Click Activate.
Step 8: Microsoft Azure–Deploy an ARM template
Deploy the Red Canary provided ARM template in Azure to enable Red Canary to have the right permissions in your Azure tenant.
Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
In the search bar, type and then select Service providers.
Click Service Provider Offers.
Click +Add offer, and then click Add via template.
Upload the Red Canary provided ARM Template, and then click Upload.
From the Subscription dropdown, select the subscription that your Sentinel instance resides in.
From the region dropdown, select the region your Sentinel instance is deployed in.
Click Next: Review + create >.
Click Create.
Was this article helpful?
