Issue
After integrating Defender for Endpoint with Red Canary, hostname records are displayed on the Endpoints page as <Unknown> (Sensor ID <value>).
Environment
Red Canary Portal
Microsoft Defender for Endpoint integration
Resolution
- Log in to your Azure portal for the Tenant ID named in the associated Defender for Endpoint integration and navigate to Enterprise Apps
- Verify the Red Canary + ATP enterprise app is listed in this tenant
- Click into the app and navigate to Security > Permissions
- Ensure the following permission is granted to the app:
  - Machine.ReadWrite.All
- If the app or any of its permissions are missing, have a user with active global administrator permissions click this consent link to re-provision the Red Canary + ATP app in your Azure tenant
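The same checks can be scripted instead of clicked through in the portal. The script below is an added example, not Red Canary tooling: it looks up the enterprise app in the tenant and lists the permissions granted to it, then reports whether Machine.ReadWrite.All is among them. It assumes the Microsoft Graph PowerShell SDK is installed, that the app's display name in your tenant matches the name used in this article, and it accepts the permission whether it was granted as an application or a delegated permission.

```powershell
# Added example: verify the enterprise app and its Defender for Endpoint permission.
# Requires the Microsoft.Graph PowerShell module and an account allowed to read applications.
param(
    [Parameter(Mandatory)] [string] $TenantId,          # Tenant ID named in the integration
    [string] $AppDisplayName = 'Red Canary + ATP',      # assumption: display name as written in this article
    [string] $RequiredPermission = 'Machine.ReadWrite.All'
)

Connect-MgGraph -TenantId $TenantId -Scopes 'Application.Read.All', 'Directory.Read.All'

$apps = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" -All)
if ($apps.Count -eq 0) {
    Write-Warning "No enterprise app named '$AppDisplayName' in tenant $TenantId; it needs to be re-provisioned."
    return
}

foreach ($app in $apps) {
    $granted = @()
    $resources = @{}   # cache of resource service principals, keyed by object ID

    # Application permissions are stored as app role assignments on the service principal.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id -All) {
        if (-not $resources.ContainsKey($a.ResourceId)) {
            $resources[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        # Resolve the assigned role ID to its name (for example Machine.ReadWrite.All).
        $role = $resources[$a.ResourceId].AppRoles | Where-Object Id -eq $a.AppRoleId
        if ($role) {
            $granted += [pscustomobject]@{ Type = 'Application'; Resource = $a.ResourceDisplayName; Permission = $role.Value }
        }
    }

    # Delegated permissions are stored as OAuth2 grants with a space-separated scope string.
    foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $app.Id -All) {
        foreach ($s in ($g.Scope -split '\s+' | Where-Object { $_ })) {
            $granted += [pscustomobject]@{ Type = 'Delegated'; Resource = $g.ResourceId; Permission = $s }
        }
    }

    $granted | Sort-Object Type, Permission | Format-Table -AutoSize
    if ($granted.Permission -contains $RequiredPermission) {
        Write-Host "OK: $RequiredPermission is granted to '$($app.DisplayName)' (app ID $($app.AppId))."
    } else {
        Write-Warning "$RequiredPermission is NOT granted to '$($app.DisplayName)'; admin consent is needed."
    }
}
```

The script only reads directory data. If it reports the app or the permission as missing, the fix is still the consent step above.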
Cause
The Red Canary + ATP enterprise app is either not found or is missing permissions in the affected Tenant ID. The app and its permissions are required for Red Canary to make the Defender for Endpoint API call that retrieves device details, including hostnames. After the app is provisioned, hostnames are gradually applied to endpoints that have recently checked in to the Defender XDR console.