Active Remediation Device Group Set Up in Microsoft Defender for Endpoint


As part of the Active Remediation setup, you must grant Red Canary access to the specific endpoints intended for Active Remediation tasks. This involves creating a device group with the specified endpoints and assigning access to the Red Canary Active Remediation team. Follow the steps below in your Microsoft Defender portal.

  1. Log in to your Microsoft Defender portal.

  2. Go to Settings > Endpoints > Permissions > Device groups.

  3. Add a new device group that includes all of your Active Remediation endpoints, or rename any current device group(s) that contain your Active Remediation endpoints.

  4. Name the device group starting with “Remediate…”. For example, “Remediate Accounting Machines”. This is the easiest way to classify and group all of the endpoints you want Red Canary to have access to for Active Remediation.

    Note

    If you want Red Canary to perform Active Remediation actions on all of your endpoints, create a device group that contains all of your endpoints and name it using the Active Remediation (“Remediate…”) naming convention.

  5. Assign the Red Canary Active Remediation user group you created in “Grant Red Canary Access to Your Microsoft Defender Console for Active Remediation” to the device group.

  6. Click Close. The configuration changes are applied.
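To confirm the result of the steps above, the following added example (not Red Canary or Microsoft code) compares a device inventory against the list of endpoints you intended for Active Remediation, flagging intended endpoints that are not in a “Remediate…” group and endpoints that landed in one unintentionally. The field names `computerDnsName` and `rbacGroupName` are assumptions about the shape of your Defender device export, and the hostnames are constructed sample data.

```python
PREFIX = "Remediate"  # naming convention from step 4


def audit_remediate_groups(machines, intended_hosts):
    """Compare device-group placement with the intended Active Remediation scope.

    machines: list of dicts with 'computerDnsName' and 'rbacGroupName'
              (assumed field names; adjust to match your export).
    intended_hosts: hostnames Red Canary should be able to remediate.
    """
    intended = {h.lower() for h in intended_hosts}
    seen = set()
    report = {"covered": [], "missing": [], "unexpected": [], "not_in_inventory": []}
    for m in machines:
        host = (m.get("computerDnsName") or "").lower()
        if not host:
            continue  # skip records without a usable hostname
        group = m.get("rbacGroupName") or ""  # ungrouped devices may carry null
        in_ar_group = group.startswith(PREFIX)
        seen.add(host)
        if host in intended and in_ar_group:
            report["covered"].append(host)
        elif host in intended:
            # Intended for Active Remediation but not in a "Remediate..." group
            report["missing"].append((host, group or None))
        elif in_ar_group:
            # In a "Remediate..." group but never listed as intended
            report["unexpected"].append((host, group))
    report["not_in_inventory"] = sorted(intended - seen)
    return report


# Constructed sample data, not taken from a real tenant.
SAMPLE_MACHINES = [
    {"computerDnsName": "acct-01.corp.example", "rbacGroupName": "Remediate Accounting Machines"},
    {"computerDnsName": "ACCT-02.corp.example", "rbacGroupName": "Accounting"},
    {"computerDnsName": "hr-01.corp.example", "rbacGroupName": "Remediate Accounting Machines"},
    {"computerDnsName": "dev-01.corp.example", "rbacGroupName": None},
]
SAMPLE_INTENDED = ["acct-01.corp.example", "acct-02.corp.example", "acct-03.corp.example"]

if __name__ == "__main__":
    for category, items in audit_remediate_groups(SAMPLE_MACHINES, SAMPLE_INTENDED).items():
        print(f"{category}: {items}")
```

Entries under `unexpected` are the ones to review first, since they grant remediation access beyond the scope you planned.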