
The Azure AD sensor

Azure AD is an XDR sensor that collects and preprocesses data on users and groups from Microsoft Entra ID, formerly known as Azure AD. The data refers to their sign-in activity and configuration changes.

The integration of Entra ID with GravityZone XDR is performed through Microsoft Graph API, with Azure Event Hubs as an optional addition.

Warning

Using Azure Event Hubs is recommended. Using only Microsoft Graph API may result in delays in retrieving security events from Microsoft Entra ID.

This section guides you through the process of adding an Azure AD sensor in GravityZone Control Center.

Prerequisites

Before setting up the Azure AD sensor to integrate Microsoft Entra ID, perform the following actions:

  • Assign the required permissions to the Microsoft Entra ID application

  • Recommended: configure an Azure event hub

Setting up the Microsoft Entra ID application

  1. In the Microsoft Entra admin center, register an application unless you have one already. For more information, refer to Register an application with the Microsoft identity platform.

    Note the Application (client) ID and the Directory (tenant) ID.

  2. Add the following Application permissions for Microsoft Graph to your application, according to how you want to configure the sensor. Refer to Application permissions to Microsoft Graph.

    1. To receive events and take response actions for incidents from Microsoft Entra ID directly in GravityZone, the following permissions are required:

      • AuditLog.Read.All

      • Directory.Read.All

      • Mail.ReadWrite: for deleting emails

      • User.ReadWrite.All, User.EnableDisableAccount.All: allow the security analysts to disable user accounts involved in XDR incidents.

      • User.ReadWrite.All, User.RevokeSessions.All: allow the security analysts to force password resets for user accounts involved in XDR incidents.

      • IdentityRiskyUser.Read.All: for displaying Microsoft Entra ID risky user information in the XDR incident graph details panel

      • IdentityRiskyUser.ReadWrite.All: for marking a user account as compromised

    2. If you only need to receive events from Microsoft Entra ID, the following permissions are sufficient:

      • AuditLog.Read.All

      • Directory.Read.All

      • IdentityRiskyUser.Read.All

    Important

    • IdentityRiskyUser.ReadWrite.All and IdentityRiskyUser.Read.All require a Microsoft Entra ID P2 license. The other permissions require a Microsoft Entra ID P1 license.

    • You will need to grant Admin consent for the assigned Application permissions.

  3. If you want to enforce password resets on Microsoft 365 accounts directly from GravityZone XDR incidents, you must assign the User Administrator role to the previously created app. Follow these steps:

    1. In the Microsoft Entra admin center, navigate to Identity > Roles & admins > Roles & admins in the left-side menu.

    2. Search for the User Administrator role and select it.

    3. Select Add assignments.

    4. Click No member selected to open the Select a member pop-up window.

    5. Search for your app and select it.

    6. Click Select, then Next.

    7. Provide an assignment justification.

    8. Click Assign.

  4. To be able to take response actions on administrator users, assign the Global Administrator role to the application. For this purpose, repeat the process from step three for the Global Administrator role.

  5. Generate a client secret for your application, unless you have one already. For more details, refer to the Add a client secret procedure in the Add credentials article.

    Note the Value of the added client secret.
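Because the permission sets above differ by mode and the admin-consent step is easy to miss, a quick way to verify the app registration before adding the sensor is to compare what Microsoft Graph reports as granted against what the documentation requires. The following script is an added example (not Bitdefender's or Microsoft's code). It consumes two Graph responses that you fetch with any authenticated client: the Microsoft Graph service principal (its appRoles list maps role ids to permission names) and your app's service principal's appRoleAssignments (an assignment for an application permission exists only once admin consent has been granted). The payloads embedded below are constructed with placeholder ids so the script runs offline; the function names are my own.

```python
"""Verify the Graph application permissions granted to the sensor's app registration.

Added example, not Bitdefender's or Microsoft's code. Inputs (fetch with any client):
  GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
      -> the Microsoft Graph service principal; "appRoles" maps role ids to names
  GET /servicePrincipals/{your-app-sp-id}/appRoleAssignments
      -> the application permissions your app has actually been granted (consented)
The sample payloads below are constructed with placeholder ids.
"""

# Permission sets from the documentation: full mode (events + response actions)
# and events-only mode. The IdentityRiskyUser.* permissions need a P2 license.
FULL_PERMISSIONS = {
    "AuditLog.Read.All", "Directory.Read.All", "Mail.ReadWrite",
    "User.ReadWrite.All", "User.EnableDisableAccount.All", "User.RevokeSessions.All",
    "IdentityRiskyUser.Read.All", "IdentityRiskyUser.ReadWrite.All",
}
EVENTS_ONLY_PERMISSIONS = {"AuditLog.Read.All", "Directory.Read.All", "IdentityRiskyUser.Read.All"}
P2_PERMISSIONS = {"IdentityRiskyUser.Read.All", "IdentityRiskyUser.ReadWrite.All"}

# Constructed sample: the Graph service principal with placeholder role ids.
SAMPLE_GRAPH_SP = {
    "id": "sp-msgraph-placeholder",
    "appRoles": [
        {"id": "role-auditlog", "value": "AuditLog.Read.All"},
        {"id": "role-dirread", "value": "Directory.Read.All"},
        {"id": "role-riskyread", "value": "IdentityRiskyUser.Read.All"},
        {"id": "role-riskywrite", "value": "IdentityRiskyUser.ReadWrite.All"},
        {"id": "role-userrw", "value": "User.ReadWrite.All"},
        {"id": "role-userenable", "value": "User.EnableDisableAccount.All"},
        {"id": "role-userrevoke", "value": "User.RevokeSessions.All"},
        {"id": "role-mailrw", "value": "Mail.ReadWrite"},
    ],
}
# Constructed sample: what the sensor app's service principal has been granted.
SAMPLE_ASSIGNMENTS = {
    "value": [
        {"appRoleId": "role-auditlog", "resourceId": "sp-msgraph-placeholder"},
        {"appRoleId": "role-dirread", "resourceId": "sp-msgraph-placeholder"},
        {"appRoleId": "role-riskyread", "resourceId": "sp-msgraph-placeholder"},
        {"appRoleId": "role-userrw", "resourceId": "sp-msgraph-placeholder"},
        {"appRoleId": "role-userenable", "resourceId": "sp-msgraph-placeholder"},
        # a grant on a different resource API: must not count as a Graph permission
        {"appRoleId": "role-auditlog", "resourceId": "sp-other-api-placeholder"},
    ]
}


def granted_graph_permissions(graph_sp, assignments):
    """Resolve the app's appRoleAssignments on Microsoft Graph to permission names."""
    roles_by_id = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    granted = set()
    for a in assignments.get("value", []):
        if a.get("resourceId") != graph_sp["id"]:
            continue  # assignment on another resource, not a Graph permission
        name = roles_by_id.get(a.get("appRoleId"))
        if name:
            granted.add(name)
    return granted


def check_sensor_permissions(graph_sp, assignments, mode="full"):
    """Report missing permissions, over-broad extras, and whether a P2 license is needed."""
    if mode not in ("full", "events-only"):
        raise ValueError("mode must be 'full' or 'events-only'")
    required = FULL_PERMISSIONS if mode == "full" else EVENTS_ONLY_PERMISSIONS
    granted = granted_graph_permissions(graph_sp, assignments)
    return {
        "missing": sorted(required - granted),          # sensor will fail or lack actions
        "extra": sorted(granted - required),            # candidates for least-privilege cleanup
        "needs_p2_license": bool(granted & P2_PERMISSIONS),
    }


if __name__ == "__main__":
    for mode in ("full", "events-only"):
        print(mode, check_sensor_permissions(SAMPLE_GRAPH_SP, SAMPLE_ASSIGNMENTS, mode))
```

The "extra" list is worth reviewing on the events-only path: an app that only needs to read events but still holds User.ReadWrite.All or Mail.ReadWrite is a broader foothold than the integration requires, so those grants should be removed rather than left in place.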

Configuring an Azure event hub

If you want to optimize the event delivery speed using Azure Event Hubs, you must also complete these steps:

  1. In the Azure portal, create a resource group unless you have one already. For more information, refer to Create a resource group.

  2. Create an Event Hubs namespace in your resource group. For details, refer to Create an Event Hubs namespace.

  3. Create an event hub within the namespace. For more information, go to Create an event hub.

    Note

    In the event hub's Settings section, you can find the event hub name and its associated consumer groups. If you would like the sensor to use a consumer group other than the default, click + Consumer group and create a new one.

  4. Create a SAS policy for the event hub and get the connection string. Refer to Connection string for a specific event hub in a namespace.

    Note

    It is recommended to create the SAS policy for the specific event hub rather than for the entire namespace.

  5. In the Microsoft Entra admin center, follow the first seven steps of the Stream logs to an event hub topic to enable log routing to your previously created event hub.

    At step five, select the following log categories:

    • AuditLogs

    • SignInLogs

    • ProvisioningLogs

    • RiskyUsers

    Important

    At step seven, it is mandatory to select the name of your previously created event hub.
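Two things in the event hub setup are easy to get subtly wrong: a SAS policy created at the namespace level instead of on the specific event hub (the note at step four), and a diagnostic setting that routes fewer than the four log categories listed at step five. The script below is an added example (not Bitdefender's or Microsoft's code) that checks both offline. It assumes the standard Event Hubs connection-string format, where a policy scoped to one event hub carries an EntityPath field, and the Azure Monitor diagnostic-log message shape in which each Event Hubs message body is a JSON object with a records array whose entries carry a category. The connection strings and message bodies embedded below are constructed samples with placeholder names and keys; the function names are my own.

```python
"""Sanity checks for the Event Hubs side of the Azure AD sensor setup.

Added example, not Bitdefender's or Microsoft's code.
 1. Is the SAS connection string scoped to one event hub (has EntityPath)?
 2. Do the messages on the hub carry all four expected log categories?
 3. Bonus: pull failed sign-ins out of SignInLogs records as a first triage view.
All inputs below are constructed samples.
"""
import json

REQUIRED_CATEGORIES = {"AuditLogs", "SignInLogs", "ProvisioningLogs", "RiskyUsers"}

# Constructed: policy created on the event hub itself (note the EntityPath).
HUB_SCOPED_CONN = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
                   "SharedAccessKeyName=gravityzone-listen;"
                   "SharedAccessKey=PLACEHOLDER_KEY==;EntityPath=entra-logs")
# Constructed: namespace-level policy, which the documentation advises against.
NAMESPACE_CONN = ("Endpoint=sb://example-ns.servicebus.windows.net/;"
                  "SharedAccessKeyName=RootManageSharedAccessKey;"
                  "SharedAccessKey=PLACEHOLDER_KEY==")

# Constructed: two Event Hubs message bodies in the {"records": [...]} shape.
SAMPLE_MESSAGES = [
    json.dumps({"records": [
        {"time": "2024-01-01T10:00:00Z", "category": "SignInLogs",
         "operationName": "Sign-in activity",
         "properties": {"userPrincipalName": "alice@example.com", "status": {"errorCode": 0}}},
        {"time": "2024-01-01T10:00:05Z", "category": "SignInLogs",
         "operationName": "Sign-in activity",
         "properties": {"userPrincipalName": "bob@example.com", "status": {"errorCode": 50126}}},
    ]}),
    json.dumps({"records": [
        {"time": "2024-01-01T10:00:07Z", "category": "AuditLogs",
         "operationName": "Add member to role", "properties": {}},
    ]}),
]


def parse_connection_string(conn):
    """Split 'Key=Value;...' into a dict and flag whether it is scoped to one hub."""
    parts = {}
    for field in conn.strip().rstrip(";").split(";"):
        key, sep, value = field.partition("=")  # keys never contain '=', base64 keys may
        if not sep:
            raise ValueError(f"malformed field: {field!r}")
        parts[key.strip()] = value.strip()
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in parts:
            raise ValueError(f"connection string lacks {required}")
    parts["hub_scoped"] = "EntityPath" in parts
    return parts


def _records(message_bodies):
    for body in message_bodies:
        yield from json.loads(body).get("records", [])


def check_log_categories(message_bodies):
    """Count records per category across a batch and list categories not yet seen."""
    counts = {}
    for rec in _records(message_bodies):
        cat = rec.get("category", "<missing>")
        counts[cat] = counts.get(cat, 0) + 1
    return {"counts": counts, "missing": sorted(REQUIRED_CATEGORIES - set(counts))}


def failed_sign_ins(message_bodies):
    """Failed sign-in count per user; errorCode 0 is success, anything else a failure."""
    failures = {}
    for rec in _records(message_bodies):
        if rec.get("category") != "SignInLogs":
            continue
        props = rec.get("properties", {})
        if props.get("status", {}).get("errorCode", 0) != 0:
            upn = props.get("userPrincipalName", "<unknown>")
            failures[upn] = failures.get(upn, 0) + 1
    return failures


if __name__ == "__main__":
    print("hub-scoped:", parse_connection_string(HUB_SCOPED_CONN)["hub_scoped"])
    print("namespace-scoped:", parse_connection_string(NAMESPACE_CONN)["hub_scoped"])
    print(check_log_categories(SAMPLE_MESSAGES))
    print(failed_sign_ins(SAMPLE_MESSAGES))
```

Categories are not guaranteed to share a message, and some (ProvisioningLogs, RiskyUsers) are produced only when there is activity, so run the category check over a window of messages before concluding that a category was left out of the diagnostic setting.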

Setting up the Azure AD sensor

To configure the Azure AD sensor in GravityZone Control Center, follow these steps:

  1. Go to the Configuration > Sensors Management page from the left-side menu.

  2. Select Add new to integrate a new sensor.

  3. Select the Azure AD sensor and click Integrate.

  4. On the Check Requirements page, click Confirm to certify that the prerequisite steps have been completed.

  5. Name the integration and provide the Application ID, the Client secret, and the Tenant ID that you have obtained in the prerequisite steps.

  6. If, in the prerequisite steps, you chose to use the Azure Event Hubs, provide the Event hub connection string and the Event hub name that you have obtained.

    Optionally, you can provide a consumer group other than the default.

  7. If, in the prerequisite steps, you chose not to use the Azure Event Hubs, select the Do not use Azure Event Hubs for security events retrieval option.

  8. Click Test connectivity.

  9. Click Add sensor.

  10. Click Done.

    The new integration will be displayed in the Sensors Management grid.