The Azure AD sensor
The Azure AD sensor collects and pre-processes data related to user sign-in activity, as well as configuration changes related to users and groups.
Azure AD sensor prerequisites
Before you integrate Azure AD with GravityZone, make sure you complete these steps:
1. Register your managed application in Microsoft Azure AD, unless you have one already.
2. In the API Permissions > Microsoft Graph application section, grant the following permissions according to how you want to configure the sensor:

   If you want to receive events and also take response actions for Azure AD incidents directly from GravityZone, the following permissions are needed:

   - AuditLog.Read.All
   - Directory.Read.All
   - Mail.ReadWrite, for deleting emails
   - User.ReadWrite.All, User.EnableDisableAccount.All. Allows the security analysts to disable user accounts involved in XDR incidents.
   - User.ReadWrite.All, User.RevokeSessions.All. Allows the security analysts to force password resets for user accounts involved in XDR incidents.

     Important: To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app. Additionally, to be able to take response actions on administrator users, you must assign the Global administrator role to the Azure app. In the Azure AD admin center, navigate to Roles and administrators > User administrator role > Add assignments, search for the application name used for the GravityZone Azure AD sensor integration and assign it. Repeat the same process for the Global administrator role.

   - IdentityRiskyUser.Read.All, for displaying Azure AD risky user information in the Graph details panel.
   - IdentityRiskyUser.ReadWrite.All, for marking a user account as compromised.

     Important: IdentityRiskyUser.ReadWrite.All and IdentityRiskyUser.Read.All require an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.

   If you only want to receive events but not take response actions for Azure AD incidents directly from GravityZone, the following permissions are sufficient:

   - AuditLog.Read.All
   - Directory.Read.All

3. Grant admin consent.
4. Generate a client secret, unless you have one already.
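The two permission sets above are effectively two privilege profiles for the app registration, and the response profile also carries directory roles that are far more powerful than any single Graph scope. The script below is an added example (not Bitdefender's or Microsoft's code) that checks a registration against the profile you intend to use: it reports missing permissions and roles, flags anything granted beyond the profile (over-privilege), and states the Azure AD Premium tier the granted set implies. The permission names, license tiers and roles are the ones listed on this page; the granted permissions and roles fed in are constructed samples, which in practice you would copy from the app's API permissions blade or read via Microsoft Graph.

```python
"""Least-privilege check for the app registration used by the GravityZone
Azure AD sensor. Added example: the permission names, license tiers and
directory roles come from the sensor documentation; the granted lists below
are constructed samples, not data read from a real tenant."""

# Profile "events_only": the sensor receives sign-in/audit events only.
EVENTS_ONLY = frozenset({
    "AuditLog.Read.All",
    "Directory.Read.All",
})

# Profile "events_and_response": events plus response actions from XDR incidents.
RESPONSE_EXTRA = {
    "Mail.ReadWrite": "deleting emails",
    "User.ReadWrite.All": "disabling accounts and forcing password resets",
    "User.EnableDisableAccount.All": "disabling user accounts",
    "User.RevokeSessions.All": "forcing password resets",
    "IdentityRiskyUser.Read.All": "displaying risky-user information",
    "IdentityRiskyUser.ReadWrite.All": "marking a user account as compromised",
}
EVENTS_AND_RESPONSE = EVENTS_ONLY | frozenset(RESPONSE_EXTRA)

PROFILES = {
    "events_only": EVENTS_ONLY,
    "events_and_response": EVENTS_AND_RESPONSE,
}

# IdentityRiskyUser.* needs Azure AD Premium P2; everything else needs P1.
REQUIRES_P2 = frozenset({
    "IdentityRiskyUser.Read.All",
    "IdentityRiskyUser.ReadWrite.All",
})

# Directory roles the response profile needs (password resets, admin targets).
RESPONSE_ROLES = frozenset({"User administrator", "Global administrator"})

# Canonical spelling of every known permission, keyed case-insensitively,
# so a hand-typed "Directory.Read.all" still matches.
_CANONICAL = {name.lower(): name for name in EVENTS_AND_RESPONSE}


def normalize(names):
    """Map permission names to their canonical spelling; unknown names pass through."""
    return frozenset(_CANONICAL.get(n.strip().lower(), n.strip()) for n in names)


def check_app(granted_permissions, assigned_roles, profile):
    """Compare what the app has against the chosen profile.

    Returns missing/extra permissions, missing/extra directory roles, the
    license tier the granted set implies, and two verdicts: "ok" (nothing
    missing) and "least_privilege" (nothing granted beyond the profile).
    """
    required = PROFILES[profile]
    granted = normalize(granted_permissions)
    missing = sorted(required - granted)
    extra = sorted(granted - required)  # over-privilege: scopes beyond the profile
    roles = frozenset(r.strip() for r in assigned_roles)
    needed_roles = RESPONSE_ROLES if profile == "events_and_response" else frozenset()
    missing_roles = sorted(needed_roles - roles)
    extra_roles = sorted(roles - needed_roles)  # an events-only app needs no role at all
    license_tier = "P2" if granted & REQUIRES_P2 else "P1"
    return {
        "profile": profile,
        "missing": missing,
        "extra": extra,
        "missing_roles": missing_roles,
        "extra_roles": extra_roles,
        "license": license_tier,
        "ok": not missing and not missing_roles,
        "least_privilege": not extra and not extra_roles,
    }


def report(result):
    """Render a check result as a few human-readable lines."""
    lines = [f"profile={result['profile']} ok={result['ok']} "
             f"least_privilege={result['least_privilege']} license>={result['license']}"]
    for key in ("missing", "extra", "missing_roles", "extra_roles"):
        if result[key]:
            lines.append(f"  {key}: {', '.join(result[key])}")
    return "\n".join(lines)


# Constructed samples: an events-only app that was over-granted Mail.ReadWrite,
# and a response-capable app missing one scope and the Global administrator role.
SAMPLE_EVENTS_ONLY = (["AuditLog.Read.All", "Directory.Read.all", "Mail.ReadWrite"], [])
SAMPLE_RESPONSE = (
    ["AuditLog.Read.All", "Directory.Read.All", "Mail.ReadWrite", "User.ReadWrite.All",
     "User.EnableDisableAccount.All", "IdentityRiskyUser.Read.All",
     "IdentityRiskyUser.ReadWrite.All"],
    ["User administrator"],
)

if __name__ == "__main__":
    print(report(check_app(*SAMPLE_EVENTS_ONLY, "events_only")))
    print(report(check_app(*SAMPLE_RESPONSE, "events_and_response")))
```

Run the check before you grant admin consent, and again after any later change to the registration: a scope added for another integration, or a role assigned during troubleshooting, silently widens what a leaked client secret could do.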
Setting up the Azure AD sensor
To configure the Azure AD sensor, follow these steps:
1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
2. Select the Azure AD sensor and click Integrate.
3. On the Check Requirements page, confirm that the prerequisite steps have been completed.
4. Name the integration and provide the necessary Azure AD details.
5. Select Test connectivity.
6. Select Add sensor.
The new integration will be available in the Sensors Management grid.