Integrate Microsoft Entra ID with Red Canary
- Updated on 09 Oct 2024
To integrate Microsoft Entra ID with Red Canary, follow the procedure below from beginning to end. Once all steps are completed successfully, the data should be ingested into Red Canary within 20 minutes.
Prerequisites
You must be subscribed to Red Canary's MDR Identities license.
You must have Azure Global Admin rights.
You must have access to your Azure Tenant ID.
You must have access to the Resource ID of an Azure Log Analytics Workspace.
Note: Since these logs are available in their native form only through a Log Analytics Workspace, users should expect costs to increase on their Azure bill for storing the data briefly in the workspace itself, and egressing it to Red Canary. We've been selective about the tables we ask customers to export to keep these costs as low as possible.
Step 1: Configure an Azure Log Analytics workspace to collect Entra ID logs
For Red Canary to start receiving your telemetry, you must send your data from your environment to an Azure Log Analytics workspace.
Set up your Log Analytics workspace
1. From your Red Canary homepage, click Integrations.
2. From the Integrations section, locate and then click Microsoft Entra ID.
3. Enter a name for your new Microsoft Entra ID integration.
4. Select I need to set up a Log Analytics workspace.
Note: If you already have a Log Analytics workspace ingesting logs, including ADFSSignInLogs, AuditLogs, ManagedIdentitySignInLogs, ServicePrincipalRiskEvents, ServicePrincipalSignInLogs, SignInLogs, and UserRiskEvents, select I already have a Log Analytics workspace set up and continue to Step 1.22.
Microsoft Azure
5. From your Microsoft Azure homepage, in the search bar, type and then select Resource groups.
Note: Your account must have write permissions to create a Resource Group and Log Analytics workspace in the desired Subscription.
6. Click +Create.
7. From the Subscription dropdown, select the Subscription you would like to house your Azure Log Analytics workspace.
8. Enter a Resource Group name. (Example: Red_Canary_Resources)
9. From the Region dropdown, select your local region.
10. Click Next: Tags >.
11. Click Next: Review + create >.
12. Click Create.
13. In the search bar, type and then select Log Analytics workspaces.
14. Click +Create.
15. From the Subscription dropdown, select the Subscription associated with the Resource Group created in Step 1.8.
16. From the Resource group dropdown, select the Resource Group.
17. Enter a name for the Instance details. (Example: Red_Canary_Log_Analytic_workspace)
18. From the Region dropdown, select eastus.
19. Click Next: Tags >.
20. Click Next: Review + create >.
21. Click Create.
Red Canary
22. Select I’ve completed creating the Log Analytics workspace.
Set up your Log Analytics workspace to collect Entra ID logs
23. Select I need to configure my Log Analytics workspace to collect Entra ID logs.
Note: If you already have a Log Analytics workspace collecting the required Entra ID logs, select I already have my Log Analytics workspace set up to collect Entra ID logs, and then click Next to continue on to Step 1.34.
Microsoft Entra
24. Sign in to the Microsoft Entra Admin Center as a Security Administrator.
25. Click Identity.
26. Click the Monitoring & health dropdown.
27. Click Diagnostic settings.
28. Click +Add diagnostic setting.
29. From the Diagnostic setting page, perform the following steps:
30. From the Category details section, select the following:
- ADFSSignInLogs
- AuditLogs
- ManagedIdentitySignInLogs
- ServicePrincipalRiskEvents
- ServicePrincipalSignInLogs
- SignInLogs
- UserRiskEvents
31. From the Destination details section, select Send to Log Analytics workspace.
32. From the Subscription dropdown, select your Subscription.
33. From the Log Analytics workspace dropdown, select your Log Analytics workspace.
34. Click Save.
Red Canary
35. Select I’ve completed configuring my Log Analytics workspace to collect Entra ID logs.
36. Click Next.
Step 2: Grant Permissions to Red Canary
You’ll need to download the Azure Lighthouse offer template, which contains the definition of our Azure Lighthouse Managed Service Provider offer. The offer defines the set of RBAC role assignments that grant Red Canary the permissions in your environment that this integration requires. To use the offer, sign in to your Azure Portal and add it to the Azure Lighthouse service, which applies the granted permissions in your environment.
Install the Azure Lighthouse Managed Service Provider Offer
1. To download the Azure Lighthouse offer template, click Download. You’ll use this in a later step.
Microsoft Azure
2. From your Microsoft Azure homepage, in the search bar, type and then select Azure Lighthouse.
Note: Your account must have Global administrator permissions to deploy the Offer Template in your Subscription.
3. Click View service provider offers.
4. From the navigation pane, click Service provider offers.
5. Click the +Add offer dropdown.
6. Click Add via template.
7. Click Browse for files.
8. To upload the RedCanaryEntraIntegration.json file you downloaded in Step 2.1, click Upload.
9. Click Review + Create.
Note: The Subscription you select must be the one where the Log Analytics workspace is located.
10. Click Create.
Red Canary
11. Select I’ve installed the offer template.
Install the Red Canary Enterprise Application
The Enterprise Application enables Red Canary to understand your MDR Identities license usage by counting the identities of Microsoft Entra ID users and applications. Performing this step requires a user account with Global Administrator permissions and the enablement of the admin consent workflow for your Microsoft Entra ID service.
12. Click the consent link and then select your Microsoft Account.
Microsoft Azure
13. Provide an approval reason and then click Request approval.
Note: If the account selected has Global Administrator rights, click Accept.
14. Navigate to the Admin consent requests area and then click Red Canary + Entra ID Log Ingest.
15. Click Review permissions and consent.
16. Select an admin account and then click Accept.
Red Canary
17. Select I’ve granted consent to Red Canary.
18. Click Next.
Step 3: Configure Red Canary to integrate with your Azure Tenant
You’ll need to input your Azure Tenant ID (the unique identifier of your Azure environment) and a Resource ID (the unique identifier of the Log Analytics workspace you selected) into Red Canary. We use these identifiers to manage your Log Analytics workspace. You must sign in to your Azure Portal to retrieve this information.
Record your Azure Tenant ID
1. Enter your Azure Tenant ID.
Note: Click Overview to review the details of your Azure Tenant, including the Tenant ID.
Record the Resource ID for the Log Analytics workspace collecting Entra ID logs
Microsoft Azure
2. From your Microsoft Azure homepage, in the search bar, type and then select Log Analytics workspaces.
3. Select the Log Analytics workspace that was created in Step 1.14.
4. From the navigation menu, select Properties.
5. Copy and then save the Resource ID of the workspace.
Red Canary
6. Enter the Log Analytics Resource ID from the previous step.
7. Click Save.
Note: Once saved, Red Canary will begin provisioning the resources required for the Integration. During this time, the status of the Integration will be shown as Provisioning. It will update to Active when provisioning has been completed.
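As an added example that is not Red Canary's or Microsoft's code, the following Python checks the values the procedure in Steps 1 to 3 depends on: whether an existing diagnostic setting already covers the seven required categories (the "I already have a workspace" shortcut in Step 1), whether the workspace Resource ID copied in Step 3 is well formed, and whether the subscription chosen for the Lighthouse offer (Step 2 note) is the one hosting the workspace. The properties.workspaceId / properties.logs body layout is assumed from the Azure Monitor diagnostic-settings API; the function names and sample values are constructed.

```python
import re

# The seven diagnostic-setting categories Step 1 requires (names as listed on this page).
REQUIRED_CATEGORIES = frozenset({
    "ADFSSignInLogs", "AuditLogs", "ManagedIdentitySignInLogs", "ServicePrincipalRiskEvents",
    "ServicePrincipalSignInLogs", "SignInLogs", "UserRiskEvents",
})
# Shape of a Log Analytics workspace Resource ID (the value Step 3 asks you to copy).
_WORKSPACE_RID = re.compile(
    r"^/subscriptions/(?P<subscription>[0-9a-f-]{36})/resourcegroups/(?P<resource_group>[^/]+)"
    r"/providers/microsoft\.operationalinsights/workspaces/(?P<name>[^/]+)$", re.IGNORECASE)

def parse_workspace_resource_id(resource_id: str) -> dict:
    """Split a workspace Resource ID into subscription, resource group and name; reject anything else."""
    match = _WORKSPACE_RID.match(resource_id.strip())
    if not match:
        raise ValueError(f"not a Log Analytics workspace Resource ID: {resource_id!r}")
    return match.groupdict()

def build_diagnostic_setting(workspace_resource_id: str) -> dict:
    """Diagnostic-setting body for Step 1: exactly the required categories, sent to the workspace.
    Assumed layout: properties.workspaceId plus properties.logs[{category, enabled}] (Azure Monitor API)."""
    parse_workspace_resource_id(workspace_resource_id)  # fail early on a malformed ID
    logs = [{"category": c, "enabled": True} for c in sorted(REQUIRED_CATEGORIES)]
    return {"properties": {"workspaceId": workspace_resource_id, "logs": logs}}

def missing_categories(existing_setting: dict, workspace_resource_id: str) -> set:
    """'I already have a workspace' path: required categories the existing setting does not send
    to this workspace (all of them when it points at a different workspace)."""
    props = existing_setting.get("properties", {})
    if props.get("workspaceId", "").lower() != workspace_resource_id.lower():
        return set(REQUIRED_CATEGORIES)
    enabled = {log["category"] for log in props.get("logs", []) if log.get("enabled")}
    return set(REQUIRED_CATEGORIES) - enabled

def lighthouse_subscription_matches(workspace_resource_id: str, offer_subscription: str) -> bool:
    """Step 2 note: the Lighthouse offer must be deployed to the subscription that hosts the workspace."""
    workspace_sub = parse_workspace_resource_id(workspace_resource_id)["subscription"]
    return workspace_sub.lower() == offer_subscription.strip().lower()

# Constructed sample data (not a real tenant): an existing setting that only sends two categories.
SAMPLE_WORKSPACE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Red_Canary_Resources"
                    "/providers/Microsoft.OperationalInsights/workspaces/Red_Canary_Log_Analytic_workspace")
SAMPLE_EXISTING = {"properties": {"workspaceId": SAMPLE_WORKSPACE, "logs": [
    {"category": "AuditLogs", "enabled": True}, {"category": "SignInLogs", "enabled": True},
    {"category": "ADFSSignInLogs", "enabled": False}]}}
```

Running missing_categories(SAMPLE_EXISTING, SAMPLE_WORKSPACE) on the constructed setting reports the five categories that still need to be enabled before the shortcut in Step 1 is safe to take.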
Step 4: Utilize Entra ID Response Actions
Follow the steps in Response Actions for Entra ID to enable automated playbooks, configured in Red Canary, to take action in Entra ID.
FAQ
How is this integration different from the Microsoft Azure Integration that collects Entra ID Logs?
The Microsoft Entra integration collects a subset of the logs collected by the Microsoft Azure Integration. Where the Microsoft Entra Integration only collects logs generated by Microsoft Entra ID, the Microsoft Azure integration collects these and additional activity logs created by Azure resources and Azure control plane activities.
Another difference between the two integrations is the subscriptions they are offered under. Microsoft Azure falls under MDR for Cloud Control, while Microsoft Entra ID falls under MDR, so licensing is accounted for differently. The Microsoft Azure Integration also includes a collection of Defender for Cloud alerts.
Note: If you already have an Azure Integration, you do not need an Entra Integration. The only thing it would add is a count of monitored identities, which is not gathered for an Azure Integration.
Red Canary views these integrations as closely related regarding how we ingest and analyze the logs. For example, suppose a user elects to integrate with both the Microsoft Azure and Microsoft Entra ID Integration. In that case, Red Canary will only receive one data stream of logs from their Azure environment. We allow users to transition between the two integrations or have both enabled simultaneously. Additionally, users with existing Microsoft Entra ID integrations can expand their coverage by adding a Microsoft Azure Integration if their subscriptions allow it.
Note: If an Entra and Azure integration are both present and the Azure integration is deleted, there can be up to an hour delay before the Entra integration data is ingested again.
How is this integration different from the Microsoft MS Graph v2 for Microsoft Entra ID Protection?
The Microsoft Entra ID Identity Protection v2 alert source and the Microsoft Entra ID and Microsoft Azure integrations are loosely related.
The alert source is focused on ingesting the alerts generated by the Identity Protection service. Red Canary then analyzes the alerts to determine if a threat has occurred.
The Entra and Azure integrations ingest logs and telemetry, which flows through the Red Canary detection engine and generates threats when merited.
The Microsoft Entra ID Identity Protection v2 Alert Source and the Microsoft Entra ID and Microsoft Azure integrations work together. Suppose Red Canary receives a Microsoft Entra ID log and publishes a threat for it, and we also receive an MS Graph v2 Identity Protection alert, or vice versa. In that case, we can correlate the alert and the threat and offer extended coverage.
Why would the Entra ID integration stop receiving data after configuring the Azure integration?
This is expected behavior when both integrations export data from the same Log Analytics Workspace; a single export is used to avoid duplicated data sets.
When Entra ID is the only integration configured, a data export is created in Log Analytics Workspace to send data to Red Canary. This data is received under the Entra ID integration.
If an Azure integration is also configured using the same Log Analytics Workspace, a data export is created for this service and the data export for Entra ID is deleted. The data is then received by Red Canary under the Azure integration, and the telemetry volume reported under Entra ID will drop to zero.
Because of the overlap in telemetry Red Canary collects from Entra ID and collects from Azure in the same Log Analytics Workspace, a single data export is used to avoid Microsoft egress charges for redundant data.
Ingest Details
Integration Architecture
The Microsoft Entra ID Integration supports connecting Red Canary with a customer’s Microsoft Entra ID environment at the Tenant level.
The integration specifically focuses on Microsoft Entra ID, which is responsible for generating and managing Identity & Access Management (IAM) logs. These logs are transferred from a customer’s Microsoft Entra ID environment to Red Canary using a combination of Azure services. Below is an outline of the log collection and ingestion process:
Diagnostic Settings: Customers configure Diagnostic Settings in Microsoft Entra ID to collect relevant logs in an Azure Log Analytics Workspace.
Data Export: Red Canary automates the creation of Data Export settings to send collected logs from the Log Analytics Workspace to an Azure Event Hub.
Ingestion: The Event Hub queues and prepares the logs for downstream ingestion and analysis by Red Canary.
Lighthouse Requirement
Azure Lighthouse, a service for cross-tenant management, is required for this integration to function correctly. Customers should refer to the integration documentation above for more details on setting up Azure Lighthouse.
Entra ID Licensing and Associated Azure Costs
This integration is available to all customers with any level of Entra ID licensing. However, customers should be aware of potential Azure costs associated with storing logs in a Log Analytics Workspace and exporting them to Red Canary. Red Canary has minimized the number of tables exported to control these costs.
Log Analytics Data Ingestion: Charges incurred for storing logs in a Log Analytics Workspace.
Log Analytics Data Export: Costs associated with transferring logs from the workspace to Red Canary via the Event Hub.
For more information, refer to:
Comparison of Entra ID Integrations
Red Canary offers multiple integrations related to Microsoft Entra ID. Here is a summary of the key differences:
Entra ID: The telemetry integration described in this article, which ingests and analyzes raw log data.
Entra ID Alerts: An older legacy integration, generally not recommended as it lacks modern parsing and detection capabilities.
Entra ID Identity Protection v2: A supported alert source from the Microsoft Defender XDR suite that correlates identity-related alerts with telemetry from other integrations. We recommend configuring this alert source if it is included in your Microsoft licensing.
Entra ID Response Actions: A response integration configured through the Red Canary Automate interface, enabling automated actions targeting Entra ID identities.
Microsoft Office 365: A separate integration that collects Office 365 audit logs. We recommend configuring the Microsoft Office 365 integration in addition to the Entra ID integration, as both collect different and important types of data.
What Data Are We Collecting?
| Log Analytics table name | Description |
|---|---|
| AADManagedIdentitySignInLogs | Tracks sign-ins by managed identities within Azure. |
| AADServicePrincipalSignInLogs | Captures sign-ins by service principals. |
| AADServicePrincipalRiskEvents | Logs events related to risky behavior by service principals. Note: These events are treated as telemetry and will not appear as alerts in Red Canary. |
| AADUserRiskEvents | Tracks risky sign-in attempts by users. Note: These events are treated as telemetry and will not appear as alerts in Red Canary. |
| ADFSSignInLogs | Logs sign-ins using Active Directory Federation Services (ADFS). |
| AuditLogs | Records changes to applications, groups, users, and licensing. |
| SignInLogs | Tracks sign-in activity across the Azure Tenant. |
By analyzing this data, Red Canary identifies potential security threats and anomalous behavior, enabling timely response and protection against malicious actors.