Integrate Microsoft Azure with Red Canary
    • 09 Sep 2024

    Integrating Microsoft Azure with Red Canary enhances cloud security by providing advanced threat detection and response capabilities. This integration allows organizations to gain deeper visibility into cloud environments, identify and prioritize critical threats, and accelerate incident response times, ultimately reducing the risk of data breaches and downtime. To integrate Microsoft Azure with Red Canary, follow the procedure below from beginning to end.


    • Ensure you are subscribed to Red Canary's Cloud Control Planes license.

    • You must have Azure Global Admin rights.

    • Enable “Access management for Azure resources” for your Azure Global Admin account.

    • Users performing integration steps need the Owner role on the management group. To grant this, use the command below (permissions can be revoked after validation):

    az role assignment create --assignee <User ID> --scope "/" --role "Owner"
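
The Owner grant at scope "/" above is tenant-wide, and enabling “Access management for Azure resources” assigns User Access Administrator at the same scope. The sketch below is an added example, not Red Canary's code: it filters `az role assignment list` output for both and prints the matching delete commands for review. The sample principals and the keep-list argument are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Red Canary's code): find tenant-wide grants left over
# from onboarding and print the commands that revoke them.
# Live input, one tab-separated assignment per line:
#   az role assignment list --scope "/" \
#     --query "[].[principalName, roleDefinitionName, scope]" --out tsv

# Constructed sample of that output: principal, role, scope.
sample_assignments() {
  printf '%s\t%s\t%s\n' \
    'onboarding.admin@example.com' 'Owner' '/' \
    'onboarding.admin@example.com' 'User Access Administrator' '/' \
    'platform.team@example.com' 'Owner' '/providers/Microsoft.Management/managementGroups/example-mg' \
    'breakglass@example.com' 'Owner' '/'
}

# Keep only Owner / User Access Administrator held at root scope "/".
root_scope_privileged() {
  awk -F '\t' '$3 == "/" && ($2 == "Owner" || $2 == "User Access Administrator") {
    print $1 "\t" $2 }'
}

# Print (do not run) one delete command per finding.
# $1 = comma-separated principals that must keep access (hypothetical keep-list).
revoke_commands() {
  awk -F '\t' -v keep="$1" '
    BEGIN { n = split(keep, k, ","); for (i = 1; i <= n; i++) skip[k[i]] = 1 }
    !($1 in skip) {
      printf "az role assignment delete --assignee \"%s\" --scope \"/\" --role \"%s\"\n", $1, $2
    }'
}

# Demo over the constructed sample; the management-group-scoped row is ignored.
sample_assignments | root_scope_privileged | revoke_commands 'breakglass@example.com'
```

Run the audit again after validation to confirm that no onboarding account still holds either role at "/".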

    Note: You may experience a potential increase in Azure costs depending on the volume of new logs exported to your Log Analytics workspace as part of the MDR for Azure integration.

    • Affected Logs: Log Analytics Workspace, Log Analytics Data Export, Platform Logs (Storage Diagnostic Settings)

    • For more information, see Pricing - Azure Monitor

    Azure Region Support:

    Microsoft Azure’s region uaenorth does not currently support Premium Event Hubs. The impact of this is that Red Canary currently cannot process telemetry or alerts from infrastructure in the uaenorth Azure region. This is expected to continue at least through October 2024.

    Step 1: Set up the Azure infrastructure

    Download the Red Canary Bicep file and upload it to your Azure Cloud Shell.

    1. From your Red Canary homepage, click Microsoft Azure.

    2. Enter a name for your new Microsoft Azure integration.

    3. Click Red Canary Bicep File to download the required file. You’ll use this in a later step.

    4. Copy and then save the command below. You’ll use this in a later step.

      Note: For the <TenantId> below, enter your Azure Tenant ID.

      az deployment mg create --name 'RCLogIngestPolicy' \
        --location eastus \
        --template-file RedCanary.bicep \
        --management-group-id <TenantId>

      Microsoft Azure

    5. From your Microsoft Azure homepage, click Cloud Shell.

    6. From the Cloud Shell dropdown, select Bash.

    7. Click Upload File.

    8. Click Upload.

    9. Select the Red Canary Bicep File you downloaded in Step 1.4.

    10. From the Cloud Shell command, paste and then run the command from Step 1.5.

      Red Canary

    11. Select I’ve deployed the Bicep file.

    12. Copy the entire command below and then save the command. You’ll use this in a later step.

      az account list --query "[].id" \
        --out tsv | xargs -I {} -P 10 az policy remediation \
        create --name RCLogConfigurationAccessDeploy --policy-assignment RCLogConfigurationAccess \
        --resource-discovery-mode ReEvaluateCompliance --subscription "{}"
      az account list --query "[].id" \
        --out tsv | xargs -I {} -P 10 az policy remediation \
        create --name RCAutomationRgDeploy --policy-assignment RCAutomationRg \
        --resource-discovery-mode ReEvaluateCompliance --subscription "{}"

      Microsoft Azure

    13. From the Cloud Shell command, paste and then run the entire command from the step above.

      Note: This command runs a remediation to apply the diagnostic setting policies to all existing subscriptions.

      Red Canary

    14. Select I’ve Connected my existing subscriptions.

    15. Click Next.

    Step 2: Configure an Azure Log Analytics workspace to collect Entra ID logs

    For Red Canary to start receiving your telemetry, you must send your data from your environment to an Azure Log Analytics workspace.

    Note: If you already have an Azure Log Analytics workspace ingesting logs, including ADFSSignInLogs, AuditLogs, ManagedIdentitySignInLogs, ServicePrincipalRiskEvents, ServicePrincipalSignInLogs, SignInLogs, and UserRiskEvents, select I already have a Log Analytics workspace set up and continue on to Step 2.20.

    1. Select I need to set up a Log Analytics workspace.

      Microsoft Azure

    2. Log in to Microsoft Azure using a Global Admin account for the tenant that you want to integrate with Red Canary.

    3. In the search bar, type and then select Resource groups.

    4. Click +Create.

    5. From the Subscription dropdown, select the subscription which you would like to house your Azure Log Analytics Workspace.

    6. Enter a Resource Group name.

      (Example: Red_Canary_Resources)

    7. From the Region dropdown, select your local region.

    8. Click Next: Tags >.

    9. Click Next: Review + create >.

    10. Click Create.

    11. In the search bar, type and then select Log Analytics workspaces.

    12. Click +Create.

    13. From the Subscription dropdown, select the subscription you want associated with this workspace.

    14. From the Resource group dropdown, select the Resource group created in Step 2.6.

    15. Enter a name for the Instance details.

      (Example: Red_Canary_Log_Analytic_workspace)

    16. From the Region dropdown, select your local region.

    17. Click Next: Tags >.

    18. Click Next: Review + create >.

    19. Click Create.

      Red Canary

    20. Select I’ve completed creating the Log Analytics workspace.

      Note: If you already have a Log Analytics workspace to collect Entra ID logs, select I already have a Log Analytics workspace setup to collect Entra ID logs, and then click Next to continue on with Step 3.

    21. Select I need to configure my Log Analytics workspace to collect Entra ID logs.

      Microsoft Entra

    22. Log in to Microsoft Entra using a Security Admin account.

    23. In the search bar, type and then select Microsoft Entra ID.

    24. From the Monitoring section, click Diagnostic settings.

    25. Click + Add diagnostic setting.

    26. Enter a name for your diagnostic setting.

    27. From the Categories section, select the following:

      1. ADFSSignInLogs

      2. AuditLogs

      3. ManagedIdentitySignInLogs

      4. ServicePrincipalRiskEvents

      5. ServicePrincipalSignInLogs

      6. SignInLogs

      7. UserRiskEvents

    28. From the Destination details section, select Send to Log Analytics workspace.

    29. From the Subscription dropdown, select the subscription you want associated with this Diagnostic setting.

    30. From the Log Analytics workspace dropdown, select the workspace from Step 2.15.

    31. Click Save.

      Red Canary

    32. Select I’ve completed configuring my Log Analytics workspace to collect Entra ID logs.

    33. Click Next.

    Step 3: Configure Red Canary to integrate with your Azure Tenant

    1. Enter the Azure Tenant ID.

      Microsoft Azure

    2. To find the Tenant ID, log into Microsoft Azure.

    3. In the search bar, type and then select Tenant Properties.

    4. Copy and then paste the Tenant ID into Red Canary.

      Red Canary

    5. Enter the Log analytics Workspace ID.

      Microsoft Azure

    6. To find the Log analytics Workspace ID, log into Microsoft Azure.

    7. In the search bar, type and then select Log Analytics workspace.

    8. Click the workspace that was created in Step 2.15.

    9. Click Properties.

    10. Copy and then paste the Resource ID into Red Canary.

      Red Canary

    11. Click Save.

      Note: Red Canary will now begin provisioning your resources. This could take up to 20 minutes. The integration status will show Provisioning during this time. It will update to Active once completed.

    Step 4: Utilize Entra ID Response Actions

    Follow the steps in Response Actions for Entra ID to enable automated playbooks, configured in Red Canary, to take action in Entra ID.


    Does it matter which Azure region we configure and execute the Bicep file in?

    The location is only used to execute the Bicep file, which grants access to Red Canary. The actual data export will operate in the same regions as your infrastructure.

    What do the az account list commands do?

    During onboarding, the Bicep file creates two policies: one that grants Red Canary access to each subscription and one that creates a resource group in each subscription for placing Defender for Cloud streaming configurations. The az account list commands create a policy evaluation and remediation task for each account (subscription) and policy so that the process to grant access starts as soon as possible.

    Can the westus2 region talk to the eastus region, and do we need security configuration to do so?

    A security configuration is not required for onboarding. As mentioned earlier, the region specified is only used to set up global access. Actual communication and data exports stay inside the region.

    Should we use another WestUS region to stay geographically close to avoid higher latency and packet loss?

    No, you do not need to change regions.

    How do I enable Management groups in my Azure directory?

    1. From your Microsoft Azure homepage, in the search bar, type and then select Management groups.

    2. If there are no management groups listed, click Start using Management Groups to enable management groups in your Azure directory.

    3. Refresh the page and verify the listing includes the default Tenant Root Group Management Group created for your directory.

    Can I limit Red Canary’s access to Azure subscriptions and resources?

    Yes. Follow the steps below to limit Red Canary’s access to your Azure subscriptions and resources.

    Scoping diagnostic settings to select Azure subscriptions

    By default, Red Canary requests access permissions to be granted on the Tenant Root Group management group. This enables Red Canary to monitor control plane activity for all resources within all subscriptions.

    Red Canary users can limit the scope of Red Canary’s monitoring by utilizing management groups that contain only the subscriptions they wish to have monitored.

    If your organization has not yet enabled Management groups, you must enable them first. For more information on this process, see how do I enable Management groups in my Azure directory. If you can navigate to management groups in the Azure portal and see a root management group, they are already enabled.

    Step 1.4 requires you to build a command that will be executed in the Azure Cloud Shell. Within this command, we ask you to paste your Tenant ID in place of <TenantId> in the Red Canary provided code. To limit the scope, replace this value with the ID of the management group containing the subscriptions to be monitored. The default command:

    az deployment mg create --name 'RCLogIngestPolicy' \
      --location eastus \
      --template-file RedCanary.bicep \
      --management-group-id <TenantId>

    becomes:

    az deployment mg create --name 'RCLogIngestPolicy' \
      --location eastus \
      --template-file RedCanary.bicep \
      --management-group-id <Management Group ID>

    You then run the two commands from Step 1.12. These commands will apply the Bicep file from earlier to all of the subscriptions utilizing an Azure Policy. For more information, see Microsoft’s Azure Policy overview.

    During the remediation of the Azure Policy, multiple errors will occur where the policy cannot apply to subscriptions not in the management group. These errors are expected behavior when only onboarding a portion of subscriptions. The errors warn that the Bicep file did not apply to all the tenant subscriptions. To check for successful onboarding, look at the Azure policy’s compliance page to ensure that the subscriptions in the management group meet the policy.
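
One way to tell the expected errors from the ones that need attention, as an added example that is not part of Red Canary's procedure: compare per-subscription remediation results with the list of subscriptions in the onboarded management group. The subscription IDs, the `ok`/`error` result format and the verdict labels are constructed for illustration; run it once per policy.

```shell
#!/bin/sh
# Added example (not Red Canary's code): sort remediation errors into the
# expected ones (subscription outside the onboarded management group) and
# the ones that need attention.

# Constructed: subscription IDs inside the onboarded management group.
mg_subscriptions() {
  printf '%s\n' \
    '11111111-1111-1111-1111-111111111111' \
    '22222222-2222-2222-2222-222222222222' \
    '44444444-4444-4444-4444-444444444444'
}

# Constructed: "<subscription-id> <ok|error>" per remediation command,
# assumed to be recorded from each command's exit status.
remediation_results() {
  printf '%s %s\n' \
    '11111111-1111-1111-1111-111111111111' ok \
    '22222222-2222-2222-2222-222222222222' error \
    '33333333-3333-3333-3333-333333333333' error
}

# $1 = file of in-scope subscription IDs, $2 = file of results.
triage() {
  awk '
    FILENAME == ARGV[1] { in_mg[$1] = 1; next }
    {
      seen[$1] = 1
      if ($1 in in_mg) { verdict = ($2 == "ok") ? "onboarded" : "investigate" }
      else { verdict = ($2 == "error") ? "expected-error" : "wider-than-intended" }
      print $1, verdict
    }
    END { for (s in in_mg) if (!(s in seen)) print s, "not-remediated" }
  ' "$1" "$2"
}

# Run the triage over the constructed samples.
demo_triage() {
  tmp=$(mktemp -d) || return 1
  mg_subscriptions > "$tmp/mg"
  remediation_results > "$tmp/results"
  triage "$tmp/mg" "$tmp/results"
  rm -rf "$tmp"
}

demo_triage
```

Only `investigate`, `not-remediated` and `wider-than-intended` rows need follow-up; confirm the rest on the policy's compliance page as described above.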

    Log Analytics Workspace & Entra ID Logs (Tenant Level Logs)

    Entra ID creates logs at the Tenant Level. These logs focus on Audit and Login actions. Red Canary ingests these logs to provide identity-based protection. For more information, see the Azure Audit Logs overview and the Entra Sign-in Logs overview.

    Step 2 asks you to configure an Azure Log Analytics workspace to collect Entra ID logs.

    To ingest these logs, Red Canary must have access to the Log Analytics Workspace subscription. Therefore, the Log Analytics Workspace must be in one of the subscriptions belonging to the management group to which Red Canary has been granted access.

    If your organization already pushes Microsoft Entra ID Logs to a Log Analytics workspace in a subscription not contained in the Management Group, create a second Log Analytics workspace to which Red Canary does have access. This second Log Analytics workspace may incur additional costs. For more information, see Azure Monitor Pricing.

    Remove Microsoft Azure from Red Canary

    Step 1: Red Canary–Remove Microsoft Azure from Red Canary’s Integration page

    1. From your Red Canary homepage, click Integrations.

    2. Locate and then click the Microsoft Azure integration you want to remove.

    3. Click the icon.

    4. Click OK.

    Step 2: Microsoft Azure–Run the Red Canary provided script

    1. From your Microsoft Azure homepage, click Cloud Shell.

    2. From the Cloud Shell dropdown, select Bash.

    3. Click Upload File.

    4. Click Upload.

    5. Select and upload the Red Canary provided script located here.

      Note: This automated script will remove the Azure resources created during onboarding. These resources include two Azure Policies: Red Canary's role assignments to access the Subscriptions in your Management Group and a Resource Group created for exporting Microsoft Defender for Cloud alert data.

    6. From the Cloud Shell command, enter the ls command to confirm the script file appears in the output.

    7. Use the following command to grant execution permissions to the script file:

      chmod +x

    8. Execute the script file:


    Step 3: Microsoft Azure–Remove the Log Analytics Data Export rule for Microsoft Entra ID

    1. From the Cloud Shell command, enter the code below:

      Note: For the log-analytics-workspace-name, subscription-id, and resource-group-name below, enter your Azure related info.

      az monitor log-analytics workspace data-export delete --name RC-Entra-Data-Export \
        --workspace-name log-analytics-workspace-name --subscription subscription-id \
        --resource-group resource-group-name --yes

      1. log-analytics-workspace-name: The name of the Log Analytics Workspace used for the integration.

      2. subscription-id: The ID of the Subscription containing the Log Analytics Workspace.

      3. resource-group-name: The name of the Resource Group containing the Log Analytics Workspace.
