Integrate Microsoft Sentinel with Red Canary
    • 07 Nov 2024
    • 6 Minutes to read

    Integrating Microsoft Sentinel with Red Canary's advanced capabilities builds a robust security ecosystem. This integration allows for seamless data sharing, improved threat detection, and accelerated incident response. This empowers you to better understand your security posture and proactively mitigate risks.

    To integrate Microsoft Sentinel with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    • From your Azure environment, locate the following data points to configure your Red Canary source platform:

      • Azure Tenant ID

      • Azure Subscription ID

      • Sentinel Resource Group Name

      • Sentinel Workspace Name

      • Log Analytics Workspace ID

    • You must have Azure Global Admin rights to upload and accept the Azure Resource Management (ARM) Template configuration and add the required role assignments in Azure.

    Step 1: Microsoft Azure–Locate your Microsoft Azure IDs

    Start the integration process by locating your Microsoft Azure IDs.

1. Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.

    2. In the search bar, type and then select Tenant properties.

    3. Copy and save your Tenant ID. You’ll use this in a later step.


    4. In the search bar, type and then select Subscriptions.

    5. Copy and save your Subscription ID. You’ll use this in a later step.


    6. Click on your subscription name.

7. Select your Log Analytics workspace, then copy and save its Workspace ID. You’ll use this in a later step.

    8. In the search bar, type and then select Resource Groups.

    9. Copy and save the Resource Group Name you are setting up a subscription for. You’ll use this in a later step.

    10. In the search bar, type and then select Workspaces.

    11. Copy and save the Workspace Name you're setting up a subscription for. You’ll use this in a later step.

    Step 2: Red Canary–Input your Microsoft Azure information

    Enter your Microsoft Azure information into Red Canary to start sending your alerts.

    1. From your Red Canary homepage, go to the Integrations page then click Add Integration.

2. On the Add integration dialog, search for the Microsoft Azure Sentinel integration, then click Configure.

    3. On the Add Integration page:

      • Enter a Name for the integration

      • Select Microsoft Azure Sentinel via API Poll in the Ingest Format / Method dropdown

      • Enter your Microsoft Azure Tenant ID from Step 1.3

      • Enter your Microsoft Azure Subscription ID from Step 1.5

      • Enter a Microsoft Sentinel Resource Group Name from Step 1.9

      • Enter a Microsoft Sentinel Workspace Name from Step 1.11

      • Enter your Microsoft Log Analytics Workspace ID from Step 1.7


    4. Click Save.

5. Locate your newly added integration in the list at the bottom of the Integrations page, then click on its name to view the configuration.

    6. Click Edit Configuration.

    7. Under the Permissions section on the Edit Integration page, click the Azure consent link.

    Step 3: Microsoft Azure–Confirm that Red Canary has been configured in Azure

    Confirm that the Red Canary enterprise application has been configured in your Azure Active Directory.

1. Log in to the Microsoft Azure account you want to integrate with Red Canary.

    2. Click Accept.

    3. Log in to your Microsoft Azure account again.

    Step 4: Microsoft Azure–Add a Security Reader role assignment to Red Canary

    Grant Red Canary permission to read your Microsoft Azure Alerts to start sending security data for ingestion.

    1. In the search bar, type and then select Subscriptions.

    2. Click on your Azure Sentinel subscription name.

    3. Click Access Control (IAM).

    4. Click +Add, and then click Add role assignment.

    5. In the search bar, type and then select Security Reader.

    6. Click Next.

    7. From the Assign access to section, select User, group, or service principal.

    8. Click Select Members.

    9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.


    10. Click Select.

    11. To review your role assignment, click Next.

    12. Click Review + assign.

    Step 5: Microsoft Azure–Add a Log Analytics Contributor role assignment to Red Canary

    Grant Red Canary permission to read and analyze your Microsoft Azure telemetry to start sending security data for ingestion.

    1. In the search bar, type and then select Subscriptions.

    2. Click on your Azure Sentinel subscription name.

    3. Click Access Control (IAM).

    4. Click +Add, and then click Add role assignment.

    5. In the search bar, type and then select Log Analytics Contributor.

    6. Click Next.

    7. From the Assign access to section, select User, group, or service principal.

    8. Click Select Members.

    9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.


    10. Click Select.

    11. To review your role assignment, click Next.

    12. Click Review + assign.

    Step 6: Microsoft Azure–Add a Sentinel Responder role assignment to Red Canary

Grant Red Canary permission to edit data and manage incidents in Microsoft Azure.

    1. In the search bar, type and then select Subscriptions.

    2. Click on your Azure Sentinel subscription name.

    3. Click Access Control (IAM).

    4. Click +Add, and then click Add role assignment.

    5. In the search bar, type and then select Sentinel Responder.

    6. Click Next.

    7. From the Assign access to section, select User, group, or service principal.

    8. Click Select Members.

    9. In the search bar, type and then select Red Canary + Azure Sentinel API Poller.


    10. Click Select.

    11. To review your role assignment, click Next.

    12. Click Review + assign.
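After Steps 4 to 6, a practitioner will want to confirm that the Red Canary service principal holds exactly the three roles this article calls for and nothing broader. The following is an added example (not Red Canary's or Microsoft's code) that audits a constructed sample in the shape of the JSON that `az role assignment list --all -o json` returns; the role names are taken from this article, and the subscription ID is a placeholder.

```python
import json
from typing import Dict, Iterable, List

# Role names as this article assigns them in Steps 4 to 6 (assumed to match the
# built-in role names shown in your portal; adjust if they differ).
EXPECTED_ROLES = {"Security Reader", "Log Analytics Contributor", "Sentinel Responder"}
# Service principal name from Step 4.9 of the article.
PRINCIPAL = "Red Canary + Azure Sentinel API Poller"

# Constructed sample (only the fields used below) in the shape of
# `az role assignment list --all -o json`; the subscription ID is a placeholder.
SAMPLE_JSON = """[
  {"principalName": "Red Canary + Azure Sentinel API Poller", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Security Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "Red Canary + Azure Sentinel API Poller", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Log Analytics Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "Red Canary + Azure Sentinel API Poller", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]"""


def audit_principal_roles(assignments: Iterable[Dict], principal: str, expected: set) -> Dict[str, List[str]]:
    """Compare the roles granted to one principal against the expected set."""
    granted = {a["roleDefinitionName"] for a in assignments if a.get("principalName") == principal}
    return {
        "missing": sorted(expected - granted),     # roles the integration still needs
        "unexpected": sorted(granted - expected),  # roles beyond what the article calls for
    }


def audit_from_json(text: str, principal: str = PRINCIPAL, expected: set = EXPECTED_ROLES) -> Dict[str, List[str]]:
    """Parse `az role assignment list` JSON output and audit one principal."""
    return audit_principal_roles(json.loads(text), principal, expected)


if __name__ == "__main__":
    # On the sample: Sentinel Responder is still missing and Contributor is an extra grant to remove.
    print(audit_from_json(SAMPLE_JSON))
```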

    Step 7: Red Canary–Activate the Microsoft Azure Sentinel integration

    Enable your new Microsoft Azure Sentinel alert source in Red Canary.

    1. Return to the Edit Integration page in Red Canary.

    2. Under the Permissions section, check the Confirm Microsoft Sentinel API Access Granted box.

    3. Click Activate to activate the integration.

    4. Click Save.

    Step 8: Microsoft Azure–Deploy an ARM template

Deploy the Red Canary-provided ARM template in Azure so that Red Canary has the required permissions in your Azure tenant.

1. Log in using a Global Admin account for the tenant that you want to integrate with Red Canary.

    2. In the search bar, type and then select Service providers.

    3. Click Service Provider Offers.


    4. Click +Add offer, and then click Add via template.

    5. Upload the Red Canary provided ARM Template, and then click Upload.


    6. From the Subscription dropdown, select the subscription that your Sentinel instance resides in.

    7. From the region dropdown, select the region your Sentinel instance is deployed in.


    8. Click Next: Review + create >.

    9. Click Create.

    Step 9: Red Canary–Configure Alert State Sync Actions

    Once the integration is active, you can configure the state sync actions to determine whether Red Canary should add comments and/or automatically close the alerts in the source platform.

    1. Open the Edit Integration page in Red Canary.

2. Under the Actions in the Source Platform section, set the comment and close options as described below.

      Add comments to alerts in Microsoft Azure Sentinel…

      • As Red Canary validates the alert: if checked, Red Canary adds comments to the alert in Microsoft Sentinel as the alert is investigated and resolved. (Default=checked)

      Close alerts in Microsoft Azure Sentinel…

      • When Red Canary validates the alert as non-threatening: if checked, Red Canary closes the alert in Microsoft Sentinel as Benign Positive if the state is Not a Threat. (Default=checked)

      • When Red Canary validates the alert as suspicious: if checked, Red Canary closes the alert in Microsoft Sentinel as True Positive if the state is Suspicious, Highly Suspicious, or Threat but no threat has been published. (Default=unchecked)

      • When Red Canary publishes a threat involving the alert: if checked, Red Canary closes the alert in Microsoft Sentinel as True Positive if the state is Threat and a threat has been published. (Default=checked)

    3. Click Save when done.
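The close options above interact: with the defaults, an alert Red Canary rates as Threat stays open in Sentinel until a threat is actually published. The following is an added illustration of that decision logic (not Red Canary's own code); it assumes the state names are spelled exactly as in the options above and that each option is a boolean.

```python
from dataclasses import dataclass
from typing import Optional

# Red Canary alert states named in the options above (assumed spelled exactly as shown).
NOT_A_THREAT = "Not a Threat"
SUSPICIOUS_STATES = {"Suspicious", "Highly Suspicious", "Threat"}


@dataclass(frozen=True)
class SyncActions:
    """The four checkboxes under 'Actions in the Source Platform'; values are the page defaults."""
    comment_as_validated: bool = True
    close_non_threatening: bool = True    # closes as Benign Positive
    close_suspicious: bool = False        # closes as True Positive, no threat published
    close_published_threat: bool = True   # closes as True Positive, threat published


def close_classification(state: str, threat_published: bool, actions: SyncActions) -> Optional[str]:
    """Sentinel classification the alert would be closed with, or None if it stays open."""
    if state == NOT_A_THREAT:
        return "Benign Positive" if actions.close_non_threatening else None
    if state in SUSPICIOUS_STATES:
        if state == "Threat" and threat_published:
            return "True Positive" if actions.close_published_threat else None
        # Suspicious, Highly Suspicious, or Threat with no published threat.
        return "True Positive" if actions.close_suspicious else None
    return None  # any other state (e.g. still under investigation): no close action


def sync_outcome(state: str, threat_published: bool, actions: SyncActions = SyncActions()) -> dict:
    """Combined effect on the Sentinel alert for one Red Canary validation event."""
    return {
        "comment": actions.comment_as_validated,
        "close_as": close_classification(state, threat_published, actions),
    }


if __name__ == "__main__":
    for state, published in [("Not a Threat", False), ("Suspicious", False), ("Threat", False), ("Threat", True)]:
        print(state, published, sync_outcome(state, published))
```

Flip `close_suspicious` to True to see the unpublished Threat case close as True Positive instead of staying open.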


    FAQ

    Why do we require each of the roles above?

Log Analytics Contributor: This role is needed to create Diagnostic Settings on Storage Accounts and Key Vaults to stream events into Red Canary for monitoring. Additionally, it is necessary for configuring Data Export on Log Analytics Workspaces. These actions allow Red Canary to ingest logs for analysis, including control plane and sign-in logs.

    Reader Role: This role is used for reading and enumerating resources like Storage Accounts, subscriptions, and Key Vaults within the tenant. This role allows Red Canary to identify the necessary resources without making changes.

    Sentinel Responder Role: This role is necessary for Red Canary to manage and update incidents in Microsoft Sentinel. Without this permission, automations and incident responses—such as updating incident statuses—would not be possible. This role enables the required actions for managing threat responses within Sentinel.

