Integrate Microsoft Defender for Endpoint with Red Canary
- Updated on 16 Oct 2024
- 7 Minutes to read
By combining Microsoft Defender for Endpoint with Red Canary’s advanced threat hunting and incident response capabilities, organizations can significantly enhance their endpoint security posture. This integration provides comprehensive endpoint protection, accelerated threat detection, and efficient incident response. To connect Red Canary to your Microsoft Defender for Endpoint instance, follow the procedure below from beginning to end.
Prerequisites
Please review the following article before connecting Red Canary to your Microsoft Defender for Endpoint instance:
Set up a Red Canary onboarding account
Before beginning the onboarding process, you must provide Red Canary with the name and email address for an account with global administrator privileges within your Entra organization. You’ll use this account throughout the onboarding process.
If you already have a global administrator account, follow these steps:
Provide the name and email address of the account to your Red Canary contact.
Check your email for an invitation to accept access permissions. If your account doesn’t have an associated email inbox, notify your Red Canary contact, who will provide you with an invitation link.
Note: When logging in to this site, you should be prompted to accept certain permissions. If you do not see this permissions page on your first login, try accessing the link from an incognito or private window. Microsoft requires MFA to log in to a Global Administrator account.
If you don’t have a global administrator account, follow these steps:
Log in to your Entra tenant at Azure.
Create a new user by following the steps in Add or delete users using Entra Active Directory.
Assign “Global Administrator” or “Security Administrator” to the new user by following the steps in Assign administrator and non-administrator roles to users with Entra Active Directory.
Confirm that permissions are correct by logging into Entra, searching for the new user, and validating that the user belongs to the “Global Administrator” or “Security Administrator” role.
Provide the name and email address of the account to your Red Canary contact.
Check your email for an invitation to accept access permissions. If your account doesn’t have an associated email inbox, you can accept the invitation by logging in to Azure.
Set up data export (Streaming API)
After you configure your onboarding account, you can set up data export from your Defender for Endpoint instance to Red Canary’s Event Hub. This configuration instructs the Defender for Endpoint platform to begin sending your telemetry to Red Canary for processing.
Log in to Microsoft Defender Security Center using your global administrator account.
Navigate to Settings, select Microsoft Defender XDR, and then select Streaming API.
Click + Add.
Name the export “MXDRPartner-{Your Company Name}”.
Click Forward events to Event Hub.
Fill in the values of Event-Hub Resource ID and Event-Hub name using the credentials Red Canary has provided to you via email.
Select all Event Types.
Click Submit. It will take 30 minutes to four hours after the final step is completed before the data stream is established within Red Canary.
Note: If you see the “Failed to created Streaming API Settings Request Body is invalid or missing” dialog box, try the steps below:
The Event Hub Resource ID and Event Hub name fields are sensitive to stray characters: a space in either value will prevent the form from being submitted. Paste the resource ID and event hub name into Notepad to confirm that no spaces were copied, then resubmit.
Clear all the event fields, refresh the window, and try again.
If the steps above do not resolve the error, try this step from an incognito or private browser window.
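The troubleshooting note above boils down to one check: the two values pasted into the Streaming API form must carry no stray whitespace and must have the shape Azure expects. The following script is an added example (not part of this article or any Red Canary tooling) that performs that check before you submit the form. It goes slightly beyond the note by also flagging invisible characters that email clients sometimes inject on copy (non-breaking spaces, zero-width spaces, byte-order marks) and by checking that the resource ID follows the standard ARM path for an Event Hubs namespace. The naming-rule patterns encode Azure's documented constraints as this example understands them; treat them as a sanity check, not as the authority. The sample values are constructed placeholders, not real Red Canary credentials.

```python
import re
import unicodedata

# Constructed placeholder values for demonstration only; the real values arrive
# from Red Canary by email and must never be committed to a script.
SAMPLE_RESOURCE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-example-placeholder"
    "/providers/Microsoft.EventHub/namespaces/ehns-example-placeholder"
)
SAMPLE_HUB_NAME = "mde-streaming-example"

# ARM resource ID of an Event Hubs namespace (the "Event-Hub Resource ID" field).
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.EventHub/namespaces/(?P<ns>[^/]+)$",
    re.IGNORECASE,
)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Namespace: 6-50 chars, letters/digits/hyphens, starts with a letter, ends with letter or digit.
NAMESPACE_RE = re.compile(r"^[a-z][a-z0-9-]{4,48}[a-z0-9]$", re.IGNORECASE)
# Event hub entity name: 1-256 chars of letters/digits/. - _, starts and ends with letter or digit.
HUB_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._-]{0,254}[a-z0-9])?$", re.IGNORECASE)


def hidden_characters(value: str) -> list:
    """Locate whitespace and invisible format characters (NBSP, zero-width space, BOM)."""
    found = []
    for idx, ch in enumerate(value):
        if ch.isspace() or unicodedata.category(ch) == "Cf":
            found.append((idx, unicodedata.name(ch, f"U+{ord(ch):04X}")))
    return found


def normalize(value: str) -> str:
    """Trim outer whitespace (str.strip also removes NBSP) and drop invisible
    format characters anywhere. Inner spaces are deliberately kept so that
    validation reports them instead of silently masking a bad paste."""
    return "".join(ch for ch in value.strip() if unicodedata.category(ch) != "Cf")


def validate_streaming_api_values(resource_id: str, hub_name: str) -> list:
    """Return human-readable problems; an empty list means both values look submittable."""
    problems = []
    rid, hub = normalize(resource_id), normalize(hub_name)

    for label, val in (("Event-Hub Resource ID", rid), ("Event-Hub name", hub)):
        for idx, name in hidden_characters(val):
            problems.append(f"{label}: {name} at position {idx}")

    match = RESOURCE_ID_RE.match(rid)
    if not match:
        problems.append(
            "Event-Hub Resource ID: expected /subscriptions/<id>/resourceGroups/<rg>"
            "/providers/Microsoft.EventHub/namespaces/<namespace>"
        )
    else:
        if not GUID_RE.match(match.group("sub")):
            problems.append("Event-Hub Resource ID: subscription segment is not a GUID")
        if not NAMESPACE_RE.match(match.group("ns")):
            problems.append("Event-Hub Resource ID: namespace segment violates naming rules")
    if not HUB_NAME_RE.match(hub):
        problems.append("Event-Hub name: violates naming rules (letters, digits, . - _, 1-256 chars)")
    return problems


if __name__ == "__main__":
    # Paste the values you received into these two variables (or read them from stdin).
    for problem in validate_streaming_api_values(SAMPLE_RESOURCE_ID, SAMPLE_HUB_NAME):
        print("PROBLEM:", problem)
```

Run it with the two values you received; an empty result means the paste is clean and the form should accept it, while a "SPACE at position N" line points at exactly the character Notepad would have revealed.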
For a walkthrough of these steps, review this video:
Grant Red Canary permissions to your Microsoft Defender for Endpoint API
After you configure your onboarding account, you can grant Red Canary permissions to your Defender for Endpoint API. This enables the Red Canary platform to retrieve alerts, process endpoint metadata, and orchestrate actions on endpoints.
To grant permissions to your Microsoft Defender for Endpoint API:
WAIT 15 MINUTES AFTER CONFIGURING STREAMING API TO PERFORM THESE STEPS.
Log in to your global administrator Microsoft account (MFA is required).
Approve permissions for Red Canary API integration.
Grant Red Canary analysts read-only access to your Microsoft Defender console
After you grant permissions to your Microsoft Defender for Endpoint API, you can give Red Canary read-only access to your Defender for Endpoint console using role-based access control; see Manage portal access using role-based access control in Microsoft Docs for more information. This enables your Red Canary teams, such as your threat hunting and detection engineering teams, to perform ad-hoc hunting and investigation of potential threats in your environment.
Note: This process requires an Entra ID Premium P2 license. If you have an Entra ID Premium P1 license, see Entra ID P1 License - Grant Red Canary Read-Only Access to Microsoft Defender in the Red Canary Help Center.
Step 1: Prepare your Microsoft Entra group for Role-Based Access Control, and link the Red Canary active directory tenant
Navigate to Azure, and log in with your global administrator account.
Expand the navigation pane, and then select Entra ID | Groups | New Group.
Fill in the group parameters with the following values:
Group Type: Security
Group Name: Red Canary
Group Description: Red Canary Access Group
Entra ID roles can be assigned to the group (Preview): Yes
Roles: Security Reader
Membership Type: Assigned
Owners: No owners selected
Members: No members selected
Click Create, and then click Identity Governance. (You may need to search for it in the search bar.)
Under Entitlement Management, select Connected organizations, and then Add connected organization.
Fill out the form with the following values:
Basics
Name: Red Canary
Description: Red Canary Access Group
State: Configured
Directory + domain
Click Add directory + domain.
Type redcanary.com into the tenant ID search bar. Highlight the entry, and click Select.
Sponsors
Under Add Internal Sponsor, click Add/Remove.
Search for the name of your active directory administrator, highlight the account, and click Select.
Review the parameters, and then click Create.
Step 2: Enable Microsoft Defender XDR Unified Role-based Access (RBAC) in Microsoft Defender for Endpoint
Create an RBAC role within Defender for your endpoints, and then assign the Red Canary Entra ID security group to the role.
Navigate to Microsoft, and log in with your global administrator account.
Follow the steps here to activate your Endpoints & Vulnerability Management workloads directly in Microsoft Defender XDR settings.
From the navigation pane, select Permissions. Under Microsoft Defender XDR, select Roles.
From the Permissions and roles page, click Create Custom Role.
Fill out the form with the following values:
Role Name: Red Canary
Description: Red Canary Access Role
Click Next.
Under Permissions, select Security Operations.
Check the following boxes:
Select custom permissions
  Security data
    Select custom permissions
    Security data basics (read)
  Raw data (Email and collaboration)
    Select custom permissions
    Email & collaboration metadata (read)
Click Apply.
Click Authorization and settings, then click Next.
Check the following boxes:
Select custom permissions.
  Authorization
    Select Read-only.
  Security Settings
    Select custom permissions.
    Core security settings (read)
  System settings
    Read-only (Defender for Office, Defender for Identity)
Click Apply.
Click Next.
Click Create assignment (or +add assignment).
Click Next.
Add the Assignment name.
Note: The name should reflect the assignment.
Assign the users and groups.
Under Data Sources, ensure all the boxes are checked.
Click Add.
Click Next.
Review the content and click Submit.
Step 3: Configure your Microsoft Entra Identity Governance Access Packages
Navigate to Azure and log in with your global administrator account.
Expand the navigation pane, and then select Entra ID | Identity Governance.
Under Entitlement Management, select Catalogs, and then New Catalog.
Fill out the form with the following values:
Name: Red Canary Access
Description: Red Canary MTP Service Access Catalog
Enabled: Yes
Enabled for external users: Yes
Under Entitlement Management, select Access Package, and then New Access Package.
Fill out the forms with the following values:
Basics
Name: Red Canary Access Package
Description: Red Canary Access
Catalog: Red Canary Access
Resource Roles
Select Groups and Teams | Red Canary | Member | Select.
Important: In order to select the Red Canary Group, make sure to select See all Group and Team(s) not in the Red Canary Access catalog. You must have the correct permissions to add them in this access package.
Requests
Select For users not in your directory, Specific connected organizations, and then Red Canary.
Require Approval: No
Enable new requests and assignments: Yes
Lifecycle
Access package assignments expire: Never
Users can request specific timeline*: No
Require access reviews: Yes
Starting on: [today's date]
Review frequency: Bi-annually
Duration in days: 90
Reviewers: Specific reviewers
Click Add reviewers.
Select the members of your organization responsible for IAM review procedures.
Review the parameters, and then click Create.
Select the newly created access package under Entra Portal | Active Directory | Identity Governance | Access Packages | Red Canary.
Under Properties, copy the “My access portal link.”
Provide the link to your Red Canary contact.
Using device groups
If your organization uses device groups, add permissions by completing the following steps:
Navigate to Microsoft and log in with your global administrator account.
Select Settings > Endpoints > Device Groups.
Navigate to Assigned User Groups.
Select the Red Canary group previously created in Entra ID. Add that group to Entra ID user groups with this role, and click Save.
Go to Settings > Permissions > Machine Groups.
Click on a machine group name.
From User Access, select the checkbox to grant access to the Red Canary group.
Repeat the previous two steps (selecting a machine group and granting the Red Canary group access) for all machine groups.
IMPORTANT: Once you've added the Red Canary group to the device groups, go back to Settings | Endpoints | Device Groups and be sure to click Apply Changes; otherwise, the device group settings will not be saved.
Integrate Graph v2 Security Alerts
As a last step to integrating this EDR source, please follow the directions in Integrate Microsoft Graph v2 with Red Canary.