Permission Requirements for Microsoft


Red Canary requires certain permissions to integrate with Microsoft security tools. This article describes the permissions Red Canary holds once you grant it access to your Microsoft services, and why each one is needed.

Microsoft Defender for Endpoint

Red Canary requires permissions to access Defender for Endpoint data using the Defender for Endpoint API.

Defender for Endpoint API Permissions

Permission: AdvancedQuery.Read.All
Purpose: Allows Red Canary to run advanced queries.
Justification: Red Canary uses this permission to run advanced hunting queries that proactively find threats, investigate activities, and understand complex attacks.

Permission: Alert.Read.All
Purpose: Allows Red Canary to read any alert.
Justification: Red Canary uses this permission to ingest and analyze all security alerts from Defender for Endpoint to identify, validate, and prioritize threats for investigation.

Permission: Alert.ReadWrite.All
Purpose: Allows Red Canary to create or update any alert.
Justification: Red Canary uses this permission to update Defender for Endpoint alert statuses and details during our investigation and response.

Permission: Event.Write
Purpose: Allows Red Canary to create events in the machine timeline.
Justification: Red Canary uses this permission to add contextual events or annotations to machine timelines, such as our own actions or observations during an investigation.

Permission: File.Read.All
Purpose: Allows Red Canary to read all file profiles.
Justification: Red Canary uses this permission to retrieve detailed file information from endpoints to investigate suspicious files and understand their potential impact.

Permission: Ip.Read.All
Purpose: Allows Red Canary to read all IP address profiles.
Justification: Red Canary uses this permission to investigate suspicious network connections and correlate them with our threat intelligence.

Permission: Machine.CollectForensics
Purpose: Allows Red Canary to collect forensics from a machine.
Justification: Red Canary uses this permission to collect in-depth forensic data from machines for use during incident response or threat investigations.

Permission: Machine.Isolate
Purpose: Allows Red Canary to isolate any device that runs the Defender for Endpoint sensor.
Justification: Red Canary uses this permission to contain active threats on a single machine.

Permission: Machine.Offboard
Purpose: Allows Red Canary to offboard a machine from the service.
Justification: Red Canary uses this permission to manage endpoint lifecycles by offboarding machines, such as during device decommissioning or when a customer transitions to a different solution.

Permission: Machine.Read.All
Purpose: Allows Red Canary to read all machine profiles, including the commands that were sent to each machine.
Justification: Red Canary uses this permission to retrieve machine information such as posture, health, and activity, as context for our investigations.

Permission: Machine.ReadWrite.All
Purpose: Allows Red Canary to create machine records and to read or update any machine record.
Justification: Red Canary uses this permission to update machine records in Defender for Endpoint, such as applying tags for grouping or classification, as device context for our investigations.

Permission: Machine.RestrictExecution
Purpose: Allows Red Canary to restrict code execution on a machine according to policy.
Justification: Red Canary uses this permission to restrict unapproved or malicious code execution on compromised machines, based on customer policies, as a critical response action to prevent harm.

Permission: Machine.Scan
Purpose: Allows Red Canary to scan a machine.
Justification: Red Canary uses this permission to initiate antivirus scans on machines to detect and identify malware.

Permission: Machine.StopAndQuarantine
Purpose: Allows Red Canary to stop a file running on a machine and to quarantine that file.
Justification: Red Canary uses this permission to stop malicious processes and quarantine associated files on endpoints to neutralize active threats.

Permission: Score.Read.All
Purpose: Allows Red Canary to read any Threat and Vulnerability Management score.
Justification: Red Canary uses this permission to access Threat and Vulnerability Management scores for devices to evaluate their security status and contextualize our alerts and investigations.

Permission: SecurityConfiguration.Read.All
Purpose: Allows Red Canary to read all security configurations.
Justification: Red Canary uses this permission to retrieve endpoint security configuration details to understand their baseline posture, identify misconfigurations, and provide context for our investigations.

Permission: SecurityRecommendation.Read.All
Purpose: Allows Red Canary to read any Threat and Vulnerability Management security recommendation.
Justification: Red Canary uses this permission to access Threat and Vulnerability Management security recommendations to understand weaknesses and provide customers with actionable advice.

Permission: Software.Read.All
Purpose: Allows Red Canary to read any Threat and Vulnerability Management software information.
Justification: Red Canary uses this permission to retrieve endpoint software information (versions, vulnerabilities, etc.) to assess risks, provide context for our alerts, and support vulnerability management discussions.

Permission: Ti.Read.All
Purpose: Allows Red Canary to read all IOCs.
Justification: Red Canary uses this permission to read all existing IOCs in the customer's Defender instance to understand the threat landscape and ensure our actions complement existing configurations.

Permission: Ti.ReadWrite
Purpose: Allows Red Canary to create IOCs and to read or update IOCs it created.
Justification: Red Canary uses this permission to create and manage our own set of IOCs in Defender for Endpoint based on our threat intelligence and investigation findings, for threat blocking and detection.

Permission: Ti.ReadWrite.All
Purpose: Allows Red Canary to manage all IOCs of the tenant.
Justification: Red Canary uses this permission to manage the full lifecycle of all IOCs in the customer's Defender tenant, allowing us to add our threat intelligence and help maintain IOC list hygiene.

Permission: Url.Read.All
Purpose: Allows Red Canary to read all URL profiles.
Justification: Red Canary uses this permission to retrieve URL access information from endpoints to investigate suspicious web activity.

Permission: User.Read.All
Purpose: Allows Red Canary to read all user profiles.
Justification: Red Canary uses this permission to access user data, which helps identify which internal organization or department, and its corresponding data, may be impacted by an incident.

Permission: Vulnerability.Read.All
Purpose: Allows Red Canary to read any Threat and Vulnerability Management vulnerability information.
Justification: Red Canary uses this permission to access detailed endpoint vulnerability information from Threat and Vulnerability Management, to assess its potential impact and provide targeted recommendations or context for our security alerts.

Microsoft Defender Portal

Which permissions you must assign in the Microsoft Defender portal depends on which Red Canary service you use: Managed Detection and Response (MDR), or Managed Detection and Response + Active Remediation.

Defender for Endpoint Permissions

Red Canary Product: Managed Detection and Response

Permission: Defender for Endpoint: View Data (Security Operations)
Description: Allows Red Canary to view:
  • Alerts
  • Incidents
  • Automated Investigation
  • Advanced Hunting
  • Device Pages
Justification: Red Canary uses this permission to view alert data and perform advanced hunting queries in Defender for Endpoint.

Permission: Defender for Endpoint: View Data (Threat and Vulnerability Management)
Description: Allows Red Canary to view Defender for Endpoint Vulnerability Management data in the Microsoft Defender portal.
Justification: Red Canary uses this permission to view Threat and Vulnerability Management status in Defender for Endpoint, to better assess the risk of threats.

Red Canary Product: Managed Detection and Response + Active Remediation

Permission: Defender for Endpoint: View Data (Security Operations)
Description: Allows Red Canary to view:
  • Alerts
  • Incidents
  • Automated Investigation
  • Advanced Hunting
  • Device Pages
Justification: Red Canary uses this permission to view alert data or perform advanced hunting queries in Defender for Endpoint.

Permission: Defender for Endpoint: View Data (Threat and Vulnerability Management)
Description: Allows Red Canary to view Defender for Endpoint Vulnerability Management data in the Microsoft Defender portal.
Justification: Red Canary uses this permission to view the Threat and Vulnerability Management status, to better assess the risk of threats.

Permission: Defender for Endpoint: Active Remediation Actions (Security Operations)
Description: Allows Red Canary to:
  • Take response actions
  • Approve or dismiss pending remediation actions
  • Manage allowed/blocked lists for automation and indicators
Justification: Red Canary uses this permission to actively neutralize threats and protect customer environments by taking direct remediation actions on endpoints, managing automated responses, and controlling security indicators.

Permission: Defender for Endpoint: Alerts Investigations
Description: Allows Red Canary to:
  • Manage alerts
  • Initiate automated investigations
  • Run scans
  • Collect investigation packages
  • Manage device tags
  • Download only portable executable (PE) files
Justification: Red Canary uses this permission to analyze alerts within Defender for Endpoint.

Permission: Defender for Endpoint: Live Response (Advanced)
Description: Allows Red Canary to:
  • Start a live-response session
  • Download a file from the remote device via live response
  • Download PE and non-PE files from the file page
  • Upload a file to the remote device
  • View a script from the files library
  • Execute a script on the remote device from the files library
Justification: Red Canary uses this permission to use the Live Response functionality in Defender for Endpoint to perform remediation actions.

Entra ID

An Entra ID security role lets Red Canary read alert data for the Microsoft Defender XDR products other than Defender for Endpoint in the Defender portal. The role required depends on which Red Canary service you use: Managed Detection and Response (MDR), or Managed Detection and Response + Active Remediation.

Entra ID Security Role Permissions

Red Canary Product: Managed Detection and Response

Permission: Security Reader
Description: Allows Red Canary to read security information in Entra ID and Microsoft Defender XDR. To learn more, see Security Reader.
Justification: Red Canary uses this role to view Microsoft Defender data from products other than Defender for Endpoint (such as Defender for Identity and Defender for Office 365) in the Defender portal.

Red Canary Product: Managed Detection and Response + Active Remediation

Permission: Security Administrator
Description: Allows Red Canary to read security information and manage security configuration in Entra ID and Microsoft Defender XDR. To learn more, see Security Administrator.
Justification: Red Canary uses this role to take remediation actions in Defender for Identity and Defender for Office 365.

Entra ID Protection Permissions

Red Canary requires the following permission for Response Actions for Entra ID Protection.

Permission: IdentityRiskyUser.ReadWrite.All
Description: Allows Red Canary to view and manage (confirm) the risk state of all users in a Microsoft Entra ID tenant.
Justification: Red Canary uses this permission to run the action that confirms a user as compromised in Identity Protection.

Permission: SecurityIdentitiesActions.ReadWrite.All
Description: Allows Red Canary to view and manage the Security Identity Actions associated with a user across Entra and Active Directory.
Justification: Red Canary uses this permission to enable and disable users in Entra and Active Directory simultaneously, which keeps on-prem Active Directory from accidentally re-enabling Entra users who have been disabled.

Permission: SecurityIdentitiesAccount.Read.All
Description: Allows Red Canary to view the Security Identity Accounts associated with a user across Entra and Active Directory.
Justification: Red Canary uses this permission to find a user's Security Identity Account and its associated Security Identity Account ID.

Microsoft Office 365

Red Canary ingests Exchange Online events from Office 365, which are stored in the Unified Audit Log within Microsoft Purview. Red Canary uses the Office 365 Management Activity API to programmatically read Exchange Online events from the Unified Audit Log.

Office 365 Management Activity API Permissions

Permission: ActivityFeed.Read
Description: Allows Red Canary to read activity data for your organization.
Justification: Red Canary uses this permission to detect suspicious activity and get context on an incident.

Permission: ActivityFeed.ReadDlp
Description: Allows Red Canary to read Data Loss Prevention (DLP) policy events for your organization, including detected sensitive data.
Justification: Red Canary uses this permission to monitor for DLP policy violations, investigate incidents, and proactively find anomalies.

Permission: User.Read.All
Description: Allows Red Canary to read the number of users.
Justification: Red Canary uses this permission to read the number of users for licensing purposes.

Microsoft Graph API

Red Canary utilizes the Microsoft Graph API to add comments to alerts from various Microsoft security services.

Microsoft Graph API Permissions

Permission: SecurityAlert.ReadWrite.All
Description: Allows Red Canary to read security events and update editable properties of those events across your organization without a signed-in user.
Justification: Red Canary uses this permission to query and update security alert data in your organization, for example to leave comments and keep alert state in sync.

Permission: SecurityIncident.ReadWrite.All
Description: Allows Red Canary to list and retrieve incidents, and to update incident details as needed.
Justification: Red Canary uses this permission to query and update security incident data in your organization.

Permission: ThreatHunting.Read.All
Description: Allows Red Canary to retrieve additional context from Threat Hunting queries.
Justification: Red Canary uses this permission to perform Advanced Hunting queries for additional context while investigating alerts.

Permission: User.Read.All
Description: Allows Red Canary to read user data across the entire tenant.
Justification: This permission is implicit and is included because of the other required permissions. It allows Red Canary to be granted access via admin consent by a Global Administrator.
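Before and after granting admin consent, a practitioner will want to confirm that the application permissions actually assigned to the vendor's service principal match the lists on this page and nothing more. The script below is an added example, not Red Canary's or Microsoft's code. It resolves the appRoleId GUIDs in a service principal's appRoleAssignments to permission names using each resource API's appRoles list, then reports documented-but-missing grants, granted-but-undocumented grants, and every grant that can change state. The RESOURCES and ASSIGNMENTS objects are constructed to look like Microsoft Graph responses; every GUID in them is a placeholder, and the sample deliberately omits Machine.Offboard and adds an undocumented Mail.ReadWrite grant so the report has something to show.

```python
"""Audit the application permissions a tenant has granted to a vendor's
service principal against a documented list.

Added example, not Red Canary's or Microsoft's code. RESOURCES and
ASSIGNMENTS are constructed to look like Microsoft Graph responses; every
GUID is a placeholder. In a live audit, replace them with the output of
  GET /v1.0/servicePrincipals/{vendorSpId}/appRoleAssignments
  GET /v1.0/servicePrincipals/{resourceSpId}?$select=id,displayName,appRoles
"""
import uuid

# Application permissions documented in the tables on this page, keyed by the
# resource API's service principal display name. The Entra ID Protection
# permissions are Microsoft Graph application permissions.
DOCUMENTED = {
    "WindowsDefenderATP": {
        "AdvancedQuery.Read.All", "Alert.Read.All", "Alert.ReadWrite.All",
        "Event.Write", "File.Read.All", "Ip.Read.All", "Machine.CollectForensics",
        "Machine.Isolate", "Machine.Offboard", "Machine.Read.All",
        "Machine.ReadWrite.All", "Machine.RestrictExecution", "Machine.Scan",
        "Machine.StopAndQuarantine", "Score.Read.All", "SecurityConfiguration.Read.All",
        "SecurityRecommendation.Read.All", "Software.Read.All", "Ti.Read.All",
        "Ti.ReadWrite", "Ti.ReadWrite.All", "Url.Read.All", "User.Read.All",
        "Vulnerability.Read.All",
    },
    "Office 365 Management APIs": {"ActivityFeed.Read", "ActivityFeed.ReadDlp", "User.Read.All"},
    "Microsoft Graph": {
        "SecurityAlert.ReadWrite.All", "SecurityIncident.ReadWrite.All",
        "ThreatHunting.Read.All", "User.Read.All", "IdentityRiskyUser.ReadWrite.All",
        "SecurityIdentitiesActions.ReadWrite.All", "SecurityIdentitiesAccount.Read.All",
    },
}

# --- constructed sample data (placeholder GUIDs, deterministic via uuid5) ---
_NS = uuid.UUID("12345678-1234-5678-1234-567812345678")


def _placeholder_id(*parts):
    return str(uuid.uuid5(_NS, ":".join(parts)))


def _resource(name, role_values):
    """Stand-in for a resource service principal and its appRoles list."""
    return {"id": _placeholder_id("sp", name), "displayName": name,
            "appRoles": [{"id": _placeholder_id(name, v), "value": v} for v in sorted(role_values)]}


def _assignments(resource, role_values):
    """Stand-in for the vendor principal's appRoleAssignments on one resource."""
    ids = {r["value"]: r["id"] for r in resource["appRoles"]}
    return [{"appRoleId": ids[v], "resourceId": resource["id"],
             "resourceDisplayName": resource["displayName"]} for v in sorted(role_values)]


_ATP = _resource("WindowsDefenderATP", DOCUMENTED["WindowsDefenderATP"])
_O365 = _resource("Office 365 Management APIs", DOCUMENTED["Office 365 Management APIs"])
_GRAPH = _resource("Microsoft Graph", DOCUMENTED["Microsoft Graph"] | {"Mail.ReadWrite"})
RESOURCES = {r["id"]: r for r in (_ATP, _O365, _GRAPH)}
# Drift built into the sample: one documented grant missing, one extra grant present.
ASSIGNMENTS = (_assignments(_ATP, DOCUMENTED["WindowsDefenderATP"] - {"Machine.Offboard"})
               + _assignments(_O365, DOCUMENTED["Office 365 Management APIs"])
               + _assignments(_GRAPH, DOCUMENTED["Microsoft Graph"] | {"Mail.ReadWrite"}))
# --- end of constructed sample data ---

READ_ONLY_SUFFIXES = (".Read", ".Read.All", ".ReadDlp")


def is_read_only(value):
    """Heuristic from Microsoft's permission naming: anything else can change state."""
    return value.endswith(READ_ONLY_SUFFIXES)


def granted_permissions(assignments, resources):
    """Resolve appRoleId GUIDs to permission names, grouped by resource API."""
    granted = {}
    for a in assignments:
        resource = resources.get(a["resourceId"])
        name = resource["displayName"] if resource else a.get("resourceDisplayName", a["resourceId"])
        roles = {r["id"]: r["value"] for r in resource["appRoles"]} if resource else {}
        granted.setdefault(name, set()).add(roles.get(a["appRoleId"], f"<unknown {a['appRoleId']}>"))
    return granted


def audit(granted, documented):
    """Per resource: documented-but-missing, granted-but-undocumented, and write-capable grants."""
    report = {}
    for name in sorted(set(granted) | set(documented)):
        have, want = granted.get(name, set()), documented.get(name, set())
        report[name] = {"missing": sorted(want - have), "unexpected": sorted(have - want),
                        "write_capable": sorted(v for v in have if not is_read_only(v))}
    return report


if __name__ == "__main__":
    for name, r in audit(granted_permissions(ASSIGNMENTS, RESOURCES), DOCUMENTED).items():
        print(f"{name}: missing={r['missing']} unexpected={r['unexpected']}")
        print(f"  write-capable grants: {', '.join(r['write_capable'])}")
```

The write-capable list is the part worth reading twice: on the sample it includes Machine.Isolate, Machine.Offboard (once granted), Machine.RestrictExecution, Machine.StopAndQuarantine and Ti.ReadWrite.All, which is the set of grants that let the vendor change the state of your tenant rather than just read it. Note that the delegated-portal roles (the Defender for Endpoint RBAC permissions and the Entra ID security roles earlier on this page) are not appRoleAssignments and have to be checked separately in the portal.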

Azure Active Directory Graph API Permissions

Azure AD Graph is a legacy API that Microsoft is retiring; Microsoft recommends migrating applications to Microsoft Graph.

Permission: Application.ReadWrite.OwnedBy
Purpose: Allows Red Canary to create other applications and fully manage the applications it owns (read, update, update application secrets, and delete) without a signed-in user. It cannot update applications it does not own.
Justification: Red Canary uses this permission to manage the lifecycle of the Red Canary application it creates in your Azure AD tenant. Should you ever stop using Red Canary, this permission lets us delete that application.