Grant Red Canary Access to Your Microsoft Defender Console for Active Remediation
- Updated on 18 Jul 2024
- 4 Minutes to read
This article guides you through the process of connecting Red Canary to your Microsoft Defender for Endpoint instance as part of the Active Remediation service.
The Active Remediation service requires that an additional access package be created using Microsoft Identity Governance. This access package grants membership in a security group that is bound to an elevated-permissions Microsoft Defender for Endpoint role, which provides the capabilities the Active Remediation service needs.
Prerequisites
Before you configure Active Remediation, be sure you’ve connected Red Canary to Defender for Endpoint. For more information, see Integrate Microsoft Defender for Endpoint with Red Canary.
Azure: Create the Active Remediation security group
From your Azure portal, log in with your global administrator account.
Expand the navigation pane, and then click Entra Active Directory.
Click Groups, and then click New Group.
Fill in the group parameters with the following values:
Group Type: Security
Group Name: Red Canary Active Remediation
Group Description: Red Canary Access Group for Active Remediation
Microsoft Entra AD roles can be assigned to the group: Yes
Roles: Security Reader
Membership Type: Assigned
Owners: No owners selected
Members: No members selected
Click Create.
Click Yes at the confirmation prompt.
Azure: Add Red Canary as a connected organization
Note: This step is only applicable if you have not already added Red Canary as a connected organization.
Navigate to Azure Active Directory, and then click Identity Governance.
Under Entitlement Management, click Connected organizations, and then click Add connected organization.
Fill out the form with the following values:
Name: Red Canary
Description: Red Canary Access Group
State: Configured
Click Add directory + domain.
Type redcanary.com into the tenant ID search bar.
Highlight the entry, and then click Select.
Under Add Internal Sponsor, click Add/Remove.
Search for the name of your Active Directory administrator, highlight the account, and then click Select.
Review the parameters, and then click Create.
Microsoft Defender XDR: Enable Role-Based Access controls in Microsoft Defender For Endpoint
From your Microsoft Defender XDR portal, log in with your global administrator account.
Click Settings, and then click Endpoints.
Click Roles.
Click Add item.
Fill out the form with the following values:
Role Name: Red Canary Active Remediation
Description: Red Canary Active Remediation Access Role
Click Security operations, and then click Edit.
Click Select custom permissions.
Under Security data, click Select custom permissions, and then select the following options:
Alerts (manage)
Response (manage)
Basic live response (manage)
Advanced live response (manage)
File collection (manage)
Under Raw data (Email and collaboration), click Select custom permissions, and then select the following option:
Email & collaboration metadata (read)
Click Apply.
Click Authorization and settings, then click Next.
Click Select custom permissions, and then check the following boxes:
Authorization: Read-only
Security settings: Select custom permissions, and then select Core security settings (read)
System settings: Read-only (Defender for Office, Defender for Identity)
Click Apply.
Click Apply.
Click Next.
Click Create assignment (or +add assignment).
Click Next.
Add the Assignment name.
Note: The name should reflect the assignment.
Assign the users and groups.
Under Data sources, ensure that all the boxes are checked.
Click Add.
Click Next.
Review the content and click Submit.
Microsoft Defender XDR: Grant Red Canary access to device groups
Note: Ensure that the Red Canary Active Remediation security group has been granted access to the Defender For Endpoint device groups.
This step is applicable only if there are device groups listed. By default, a device group is accessible to all users if there are no group assignments associated with the group.
From your Microsoft Defender XDR portal, log in with your global administrator account.
Click Settings, and then click Endpoints.
Click Device Group.
Review the User Access Column in the list of Device Groups.
Ensure that the Red Canary Active Remediation group is listed under User Access for the group.
Azure: Create the Microsoft Azure identity governance catalog
Note: This step is only applicable if you haven't already created an Identity Governance Catalog for Red Canary.
From your Azure portal, log in with your global administrator account.
Expand the navigation pane, select Azure Active Directory, and then select Identity Governance.
Under Entitlement Management, click Catalogs, and then click New Catalog.
Fill out the form with the following values:
Name: Red Canary Access
Description: Red Canary Access Catalog
Enabled: Yes
Enabled for external users: Yes
Azure: Create the Microsoft Azure identity governance access packages for Active Remediation
From your Azure portal, log in with your global administrator account.
Expand the navigation pane, and then click Azure Active Directory.
Click Identity Governance, Entitlement Management, and then click Catalogs.
Select the Red Canary Access catalog.
Under Manage, click Access Packages, and then click New Access Package.
Fill out the forms with the following values:
Name: Red Canary Active Remediation Access Package
Description: Red Canary Active Remediation Access
Select Resource Roles > Groups and Teams > Red Canary Active Remediation and then click Select.
Important: In order to select the Red Canary Group, make sure to select See all Group and Team(s) not in the Red Canary Access catalog. You must have the correct permissions to add them in this access package.
Under Role, click Member from the dropdown.
Select the Requests tab.
Select For users not in your directory, Specific connected organizations, and then select Red Canary.
Require Approval: No
Enable new requests: Yes
Select the Lifecycle tab.
Access package assignments expire: Never
Users can request specific timeline: Yes
Require access reviews: Yes
Starting on: [today's date]
Review frequency: Bi-annually
Duration in days: 90
Reviewers: Specific reviewers
Click Add reviewers.
Select the members of your organization responsible for IAM review procedures.
Review the parameters, and then click Create.
From your Azure portal, click Active Directory, and then click Identity Governance.
Click Access Packages, and then click Red Canary access package.
Under Properties, copy and save the My access portal link.
Provide the link to your Red Canary contact.
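Because this package requires no approval and its assignments never expire, the requestor scope and the recurring access review are the controls that keep it least-privilege. The check below is an added example (not Red Canary's or Microsoft's tooling) that audits an exported assignment policy for the Requests and Lifecycle settings above; the JSON layout is a simplified model of the Microsoft Graph assignment-policy object, and its field names are assumptions.

```python
"""Audit an exported entitlement-management assignment policy against the
settings this article asks for. Added example; the JSON field names below
are a simplified, assumed model of the Graph assignment-policy object."""
import json

# Constructed sample export of the policy as configured above (compliant case).
SAMPLE_POLICY = json.dumps({
    "displayName": "Red Canary Active Remediation Access Package",
    "requestorSettings": {
        "scopeType": "SpecificConnectedOrganizationSubjects",
        "acceptRequests": True,
        "allowedRequestors": [{"description": "Red Canary"}],
    },
    "requestApprovalSettings": {"isApprovalRequired": False},
    "expiration": {"type": "noExpiration"},
    "accessReviewSettings": {"isEnabled": True, "durationInDays": 90,
                             "reviewers": ["iam-reviewers"]},
})


def audit_policy(policy_json: str, expected_org: str = "Red Canary") -> list[str]:
    """Return findings as strings; an empty list means the policy matches the article."""
    p = json.loads(policy_json)
    findings = []
    req = p.get("requestorSettings", {})
    # Only the named connected organization may request the package, never every
    # external subject or the whole directory.
    if req.get("scopeType") != "SpecificConnectedOrganizationSubjects":
        findings.append(f"requestor scope is {req.get('scopeType')!r}; "
                        "expected a specific connected organization")
    orgs = {r.get("description") for r in req.get("allowedRequestors", [])}
    if orgs != {expected_org}:
        findings.append(f"allowed requestors are {sorted(orgs)}; expected only {expected_org!r}")
    if not req.get("acceptRequests", False):
        findings.append("new requests are disabled; the article sets Enable new requests: Yes")
    # No approval step and no expiry are what the article configures, so the
    # 90-day access review with named reviewers is the compensating control.
    rev = p.get("accessReviewSettings", {})
    if not rev.get("isEnabled"):
        findings.append("access reviews are disabled although assignments never expire")
    elif rev.get("durationInDays") != 90 or not rev.get("reviewers"):
        findings.append("access review must run for 90 days with specific reviewers assigned")
    return findings


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY) or "policy matches the article")
```

Run it against a real export by replacing SAMPLE_POLICY with the policy JSON retrieved from Microsoft Graph; any non-empty result is configuration drift worth a ticket.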
Microsoft Defender XDR: Enable Advanced Features in Microsoft Defender For Endpoint
From your Microsoft Defender XDR portal, log in with your global administrator account.
Click Settings, and then click Endpoints.
Under General, click Advanced Features.
Enable Custom network indicators.
Enable Live Response.
Enable Live Response for Servers.