Integrate Microsoft Entra ID Protection with Red Canary
    • 28 Aug 2024

    With the Microsoft Entra ID integration, Red Canary will have access to identity data in near real time. Additionally, Red Canary will ingest a broad selection of Entra ID events, including the sign-in, audit, and risk-event log tables listed under Step 1.

    Note: Since these logs are available in their native form only through a Log Analytics Workspace, users should expect costs to increase on their Azure bill for storing the data briefly in the workspace itself, and egressing it to Red Canary. We've been selective about the tables we ask customers to export to keep these costs as low as possible.

    To integrate Microsoft Entra ID with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    Step 1: Configure an Azure Log Analytics workspace to collect Entra ID logs

    For Red Canary to start receiving your telemetry, you must send your data from your environment to an Azure Log Analytics workspace.

    Set up your Log Analytics workspace

    1. From your Red Canary homepage, click Integrations.

    2. From the Integrations section, locate and then click Microsoft Entra ID.

    3. Enter a name for your new Microsoft Entra ID integration.

    4. Select I need to set up a Log Analytics workspace.

    Note: If you already have a Log Analytics workspace ingesting logs, including ADFSSignInLogs, AuditLogs, ManagedIdentitySignInLogs, ServicePrincipalRiskEvents, ServicePrincipalSignInLogs, SignInLogs, and UserRiskEvents, select I already have a Log Analytics workspace set up and continue to Step 1.22.

    Microsoft Azure

    5. From your Microsoft Azure homepage, in the search bar, type and then select Resource groups.

    Note: Your account must have write permissions to create a Resource Group and Log Analytics workspace in the desired Subscription.

    6. Click +Create.

    7. From the Subscription dropdown, select the Subscription you would like to house your Azure Log Analytics workspace.

    8. Enter a Resource Group name. (Example: Red_Canary_Resources)

    9. From the Region dropdown, select your local region.

    10. Click Next: Tags >.

    11. Click Next: Review + create >.

    12. Click Create.

    13. In the search bar, type and then select Log Analytics workspaces.

    14. Click +Create.

    15. From the Subscription dropdown, select the Subscription associated with the Resource Group created in Step 1.8.

    16. From the Resource group dropdown, select the Resource Group.

    17. Enter a name for the Instance details. (Example: Red_Canary_Log_Analytic_workspace)

    18. From the Region dropdown, select eastus.

    19. Click Next: Tags >.

    20. Click Next: Review + create >.

    21. Click Create.

    Red Canary

    22. Select I’ve completed creating the Log Analytics workspace.

    Set up your Log Analytics workspace to collect Entra ID logs

    23. Select I need to configure my Log Analytics workspace to collect Entra ID logs.

    Note: If you already have a Log Analytics workspace to collect the required Entra ID logs, select I already have my Log Analytics workspace set up to collect Entra ID logs, and then click Next to continue on to Step 1.34.

    Microsoft Entra

    24. Sign in to the Microsoft Entra Admin Center as a Security Administrator.

    25. Click Identity.

    26. Click the Monitoring & health dropdown.

    27. Click Diagnostic settings.

    28. Click +Add diagnostic setting.

    29. From the Diagnostic setting page, in the Category details section, select the following:

        1. ADFSSignInLogs

        2. AuditLogs

        3. ManagedIdentitySignInLogs

        4. ServicePrincipalRiskEvents

        5. ServicePrincipalSignInLogs

        6. SignInLogs

        7. UserRiskEvents

    30. From the Destination details section, select Send to Log Analytics workspace.

    31. From the Subscription dropdown, select your Subscription.

    32. From the Log Analytics workspace dropdown, select your Log Analytics workspace.

    33. Click Save.

    Red Canary

    34. Select I’ve completed configuring my Log Analytics workspace to collect Entra ID logs.

    35. Click Next.

    Step 2: Grant Permissions to Red Canary

    You’ll need to download the Azure Lighthouse offer template, which contains the definition of our Azure Lighthouse Managed Service Provider offer. The offer defines a set of RBAC Role Assignments that grant Red Canary the permissions in your environment this Integration requires. To use the offer, log in to your Azure Portal and add it to the Azure Lighthouse service, which applies the granted permissions in your environment.

    Install the Azure Lighthouse Managed Service Provider Offer

    1. To download the Azure Lighthouse offer template, click Download. You’ll use this in a later step.

    Microsoft Azure

    2. From your Microsoft Azure homepage, in the search bar, type and then select Azure Lighthouse.

    Note: Your account must have Global administrator permissions to deploy the Offer Template in your Subscription.

    3. Click View service provider offers.

    4. From the navigation pane, click Service provider offers.

    5. Click the +Add offer dropdown.

    6. Click Add via template.

    7. Click Browse for files.

    8. To upload the RedCanaryEntraIntegration.json file you downloaded in Step 2.1, click Upload.

    9. Click Review + Create.

    Note: The Subscription you selected must be where the Log Analytics workspace is located.

    10. Click Create.

    Red Canary

    11. Select I’ve installed the offer template.

    Install the Red Canary Enterprise Application

    The Enterprise Application enables Red Canary to understand your MDR Identities license usage by counting the identities of Microsoft Entra ID users and applications. Performing this step requires a user account with Global Administrator permissions and the enablement of the admin consent workflow for your Microsoft Entra ID service.

    12. Click the consent link and then select your Microsoft Account.

    Microsoft Azure

    13. Provide an approval reason and then click Request approval.

      Note: If the Account selected has Global Administrator rights, click Accept.

    14. Navigate to the Admin consent requests area and then click Red Canary + Entra ID Log Ingest.

    15. Click Review permissions and consent.

    16. Select an admin account and then click Accept.

    Red Canary

    17. Select I’ve granted consent to Red Canary.

    18. Click Next.

    Step 3: Configure Red Canary to integrate with your Azure Tenant

    You’ll need to input your Azure Tenant ID (the unique identifier of your Azure environment) and a Resource ID (the unique identifier of your selected Log Analytics workspace) into Red Canary. We use these identifiers to manage your Log Analytics workspace. You must sign in to your Azure Portal to retrieve this information.

    Record your Azure Tenant ID

    1. Enter your Azure Tenant ID.

    Note: Click Overview to review the details of your Azure Tenant, including the Tenant ID.

    Record the Resource ID for the Log Analytics workspace collecting Entra ID logs

    Microsoft Azure

    2. From your Microsoft Azure homepage, in the search bar, type and then select Log Analytics workspaces.

    3. Select the Log Analytics workspace that was created in Step 1.14.

    4. From the navigation menu, select Properties.

    5. Copy and then save the Resource ID of the workspace.

    Red Canary

    6. Enter the Log Analytics Resource ID from the previous step.

    7. Click Save.

      Note: Once saved, Red Canary will begin provisioning the resources required for the Integration. During this time, the status of the Integration will be shown as Provisioning. It will update to Active when provisioning has been completed.
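    Added here as a pre-flight check (not part of this article or of Red Canary's product): Python that validates what this procedure hands you before you click Save in Step 3. It checks that the Tenant ID is a GUID, that the workspace Resource ID parses and sits in the subscription where the Step 2 Lighthouse offer was deployed (the Note under Step 2.9), and that an existing diagnostic setting (the "already have a workspace" case in the Step 1 Note) enables all seven required log categories. The diagnostic-setting JSON shape (properties.workspaceId, properties.logs) is assumed from the ARM API; all sample values are constructed placeholders.

```python
import re
# The seven Entra ID log categories the integration requires (Step 1).
REQUIRED_CATEGORIES = {"ADFSSignInLogs", "AuditLogs", "ManagedIdentitySignInLogs",
                       "ServicePrincipalRiskEvents", "ServicePrincipalSignInLogs",
                       "SignInLogs", "UserRiskEvents"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
WORKSPACE_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<name>[^/]+)$", re.I)

# Constructed sample values (placeholder GUIDs, names from this procedure): a workspace
# Resource ID, and a diagnostic setting in the shape the ARM API returns (assumed:
# properties.workspaceId, properties.logs) that enables five of the seven categories.
SAMPLE_WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000001"
                       "/resourceGroups/Red_Canary_Resources/providers/Microsoft"
                       ".OperationalInsights/workspaces/Red_Canary_Log_Analytic_workspace")
SAMPLE_SETTING = {"properties": {"workspaceId": SAMPLE_WORKSPACE_ID, "logs": [
    {"category": c, "enabled": True} for c in
    ["AuditLogs", "ManagedIdentitySignInLogs", "ServicePrincipalRiskEvents",
     "ServicePrincipalSignInLogs", "SignInLogs"]] + [
    {"category": "UserRiskEvents", "enabled": False}]}}

def missing_categories(setting):
    """Required categories the diagnostic setting does not enable."""
    logs = setting.get("properties", {}).get("logs", [])
    enabled = {entry["category"] for entry in logs if entry.get("enabled")}
    return sorted(REQUIRED_CATEGORIES - enabled)

def preflight(tenant_id, workspace_id, lighthouse_subscription, setting):
    """Problems to fix before entering the Tenant ID and Resource ID into Red Canary."""
    problems = []
    if not GUID_RE.match(tenant_id.strip()):
        problems.append("Tenant ID is not a GUID")
    m = WORKSPACE_ID_RE.match(workspace_id.strip())
    if not m:
        problems.append("Resource ID is not a Log Analytics workspace")
    # Step 2: the Lighthouse offer must be deployed in the workspace's subscription.
    elif m.group("sub").lower() != lighthouse_subscription.strip().lower():
        problems.append("workspace is outside the subscription holding the Lighthouse offer")
    target = setting.get("properties", {}).get("workspaceId", "")
    if target.lower() != workspace_id.strip().lower():
        problems.append("diagnostic setting sends logs to a different workspace")
    problems += [f"diagnostic setting does not enable {c}" for c in missing_categories(setting)]
    return problems
```

    Feed it the GET response for your tenant's diagnostic setting and the values you copied in Steps 3.1 and 3.5; an empty list means the three inputs agree with each other and with what Step 1 requires.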

    Step 4: Utilize Entra ID Response Actions

    Follow the steps in Response Actions for Entra ID to enable automated playbooks, configured in Red Canary, to take action in Entra ID.

    FAQ

    How is this integration different from the Microsoft Azure Integration that collects Entra ID Logs?

    • The Microsoft Entra integration collects a subset of the logs collected by the Microsoft Azure Integration. Where the Microsoft Entra Integration only collects logs generated by Microsoft Entra ID, the Microsoft Azure integration collects these and additional activity logs created by Azure resources and Azure control plane activities.

      Another difference between the two integrations is the subscriptions they are offered under. Microsoft Azure falls under MDR for Cloud Control, while Microsoft Entra ID falls under MDR, so licensing is accounted for differently. The Microsoft Azure Integration also includes a collection of Defender for Cloud alerts.

      Note: If the customer has an Azure Integration, they do not need an Entra Integration. The only thing they would gain is a count of monitored identities, which we do not gather for an Azure integration.

    Red Canary views these integrations as closely related regarding how we ingest and analyze the logs. For example, suppose a user elects to integrate with both the Microsoft Azure and Microsoft Entra ID Integration. In that case, Red Canary will only receive one data stream of logs from their Azure environment. We allow users to transition between the two integrations or have both enabled simultaneously. Additionally, users with existing Microsoft Entra ID integrations can expand their coverage by adding a Microsoft Azure Integration if their subscriptions allow it.

    Note: If an Entra and Azure integration are both present and the Azure integration is deleted, there can be up to an hour delay before the Entra integration data is ingested again.

    How is this integration different from the Microsoft MS Graph v2 for Microsoft Entra ID Protection?

    • The Microsoft Entra ID Identity Protection v2 alert source and the Microsoft Entra ID and Microsoft Azure integrations are loosely related.

    The alert source is focused on ingesting the alerts generated by the Identity Protection service. Red Canary then analyzes the alerts to determine if a threat has occurred.

    The Entra and Azure integrations ingest logs and telemetry, which flows through the Red Canary detection engine and generates threats when merited.

    The Microsoft Entra ID Identity Protection v2 Alert Source and the Microsoft Entra ID and Microsoft Azure integrations work together. Suppose Red Canary receives a Microsoft Entra ID log and publishes a threat for it, and we also receive an MS Graph v2 Identity Protection alert, or vice versa. In that case, we can correlate the alert and the threat and offer extended coverage.
