

Configuration

For XDR to correlate events and generate organization-level incidents, you need to turn on the Incidents Sensor. To enrich the pool of events correlated by XDR with network data, you need to install and configure the Network Sensor.

To unlock the full potential of this feature you also need to integrate and set up sensors from all the cloud and local service platforms your company uses, such as Microsoft Office 365, Amazon AWS, Active Directory, Azure Active Directory.

Note

For EDR to work properly, deploy the BEST agent with the EDR module on your endpoints beforehand and make sure the Incidents Sensor is enabled in the policy applied to them.

The Incidents Sensor continuously monitors endpoint activity such as running processes, network connections, registry changes, and user behavior. This metadata is collected, reported and processed by machine learning algorithms and prevention technologies that detect suspicious activity on the system and generate incidents.

The Network Sensor continuously listens to network traffic, collecting events from all endpoints in your environment, pre-processing and pre-filtering them, and sending the metadata to GravityZone's Security Analytics engine, thus enriching the context of extended incidents generated by GravityZone.

In the Sensors Management tab of the Configuration menu you can set up and manage additional sensors that process data from any major cloud or local service platform your company uses. XDR interprets this data and correlates it with events from the Incidents and Network sensors to enhance the level of details in extended incidents and deliver more accurate detections.

Important

The Network Sensor, as well as the productivity, identity and cloud sensors available for integration in the Sensors Management area require a separate license key for activation.

Through Bitdefender Endpoint Security Tools (BEST), you can deploy the Incidents Sensor on all your managed endpoints to gather hardware and operating system data. Following a client-server model, the metadata is collected and processed on both sides, and the Security Analytics component correlates the events into rich-format incidents, ready for investigation in the Incidents page.

Incidents sensor

To enable it, follow these steps:

  1. In the left-side menu, click Policies.

  2. Select the desired policy and click Incidents Sensor.

    Note

    If you don't want to modify an existing policy, you can click Add, to create a new one.

  3. Select the Incidents Sensor checkbox.

The Network sensor collects and pre-processes network-related events in order to enrich the context of your incidents.

It is configured in TAP mode and gets a copy of the network traffic via a SPAN port. It can detect any type of device that communicates via IPv4 or IPv6 network protocols, regardless of whether the device is managed by Bitdefender or not. If there are any IoT devices on the network that communicate using those same protocols, the Network sensor will inspect that traffic as well.

For optimal results, it is recommended you implement one network sensor appliance per network subnet.

Note

The Network sensor does not support SCADA or any particular OT protocols.

After configuration, the Network sensor continuously listens to network traffic, collects events from all endpoints in your environment, pre-processes and pre-filters them, and sends both metadata and detections to GravityZone Security Analytics engine.

View the triggered detections in the Incidents > Search section, by using the following query: alert.type:ghoster. These detections are used to enrich the context of Extended Incidents generated by GravityZone.

To add the Network sensor, follow these steps:

  1. Deploy the Network sensor kit in your environment by using either vSphere or Hyper-V.

  2. Configure the Network Sensor virtual appliance

Install Network Sensor using vSphere client

Follow the steps below to deploy the Network Sensor probes in your environment. For hardware requirements see Network sensor requirements.

  1. Open the vSphere client, and click File > Add OVF template to create an OVF template for the Network Sensor Virtual Appliance (NSVA) that will be used to configure and activate the Network Sensor in your environment.

    NSVA-Deploy_OVF_Template.png

    You can select a template from:

    After selecting the OVF template click Next.

  2. Name the network sensor virtual appliance and select the deployment location.

    Click Next.

  3. Select the target endpoints in your environment where to deploy the Network Sensor probes and then click Next.

    NSVA-select_resources.png
  4. Verify the details of your NSVA template and click Next.

    NSVA-Review_template_details.png
  5. On the Select storage page, define where and how to store the files for the deployed NSVA template.

    1. Select the disk format for the virtual machine virtual disks.

      Choose from the available options:

      • Thick Provision Lazy Zeroed

      • Thick Provision Eager Zeroed

      • Thin Provision

      NSVA-Select_storage.png
    2. Select a storage policy.

      Note

      This option is available only if storage policies are enabled on the target endpoints.

    3. Select a datastore to store the deployed NSVA template.

      The configuration file and virtual disk files are stored on the datastore. Select a datastore large enough to accommodate the virtual appliance and all associated virtual disk files.

  6. On the Select networks page:

    1. Select the network interface that establishes communication between the Network Sensor appliance and GravityZone.

    2. Select the SPAN network that will be monitored by the Network Sensor probes.

      Important

      After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to Configure the Network Sensor virtual appliance.

    NSVA-Select_networks.png

  7. Click Next.

  8. Optionally, customize the NSVA deployment properties and click Next.

    NSVA-Customize_template.png
  9. On the Ready to complete page, review the details and click Finish.

    NSVA-Complete_setup.png

    After the creation task is completed, open your Network Sensor virtual appliance and start the configuration process.

Install Network Sensor using Hyper-V Manager

Follow the steps below to deploy the Network Sensor probes in your environment. For hardware requirements see Network sensor requirements.

  1. Download the Network Sensor virtual machine kit in one of the following formats:

  2. Open Hyper-V Manager and from the Action pane click New > Virtual Machine... to create a virtual machine that will be used to configure and activate the Network Sensor in your environment.

    NSVA-Create-new-virtual-machine.png
  3. In the Before You Begin window, click Next to create a virtual machine with a custom configuration.

  4. In the Specify Name and Location window, add your virtual machine name and the location where the image was downloaded.

    NSVA-Specify-name-and-location.png
  5. In the Specify Generation window you must:

    • Select Generation 1 if you have downloaded the .vhd image type.

    • Select Generation 2 if you have downloaded the .vhdx image type.

      NSVA-Specify-generation.png
  6. In the Assign Memory window, set the Startup memory to 2048 MB.

    NSVA-Assing-memory-space.png
  7. In the Configure Networking window, set the Connection to the desired network interface.

    NSVA-GZ-network.png
  8. In the Connect Virtual Hard Disk window select the Use an existing virtual hard disk option and browse for the location of the downloaded Network Sensor VHD kit.

    NSVA-Connect-VHD-kit.png
  9. In the Summary page, review the details and click Finish.

    NSVA-Complete-vm.png
  10. In Hyper-V Manager right-click the newly created virtual machine, and go Settings.

    1. If you selected a Generation 2 virtual machine, go to Security and select Microsoft UEFI Certificate Authority from the Template dropdown list.

      gravityzone_cl_pt_nsva_gen2_uefi.png
    2. Go to Add Hardware and select Network Adapter to add the SPAN network that will be monitored by the Network Sensor probes.

      NSVA-Network-adapter.png

      Important

      After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to Configure the Network Sensor virtual appliance.

    3. Select the desired SPAN network and click Apply.

      NSVA-SPAN-network.png
    4. Open Advanced Features of the SPAN network adapter and set the Port mirroring mode to Destination, then click Apply.

      NSVA-Advanced-SPAN-config.png
  11. Start the Network Sensor virtual machine and begin the configuration process.

Configure the Network Sensor virtual appliance

After installing the Network Sensor, follow these steps to configure the virtual appliance:

  1. Start the Network Sensor virtual machine (using either vSphere client or Hyper-V Manager).

  2. Log in via SSH with the default credentials: username root, password sve.

  3. Change the default password immediately.

    The default password does not meet the appliance's password policy, so you have to change it. The new password must be at least 8 characters long and contain at least one digit, one upper-case letter, one lower-case letter and one special character; it must be changed every 3 months. Until you change it, anyone who can reach the appliance's SSH service can log in with the published default, so do not expose the management interface (eth0) beyond the network it needs to reach GravityZone.

    gravityzone_cl_sve_new_password_nsva.png

    Note

    For more information about resetting the root password, refer to Reset root password for Security Server.

  4. To configure the Network Sensor, run the following command:

    /opt/bitdefender/bin/sva_setup.sh
  5. Start the configuration process.

    xEDR-NS_config.png

    Choose an option from:

    1. Network configuration - allows setting the following modes:

      • eth0: the primary (management) interface, used to communicate with GravityZone; by default it obtains its address via DHCP.

      • eth1: the monitoring interface, placed in promiscuous mode to analyze the mirrored network traffic.

      The subnet of the network monitored on the promiscuous interface must be configured:

      1. Select Network configuration.

      2. Select the promiscuous interface. By default it is eth1.

        eth1.png
      3. Configure the monitored subnet address using the CIDR notation:

        subnet.png
      4. Select the configuration mode for the primary interface:

        configuration_mode.png
        • If no change is needed, select 1. DHCP (current).

        • If the primary interface must have static IP address, select 2. Static and complete the configuration:

          static_ip.png
    2. Internet proxy configuration - allows setting a proxy configuration that will be used the first time the Network sensor communicates with GravityZone.

    3. Communication server configuration - select one of the following options, based on the URL you use to log in to GravityZone:

      • For cloudgz.gravityzone.bitdefender.com: GZ Cloud Instance 1

      • For cloud.gravityzone.bitdefender.com: GZ Cloud Instance 2

    4. Configure the Company hash - the GravityZone company hash where the Network sensor sends the data (Login to GravityZone > My Company > My Company hash).

  6. If the connection is successful, the Network sensor is displayed in the GravityZone platform, in Network > Computers and Groups (in approximately 30 seconds).

    xEDR-NS-in-network-page.png
  7. The Network sensor main log file can be found here:

    /opt/bitdefender/var/log/bdxdrd.log
    xEDR-main-log-file.jpg

View the triggered detections in the Incidents > Search section, by using the following query: alert.type:ghoster.

If you encounter any issues with your Network sensor, you can collect debug logs and contact Bitdefender Enterprise Support for assistance.
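A configured appliance that never produces any alert.type:ghoster detections usually has a SPAN problem rather than a sensor problem: the monitoring interface is up but no mirrored traffic reaches it. The following Python script is an added example written for this page, not part of the Bitdefender documentation or the appliance kit. It assumes a standard Linux /proc and /sys layout on the NSVA and that the monitoring interface is eth1 (the default named above); it reads the interface flags to confirm promiscuous mode and samples the RX counters twice to confirm packets are actually arriving. The /proc/net/dev text in SAMPLE_BEFORE and SAMPLE_AFTER is constructed so the parsing logic can be exercised off the appliance.

```python
import sys
import time

IFF_PROMISC = 0x100  # promiscuous-mode bit in the interface flags (net/if.h)

# Constructed sample of /proc/net/dev taken a few seconds apart; only eth1's RX counters move.
SAMPLE_BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0:  500000    4000    0    0    0     0          0         0   300000    2500    0    0    0     0       0          0
  eth1: 9000000   80000    0    0    0     0          0        10        0       0    0    0    0     0       0          0
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("9000000   80000", "9600000   85000")


def parse_proc_net_dev(text):
    """Return {interface: (rx_bytes, rx_packets)} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:        # the first two lines are column headers
        if ":" not in line:
            continue
        name, counters = line.split(":", 1)
        cols = counters.split()
        stats[name.strip()] = (int(cols[0]), int(cols[1]))
    return stats


def is_promiscuous(flags_text):
    """flags_text is the hex value read from /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def span_feed_status(iface, before, after, promisc):
    """Judge the SPAN feed from one flags reading and two counter samples."""
    if iface not in before or iface not in after:
        return {"ok": False, "reason": f"{iface} not present in /proc/net/dev"}
    rx_bytes = after[iface][0] - before[iface][0]
    rx_packets = after[iface][1] - before[iface][1]
    if not promisc:
        return {"ok": False, "reason": f"{iface} is not in promiscuous mode", "rx_packets": rx_packets}
    if rx_packets <= 0:
        return {"ok": False, "reason": f"no traffic on {iface}; check the port mirror / SPAN source",
                "rx_packets": 0}
    return {"ok": True, "reason": "mirrored traffic is arriving", "rx_packets": rx_packets,
            "rx_bytes": rx_bytes}


def check_live(iface="eth1", interval=5.0):
    """Run on the appliance: sample the counters twice, <interval> seconds apart."""
    with open("/proc/net/dev") as f:
        before = parse_proc_net_dev(f.read())
    time.sleep(interval)
    with open("/proc/net/dev") as f:
        after = parse_proc_net_dev(f.read())
    with open(f"/sys/class/net/{iface}/flags") as f:
        promisc = is_promiscuous(f.read())
    return span_feed_status(iface, before, after, promisc)


if __name__ == "__main__":
    verdict = check_live(sys.argv[1] if len(sys.argv) > 1 else "eth1")
    print(verdict)
    sys.exit(0 if verdict["ok"] else 1)
```

Run it as root on the appliance (python3 span_check.py eth1) after sva_setup.sh has finished. A non-zero exit with "not in promiscuous mode" points at the appliance configuration; "no traffic" with promiscuous mode set points at the hypervisor side (the SPAN port group on vSphere, or the Port mirroring mode on the Hyper-V adapter).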

View the Network Sensor details

After you complete the configuration steps, the Network Sensor is displayed in Configuration > Sensors Management.

To view its details, select the sensor from the list.

Network-Sensor-details.png
Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Make sure the Network Sensor Virtual Appliance (NSVA) is offline.

  2. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  3. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The Microsoft Office 365 platform includes the Mail and Audit sensors, which enhance the XDR detections with data about email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.

  • The Mail sensor accesses events such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online.

  • The Audit sensor accesses user and admin operations performed in Microsoft 365 services and solutions. These operations are captured, recorded, and retained in your organization's unified audit log.

O365 Prerequisites

Before you integrate the Office 365 sensor platform with GravityZone, you must configure the Mail and Audit sensors.

Mail sensor setup
  1. Register your managed application in Microsoft Azure AD.

  2. Set up permissions in Microsoft Graph API > Application permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone, the following permissions are needed:

      • AuditLog.Read.All

      • Mail.ReadWrite, for deleting emails

      • User.ReadWrite.All, for enforcing password resets and disabling of accounts

        Important

        To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

        In the Azure AD admin center, navigate to Roles and administrators > User administrator > Add assignments, search for the application name used for the GravityZone O365 Mail sensor integration and assign it.

      • IdentityRiskyUser.ReadWrite.All, for marking a user account as compromised

        Important

        IdentityRiskyUser.ReadWrite.All requires an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.

    2. If you only want to be able to receive events but not take response actions for O365 incidents directly from GravityZone incidents, the following permissions are sufficient: AuditLog.Read.All, Mail.Read and User.Read.All.

  3. Grant Admin consent.

  4. Generate Client secret value.

Note

Learn more about Mail sensor requirements here.

Audit sensor setup
  1. Register your managed application in Microsoft Azure AD.

  2. Set up permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone:

      1. In the Microsoft Graph API > Application permissions section, add the following permissions: User.ReadWrite.All and IdentityRiskyUser.ReadWrite.All.

      2. In the Office 365 Management APIs > Application permissions section, add the following permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.

      Important

      To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

      In the Azure AD admin center, navigate to Roles and administrators > User administrator > Add assignments, search for the application name used for the GravityZone O365 sensor integration and assign it.

      Important

      IdentityRiskyUser.ReadWrite.All requires an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.

    2. If you only want to be able to receive events but not take response actions for O365 incidents directly from GravityZone incidents, set the following permissions in Office 365 Management APIs > Application permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.

  3. Grant Admin consent.

  4. Generate the Client secret value.

  5. Navigate to Microsoft Compliance > Audit and start recording user and admin activity.

  6. Enable the Audit.AzureActiveDirectory, Audit.Exchange, Audit.General, Audit.SharePoint, and DLP.All subscriptions by running the PowerShell script below. Replace the values in the first four lines before running it:

    $ClientID = "client_id"                     # replace with your application (client) ID, e.g. f5b17a13-6e4e-4c3e-81f4-51fb9a377182
    $ClientSecretValue = "client_secret_value"  # replace with your client secret value; keep the real value out of version control
    $tenantdomain = "tenant_domain"             # replace with your tenant domain, e.g. osf.onmicrosoft.com (not used by the requests below)
    $TenantGUID = "tenant_guid"                 # replace with your tenant (directory) ID, e.g. ac593d47-7293-47ed-a8fc-c5824d38673a
    
    
    $body = @{grant_type="client_credentials";resource="https://manage.office.com";client_id=$ClientID;client_secret=$ClientSecretValue}
    $oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
    $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
    
    $p = @{
        "webhook"= $null
    }
    
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.Exchange" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.SharePoint" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=DLP.All" -Headers $headerParams -Method POST -Body $p -UseBasicParsing

Note

It might take up to 24 hours for the systems to synchronize and send data.

Learn more about Audit sensor requirements here.
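The PowerShell script above starts the subscriptions but never tells you whether they ended up enabled, and with a synchronization delay of up to 24 hours a silent failure is easy to miss. The following Python script is an added example written for this page, not Bitdefender's or Microsoft's code. It obtains a client-credentials token for the Office 365 Management API (the same token endpoint and resource the script above uses), starts the same five subscriptions, treats the API's "already enabled" error (code AF20024) as success, and then calls the subscriptions/list endpoint to report any content type that is not enabled. The secret is read from environment variables rather than embedded in the file. The transport parameter exists so the HTTP layer can be replaced; the environment variable names are assumptions.

```python
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
MGMT = "https://manage.office.com"
CONTENT_TYPES = ["Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All"]


def http(method, url, headers=None, body=None):
    """Default transport: returns (status_code, decoded JSON or None)."""
    data = body.encode() if isinstance(body, str) else body
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"error": {"code": "unknown", "message": raw.decode(errors="replace")}}


def get_token(tenant_id, client_id, client_secret, transport=http):
    """Client-credentials grant against the v1 token endpoint for the Management API resource."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "resource": MGMT,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    status, js = transport("POST", f"{LOGIN}/{tenant_id}/oauth2/token?api-version=1.0",
                           {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200 or not isinstance(js, dict) or "access_token" not in js:
        raise RuntimeError(f"token request failed: HTTP {status}: {js}")
    return js["access_token"]


def error_code(js):
    return js.get("error", {}).get("code") if isinstance(js, dict) else None


def ensure_subscriptions(tenant_id, token, transport=http):
    """Start every required subscription, then verify them via /subscriptions/list.
    Returns (outcome per content type, content types that are still not enabled)."""
    headers = {"Authorization": f"Bearer {token}"}
    base = f"{MGMT}/api/v1.0/{tenant_id}/activity/feed/subscriptions"
    outcome = {}
    for ct in CONTENT_TYPES:
        # Empty body: no webhook, the same as the 'webhook = $null' in the PowerShell script.
        status, js = transport("POST", f"{base}/start?contentType={ct}", headers, b"")
        if status == 200:
            outcome[ct] = "started"
        elif status == 400 and error_code(js) == "AF20024":   # "subscription is already enabled"
            outcome[ct] = "already enabled"
        else:
            outcome[ct] = f"failed (HTTP {status}, {error_code(js)})"
    status, listed = transport("GET", f"{base}/list", headers, None)
    enabled = set()
    if status == 200 and isinstance(listed, list):
        enabled = {s.get("contentType") for s in listed if s.get("status") == "enabled"}
    missing = [ct for ct in CONTENT_TYPES if ct not in enabled]
    return outcome, missing


if __name__ == "__main__":
    tenant = os.environ["O365_TENANT_ID"]        # assumed variable names
    client = os.environ["O365_CLIENT_ID"]
    secret = os.environ["O365_CLIENT_SECRET"]
    tok = get_token(tenant, client, secret)
    outcome, missing = ensure_subscriptions(tenant, tok)
    for ct, res in outcome.items():
        print(f"{ct}: {res}")
    print("all subscriptions enabled" if not missing else f"NOT enabled: {missing}")
    sys.exit(1 if missing else 0)
```

A content type that the list call reports as anything other than enabled is the thing to fix before waiting for the GravityZone side; a 401 or 403 on the start calls means the app registration is missing the ActivityFeed.Read / ActivityFeed.ReadDlp application permissions or admin consent.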

Setting up Office 365 sensors

To configure the Mail and Audit sensors, follow these steps:

  1. In the Configuration > Sensors Management page, click Add new to integrate a new sensor platform.

  2. Select the Office 365 sensor platform and click Integrate.

  3. On the Check requirements page, confirm that the prerequisite steps have been completed.

  4. Name your sensor integration.

  5. Fill out your Office 365 credentials: Application ID, Tenant ID, and Client Secret value.

  6. Click Test connectivity to make sure the link between the Office 365 platform and GravityZone is working properly.

    O365 sensor setup
  7. Click APPLY to save the sensor integration setup.

    The new integration will be available in the Sensors Management grid, with the status: Active.

Troubleshooting

If the integration is not successful, run the PowerShell script below to enable the following subscriptions:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.General

  • Audit.SharePoint

  • DLP.All

Replace the values in the first four lines of code, and run the script:

$ClientID = "client_id"           # replace with your application (client) ID, e.g. f5b17a13-6e4e-4c3e-81f4-51fb9a377182
$ClientSecret = "client_secret"   # replace with your client secret value; keep the real value out of version control
$tenantdomain = "tenant_domain"   # replace with your tenant domain, e.g. osf.onmicrosoft.com (not used by the requests below)
$TenantGUID = "tenant_guid"       # replace with your tenant (directory) ID, e.g. ac593d47-7293-47ed-a8fc-c5824d38673a


$body = @{grant_type="client_credentials";resource="https://manage.office.com";client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}

$p = @{
    "webhook"= $null
}

Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.Exchange" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.SharePoint" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=DLP.All" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The Active Directory (AD) sensor collects and processes user login information from the on-premises Active Directory your company uses.

Active Directory sensor prerequisites

Before setting up the Active Directory sensor, make sure the following requirements are met:

  • BEST with EDR is installed and active on each domain controller of the domains you want to monitor.

  • All audit policies under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, with the exception of Global Object Access Auditing, must be configured so that all logon events are audited, as described in the next section.

Active Directory Sensor policy configuration
  1. Open the Group policy management console.

  2. Navigate the tree structure to your domain > Domain Controllers, and select Default Domain Controllers Policy.

    Active Directory Default Domain Controllers Policy
  3. Right click on Default Domain Controllers Policy and select Edit. The Computer Configuration window will be displayed.

  4. Navigate to Audit Policies: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    Active Directory Audit Policies
  5. Configure all policies within Audit Policies, except Global Object Access Auditing, as shown below:

    Active Directory policy configuration
  6. Apply the changes.

  7. Open Command Prompt and run the following command: gpupdate /force

    The policy changes you have made will take effect immediately.
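Group Policy can apply cleanly and still leave a domain controller with gaps, for example when a local auditpol override or a second GPO wins for one subcategory, so it is worth checking the effective policy on each DC rather than trusting the GPO editor. The following Python script is an added example written for this page, not Bitdefender's code. It parses the CSV that auditpol /get /category:* /r prints and reports every subcategory that is not audited. The set of logon-related subcategories that must be "Success and Failure" is an assumption made here, since the page's screenshot of the required settings is not reproduced; the SAMPLE_AUDITPOL text is constructed and assumes English subcategory names.

```python
import csv
import io
import subprocess

# Assumption: these logon-related subcategories are the ones the AD sensor relies on,
# so they are held to "Success and Failure"; every other subcategory must at least not be "No Auditing".
LOGON_SUBCATEGORIES = {
    "Credential Validation", "Kerberos Authentication Service",
    "Kerberos Service Ticket Operations", "Logon", "Logoff", "Account Lockout",
    "Special Logon", "Other Logon/Logoff Events",
}

# Constructed sample of 'auditpol /get /category:* /r' output from a DC with two misconfigurations.
SAMPLE_AUDITPOL = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,
DC01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},No Auditing,
DC01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},No Auditing,
"""


def parse_auditpol_csv(text):
    """Parse the CSV printed by 'auditpol /get /category:* /r' into {subcategory: inclusion setting}."""
    rows = csv.DictReader(io.StringIO(text.lstrip("\ufeff\r\n")))
    return {r["Subcategory"].strip(): r["Inclusion Setting"].strip()
            for r in rows if r.get("Subcategory")}


def audit_gaps(settings):
    """Return (subcategory, current setting, expected setting) for every gap, sorted by name."""
    gaps = []
    for sub, setting in sorted(settings.items()):
        if sub in LOGON_SUBCATEGORIES and setting != "Success and Failure":
            gaps.append((sub, setting, "Success and Failure"))
        elif setting == "No Auditing":
            gaps.append((sub, setting, "Success, Failure or both"))
    return gaps


def check_domain_controller():
    """Run on the DC after 'gpupdate /force'; returns the gaps found in the effective audit policy."""
    proc = subprocess.run(["auditpol", "/get", "/category:*", "/r"],
                          capture_output=True, text=True, check=True)
    return audit_gaps(parse_auditpol_csv(proc.stdout))


if __name__ == "__main__":
    for sub, current, expected in check_domain_controller():
        print(f"{sub}: is '{current}', expected '{expected}'")
```

Run it in an elevated prompt on each domain controller listed under the integration; a DC whose Status in the Sensors Management panel is not "Ready to use" will usually show at least one gap here.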

Setting up Active Directory sensors

To configure the Active Directory sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the Active Directory sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Click on the domain you want to monitor. A list of its domain controllers will be displayed.

    Active Directory sensor setup

    Note

    Status will inform you of any missing prerequisite steps. When all requirements are met, the Status will display Ready to use.

  5. Select Apply.

    The new integration will be available in the Sensors Management grid.

Deleting a domain controller sensor

To delete a domain controller sensor, you must first make sure it is offline or unmanaged.

If you only have one remaining domain controller sensor, you cannot delete it using this option. Instead, you can delete the entire sensor integration. For more information regarding this, refer to Deleting the sensor integration.

To delete a domain controller sensor from your Active Directory integration, follow these steps:

  1. Go to Configuration > Sensors Management.

  2. Click on the Active Directory sensor integration you want to change.

    The details panel displays all the domain controller sensors pertaining to that integration.

  3. In the details panel, click the Delete button directly below the domain controller sensor.

    Active Directory sensor - details panel
  4. Click Delete again to confirm your choice.

    The domain controller sensor is now gone from the details panel.

    Note

    If the domain controller sensor comes back online, it will be automatically added to the details panel and it will continue to process data.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The AWS sensor collects and processes information about configuration changes and actions taken by users, roles, or AWS services.

AWS sensor prerequisites

Before setting up the AWS sensor, make sure the following requirements are met:

  • An AWS user account must be set up with the proper permissions. Learn more.

  • The AWS Config, AWS CloudTrail, Amazon SQS and Amazon SNS services must be enabled and configured. Learn more.

Important

Enabling each of the following services may incur additional costs: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS. All these services are required for a successful integration.

Configure AWS permissions

The following procedure requires you to have IAM administrative rights.

To add permissions for your IAM, follow these steps:

  1. Go to Security Credentials > Users > your IAM user > Add inline policy > JSON.

  2. Copy and paste the following setup policy to gain the rights needed to create the services. It is intentionally broad (every listed action on every resource, including iam:PassRole, cloudtrail:StopLogging and cloudtrail:DeleteTrail), which is why the procedure below removes it again once the services are configured:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:CreateBucket",
                    "s3:GetBucketNotification",
                    "s3:PutBucketNotification",
                    "s3:ListAllMyBuckets",
                    "s3:PutBucketPolicy",
                     
                    "sqs:GetQueueAttributes",
                    "sqs:CreateQueue",
                    "sqs:SetQueueAttributes",
                    "sqs:DeleteQueue",
                    "sqs:ListQueues",
                     
                    "sns:Subscribe",
                    "sns:CreateTopic",
                    "sns:ListTopics",
                    "sns:SetTopicAttributes",
                    "sns:DeleteTopic",
                     
                    "iam:PassRole",
                    "iam:CreateServiceLinkedRole",
                     
                    "cloudtrail:PutEventSelectors",
                    "cloudtrail:StopLogging",
                    "cloudtrail:StartLogging",
                    "cloudtrail:CreateTrail",
                    "cloudtrail:DeleteTrail",
                     
                    "config:DescribeDeliveryChannels",
                    "config:PutConfigurationRecorder",
                    "config:StartConfigurationRecorder",
                    "config:PutDeliveryChannel",
                    "config:DescribeConfigurationRecorders",
                    "config:DeleteDeliveryChannel",
                    "config:DeleteConfigurationRecorder"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Click Review.

  4. Click Save.

  5. Go back to Add inline policy > JSON.

  6. Copy and paste the following sensor policy, replacing the account-ID placeholder in the arn:aws:sqs and arn:aws:iam resources with your 12-digit AWS account ID. This policy stays attached to the user permanently and includes iam:CreatePolicy and iam:AttachUserPolicy over every IAM resource in the account, so protect the access key you create for this user later in the procedure as you would any privileged credential and watch its use in CloudTrail:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "sqs:DeleteMessage",
                    "sqs:PurgeQueue",
                    "sqs:ReceiveMessage",
                    "iam:ListPolicies",
                    "iam:AttachUserPolicy",
                    "iam:CreatePolicy",
                    "iam:DeleteAccessKey",
                    "iam:ListAccessKeys"
                ],
                "Resource": [
                    "arn:aws:sqs:*:account-ID:*",
                    "arn:aws:iam::account-ID:*",
                    "arn:aws:s3:::*"
                ]
            }
        ]
    }
  7. Click Review.

  8. Click Save.

Configure the necessary AWS services
  1. Create an S3 bucket.

    1. In the S3 section, click Create Bucket.

    2. Copy the bucket Amazon Resource Name (ARN) for later use.

  2. Create an SQS queue.

    1. In the SQS section, click Create Queue.

    2. Copy the SQS ARN and Queue URL for later use.

  3. Replace the access policy attached to the queue with the following policy:

    1. In the Amazon SQS console, choose the queue name in the Queues list.

    2. In the Access policy tab, select Edit.

    3. Replace the access policy attached to the queue with the following policy, updating the values for:

      • awsexamplebucket1: replace it with the bucket ARN you copied in step 1.

      • SQS-queue-ARN: replace it with the value you copied in step 2.

      • bucket-owner-account-id: replace it with your account ID. You can find it by clicking on your name on the top right corner of the screen.

      You can also replace the values for the ID and SID, to further customize the policy.

      {
       "Version": "2012-10-17",
       "Id": "example-ID",
       "Statement": [
        {
         "Sid": "example-statement-ID",
         "Effect": "Allow",
         "Principal": {
          "Service": "s3.amazonaws.com" 
         },
         "Action": [
          "SQS:SendMessage"
         ],
         "Resource": "SQS-queue-ARN",
         "Condition": {
            "ArnLike": { "aws:SourceArn": "awsexamplebucket1" },
            "StringEquals": { "aws:SourceAccount": "bucket-owner-account-id" }
         }
        }
       ]
      }
    4. Click Save.

  4. Enable notifications for the bucket you have created.

    1. Go to the bucket you created.

    2. Click Properties.

    3. In the Event Notifications section, select Create event notification.

    4. In the General configuration section, specify a name for your event notification.

    5. In the Event types section, select one or more event types for which you want to receive notifications.

    6. In the Destination section, choose the SQS queue you have previously created.

    7. Click Save changes.

  5. Create an access key.

    1. In the Security Credentials section, click Access Keys.

    2. Select Create New Access Key to download your new access key.

  6. Create a CloudTrail and link it to the S3.

    1. In the CloudTrail section, click Create Trail.

    2. Select the Use existing S3 bucket option, then select the bucket you previously created.

    3. Click Next.

    4. Select the Management events and Data events check boxes.

    5. In the Data Events section, select S3 as the event type.

    6. Click Next and then Create Trail.

  7. Configure AWS Config.

    1. Go to the Config service.

    2. Click Get Started.

    3. Select the Record all resources supported in this region option.

    4. Select the Include global resources check box.

    5. Depending on the desired configuration, create a new bucket or select an existing one. If a new bucket is created, new rights should be added to the SQS queue. For information on adding rights to an SQS queue, refer to step 3.c.

    6. Select the Stream configuration changes and notifications to an Amazon SNS topic checkbox.

    7. Create a new topic or use an existing one.

    8. Click Next > Next > Confirm.

    9. Go to the SQS queue you have created.

    10. Click Subscribe to Amazon SNS Topic and choose the topic from step 7.g.

    11. Click Save.

  8. Navigate to Security Credentials > Users > your IAM user > Add inline policy > JSON.

  9. Delete the new setup policy you have previously created in Configure AWS permissions.
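The queue policy in step 3.c is the security-relevant piece of this procedure: it must allow only the S3 service principal to send to this one queue, and only when the notification originates from your bucket and your account, which is what the aws:SourceArn and aws:SourceAccount conditions enforce. The following linter, added here as an example and not part of the GravityZone documentation or Bitdefender's tooling, reads a queue access policy and reports every way it deviates from that shape. The queue ARN, bucket ARN and account ID are constructed placeholder values.

```python
"""Lint an Amazon SQS access policy for the S3-to-SQS notification pattern.

Added example (not from the GravityZone documentation). The expected shape
is the policy from step 3.c: a single Allow statement whose Principal is the
S3 service, whose Action is SQS:SendMessage, whose Resource is this queue,
and which carries both aws:SourceArn and aws:SourceAccount conditions.
"""
import json

# Constructed placeholder values; substitute the ARNs copied in steps 1 and 2.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:xdr-notification-queue"
BUCKET_ARN = "arn:aws:s3:::xdr-example-bucket"
ACCOUNT_ID = "111122223333"


def _as_list(value):
    """IAM policy grammar allows either a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_sqs_policy(policy_json, queue_arn, bucket_arn, account_id):
    """Return a list of findings; an empty list means the policy matches the documented shape."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access; only Allow statements are checked

        # Principal: must be exactly the S3 service, never a wildcard.
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard Principal lets any AWS identity send messages")
        elif services != ["s3.amazonaws.com"]:
            findings.append(f"{sid}: Principal should be the S3 service only, got {principal!r}")

        # Action: SendMessage only (case-insensitive, as IAM treats action names).
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions != {"sqs:sendmessage"}:
            findings.append(f"{sid}: Action should be exactly SQS:SendMessage, got {sorted(actions)}")

        # Resource: this queue's ARN, not a wildcard over all queues.
        resources = _as_list(stmt.get("Resource"))
        if resources != [queue_arn]:
            findings.append(f"{sid}: Resource should be this queue's ARN, got {resources}")

        # Conditions: both source checks must be present and point at the expected bucket/account.
        cond = stmt.get("Condition", {})
        src_arn = cond.get("ArnLike", {}).get("aws:SourceArn")
        if src_arn != bucket_arn:
            findings.append(f"{sid}: ArnLike aws:SourceArn should be {bucket_arn}, got {src_arn!r}")
        src_acct = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if src_acct != account_id:
            findings.append(f"{sid}: StringEquals aws:SourceAccount should be {account_id}, got {src_acct!r}")
    return findings


# The documented policy with the placeholders filled in (constructed values).
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-ID",
    "Statement": [{
        "Sid": "example-statement-ID",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": ["SQS:SendMessage"],
        "Resource": QUEUE_ARN,
        "Condition": {
            "ArnLike": {"aws:SourceArn": BUCKET_ARN},
            "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
        },
    }],
})

# A weakened variant (constructed): wildcard principal, all SQS actions, no source conditions.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "open",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SQS:*",
        "Resource": QUEUE_ARN,
    }],
})

if __name__ == "__main__":
    for name, doc in (("documented policy", GOOD_POLICY), ("weakened policy", OPEN_POLICY)):
        problems = lint_sqs_policy(doc, QUEUE_ARN, BUCKET_ARN, ACCOUNT_ID)
        print(f"{name}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems:
            print("  -", p)
```

Run it against the JSON returned by the queue's Policy attribute (for example the output of `aws sqs get-queue-attributes --attribute-names Policy`) after step 3 and again after step 7.e, since adding AWS Config's bucket means the policy must be revisited.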

Setting up the AWS sensor

To configure the AWS sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the AWS sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary AWS details.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Important

Deleting the sensor will not deactivate the following paid services: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

Important

Disabling the sensor will not deactivate the following paid services: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS.

The Azure AD sensor collects and pre-processes data related to user sign in activity, as well as configuration changes related to users and groups.

Azure AD sensor prerequisites

Before you integrate Azure AD with GravityZone, make sure you complete these steps:

  1. Register your managed application in Microsoft Azure AD, unless you have one already.

  2. In the API Permissions > Microsoft Graph application section, grant the following permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for Azure AD incidents directly from GravityZone, the following permissions are needed:

      • AuditLog.Read.All

      • Directory.Read.All

      • Mail.ReadWrite, for deleting emails

      • User.ReadWrite.All, for enforcing password resets and disabling of accounts

        Important

        To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

        In the Azure AD admin center, navigate to Roles and administrators > User administrator role > Add assignments, search for the application name used for the GravityZone Azure AD sensor integration and assign it.

      • IdentityRiskyUser.Read.All, for displaying Azure AD risky user information in the Graph details panel.

      • IdentityRiskyUser.ReadWrite.All, for marking a user account as compromised

        Important

        IdentityRiskyUser.ReadWrite.All and IdentityRiskyUser.Read.All require an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.

    2. If you only want to be able to receive events but not take response actions for Azure AD incidents directly from GravityZone incidents, the following permissions are sufficient:

      • AuditLog.Read.All

      • Directory.Read.All

  3. Grant Admin consent.

  4. Generate Client secret, unless you have one already.

Setting up the Azure AD sensor

To configure the Azure AD sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the Azure AD sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary Azure AD details.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The Azure Cloud sensor collects and pre-processes cloud activity data.

Azure Cloud sensor prerequisites

Before you integrate Azure Cloud with GravityZone, make sure you complete these steps:

  1. Register your managed application in Microsoft Azure AD, unless you have one already.

  2. Create a subscription, if you don't already have one you can use.

  3. Create a role and set the necessary permissions.

    1. In the Azure Portal, search for Subscriptions.

    2. On the Subscriptions page, click on the subscription you have just created.

    3. To add a new role, click on Access control (IAM) > Roles > Add > Add custom role.

    4. Give it a name, a description, select Start from scratch, then click Next.

    5. Click on Add permissions and search for Microsoft.Insights/eventtypes/values/Read.

    6. Select the Read: Read Activity Log checkbox and click the Add button.

      Azure Cloud permissions

    7. Click the Review + create button.

  4. Assign the newly created role to the application you registered at Step 1.

    1. Go to the Subscriptions page and select the subscription you created.

    2. Click on Access control (IAM) > Role assignments > Add > Add role assignment.

    3. Select the role you created and click Next.

    4. In the Members tab, for the Assign access to field, select User, group, or service principal.

    5. Click Select members.

      Azure Cloud members

    6. Search for your application and click Next.

    7. Click the Review + assign button.

  5. Generate Client secret, unless you have one already.

Setting up the Azure Cloud sensor

To configure the Azure Cloud sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the Azure Cloud sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary Azure Cloud details.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The Microsoft Intune sensor collects and pre-processes device-related data.

Microsoft Intune sensor prerequisites

Before setting up the Microsoft Intune sensor, make sure the following requirements are met:

  1. Register your managed application in Microsoft Azure AD, unless you have one already.

  2. In the API Permissions > Microsoft Graph application section, grant the following permission: DeviceManagementApps.Read.All.

    Important

    DeviceManagementApps.Read.All requires an Azure AD Premium P1 license.

  3. Grant Admin consent.

  4. Generate Client secret, unless you have one already.

Setting up the Microsoft Intune sensor

To configure the Microsoft Intune sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the Microsoft Intune sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary Microsoft Intune details.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The Google Workspace sensor collects and pre-processes activity and usage data related to Google Workspace accounts and services.

Google Workspace sensor prerequisites

Before you integrate Google Workspace with GravityZone, make sure you complete these steps:

  1. Create a Google application, unless you already have one you can use for this purpose.

    1. Go to https://console.cloud.google.com/apis/dashboard.

    2. If the dashboard is empty, click Create project, name your project, and click Create.

    3. Click the Enable APIs and services tab.

    4. Look up the following services: Admin SDK API, Gmail API, and Google Drive API.

    5. Click each service and enable it.

  2. Create a service account, unless you already have one.

    1. On the left-side menu, click Credentials.

    2. Under the Service Accounts section, click Create service account.

    3. Fill out the form and click Done. Steps 2 and 3 are optional.

      Google Workspace service account details

  3. Generate credentials for your service account.

    1. On the left-side menu, click Credentials.

    2. Under the Service Accounts section, click the email address listed.

    3. Click the Keys tab.

    4. Click Add key > Create a new key.

    5. Select JSON as the Key type and click Create.

      Google Workspace private key

      Note

      The file downloaded contains your service account details. You will require this file and some of the information in it (Client ID, Client email and Private key) to successfully set up the sensor.

  4. In the Admin Console, add the necessary permissions.

    1. Using an Administrator account, go to admin.google.com.

    2. On the left-side menu, click Security > Access and data control > API controls.

    3. Click Manage domain-wide delegation.

    4. Click Add new.

    5. Provide the Client ID listed in the downloaded file from step 3.

    6. In the OAuth scopes field, add the following scopes:

      1. https://www.googleapis.com/auth/admin.directory.user.readonly

      2. https://www.googleapis.com/auth/admin.reports.audit.readonly

      3. https://www.googleapis.com/auth/gmail.readonly

      4. https://www.googleapis.com/auth/drive.readonly

    7. Click Authorise.

Setting up the Google Workspace sensor

To configure the Google Workspace sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the Google Workspace sensor and click Integrate.

  3. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary Google Workspace details.

    1. In the Administrator account details section, add the email address you used to log into admin.google.com, at step 4 of the Prerequisites procedure. Provide the domain you want to monitor.

    2. In the Service account details section, provide the required information from the document you downloaded at step 3 of the Prerequisites procedure.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

Suggest a new sensor

You can request a new sensor type in GravityZone Control Center by accessing Configuration > Sensors Management > Add new > Need a different sensor?