Understand Permission Requirements
- Updated on 25 Sep 2024
- 6 Minutes to read
Red Canary's integration with the Microsoft 365 Defender Extended Detection and Response (XDR) platform uses several permissions within Azure and the Microsoft 365 Defender console. This article walks you through the permissions Red Canary holds once you grant it access to your Microsoft security products.
Data Export
Red Canary’s low-level integration ingests alerts and raw telemetry generated by the Defender for Endpoint sensor. For this telemetry to be processed and analyzed by our Red Canary platform and our Cyber Incident Response Team (CIRT), your telemetry must be sent to Red Canary’s Azure Event Hub. As part of your onboarding, you will be asked to accept an Azure invite into Red Canary’s Microsoft tenant. Once you accept the invitation, Red Canary’s backend automation will provision the appropriate (Azure Data Sender) permissions to enable the telemetry from your Microsoft 365 Defender tenant to flow into Red Canary’s Azure Event Hub.
Grant Red Canary permission to Defender For Endpoint API
Red Canary interacts with Defender for Endpoint programmatically using Microsoft's APIs.
The following tables detail the API permissions that Red Canary's Automate feature uses to read alert data and take Defender for Endpoint remediation actions. In each table, "the app" refers to the application that interfaces with the Microsoft APIs in your tenant.
Azure Active Directory Graph
| API / Permissions Name | Description |
|---|---|
| Application.ReadWrite.OwnedBy | Allows the app to create other applications and fully manage those applications (read, update, update application secrets and delete) without a signed-in user. Can update only apps of which it is an owner. |
WindowsDefenderATP
| API / Permissions Name | Description |
|---|---|
| AdvancedQuery.Read.All | Allows the app to run advanced queries |
| Alert.Read.All | Allows the app to read any alert |
| Alert.ReadWrite.All | Allows the app to create or update any alert |
| Event.Write | Allows the app to create events in the machine timeline |
| File.Read.All | Allows the app to read all file profiles |
| Ip.Read.All | Allows the app to read all IP address profiles |
| Machine.CollectForensics | Allows the app to collect forensics from a machine |
| Machine.Isolate | Allows the app to isolate any device that runs the Defender for Endpoint sensor |
| Machine.Offboard | Allows the app to offboard a machine from the service |
| Machine.Read.All | Allows the app to read all machine profiles, including the commands that were sent to each machine |
| Machine.ReadWrite.All | Allows the app to create machine records and to read or update any machine record |
| Machine.RestrictExecution | Allows the app to restrict code execution on a machine according to policy |
| Machine.Scan | Allows the app to scan a machine |
| Machine.StopAndQuarantine | Allows the app to stop a file running on a machine and to quarantine that file |
| Score.Read.All | Allows the app to read any Threat and Vulnerability Management score |
| SecurityConfiguration.Read.All | Allows the app to read all security configurations |
| SecurityRecommendation.Read.All | Allows the app to read any Threat and Vulnerability Management security recommendation |
| Software.Read.All | Allows the app to read any Threat and Vulnerability Management software information |
| Ti.Read.All | Allows the app to read all IOCs |
| Ti.ReadWrite | Allows the app to create IOCs and to read or update IOCs it created |
| Ti.ReadWrite.All | Allows the app to manage all IOCs of the tenant |
| Url.Read.All | Allows the app to read all URL profiles |
| User.Read.All | Allows the app to read all user profiles |
| Vulnerability.Read.All | Allows the app to read any Threat and Vulnerability Management vulnerability information |
Grant Red Canary permission to your Graph API
Microsoft provides additional APIs that enable Red Canary to programmatically ingest alert data for the other products within Microsoft 365 Defender, along with Azure Active Directory (AD) Identity Protection. Red Canary uses read and write permissions in the Graph API to send our analysts' comments into alerts in your Microsoft Defender console.
The following table details the permissions used with the Graph API. In the table, "the app" refers to the application that interfaces with the Microsoft APIs in your tenant.
Microsoft.Graph.v2
| API / Permissions Name | Description |
|---|---|
| SecurityAlert.Read.All, SecurityAlert.ReadWrite.All | Enables the app to read your organization's security events without a signed-in user. Also allows the app to update editable properties in security events. Red Canary uses the write abilities to update the status of these events in Alerts v2. |
| SecurityIncident.Read.All, SecurityIncident.ReadWrite.All | Required for List Incidents and Get Incidents. Write required to update incidents. |
| ThreatHunting.Read.All | Required for retrieving additional context from Threat Hunting queries |
Grant Red Canary permission to your Office 365 Management Activity API
As part of the Threat Hunting offering, Red Canary can ingest Office 365 Exchange Online-related events. These events are stored in the Unified Audit Log found in Microsoft Purview. Red Canary uses the Office 365 Management Activity API to programmatically read these Exchange Online events from the Unified Audit Log.
The following table details the permissions used with the Office 365 Management API. In the table, "the app" refers to the application that interfaces with the Microsoft APIs in your tenant.
Office 365 Management APIs
| API / Permissions Name | Description |
|---|---|
| ActivityFeed.Read | Allows the app to read activity data for your organization |
| ActivityFeed.ReadDlp | Allows the application to read Data Loss Prevention (DLP) policy events, including detected sensitive data, for your organization |
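The three API tables above describe what the integration's service principal is expected to hold. The check below is an added example, not Red Canary's or Microsoft's code: it resolves a service principal's appRoleAssignments to permission values and diffs them against the documented set, so an admin can spot grants that exceed it or that are missing. The Graph-shaped sample records and the role ids in them are constructed placeholders.

```python
# Added example (not Red Canary's code): audit the application permissions actually
# granted to an integration's service principal against the set documented above.
# Sample records are constructed to mirror Microsoft Graph output (appRoleAssignments
# and a resource principal's appRoles); role ids are placeholders, not real GUIDs.
# Expected application permissions per resource API, taken from the tables above.
EXPECTED = {
    "WindowsDefenderATP": {
        "AdvancedQuery.Read.All", "Alert.Read.All", "Alert.ReadWrite.All", "Event.Write",
        "File.Read.All", "Ip.Read.All", "Machine.CollectForensics", "Machine.Isolate",
        "Machine.Offboard", "Machine.Read.All", "Machine.ReadWrite.All",
        "Machine.RestrictExecution", "Machine.Scan", "Machine.StopAndQuarantine",
        "Score.Read.All", "SecurityConfiguration.Read.All", "SecurityRecommendation.Read.All",
        "Software.Read.All", "Ti.Read.All", "Ti.ReadWrite", "Ti.ReadWrite.All",
        "Url.Read.All", "User.Read.All", "Vulnerability.Read.All"},
    "Microsoft Graph": {"SecurityAlert.Read.All", "SecurityAlert.ReadWrite.All",
                        "SecurityIncident.Read.All", "SecurityIncident.ReadWrite.All",
                        "ThreatHunting.Read.All"},
    "Office 365 Management APIs": {"ActivityFeed.Read", "ActivityFeed.ReadDlp"},
}
# Constructed: appRoles published by each resource service principal (id -> value).
RESOURCE_APP_ROLES = {
    "WindowsDefenderATP": {"role-01": "Alert.Read.All", "role-02": "Machine.Isolate"},
    "Microsoft Graph": {"role-10": "SecurityAlert.ReadWrite.All", "role-11": "Directory.ReadWrite.All"},
}
# Constructed: appRoleAssignments found on the integration's service principal.
ASSIGNMENTS = [
    {"resourceDisplayName": "WindowsDefenderATP", "appRoleId": "role-01"},
    {"resourceDisplayName": "WindowsDefenderATP", "appRoleId": "role-02"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-10"},
    {"resourceDisplayName": "Microsoft Graph", "appRoleId": "role-11"},
]

def granted_permissions(assignments, resource_app_roles):
    """Resolve each appRoleId to its permission value, grouped by resource API."""
    granted = {}
    for a in assignments:
        roles = resource_app_roles.get(a["resourceDisplayName"], {})
        value = roles.get(a["appRoleId"], a["appRoleId"])  # unknown id: keep the raw id
        granted.setdefault(a["resourceDisplayName"], set()).add(value)
    return granted

def audit(assignments, resource_app_roles, expected=EXPECTED):
    """Return {resource: (unexpected, missing)}; extras need review, gaps break features."""
    granted = granted_permissions(assignments, resource_app_roles)
    return {r: (sorted(granted.get(r, set()) - expected.get(r, set())),
                sorted(expected.get(r, set()) - granted.get(r, set())))
            for r in set(expected) | set(granted)}

if __name__ == "__main__":
    for resource, (extra, missing) in sorted(audit(ASSIGNMENTS, RESOURCE_APP_ROLES).items()):
        print(f"{resource}: unexpected={extra} missing={missing}")
```

In the constructed sample the Graph grant Directory.ReadWrite.All is reported as unexpected because it is not in any table above, which is exactly the kind of drift a tenant admin should question.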
Grant the Red Canary CIRT access to your Microsoft 365 Defender console
Microsoft's APIs provide Red Canary with endpoint and alert telemetry. However, there are times when Red Canary's CIRT (Cyber Incident Response Team), which comprises our Detection Engineers and Threat Hunters, needs additional context for a presumed threat. In these cases, Red Canary needs access to the Microsoft 365 Defender console.
The Microsoft 365 Defender portal is the central access point for the Microsoft 365 Defender products. The Security Reader Entra ID Role enables Red Canary to read alert data for all of the Microsoft 365 Defender products (except Defender for Endpoint) in the Microsoft 365 Defender console. Defender for Endpoint uses its own Role-Based Access Control (RBAC) instance to provide granular access to various functions in the console.
The following table details the required permissions that Red Canary MDR services need to use Defender for Endpoint:
Red Canary MDR for Defender for Endpoint
| Permission | Description | Justification |
|---|---|---|
| Entra ID / Security Reader | Can read security information in Entra ID and Microsoft 365 Defender. Learn more about the Security Reader role. | Permissions required to view Microsoft 365 Defender data (non-Defender for Endpoint, e.g., MDI, MDO) in the Microsoft 365 Defender console |
| Defender for Endpoint / View Data: Security Operation | View Alerts, Incidents, Automated Investigation, Advanced Hunting, Device Pages | Required access for the Red Canary CIRT to view alert data or perform advanced hunting queries in Defender for Endpoint |
| Defender for Endpoint / View Data: Threat and Vulnerability Management | View Defender for Endpoint Vulnerability Management data in the Microsoft 365 Defender portal | Permissions required to view Threat and Vulnerability Management status in Defender for Endpoint. This allows Detection Engineers and Threat Hunters to better assess risk presented by threats in customer environments. |
The following table details the permissions that Red Canary's CIRT needs for Active Remediation.
Red Canary MDR + Active Remediation for Defender for Endpoint
| Permission | Description | Justification |
|---|---|---|
| Entra ID / Security Administrator | Can read security information and manage security configuration in Entra ID and Microsoft 365. Learn more about the Security Admin role. | Required access for the Red Canary CIRT to take remediation actions in Defender for Identity and Defender for Office 365 |
| Defender for Endpoint / View Data: Security Operation | View Alerts, Incidents, Automated Investigation, Advanced Hunting, Device Pages | Required access for the Red Canary CIRT to view alert data or perform advanced hunting queries in Defender for Endpoint |
| Defender for Endpoint / View Data: Threat and Vulnerability Management | View Defender for Endpoint Vulnerability Management data in the Microsoft 365 Defender portal | Permissions required to view Threat and Vulnerability Management status in Defender for Endpoint. This allows Detection Engineers and Threat Hunters to better assess risk presented by threats in customer environments. |
| Defender for Endpoint / Active Remediation actions: Security Operations | Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators | |
| Defender for Endpoint / Alerts Investigation | Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files | Allows our CIRT to analyze alerts within Defender for Endpoint |
| Defender for Endpoint / Live response capabilities: Advanced | | Allows our CIRT to use the Live Response functionality in Defender for Endpoint to perform remediation actions |