Integrate Microsoft Defender for Cloud with Red Canary
    • 04 Dec 2025
    • 4 Minutes to read

    Article summary

    The Defender for Cloud integration enables Red Canary to ingest and analyze Microsoft Defender for Cloud alerts from your Azure subscription, helping you identify and respond to a wide range of suspicious cloud activity.

    This integration guide is intended to connect Red Canary with a single Azure subscription that’s using Microsoft Defender for Cloud. If you have multiple Azure subscriptions associated with Defender for Cloud, you’ll need to set up a separate integration in Red Canary for each subscription.

    Prerequisites

    Before you start the Defender for Cloud integration, please make sure the following requirements are met:

    1 Red Canary | Add the Integration

    1. From your Red Canary homepage, go to the Integrations page, then click Add Integration.

    2. On the Add integration dialog, search for “Defender for Cloud” and click Configure.

    3. On the Red Canary configuration page, enter a name for the integration.

    2 Red Canary | Choose How Red Canary Will Receive This Data

    1. On the Red Canary configuration page, set Ingest Format / Method to Microsoft Defender for Cloud via API Poll.

    2. Click Next.

    3 Azure/Red Canary | Configure Red Canary to Retrieve Data from This Integration

    1. Sign in to the Azure portal using a Global Admin account for the tenant you plan to integrate with Red Canary.

    2. In the search bar, type and select Subscriptions.

    3. Identify a subscription connected to Defender for Cloud and copy the Subscription ID.

      Note

      If you have multiple Azure subscriptions connected to Defender for Cloud, you’ll need to create an integration for each subscription, even if they all share the same Tenant ID.

    4. Return to Red Canary and paste the Subscription ID into the Microsoft Defender for Cloud Subscription ID field.

    5. In the Azure search bar, type and select Tenant properties.

    6. Copy the Tenant ID.

    7. Return to Red Canary and paste the Tenant ID into the Microsoft Defender for Cloud Tenant ID field.

    8. Click this consent link to grant Red Canary access to your Microsoft tenant.

      Note

      You must be a Global Admin Azure user to successfully grant permissions to Red Canary.

      To learn more about which permissions we require, see Permission Requirements for Microsoft.

    9. Check the Confirm Microsoft Defender For Cloud API Access Granted box.

    10. Copy the Red Canary ARM template and save it in a local file. Review it before you deploy it: the template creates an Azure Lighthouse delegation, and its authorizations section lists the roles that principals in Red Canary's tenant will hold on your subscription.

    11. In Azure, search for and select Service providers.

    12. Click Service Provider Offers, then Add offer > Add via template.

    13. Upload the ARM template and click Upload.

    14. On the Custom deployment page:

      • From the Subscription dropdown, select the subscription with which Defender for Cloud is associated.


      • From the Region dropdown, select the region in which your Defender for Cloud instance is deployed.

    15. Click Review + create.

      Note

      If the deployment fails with a permissions error, check the account you are using. The consent link in step 8 requires a Global Administrator in the tenant, but deploying this template (an Azure Lighthouse delegation, which writes role assignments on the subscription) requires an Azure RBAC role with Microsoft.Authorization/roleAssignments/write on the target subscription, such as Owner. Global Administrator alone does not grant that unless the account has elevated its access to Azure resources.
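    Before uploading the template in step 13, a practitioner will want to see exactly what the saved file delegates. The following Python script is an added example, not Red Canary's code or template: it parses an Azure Lighthouse onboarding template (the kind the Service providers blade accepts), resolves [parameters('...')] references that carry a default value, lists the role behind each authorization, and flags write-capable or unrecognised roles and any mismatch against the managing tenant ID you expect. The embedded SAMPLE_TEMPLATE, its principal IDs and display names, and the 11111111-... tenant ID are constructed for illustration; the role GUIDs in BUILTIN_ROLES are Azure's well-known built-in role definition IDs.

```python
import json
import re

# Well-known Azure built-in role definition IDs (the bare GUID that Lighthouse
# authorizations use). Only roles whose IDs are certain are listed; any other ID
# is reported as "unknown" so you look it up (az role definition list --name <guid>)
# before deploying.
BUILTIN_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
    "fb1c8493-542b-48eb-b624-b4c8fea62acd": "Security Admin",
}
# Roles that let the managing tenant change your resources or your RBAC.
WRITE_ROLES = {"Owner", "Contributor", "User Access Administrator", "Security Admin"}

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def is_guid(value):
    """True if value has the shape of the Subscription/Tenant IDs the portal shows."""
    return isinstance(value, str) and GUID_RE.match(value) is not None


def resolve(value, parameters):
    """Resolve a "[parameters('x')]" expression to the parameter's defaultValue.

    Returns None when the parameter has no default: it will be supplied at
    deployment time, so the template alone does not tell you its value.
    """
    if isinstance(value, str):
        m = PARAM_RE.match(value)
        if m:
            return parameters.get(m.group(1), {}).get("defaultValue")
    return value


def review_lighthouse_template(template, expected_managed_by_tenant=None):
    """Summarise the delegations an onboarding template would create."""
    params = template.get("parameters", {})
    delegations, findings = [], []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.ManagedServices/registrationDefinitions":
            continue
        props = res.get("properties", {})
        managed_by = resolve(props.get("managedByTenantId"), params)
        if not is_guid(managed_by):
            findings.append("managedByTenantId is not fixed in the template; confirm it at deployment")
        elif expected_managed_by_tenant and managed_by.lower() != expected_managed_by_tenant.lower():
            findings.append(f"managedByTenantId {managed_by} is not the expected tenant {expected_managed_by_tenant}")
        authorizations = resolve(props.get("authorizations"), params)
        if not isinstance(authorizations, list):
            findings.append("authorizations are not fixed in the template; confirm them at deployment")
            continue
        for auth in authorizations:
            role_id = str(auth.get("roleDefinitionId", "")).lower()
            role = BUILTIN_ROLES.get(role_id, "unknown")
            who = auth.get("principalIdDisplayName") or auth.get("principalId")
            delegations.append({"principal": who, "role": role, "role_id": role_id})
            if role in WRITE_ROLES:
                findings.append(f"{who} would get {role}, a role that can change resources or RBAC")
            elif role == "unknown":
                findings.append(f"{who} would get unrecognised role {role_id}; look it up before deploying")
    if not delegations and not findings:
        findings.append("no registrationDefinitions resource found; this is not a Lighthouse template")
    return {"delegations": delegations, "findings": findings}


def review_template_file(path, expected_managed_by_tenant=None):
    """Review the ARM template you saved in step 10 (path is your local file)."""
    with open(path, encoding="utf-8") as fh:
        return review_lighthouse_template(json.load(fh), expected_managed_by_tenant)


# Constructed sample in the shape of a Lighthouse onboarding template; the tenant
# ID, principal IDs and display names are placeholders, not Red Canary's values.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "managedByTenantId": {"type": "string", "defaultValue": "11111111-1111-1111-1111-111111111111"},
        "authorizations": {"type": "array", "defaultValue": [
            {"principalId": "aaaaaaaa-0000-0000-0000-000000000001", "principalIdDisplayName": "Example MSSP Analysts",
             "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},
            {"principalId": "aaaaaaaa-0000-0000-0000-000000000002", "principalIdDisplayName": "Example MSSP Automation",
             "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
            {"principalId": "aaaaaaaa-0000-0000-0000-000000000003", "principalIdDisplayName": "Example MSSP Custom",
             "roleDefinitionId": "12345678-1234-1234-1234-123456789abc"},
        ]},
    },
    "resources": [
        {"type": "Microsoft.ManagedServices/registrationDefinitions", "apiVersion": "2019-06-01",
         "name": "[guid(parameters('managedByTenantId'))]",
         "properties": {"registrationDefinitionName": "Example delegation",
                        "managedByTenantId": "[parameters('managedByTenantId')]",
                        "authorizations": "[parameters('authorizations')]"}},
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE_TEMPLATE with review_template_file("redcanary-template.json", "<tenant id>")
    # to review the file you saved; the expected tenant is the one Red Canary tells you to expect.
    print(json.dumps(review_lighthouse_template(SAMPLE_TEMPLATE, "11111111-1111-1111-1111-111111111111"), indent=2))
```

    Treat every finding as something to resolve before Review + create: a write-capable role means the managing tenant can change your subscription, not just read alerts, and a value that is "not fixed in the template" will be filled in on the Custom deployment page, so check it there.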

    4 Red Canary | Customize How Data From This Integration is Handled

    1. [OPTIONAL] Check the Enable process correlation for user-defined alerts box to enable Process Correlation, which allows Red Canary to correlate user-defined alerts from Defender for Cloud with our rule metadata when displaying them in the timeline.

    2. [OPTIONAL] In the Actions in the Source Platform section, enable or disable alert actions to control how Red Canary writes back to alerts in Defender for Cloud. The table below describes the outcome of each setting when enabled.

      Setting                                               | Default State | Outcome when enabled
      ------------------------------------------------------|---------------|----------------------------------------------------------------------------------------------------------
      As Red Canary validates the alert                     | Enabled       | Red Canary adds comments to the alert notifying users of the current investigation status as the alert is investigated and resolved.
      When Red Canary validates the alert as non-threatening| Enabled       | Red Canary resolves the alert as Informational if the state is Not a Threat.
      When Red Canary validates the alert as suspicious     | Disabled      | Red Canary resolves the alert as True Positive if the state is Suspicious, Highly Suspicious, or Threat but no threat has been published.
      When Red Canary publishes a threat involving the alert| Enabled       | Red Canary resolves the alert as True Positive if the state is Threat and a threat has been published.

    3. Click Next.

    5 Red Canary | Customize How This Data Is Retained

    [OPTIONAL] If you’re subscribed to the Red Canary Security Data Lake, you can choose to copy the telemetry generated by the integration to long-term storage for later query or retrieval:

    1. Check the Store in the Security Data Lake box.

    2. Enter your desired data retention period in days. The maximum is 1095 days (three years).

    6 Red Canary | Activate the Integration

    After you’ve completed the configuration, click Save to activate the integration.

    The Defender for Cloud integration is now live!

    Data will appear in Red Canary on the Integrations page.

    7 Red Canary | Modify the Integration

    After the Defender for Cloud integration is active, you can make the following modifications to the configuration:

    • Update the API configuration used by the integration

    • Adjust the Security Data Lake retention period

    • Decommission the integration

    To modify the configuration:

    1. From your Red Canary homepage, go to the Integrations page, then click on the name of the integration you want to modify.

    2. After you’ve finished editing the configuration, click Save to apply your changes.

    Deleting the Integration

    To delete the integration from Red Canary, click the button, then click OK to confirm.

    Important

    Deleting the integration will prevent any new alerts from being sent to Red Canary. While existing threat data will remain, all processed alerts will be permanently deleted, and this action cannot be undone.

    For this reason, we recommend deactivating the integration instead, which will retain all previously processed alerts but stop further ingestion. You can reactivate the integration at any time.

