How Microsoft Azure Works with Red Canary

Red Canary integrates with Microsoft Azure to analyze telemetry from various sources, including Defender for Cloud alerts. Telemetry from Azure is seamlessly streamed from a user’s tenant into an Azure Event Hub within Red Canary’s tenant. Additionally, Azure’s diagnostic settings allow near real-time analysis by streaming control plane data from storage accounts, key vaults, and other sources. Azure data exports from Log Analytics Workspaces and continuous exports from Defender for Cloud ensure smooth data streaming to the Event Hub.

Understand the Red Canary Bicep File

The Bicep file is a template that automates the deployment of Azure resources and configurations needed to integrate Microsoft Azure with Red Canary. It specifically sets up policies and configurations to enable the ingestion of telemetry and logs from Azure into the Red Canary platform.

Resource Group and Policy Deployment

The file deploys two custom policies across all subscriptions within a specified management group:

• Resource Group Creation Policy: Ensures that a resource group named RCAutomationRg exists in each subscription. If it's missing in a subscription, the policy triggers a remediation action to create it.

• Lighthouse Registration Policy: Ensures that Azure Lighthouse is properly registered between the subscriptions and Red Canary’s tenant. If a Managed Service registration between the subscription and Red Canary’s tenant does not exist, the policy will trigger a remediation action to establish the connection.

Role Assignments

The Bicep file assigns specific roles to Red Canary’s Azure Log Ingest Group (identified by the RCAzureLogIngestPrincipal) through the Managed Service registration, granting a principal in Red Canary’s tenant the following roles within each subscription:

• Log Analytics Contributor:

  • Allows Red Canary to read and edit monitoring settings, manage VM extensions, and access storage account keys.

  • Enables Red Canary to create Diagnostic Settings on Storage Accounts and Key Vaults for event streaming and configure Data Export on Log Analytics Workspaces, including control plane logs and sign-in logs.

• Reader Role:

  • Provides view-only access to all resources.

  • Through an Azure Lighthouse connection, this role allows Red Canary to enumerate resources within the tenant, including Storage Accounts, subscriptions, and Key Vaults.

• Managed Services Registration Assignment Delete Role:

  • Allows the deletion of the registration assignment in the event of offboarding.

  • Enables Red Canary to remove the Service Provider Offer that grants access to the user’s environment.

• Security Admin:

  • Provides permissions to view and update Microsoft Defender for Cloud, including configuring automated export of alerts and supporting the synchronization of alert states.

    • Within Microsoft Azure, these are Microsoft.Security/automation resource types. Security Admin was the least privileged built-in role that can create these resource types, which Red Canary uses to stream Defender for Cloud alerts to a Red Canary Event Hub.

  • Enables the Bicep file to create continuous export settings for Defender for Cloud.

These roles are managed through Lighthouse and will be visible for each subscription in the Service Providers section within your Azure environment (which is where connections created via Lighthouse are listed).

Policy and Service Account Requirements

• The policy can remediate subscriptions, create a Managed Service registration, and establish a Lighthouse connection, all of which necessitate a linked service account with Owner privileges.

• However, the policy itself does not grant Owner-level permissions to any principal that Red Canary has access to or any external principal. Instead, the Owner role is assigned to a service-managed identity specific to the policy. This identity appears in the Azure portal as an enterprise application named after the policy assignment (RCLogConfigurationAccess) and is listed as "RC Azure Log Ingest" in the policy assignments.

Lighthouse and Managed Services Registration

• The Bicep file creates and enforces a custom policy that checks for the existence of Lighthouse registrations and, if not present, deploys them automatically.

What the Bicep File Is Doing:

• Automates the deployment and management of necessary Azure resources for integration with Red Canary.

• Enforces the creation of a specific resource group in each subscription to support log ingestion and alert exports.

• Grants specific roles and permissions to Red Canary's Azure Log Ingest Group to manage logs, monitoring, and security configurations.

What the Bicep File Isn’t Doing:

• It does not grant unrestricted access to all Azure resources or allow Red Canary to perform actions outside the scope of log management, monitoring, and security.

• It does not modify existing resources beyond what's necessary for creating the required resource group and ensuring Lighthouse registration.

Integration Architecture Diagram:

For detailed information around details of the design and architecture of the Azure integration, see Engineering a MDR solution for Microsoft Azure.

FAQ: