
The Office 365 sensors

The Microsoft Office 365 platform includes the Mail and Audit sensors, which enhance the XDR detections with data about email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.

  • The Mail sensor accesses events such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online.

  • The Audit sensor accesses user and admin operations performed in Microsoft 365 services and solutions. These operations are captured, recorded, and retained in your organization's unified audit log.

O365 Prerequisites

Before you integrate the Office 365 sensor platform with GravityZone, you must configure the Mail and Audit sensors.

Mail sensor setup
  1. Register your managed application in Microsoft Azure AD.

  2. Set up permissions in Microsoft Graph API > Application permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone, the following permissions are needed:

      • AuditLog.Read.All. Allows the XDR sensor to read and query your audit log activities.

      • Sites.Read.All. Allows the XDR sensor to read documents and list items in all site collections. This is used for retrieving user ownership of content and allows better detection and correlation of suspicious activity in incidents.

      • Mail.ReadWrite. Allows the security analysts to take response actions on email resources involved in XDR incidents.

      • User.ReadWrite.All. Allows the security analysts to take response actions on user accounts involved in XDR incidents.

        Important

        To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

        In the Azure AD admin center, navigate to Roles and administrators > User administrator role > Add assignments, search for the application name used for the GravityZone O365 Mail sensor integration and assign it.

      • IdentityRiskyUser.ReadWrite.All. Allows the security analysts to mark a user account as compromised.

        Important

        IdentityRiskyUser.ReadWrite.All requires an Azure AD Premium P2 license. The other permissions do not require Azure AD Premium licensing.

    2. If you only want to receive events, without taking response actions for O365 incidents directly from GravityZone, the following permissions are sufficient: AuditLog.Read.All, Mail.Read and User.Read.All.

  3. Grant Admin consent.

  4. Generate the Client secret value.

Note

Learn more about Mail sensor requirements here.

Audit sensor setup
  1. Register your managed application in Microsoft Azure AD.

  2. Set up permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone:

      1. In the Microsoft Graph API > Application permissions section, add the following permissions: User.ReadWrite.All and IdentityRiskyUser.ReadWrite.All.

      2. In the Office 365 Management APIs > Application permissions section, add the following permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.

      Important

      To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

      In the Azure AD admin center, navigate to Roles and administrators > User administrator role > Add assignments, search for the application name used for the GravityZone O365 Mail sensor integration and assign it.

      Important

      IdentityRiskyUser.ReadWrite.All requires an Azure AD Premium P2 license. The other permissions do not require Azure AD Premium licensing.

    2. If you only want to receive events, without taking response actions for O365 incidents directly from GravityZone, set the following permissions in Office 365 Management APIs > Application permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.

  3. Grant Admin consent.

  4. Generate the Client secret value.

  5. Navigate to Microsoft Compliance > Audit and start recording user and admin activity.

  6. Enable the Audit.AzureActiveDirectory, Audit.Exchange, Audit.General, Audit.SharePoint, and DLP.All subscriptions by running the PowerShell script below. Make sure you replace the values in the first four lines of code:

    $ClientID = "client_id"                       # @todo replace with your client id, e.g: f5b17a13-6e4e-4c3e-81f4-51fb9a377182
    $ClientSecretValue = "client_secret_value"    # @todo replace with your client secret value, e.g: UOJ7Q~YN5hkilURseLkfRN6~kTQp80Fndn9eJ
    $tenantdomain = "tenant_domain"               # @todo replace with your tenant domain, e.g: [email protected]
    $TenantGUID = "tenant_guid"                   # @todo replace with your tenant guid, e.g: ac593d47-7293-47ed-a8fc-c5824d38673a


    # Acquire an access token for the Office 365 Management API with the client credentials flow
    $body = @{grant_type="client_credentials";resource="https://manage.office.com";client_id=$ClientID;client_secret=$ClientSecretValue}
    $oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
    $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}

    # No webhook: GravityZone pulls the content itself
    $p = @{
        "webhook"= $null
    }

    # Start one subscription per content type
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.Exchange" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.SharePoint" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=DLP.All" -Headers $headerParams -Method POST -Body $p -UseBasicParsing

Note

It might take up to 24 hours for the systems to synchronize and send data.

Learn more about Audit sensor requirements here.

Setting up Office 365 sensors

To configure the Mail and Audit sensors, follow these steps:

  1. In the Configuration > Sensors Management page, click Add new to integrate a new sensor platform.

  2. Select the Office 365 sensor platform and click Integrate.

  3. On the Check requirements page, confirm that the prerequisite steps have been completed.

  4. Name your sensor integration.

  5. Fill out your Office 365 credentials: Application ID, Tenant ID, and Client Secret value.

  6. Click Test connectivity to make sure the link between the Office 365 platform and GravityZone is working properly.

    (Screenshot: O365 sensor setup)
  7. Click APPLY to save the sensor integration setup.

    The new integration will be available in the Sensors Management grid, with the status: Active.

Troubleshooting

If the integration is not successful, you can use the PowerShell script below to enable the following subscriptions:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.General

  • Audit.SharePoint

  • DLP.All

Replace the values in the first four lines of code, and run the script:

$ClientID = "client_id"           # @todo replace with your client id, e.g: f5b17a13-6e4e-4c3e-81f4-51fb9a377182
$ClientSecret = "client_secret"   # @todo replace with your client secret, e.g: UOJ7Q~YN5hkilURseLkfRN6~kTQp80Fndn9eJ
$tenantdomain = "tenant_domain"   # @todo replace with your tenant domain, e.g: [email protected]
$TenantGUID = "tenant_guid"       # @todo replace with your tenant guid, e.g: ac593d47-7293-47ed-a8fc-c5824d38673a


# Acquire an access token for the Office 365 Management API with the client credentials flow
$body = @{grant_type="client_credentials";resource="https://manage.office.com";client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}

# No webhook: GravityZone pulls the content itself
$p = @{
    "webhook"= $null
}

# Start one subscription per content type
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.Exchange" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.SharePoint" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=DLP.All" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
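The script above starts every subscription blindly, so it gives no indication of which ones were already enabled or which start call failed. The following added example (not part of the GravityZone documentation or its script) uses the same client credentials token flow, queries the Management API's subscription list endpoint first, starts only the content types that are missing, and reports the outcome per content type. The three placeholder values at the top must be replaced as in the documented script.

```powershell
# Added example, not the documented script: check existing subscriptions before starting the missing ones.
$ClientID          = "client_id"            # replace with your application (client) ID
$ClientSecretValue = "client_secret_value"  # replace with your client secret value
$TenantGUID        = "tenant_guid"          # replace with your tenant (directory) ID

# Content types the Audit sensor needs (same list as the documented script)
$Required = @("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.General",
              "Audit.SharePoint", "DLP.All")

# Client credentials flow against the v1.0 token endpoint, as in the documented script
$body = @{
    grant_type    = "client_credentials"
    resource      = "https://manage.office.com"
    client_id     = $ClientID
    client_secret = $ClientSecretValue
}
$oauth   = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
$headers = @{ Authorization = "$($oauth.token_type) $($oauth.access_token)" }
$base    = "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions"

# The list endpoint returns one object per subscription with contentType and status fields
$existing = Invoke-RestMethod -Method Get -Uri "$base/list" -Headers $headers
$enabled  = @($existing | Where-Object { $_.status -eq "enabled" } | ForEach-Object { $_.contentType })

foreach ($ct in $Required) {
    if ($enabled -contains $ct) {
        Write-Host "OK       $ct (already enabled)"
        continue
    }
    try {
        # Same start call as the documented script, sent as JSON with no webhook (GravityZone pulls the content)
        $r = Invoke-RestMethod -Method Post -Uri "$base/start?contentType=$ct" -Headers $headers `
                 -ContentType "application/json" -Body (@{ webhook = $null } | ConvertTo-Json)
        Write-Host "STARTED  $ct -> status: $($r.status)"
    } catch {
        # If every content type fails, verify that auditing was turned on (step 5 of the Audit sensor setup)
        Write-Warning "FAILED   $ct : $($_.Exception.Message)"
    }
}
```

Run the script again after the 24-hour synchronization window if a content type still shows as not enabled; the list call is read-only and safe to repeat.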