Integrate Microsoft Defender for Cloud with Red Canary
- 21 Aug 2024
- 3 Minutes to read
- PDF
Integrate Microsoft Defender for Cloud with Red Canary
- Updated on 21 Aug 2024
- 3 Minutes to read
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Integrating Microsoft Defender for Cloud with Red Canary enhances cloud security posture by combining advanced threat detection with expert threat hunting. We leverage Defender for Cloud’s comprehensive cloud security capabilities to identify vulnerabilities and suspicious activities, with our ability to prioritize and investigate critical threats, providing a robust defense against cloud-based attacks. To integrate Microsoft Defender for Cloud with Red Canary, follow the procedure below from beginning to end.
Prerequisites
You must have Azure Global Admin rights to upload and accept the Azure Resource Management (ARM) Template configuration, and add the required role assignments in Azure.
Step 1: Microsoft Azure–Locate your Microsoft Azure IDs
Start the integration process by locating your Microsoft Azure IDs.
Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
In the search bar, type and then select Subscriptions.
Copy and save your Subscription ID. You’ll use this in a later step.
In the search bar, type and then select Tenant properties.
Copy and save your Tenant ID. You’ll use this in a later step.
Step 2: Red Canary–Input your Microsoft Azure ID information
Enter your Microsoft Azure ID information into Red Canary to connect your Microsoft security product to Red Canary.
From your Red Canary homepage, click Integrations.
From the Integrations section, click Microsoft Azure.
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A35%3A55Z&se=2024-09-20T12%3A45%3A55Z&sr=c&sp=r&sig=ssMo63s615P3QfB3lNeP8Pw07QpUyEIp7BxouT%2BS%2F80%3D)
Enter a Name for your external alert source.
Select a Display Category.
Under the Ingest Format/Method dropdown, select Microsoft Defender for Cloud via API Poll.
Enter your Microsoft Subscription ID from Step 1.3.
Enter your Microsoft Tenant ID from Step 1.5.
Click Save Configuration.
Click Edit Configuration.
Under the Permissions section, click the Microsoft consent link.
.png?sv=2022-11-02&spr=https&st=2024-09-20T12%3A35%3A55Z&se=2024-09-20T12%3A45%3A55Z&sr=c&sp=r&sig=ssMo63s615P3QfB3lNeP8Pw07QpUyEIp7BxouT%2BS%2F80%3D)
Step 3: Microsoft Azure–Add a Security Reader role assignment to Red Canary
To start sending security data for ingestion, grant Red Canary permission to read your Microsoft Azure telemetry.
Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
In the search bar, type and then select Subscriptions.
Click on your Microsoft Defender for Cloud subscription name.
Click Access Control (IAM).
Click +Add, and then click Add role assignment.
In the search bar, type and then select Security Reader.
Click Next.
From the Assign access to section, select User, group, or service principal.
Click Select Members.
In the search bar, type and then select Red Canary + Defender for Cloud.
Click Select.
To review your role assignment, click Next.
Click Review + assign.
Step 4: Microsoft Azure–Add a Security Admin role assignment to Red Canary
Grant Red Canary permission to read your Microsoft Defender for Cloud alerts and recommendations, and then update the alerts within Defender for Cloud.
In the search bar, type and then select Subscriptions.
Click on your Microsoft Defender for Cloud subscription name.
Click Access Control (IAM).
Click +Add, and then click Add role assignment.
In the search bar, type and then select Security Admin.
Click Next.
From the Assign access to section, select User, group, or service principal.
Click Select Members.
In the search bar, type and then select Red Canary + Defender for Cloud. (This enterprise application is created when you approve the consent link mentioned in Step 2.12).
Click Select.
To review your role assignment, click Next.
Click Review + assign.
Step 5: Microsoft Azure–Add a Managed Services Registration assignment Delete Role to Red Canary
Grant Red Canary permission to read your Microsoft Defender for Cloud alerts and recommendations, and then update the alerts within Defender for Cloud.
In the search bar, type and then select Subscriptions.
Click on your Microsoft Defender for Cloud subscription name.
Click Access Control (IAM).
Click +Add, and then click Add role assignment.
In the search bar, type and then select Managed Services Registration assignment Delete Role.
Click Next.
From the Assign access to section, select User, group, or service principal.
Click Select Members.
In the search bar, type and then select Red Canary + Defender for Cloud. (The enterprise application is created when you approve the consent link mentioned in Step 2.12).
Click Select.
To review your role assignment, click Next.
Click Review + assign.
Step 6: Red Canary–Activate your Microsoft Defender for Cloud alert source
Enable your new Microsoft Defender for Cloud source in Red Canary.
From your Red Canary homepage, click Integrations.
Scroll down, and then select your third-party security source.
Click Edit Configuration.
With all of the required permission settings completed, select Confirm Microsoft Microsoft Defender for Cloud API Access Granted.
Click Save Configuration.
Click Edit Configuration.
Click Activate.
Step 7: Microsoft Azure–Deploy an ARM template
Deploy the Red Canary provided ARM template in Azure to enable Red Canary to have the right permissions in your Azure tenant.
Login using a Global Admin account for the tenant that you want to integrate with Red Canary.
In the search bar, type and then select Service providers.
Click Service Provider Offers.
Click +Add offer, and then click Add via template.
Upload the Red Canary-provided ARM template, and then click Upload.
From the Subscription dropdown, select the subscription that your Defender for Cloud instance resides in.
From the Region dropdown, select the region in which your Defender for Cloud instance is deployed.
Click Next: Review + create >.
Click Create.
Test
Was this article helpful?
