Configuration
For XDR to correlate events and generate organization-level incidents, you need to turn on the Incidents Sensor. To enrich the pool of events correlated by XDR with network data, you need to install and configure the Network Sensor.
Note
For EDR to work properly, in advance, deploy the BEST agent with EDR module on your endpoints and ensure the Incidents Sensor is enabled from Policies.
The Incidents Sensor continuously monitors endpoint activity such as running processes, network connections, registry changes, and user behavior. This metadata is collected, reported and processed by machine learning algorithms and prevention technologies that detect suspicious activity on the system and generate Incidents.
The Network Sensor continuously listens to network traffic, collecting events from all endpoints in your environment, pre-processing and pre-filtering them, and sending the metadata to GravityZone's Security Analytics engine, thus enriching the context of extended incidents generated by GravityZone.
Important
The Network Sensor, as well as the productivity, identity and cloud sensors available for integration in the Sensors Management area require a separate license key for activation.
Through Bitdefender Endpoint Security Tools, you can deploy the Incidents Sensor on the endpoints of all the companies you manage, to gather hardware and operating system data. Following a client-server framework, the metadata is collected and processed on both sides, and the Security Analytics component correlates the events into rich-format incidents, ready for investigation in the Incidents page.

To enable it, follow these steps:
In the left-side menu, click Policies.
Select the desired policy and click Incidents Sensor.
Note
If you don't want to modify an existing policy, you can click Add, to create a new one.
Select the Incidents Sensor checkbox.
The Network sensor collects and pre-processes network-related events in order to enrich the context of your incidents.
It is configured in TAP mode and gets a copy of the network traffic via a SPAN port. It can detect any type of device that communicates via IPv4 or IPv6 network protocols, regardless of whether the device is managed by Bitdefender or not. If there are any IoT devices on the network that communicate using those same protocols, the Network sensor will inspect that traffic as well.
For optimal results, it is recommended you implement one network sensor appliance per network subnet.
Note
The Network sensor does not support SCADA or any particular OT protocols.
After configuration, the Network sensor continuously listens to network traffic, collects events from all endpoints in your environment, pre-processes and pre-filters them, and sends both metadata and detections to GravityZone Security Analytics engine.
View the triggered detections in the Incidents > Search section, by using the following query: alert.type:ghoster. These detections are used to enrich the context of Extended Incidents generated by GravityZone.
To add the Network sensor, follow these steps:
Install Network Sensor using vSphere client
Follow the steps below to deploy the Network Sensor probes in your environment. For hardware requirements see Network sensor requirements.
Open the vSphere client, and click File > Add OVF template to create an OVF template for the Network Sensor Virtual Appliance (NSVA) that will be used to configure and activate the Network Sensor in your environment.
You can select a template from:
a remote URL - https://download.bitdefender.com/business/NetworkSensor/Bitdefender_SVE-SVA-NSVA.ova
a local file system (hard drive, network share, CD / DVD drive) where the NSVA kit was downloaded.
After selecting the OVF template click Next.
Name the network sensor virtual appliance and select the deployment location.
Click Next.
Select the target endpoints in your environment where to deploy the Network Sensor probes and then click Next.
Verify the details of your NSVA template and click Next.
On the Select storage page, define where and how to store the files for the deployed NSVA template.
Select the disk format for the virtual machine virtual disks.
Choose from the available options:
Thick Provision Lazy Zeroed
Thick Provision Eager Zeroed
Thin Provision
Select a storage policy.
Note
This option is available only if storage policies are enabled on the target endpoints.
Select a datastore to store the deployed NSVA template.
The configuration file and virtual disk files are stored on the datastore. Select a datastore large enough to accommodate the virtual appliance and all associated virtual disk files.
On the Select networks page:
Select the network interface that establishes communication between the Network Sensor appliance and GravityZone.
Select the SPAN network that will be monitored by the Network Sensor probes.
Important
After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to Configure the Network Sensor virtual appliance.
Click Next.
Optionally, customize the NSVA deployment properties and click Next.
On the Ready to complete page, review the details and click Finish.
After the creation task is completed, open your Network Sensor virtual appliance and start the configuration process.
Install Network Sensor using Hyper-V Manager
Follow the steps below to deploy the Network Sensor probes in your environment. For hardware requirements see Network sensor requirements.
Download the Network Sensor virtual machine kit in one of the following formats: .vhd (for a Generation 1 virtual machine) or .vhdx (for a Generation 2 virtual machine).
Open Hyper-V Manager and from the Action pane click New > Virtual Machine... to create a virtual machine that will be used to configure and activate the Network Sensor in your environment.
In the Before You Begin window, click Next to create a virtual machine with a custom configuration.
In the Specify Name and Location window, add your virtual machine name and the location where the image was downloaded.
In the Specify Generation window you must:
Select Generation 1 if you have downloaded the .vhd image type.
Select Generation 2 if you have downloaded the .vhdx image type.
In the Assign Memory window, set the Startup memory to 2048 MB.
In the Configure Networking window, set the Connection to the desired network interface.
In the Connect Virtual Hard Disk window select the Use an existing virtual hard disk option and browse for the location of the downloaded Network Sensor VHD kit.
In the Summary page, review the details and click Finish.
In Hyper-V Manager, right-click the newly created virtual machine and select Settings.
If you created a Generation 2 virtual machine, go to Security and select Microsoft UEFI Certificate Authority from the Template dropdown list.
Go to Add Hardware and select Network Adapter to add the SPAN network that will be monitored by the Network Sensor probes.
Important
After deployment, the monitored network's subnet must be set in the network sensor by running the sva_setup.sh script. For more information, refer to Configure the Network Sensor virtual appliance.
Select the desired SPAN network and click Apply.
Open Advanced Features of the SPAN network adapter and set the Port mirroring mode to Destination, then click Apply.
Start the Network Sensor virtual machine and begin the configuration process.
Configure the Network Sensor virtual appliance
After installing the Network Sensor, follow these steps to configure the virtual appliance:
Start the Network Sensor virtual machine (using either vSphere client or Hyper-V Manager).
Log in via SSH using root / sve as username and password.
Change the password.
The default password does not meet the current password requirements, so you must change it. The new password must contain at least 8 characters, including at least one digit, one upper-case letter, one lower-case letter and one special character, and it must be changed every 3 months.
Note
For more information about resetting the root password, refer to Reset root password for Security Server.
To configure the Network Sensor, run the following command:
/opt/bitdefender/bin/sva_setup.sh
Start the configuration process.
Choose an option from:
Network configuration - allows setting the following modes:
eth0: this is the primary interface, used in Dynamic Host Configuration Protocol (DHCP) mode to enable communication with GravityZone.
eth1: this is the interface in promiscuous mode, used to analyze network traffic.
The subnet of the monitored network on the promiscuous interface must be configured:
Select Network configuration.
Select the promiscuous interface. By default it is eth1.
Configure the monitored subnet address using CIDR notation.
Select the configuration mode for the primary interface:
If no change is needed, select 1. DHCP (current).
If the primary interface must have a static IP address, select 2. Static and complete the configuration.
Internet proxy configuration - allows setting a proxy configuration that will be used the first time the Network sensor communicates with GravityZone.
Go to Communication server configuration and select one of the following options, based on your browser's URL:
For cloudgz.gravityzone.bitdefender.com: GZ Cloud Instance 1
For cloud.gravityzone.bitdefender.com: GZ Cloud Instance 2
Configure the Company hash - the GravityZone company hash where the Network sensor sends the data (Login to GravityZone > My Company > My Company hash).
If the connection is successful, the Network sensor will be displayed in the GravityZone platform, in Network > Computers and Groups (in approximately 30 seconds).
The Network sensor main log file can be found here:
/opt/bitdefender/var/log/bdxdrd.log
View the triggered detections in the Incidents > Search section, by using the following query: alert.type:ghoster.
If you encounter any issues with your Network sensor, you can collect debug logs and contact Bitdefender Enterprise Support for assistance.
View the Network Sensor details
After you complete the configuration steps, the Network Sensor is displayed in Configuration > Sensors Management.
To view its details, select the sensor from the list.

Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Make sure the Network Sensor Virtual Appliance (NSVA) is offline.
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
The Microsoft Office 365 platform includes the Mail and Audit sensors, which enhance the XDR detections with data about email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.
The Mail sensor accesses events such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online.
The Audit sensor accesses user and admin operations performed in Microsoft 365 services and solutions. These operations are captured, recorded, and retained in your organization's unified audit log.
O365 Prerequisites
Before you integrate the Office 365 sensor platform with GravityZone, you must configure the Mail and Audit sensors.
Register your managed application in Microsoft Azure AD.
Set up permissions in Microsoft Graph API > Application permissions according to how you want to configure the sensor:
If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone, the following permissions are needed:
AuditLog.Read.All
Mail.ReadWrite, for deleting emails
User.ReadWrite.All, for enforcing password resets and disabling of accounts
Important
To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.
In the Azure AD admin center, navigate to Roles and administrators > User administrator role > Add assignments, search for the application name used for the GravityZone O365 Mail sensor integration and assign it.
IdentityRiskyUser.ReadWrite.All, for marking a user account as compromised
Important
IdentityRiskyUser.ReadWrite.All requires an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.
If you only want to be able to receive events but not take response actions for O365 incidents directly from GravityZone incidents, the following permissions are sufficient:
AuditLog.Read.All, Mail.Read and User.Read.All.
Grant Admin consent.
Generate Client secret value.
Note
Learn more about Mail sensor requirements here.
Register your managed application in Microsoft Azure AD.
Set up permissions according to how you want to configure the sensor:
If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone:
In the Microsoft Graph API > Application permissions section, add the following permissions: User.ReadWrite.All and IdentityRiskyUser.ReadWrite.All.
In the Office 365 Management APIs > Application permissions section, add the following permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.
Important
To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.
In the Azure AD admin center, navigate to Roles and administrators > User administrator role > Add assignments, search for the application name used for the GravityZone O365 Mail sensor integration and assign it.
Important
IdentityRiskyUser.ReadWrite.All requires an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.
If you only want to be able to receive events but not take response actions for O365 incidents directly from GravityZone incidents, set the following permissions in Office 365 Management APIs > Application permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.
Grant Admin consent.
Generate the Client secret value.
Navigate to Microsoft Compliance > Audit and start recording user and admin activity.
Enable the Audit.AzureActiveDirectory, Audit.Exchange, Audit.General, Audit.SharePoint, and DLP.All subscriptions by running the PowerShell script below. Make sure you replace the values in the first four lines of code:
$ClientID = "client_id"                    # replace with your client ID, e.g. f5b17a13-6e4e-4c3e-81f4-51fb9a377182
$ClientSecretValue = "client_secret_value" # replace with your client secret value, e.g. UOJ7Q~YN5hkilURseLkfRN6~kTQp80Fndn9eJ
$tenantdomain = "tenant_domain"            # replace with your tenant domain, e.g. albert@osf.onmicrosoft.com
$TenantGUID = "tenant_guid"                # replace with your tenant GUID, e.g. ac593d47-7293-47ed-a8fc-c5824d38673a

# Request an app-only access token for the Office 365 Management API
$body = @{grant_type="client_credentials";resource="https://manage.office.com";client_id=$ClientID;client_secret=$ClientSecretValue}
$oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$p = @{ "webhook"= $null }

# Start a subscription for each content type
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.Exchange" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.SharePoint" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=DLP.All" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Note
It might take up to 24 hours for the systems to synchronize and send data.
Learn more about Audit sensor requirements here.
Setting up Office 365 sensors
To configure the Mail and Audit sensors, follow these steps:
In the Configuration > Sensors Management page, click Add new to integrate a new sensor platform.
Select the company where you want to deploy the sensor.
Select the Office 365 sensor platform and click Integrate.
On the Check requirements page, confirm that the prerequisite steps have been completed.
Name your sensor integration.
Fill out your Office 365 credentials: Application ID, Tenant ID, and Client Secret value.
Click Test connectivity to make sure the link between the Office 365 platform and GravityZone is working properly.
Click APPLY to save the sensor integration setup.
The new integration will be available in the Sensors Management grid, with the status: Active.
Troubleshooting
If the integration is not successful, you can use the PowerShell script below to enable the following subscriptions:
Audit.AzureActiveDirectory
Audit.Exchange
Audit.General
Audit.SharePoint
DLP.All
Replace the values in the first four lines of code, and run the script:
$ClientID = "client_id"         # replace with your client ID, e.g. f5b17a13-6e4e-4c3e-81f4-51fb9a377182
$ClientSecret = "client_secret" # replace with your client secret, e.g. UOJ7Q~YN5hkilURseLkfRN6~kTQp80Fndn9eJ
$tenantdomain = "tenant_domain" # replace with your tenant domain, e.g. albert@osf.onmicrosoft.com
$TenantGUID = "tenant_guid"     # replace with your tenant GUID, e.g. ac593d47-7293-47ed-a8fc-c5824d38673a

# Request an app-only access token for the Office 365 Management API
$body = @{grant_type="client_credentials";resource="https://manage.office.com";client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$p = @{ "webhook"= $null }

# Start a subscription for each content type
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.Exchange" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.SharePoint" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=Audit.General" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=DLP.All" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
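The script above starts each subscription unconditionally, gives no view of the current state, and makes the API return an error for any subscription that is already enabled. The following PowerShell script is an added example, not part of the GravityZone documentation or of the Bitdefender product, that covers both the prerequisite step and this troubleshooting step: it lists the subscriptions that exist in the tenant, reports which of the five required content types are not enabled, and with -Fix starts only those. It assumes the same app registration as the prerequisites (ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read granted and admin-consented) and reads the client secret from an environment variable named GZ_O365_CLIENT_SECRET (a name chosen for this example) instead of keeping it in the script text.

```powershell
# Added example (not GravityZone documentation or product code): report and repair the
# Office 365 Management Activity API subscriptions the Audit sensor depends on.
# Assumes the app registration from the prerequisites, with ActivityFeed.Read,
# ActivityFeed.ReadDlp and ServiceHealth.Read granted and admin-consented, and the
# client secret in the GZ_O365_CLIENT_SECRET environment variable (name chosen here).
param(
    [Parameter(Mandatory)] [string] $TenantId,   # tenant GUID
    [Parameter(Mandatory)] [string] $ClientId,   # application (client) ID
    [switch] $Fix                                # start every required subscription that is not enabled
)
$ErrorActionPreference = 'Stop'

# Content types the Audit sensor needs, as listed in the prerequisites.
$Required = 'Audit.AzureActiveDirectory', 'Audit.Exchange', 'Audit.General', 'Audit.SharePoint', 'DLP.All'

$Secret = $env:GZ_O365_CLIENT_SECRET
if (-not $Secret) { throw 'Set the GZ_O365_CLIENT_SECRET environment variable before running.' }

# App-only token for the Management Activity API (client credentials grant).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $Secret
        scope         = 'https://manage.office.com/.default'
    }
$Headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$Base    = "https://manage.office.com/api/v1.0/$TenantId/activity/feed/subscriptions"

# Current status of every subscription in the tenant, keyed by content type.
$Current = @{}
foreach ($sub in (@(Invoke-RestMethod -Method Get -Uri "$Base/list" -Headers $Headers) | Where-Object { $_ })) {
    $Current[$sub.contentType] = $sub.status
}

$NotEnabled = @()
foreach ($ct in $Required) {
    $status = if ($Current.ContainsKey($ct)) { $Current[$ct] } else { 'not created' }
    if ($status -eq 'enabled') {
        Write-Host ("{0,-28} enabled" -f $ct)
        continue
    }
    $NotEnabled += $ct
    Write-Warning ("{0,-28} {1}" -f $ct, $status)
    if ($Fix) {
        # Only subscriptions that are not enabled are started; starting one that is
        # already enabled makes the API return an error instead of a no-op.
        $r = Invoke-RestMethod -Method Post -Uri "$Base/start?contentType=$ct" -Headers $Headers
        Write-Host ("{0,-28} started, status now '{1}'" -f $ct, $r.status)
    }
}
if ($NotEnabled -and -not $Fix) { Write-Warning 'Re-run with -Fix to start the subscriptions listed above.' }
```

Run it once without -Fix to see the state, then with -Fix if anything is reported. A subscription that shows as enabled but still delivers nothing is the synchronization delay mentioned in the note above, not a configuration problem.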
Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
The Active Directory (AD) sensor collects and processes user login information from the on-premises Active Directory your company uses.
Active Directory sensor prerequisites
Before setting up the Active Directory sensor, make sure the following requirements are met:
BEST with EDR is installed and active on each domain controller of the domains you want to monitor.
With the exception of Global Object Access Auditing policies, all group policies in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies must be set to audit all login events.
Active Directory Sensor policy configuration
Open the Group policy management console.
Navigate the tree structure to your domain > Domain Controllers, and select Default Domain Controllers Policy.
Right click on Default Domain Controllers Policy and select Edit. The Computer Configuration window will be displayed.
Navigate to Audit Policies: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Configure all policies within Audit Policies, except Global Object Access Auditing, to audit all login events, as required in the prerequisites above.
Apply the changes.
Open Command Prompt and run the following command:
gpupdate /force
The policy changes you have made will take effect immediately.
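Group Policy only sets the intended configuration; what the Active Directory sensor actually gets is the effective audit policy on each domain controller, and that is what to verify after gpupdate. The following PowerShell script is an added example, not part of the GravityZone documentation or of the Bitdefender product: run elevated on a domain controller (or against several through WinRM), it reads the effective policy with auditpol and lists every subcategory whose setting differs from the expected value. It assumes the target for every Audit Policies subcategory is "Success and Failure", which is how the prerequisite "audit all login events" is read here; pass a different -Expected value if your policy differs. Global Object Access Auditing is not part of the auditpol subcategory output, so nothing needs excluding.

```powershell
# Added example (not GravityZone documentation or product code): confirm that the
# Advanced Audit Policy settings pushed through the Default Domain Controllers Policy
# are in effect. auditpol reports the effective configuration, so run this elevated
# after gpupdate /force. Assumption: every subcategory should read "Success and Failure".
param(
    [string[]] $DomainController = @($env:COMPUTERNAME),  # hostnames to check
    [string]   $Expected         = 'Success and Failure'  # assumed target setting
)
$ErrorActionPreference = 'Stop'

function Get-EffectiveAuditPolicy {
    # 'auditpol /get /category:* /r' prints CSV with one row per subcategory and an
    # "Inclusion Setting" column: Success, Failure, Success and Failure or No Auditing.
    param([string] $Computer)
    $lines = if ($Computer -eq $env:COMPUTERNAME) {
        auditpol /get /category:* /r
    } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock { auditpol /get /category:* /r }
    }
    $lines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

$Problems = foreach ($dc in $DomainController) {
    foreach ($row in Get-EffectiveAuditPolicy -Computer $dc) {
        if ($row.'Inclusion Setting' -ne $Expected) {
            [pscustomobject]@{
                DomainController = $dc
                Subcategory      = $row.Subcategory
                Setting          = $row.'Inclusion Setting'
            }
        }
    }
}

if ($Problems) {
    $Problems | Sort-Object DomainController, Subcategory | Format-Table -AutoSize
    Write-Warning "$(@($Problems).Count) subcategory setting(s) differ from '$Expected'."
} else {
    Write-Host "Every audit subcategory is set to '$Expected' on: $($DomainController -join ', ')"
}
```

To cover every domain controller in the domain at once, pass the output of the Active Directory module, for example -DomainController (Get-ADDomainController -Filter *).HostName; the remote branch requires WinRM to be enabled on the targets.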
Setting up Active Directory sensors
To configure the Active Directory sensor, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the company where you want to deploy the sensor.
Select the Active Directory sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Click on the domain you want to monitor. A list of its domain controllers will be displayed.
Note
Status will inform you of any missing prerequisite steps. When all requirements are met, the Status will display Ready to use.
Select Apply.
The new integration will be available in the Sensors Management grid.
Deleting a domain controller sensor
To delete a domain controller sensor, you must first make sure it is offline or unmanaged.
If you only have one remaining domain controller sensor, you cannot delete it using this option. Instead, you can delete the entire sensor integration. For more information regarding this, refer to Deleting the sensor integration.
To delete a domain controller sensor from your Active Directory integration, follow these steps:
Go to Configuration > Sensors Management.
Click on the Active Directory sensor integration you want to change.
The details panel displays all the domain controller sensors pertaining to that integration.
In the details panel, click the Delete button directly below the domain controller sensor.
Click Delete again to confirm your choice.
The domain controller sensor is now gone from the details panel.
Note
If the domain controller sensor comes back online, it will be automatically added to the details panel and it will continue to process data.
Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
The AWS sensor collects and processes information about configuration changes and actions taken by users, roles, or AWS services.
AWS sensor prerequisites
Before setting up the AWS sensor, make sure the following requirements are met:
An AWS user account must be set up with the proper permissions. Learn more.
The AWS Config, AWS CloudTrail, Amazon SQS and Amazon SNS services must be enabled and configured. Learn more.
Important
Enabling each of the following services may incur additional costs: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS. All these services are required for a successful integration.
Configure AWS permissions
The following procedure requires you to have IAM administrative rights.
To add permissions for your IAM user, follow these steps:
Go to Security Credentials > Users > your IAM user > Add inline policy > JSON.
Copy and paste the following new setup policy to gain the necessary rights:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "s3:ListAllMyBuckets",
        "s3:PutBucketPolicy",
        "sqs:GetQueueAttributes",
        "sqs:CreateQueue",
        "sqs:SetQueueAttributes",
        "sqs:DeleteQueue",
        "sqs:ListQueues",
        "sns:Subscribe",
        "sns:CreateTopic",
        "sns:ListTopics",
        "sns:SetTopicAttributes",
        "sns:DeleteTopic",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:StartLogging",
        "cloudtrail:CreateTrail",
        "cloudtrail:DeleteTrail",
        "config:DescribeDeliveryChannels",
        "config:PutConfigurationRecorder",
        "config:StartConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:DescribeConfigurationRecorders",
        "config:DeleteDeliveryChannel",
        "config:DeleteConfigurationRecorder"
      ],
      "Resource": "*"
    }
  ]
}
Click Review.
Click Save.
Go back to Add inline policy > JSON.
Copy and paste the following sensor policy, updating the value for arn:aws:sqs and arn:aws:iam with your Account ID:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "sqs:DeleteMessage",
        "sqs:PurgeQueue",
        "sqs:ReceiveMessage",
        "iam:ListPolicies",
        "iam:AttachUserPolicy",
        "iam:CreatePolicy",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys"
      ],
      "Resource": [
        "arn:aws:sqs:*:account-ID:*",
        "arn:aws:iam::account-ID:*",
        "arn:aws:s3:::*"
      ]
    }
  ]
}
Important
This is the policy the sensor's access key runs with. Because it allows iam:CreatePolicy and iam:AttachUserPolicy on every user in the account, whoever holds the key can grant additional permissions to any IAM user. Store the key only in GravityZone and rotate it if you suspect it has been exposed.
Click Review.
Click Save.
Configure the necessary AWS services
Create an S3 bucket.
In the S3 section, click Create Bucket.
Copy the bucket Amazon Resource Name (ARN) for later use.
Create an SQS queue.
In the SQS section, click Create Queue.
Copy the SQS ARN and Queue URL for later use.
Replace the access policy attached to the queue with the following policy:
In the Amazon SQS console, choose the queue name in the Queues list.
In the Access policy tab, select Edit.
Replace the access policy attached to the queue with the following policy, updating the values for:
awsexamplebucket1: replace it with the bucket ARN you copied in step 1.
SQS-queue-ARN: replace it with the value you copied in step 2.
bucket-owner-account-id: replace it with your account ID. You can find it by clicking on your name in the top right corner of the screen.
You can also replace the values for the ID and SID, to further customize the policy.
{
  "Version": "2012-10-17",
  "Id": "example-ID",
  "Statement": [
    {
      "Sid": "example-statement-ID",
      "Effect": "Allow",
      "Principal": { "Service": "s3.amazonaws.com" },
      "Action": [ "SQS:SendMessage" ],
      "Resource": "SQS-queue-ARN",
      "Condition": {
        "ArnLike": { "aws:SourceArn": "awsexamplebucket1" },
        "StringEquals": { "aws:SourceAccount": "bucket-owner-account-id" }
      }
    }
  ]
}
Click Save.
Enable notifications for the bucket you have created.
Go to the bucket you created.
Click Properties.
In the Event Notifications section, select Create event notification.
In the General configuration section, specify a name for your event notification.
In the Event types section, select one or more event types for which you want to receive notifications.
In the Destination section, choose the SQS queue you have previously created.
Click Save changes.
Create an access key.
In the Security Credentials section, click Access Keys.
Select Create New Access Key to download your new access key.
Create a CloudTrail and link it to the S3.
In the CloudTrail section, click Create Trail.
Select the Use existing S3 bucket option, then select the bucket you previously created.
Click Next.
Select the Management events and Data events check boxes.
In the Data Events section, select S3 as the event type.
Click Next and then Create Trail.
Configure AWS Config.
Go to the Config service.
Click Get Started.
Select the Record all resources supported in this region option.
Select the Include global resources check box.
Depending on the desired configuration, create a new bucket or select an existing one. If a new bucket is created, new rights should be added to the SQS queue. For information on adding rights to an SQS queue, refer to step 3.c.
Select the Stream configuration changes and notifications to an Amazon SNS topic checkbox.
Create a new topic or use an existing one.
Click Next > Next > Confirm.
Go to the SQS queue you have created.
Click Subscribe to Amazon SNS Topic and choose the topic from step 7.g.
Click Save.
Navigate to Security Credentials > Users > your IAM user > Add inline policy > JSON.
Delete the new setup policy you have previously created in Configure AWS permissions.
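Before adding the sensor in GravityZone, it is worth confirming that the pieces created above are actually connected: a queue policy that does not admit the bucket, a trail that is not logging, or an SNS topic without the SQS subscription only shows up later as an integration that receives no data. The following PowerShell script is an added example, not part of the GravityZone documentation or of AWS: it drives the AWS CLI (assumed installed and authenticated with credentials that can read these services, such as the IAM administrator used for the setup; the sensor's own key is deliberately too narrow for this) to run read-only checks on the queue policy, the bucket notification, the trail, the Config recorder and delivery channel, and the SNS subscription. Bucket name, queue URL, trail name and topic ARN are parameters you supply; nothing is created or changed.

```powershell
# Added example (not GravityZone documentation or AWS code): read-only verification of the
# AWS wiring built in the procedure above. Requires the AWS CLI, authenticated with
# credentials that can describe S3, SQS, SNS, CloudTrail and Config resources.
param(
    [Parameter(Mandatory)] [string] $BucketName,  # bucket from step 1 (CloudTrail destination)
    [Parameter(Mandatory)] [string] $QueueUrl,    # SQS queue URL from step 2
    [Parameter(Mandatory)] [string] $TrailName,   # trail created in the CloudTrail step
    [Parameter(Mandatory)] [string] $TopicArn     # SNS topic chosen in the AWS Config step
)
$ErrorActionPreference = 'Stop'

function Invoke-Aws {
    # Run one AWS CLI command and parse its JSON output into objects.
    param([string[]] $CliArgs)
    $out = & aws @CliArgs --output json
    if ($LASTEXITCODE -ne 0) { throw "aws $($CliArgs -join ' ') failed" }
    ($out -join "`n") | ConvertFrom-Json
}

$Findings = [System.Collections.Generic.List[string]]::new()
function Check([bool] $Ok, [string] $What) {
    if ($Ok) { Write-Host "PASS  $What" } else { Write-Host "FAIL  $What"; $script:Findings.Add($What) }
}

$bucketArn = "arn:aws:s3:::$BucketName"

# Queue ARN and access policy. S3 (scoped to the bucket ARN) and SNS (scoped to the
# topic ARN) must both be allowed to SendMessage; the SQS console adds the SNS statement
# when you subscribe the queue to the topic.
$q        = Invoke-Aws @('sqs', 'get-queue-attributes', '--queue-url', $QueueUrl, '--attribute-names', 'QueueArn', 'Policy')
$queueArn = $q.Attributes.QueueArn
$policy   = $q.Attributes.Policy | ConvertFrom-Json
function Test-SendMessageGrant([string] $SourceArn) {
    foreach ($s in @($policy.Statement)) {
        $actions = @($s.Action) | ForEach-Object { $_.ToLower() }
        $src = $s.Condition.ArnLike.'aws:SourceArn'
        if (-not $src) { $src = $s.Condition.ArnEquals.'aws:SourceArn' }
        if ($s.Effect -eq 'Allow' -and $actions -contains 'sqs:sendmessage' -and $src -eq $SourceArn) { return $true }
    }
    return $false
}
Check (Test-SendMessageGrant $bucketArn) "queue policy lets S3 ($bucketArn) send messages to $queueArn"
Check (Test-SendMessageGrant $TopicArn)  "queue policy lets the SNS topic send messages to the queue"

# Bucket event notifications must target this queue.
$n = Invoke-Aws @('s3api', 'get-bucket-notification-configuration', '--bucket', $BucketName)
Check (@($n.QueueConfigurations | Where-Object { $_.QueueArn -eq $queueArn }).Count -gt 0) "S3 event notification on $BucketName targets the queue"

# CloudTrail: delivering into the bucket and actively logging.
$t  = Invoke-Aws @('cloudtrail', 'get-trail', '--name', $TrailName)
$st = Invoke-Aws @('cloudtrail', 'get-trail-status', '--name', $TrailName)
Check ($t.Trail.S3BucketName -eq $BucketName) "trail $TrailName delivers to $BucketName"
Check ([bool] $st.IsLogging) "trail $TrailName is logging"

# AWS Config: recorder running and delivery channel streaming to the topic. If Config
# delivers to a different bucket, the queue policy must admit that bucket as well.
$rs = Invoke-Aws @('configservice', 'describe-configuration-recorder-status')
Check (@($rs.ConfigurationRecordersStatus | Where-Object { $_.recording }).Count -gt 0) "AWS Config recorder is recording"
$ch = (Invoke-Aws @('configservice', 'describe-delivery-channels')).DeliveryChannels | Select-Object -First 1
Check ($ch.snsTopicARN -eq $TopicArn) "Config delivery channel streams to $TopicArn"
if ($ch.s3BucketName -and $ch.s3BucketName -ne $BucketName) {
    Check (Test-SendMessageGrant "arn:aws:s3:::$($ch.s3BucketName)") "queue policy also lets the Config bucket $($ch.s3BucketName) send messages"
}

# SNS: the topic fans out to this queue.
$subs = Invoke-Aws @('sns', 'list-subscriptions-by-topic', '--topic-arn', $TopicArn)
Check (@($subs.Subscriptions | Where-Object { $_.Protocol -eq 'sqs' -and $_.Endpoint -eq $queueArn }).Count -gt 0) "SNS topic has an SQS subscription for the queue"

if ($Findings.Count) { Write-Warning "$($Findings.Count) check(s) failed; fix these before adding the sensor in GravityZone." }
else { Write-Host 'All checks passed.' }
```

The script does not inspect the trail's event selectors, because trails created in the console may report them either as EventSelectors or as AdvancedEventSelectors; confirm the Management events and S3 Data events choices from the CloudTrail step in the console.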
Setting up the AWS sensor
To configure the AWS sensor, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the company where you want to deploy the sensor and click Next.
Select the AWS sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Name the integration and provide the necessary AWS details.
Select Test connectivity.
Select Add sensor.
The new integration will be available in the Sensors Management grid.
Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Important
Deleting the sensor will not deactivate the following paid services: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
Important
Disabling the sensor will not deactivate the following paid services: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS.
The Azure AD sensor collects and pre-processes data related to user sign in activity, as well as configuration changes related to users and groups.
Azure AD sensor prerequisites
Before you integrate Azure AD with GravityZone, make sure you complete these steps:
Register your managed application in Microsoft Azure AD, unless you have one already.
In the API Permissions > Microsoft Graph application section, grant the following permissions according to how you want to configure the sensor:
If you want to be able to receive events and also be able to take response actions for Azure AD incidents directly from GravityZone, the following permissions are needed:
AuditLog.Read.All
Directory.Read.All
Mail.ReadWrite, for deleting emails
User.ReadWrite.All, for enforcing password resets and disabling of accounts
Important
To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.
In the Azure AD admin center, navigate to Roles and administrators > User administrator role > Add assignments, search for the application name used for the GravityZone Azure AD sensor integration and assign it.
IdentityRiskyUser.Read.All, for displaying Azure AD risky user information in the Graph details panel.
IdentityRiskyUser.ReadWrite.All, for marking a user account as compromised
Important
IdentityRiskyUser.ReadWrite.All and IdentityRiskyUser.Read.All require an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.
If you only want to be able to receive events but not take response actions for Azure AD incidents directly from GravityZone incidents, the following permissions are sufficient:
AuditLog.Read.All
Directory.Read.All
Grant Admin consent.
Generate Client secret, unless you have one already
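Before you click Test connectivity it is worth checking the app registration against exactly the permission set above, and nothing more, since every Graph application permission you consent to is tenant-wide. The script below is an added example, not Bitdefender or Microsoft code: it takes a dict shaped like the Microsoft Graph application object (only displayName and passwordCredentials[].endDateTime are used), the set of consented permission names (entered by hand, because Graph stores them as GUIDs), and the mode you intend to run the sensor in, and reports missing or surplus permissions, an expiring client secret, and the licensing and role requirements. The sample registration, its name and the dates are constructed.

```python
"""Pre-flight audit of the Azure AD app registration used by the GravityZone
Azure AD sensor.  Added example, not Bitdefender or Microsoft code.

`app` mimics the Microsoft Graph application object (only 'displayName' and
'passwordCredentials[].endDateTime' are used); `granted` is the set of
Microsoft Graph application permission names with admin consent, supplied
by hand because Graph stores them as GUIDs."""
from datetime import datetime, timedelta

# Permission sets exactly as documented for the two ways to run the sensor.
PROFILES = {
    "events": {"AuditLog.Read.All", "Directory.Read.All"},
    "response": {
        "AuditLog.Read.All",
        "Directory.Read.All",
        "Mail.ReadWrite",                   # delete emails
        "User.ReadWrite.All",               # reset passwords, disable accounts
        "IdentityRiskyUser.Read.All",       # show risky-user information
        "IdentityRiskyUser.ReadWrite.All",  # mark a user as compromised
    },
}
# These two additionally require an Azure AD Premium P2 license.
P2_ONLY = {"IdentityRiskyUser.Read.All", "IdentityRiskyUser.ReadWrite.All"}


def _parse(ts):
    """Graph timestamps end in 'Z'; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_app(app, granted, mode, now_iso, warn_days=30):
    """Return {'errors': [...], 'notes': [...]} for one registration.

    Empty 'errors' means the registration is ready for Test connectivity.
    now_iso is passed in explicitly so the result is reproducible."""
    required = PROFILES[mode]
    now = _parse(now_iso)
    errors, notes = [], []

    missing = required - granted
    if missing:
        errors.append(f"missing permissions for mode '{mode}': {sorted(missing)}")

    # Least privilege: anything outside the documented set has no justification.
    extra = granted - required
    if extra:
        errors.append(f"permissions not required by the sensor: {sorted(extra)}")

    # A lapsed client secret stops the integration without any alert in Azure.
    creds = app.get("passwordCredentials", [])
    if not creds:
        errors.append("no client secret on the app registration")
    for cred in creds:
        name = cred.get("displayName", "?")
        end = _parse(cred["endDateTime"])
        if end <= now:
            errors.append(f"client secret {name} expired {end.date()}")
        elif end - now < timedelta(days=warn_days):
            errors.append(f"client secret {name} expires {end.date()}")

    if granted & P2_ONLY:
        notes.append("IdentityRiskyUser.* permissions need Azure AD Premium P2")
    if mode == "response":
        notes.append("assign the User administrator role to the app for password resets")
    return {"errors": errors, "notes": notes}


# Constructed sample: registered for events only, but someone also consented
# Mail.ReadWrite, and the secret expires in two weeks.
SAMPLE_APP = {
    "displayName": "gz-azuread-sensor",   # hypothetical name
    "passwordCredentials": [
        {"displayName": "sensor-secret", "endDateTime": "2024-06-15T00:00:00Z"},
    ],
}
SAMPLE_GRANTED = {"AuditLog.Read.All", "Directory.Read.All", "Mail.ReadWrite"}

if __name__ == "__main__":
    result = audit_app(SAMPLE_APP, SAMPLE_GRANTED, "events", now_iso="2024-06-01T00:00:00Z")
    for level, messages in result.items():
        for message in messages:
            print(f"{level}: {message}")
```

Run against the constructed sample, the audit flags Mail.ReadWrite as unneeded for an events-only sensor and warns that the secret expires within 30 days; fix both before you proceed to Test connectivity, or the integration will work today and fail silently on the expiry date.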
Setting up the Azure AD sensor
To configure the Azure AD sensor, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the company where you want to deploy the sensor.
Select the Azure AD sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Name the integration and provide the necessary Azure AD details.
Select Test connectivity.
Select Add sensor.
The new integration will be available in the Sensors Management grid.
Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensors Management grid and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
The Azure Cloud sensor collects and pre-processes cloud activity data.
Azure Cloud sensor prerequisites
Before you integrate Azure Cloud with GravityZone, make sure you complete these steps:
Register your managed application in Microsoft Azure AD, unless you have one already.
Create a subscription, if you don't already have one you can use.
Create a role and set the necessary permissions.
In the Azure Portal, search for Subscriptions.
On the Subscriptions page, click on the subscription you want the sensor to monitor (the one you just created, or the existing one).
To add a new role, click on Access control (IAM) > Roles > Add > Add custom role.
Give it a name and a description, select Start from scratch, then click Next.
Click on Add permissions and search for Microsoft.Insights/eventtypes/values/Read.
Select the Read: Read Activity Log checkbox and click the Add button.
Click the Review + create button.
Assign the newly created role to the application you registered at Step 1.
Go to the Subscriptions page and select the subscription you created.
Click on Access control (IAM) > Role assignments > Add > Add role assignment.
Select the role you created and click Next.
In the Members tab, for the Assign access to field, select User, group, or service principal.
Click Select members.
Search for your application and click Next.
Click the Review + assign button.
Generate Client secret, unless you have one already.
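The portal steps above produce a custom role with a single action. If you manage Azure with code rather than the portal, the same role is a short JSON document in the format accepted by az role definition create --role-definition. The block below is an added example, not Bitdefender or Microsoft code: it builds that definition for one subscription and checks an arbitrary role definition for the things that turn a read-only Activity Log reader into something broader (wildcard actions, unrelated actions, data-plane actions, or an assignable scope wider than one subscription). The subscription ID of all zeros and the role names are placeholders.

```python
"""Build and sanity-check the custom role the Azure Cloud sensor needs.
Added example, not Bitdefender or Microsoft code.  The dict follows the JSON
format accepted by `az role definition create --role-definition <file>`;
the subscription ID used below is a placeholder."""
import json

# The only control-plane action the sensor needs: read the Activity Log.
ACTIVITY_LOG_READ = "Microsoft.Insights/eventtypes/values/Read"


def build_role(name, subscription_id,
               description="Read the Activity Log for the GravityZone Azure Cloud sensor"):
    """Return a custom role definition assignable only within one subscription."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": [ACTIVITY_LOG_READ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def check_role(role):
    """Return least-privilege problems with a role definition (empty == fine)."""
    problems = []
    actions = role.get("Actions", [])
    for action in actions:
        if "*" in action:
            problems.append(f"wildcard action: {action}")
        elif action != ACTIVITY_LOG_READ:
            problems.append(f"action not needed by the sensor: {action}")
    if ACTIVITY_LOG_READ not in actions:
        problems.append(f"missing explicit {ACTIVITY_LOG_READ}")
    if role.get("DataActions"):
        problems.append("sensor needs no data-plane actions")
    for scope in role.get("AssignableScopes", []):
        # "/subscriptions/<id>" has exactly two slashes; "/" (root) or a
        # management-group path would let the role be assigned far wider.
        if not scope.startswith("/subscriptions/") or scope.count("/") != 2:
            problems.append(f"scope is not a single subscription: {scope}")
    return problems


# Constructed counter-example: what a hurried admin might create instead.
TOO_BROAD = {
    "Name": "gz-sensor-reader",  # hypothetical name
    "IsCustom": True,
    "Actions": ["Microsoft.Insights/*/read", "Microsoft.Resources/subscriptions/read"],
    "DataActions": [],
    "AssignableScopes": ["/"],
}

if __name__ == "__main__":
    role = build_role("gz-activitylog-reader", "00000000-0000-0000-0000-000000000000")
    print(json.dumps(role, indent=2))
    for problem in check_role(TOO_BROAD):
        print("problem:", problem)
```

Save the printed JSON to a file and pass it to az role definition create --role-definition; then assign the role to the application's service principal at the subscription scope, as in the steps above.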
Setting up the Azure Cloud sensor
To configure the Azure Cloud sensor, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the company where you want to deploy the sensor.
Select the Azure Cloud sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Name the integration and provide the necessary Azure Cloud details.
Select Test connectivity.
Select Add sensor.
The new integration will be available in the Sensors Management grid.
Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensors Management grid and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
The Microsoft Intune sensor collects and pre-processes device-related data.
Microsoft Intune sensor prerequisites
Before setting up the Microsoft Intune sensor, make sure the following requirements are met:
Register your managed application in Microsoft Azure AD, unless you have one already.
In the API Permissions > Microsoft Graph application section, grant the following permission:
DeviceManagementApps.Read.All
Important
DeviceManagementApps.Read.All requires an Azure AD Premium P1 license.
Grant Admin consent.
Generate a Client secret, unless you have one already.
Setting up the Microsoft Intune sensor
To configure the Microsoft Intune sensor, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the company where you want to deploy the sensor.
Select the Microsoft Intune sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Name the integration and provide the necessary Microsoft Intune details.
Select Test connectivity.
Select Add sensor.
The new integration will be available in the Sensors Management grid.
Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensors Management grid and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
The Google Workspace sensor collects and pre-processes activity and usage data related to Google Workspace accounts and services.
Google Workspace sensor prerequisites
Before you integrate Google Workspace with GravityZone, make sure you complete these steps:
Create a Google application (a Google Cloud project), unless you already have one you can use for this purpose.
If the dashboard is empty, click Create project, name your project, and click Create.
Click the Enable APIs and services tab.
Look up the following services: Admin SDK API, Gmail API, and Google Drive API.
Click each service and enable it.
Create a service account, unless you already have one.
On the left-side menu, click Credentials.
Under the Service Accounts section, click Create service account.
Fill out the form and click Done. Steps 2 and 3 of the wizard are optional.
Generate credentials for your service account.
On the left-side menu, click Credentials.
Under the Service Accounts section, click the email address listed.
Click the Keys tab.
Click Add key > Create a new key.
Select JSON as the Key type and click Create.
Note
The file downloaded contains your service account details. You will require this file and some of the information in it (Client ID, Client email and Private key) to successfully set up the sensor.
In the Admin Console, add the necessary permissions.
Using an Administrator account, go to admin.google.com.
On the left-side menu, click Security > Access and data control > API controls.
Click Manage domain-wide delegation.
Click Add new.
Provide the Client ID listed in the downloaded file from step 3.
In the OAuth scopes field, add the following scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/drive.readonly
Click Authorise.
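The sensor uses the downloaded key file and the administrator address together: with domain-wide delegation, the service account (client_email) requests a token while impersonating the administrator (sub), limited to the scopes you authorised, and signs that request with the private_key. The block below is an added example, not Bitdefender or Google code: it checks that the key file has the fields the sensor setup asks for, compares the scopes entered under Manage domain-wide delegation with the four read-only scopes above (flagging anything write-capable), and builds the JWT claim set such a request carries, so you can see how the pieces fit before entering them in GravityZone. The key file content, project, addresses and timestamps are constructed; the private key is a placeholder string.

```python
"""Check the service-account key file and delegation scopes for the Google
Workspace sensor, and show the claim set that domain-wide delegation builds
from them.  Added example, not Bitdefender or Google code; the key file below
is constructed and its private key is a placeholder, not real key material."""
import time

# Scopes exactly as delegated in the Admin console for this sensor.
SENSOR_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
]
TOKEN_URI = "https://oauth2.googleapis.com/token"
# Fields the sensor setup reads from the downloaded JSON key.
KEY_FIELDS = ("type", "client_id", "client_email", "private_key", "private_key_id")


def check_key_file(key):
    """Return problems with a downloaded service-account key (parsed JSON)."""
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"not a service-account key: type={key.get('type')!r}")
    if not key.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


def check_scopes(delegated):
    """Compare the scopes entered for the Client ID with the sensor's scopes."""
    delegated, wanted = set(delegated), set(SENSOR_SCOPES)
    problems = [f"missing scope: {s}" for s in sorted(wanted - delegated)]
    for s in sorted(delegated - wanted):
        # Anything not *.readonly would let this key modify mail or files.
        kind = "extra scope" if s.endswith(".readonly") else "write-capable scope"
        problems.append(f"{kind}: {s}")
    return problems


def delegation_claims(key, admin_email, scopes=SENSOR_SCOPES, now=None):
    """JWT claim set for a domain-wide-delegation token request.

    iss = the service account, sub = the Workspace administrator being
    impersonated (the address entered in the sensor), scope = the delegated
    scopes.  The real request signs header+claims with private_key (RS256)
    and posts the assertion to TOKEN_URI; signing is omitted here."""
    now = int(now if now is not None else time.time())
    return {
        "iss": key["client_email"],
        "sub": admin_email,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,
    }


# Constructed sample key file with the field layout Google downloads.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gz-sensor@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": TOKEN_URI,
}

if __name__ == "__main__":
    print("key file:", check_key_file(SAMPLE_KEY) or "ok")
    # A delegation that swapped gmail.readonly for gmail.modify and lost drive.
    print("scopes:", check_scopes(SENSOR_SCOPES[:-1] + ["https://www.googleapis.com/auth/gmail.modify"]))
    print(delegation_claims(SAMPLE_KEY, "admin@example.com", now=1700000000))
```

If check_scopes reports a write-capable scope, remove it in the Admin console before adding the sensor: the sensor only needs to read, and a leaked key file would otherwise carry write access to every mailbox and drive in the domain.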
Setting up the Google Workspace sensor
To configure the Google Workspace sensor, follow these steps:
In the Configuration > Sensors Management page, select Add new to integrate a new sensor.
Select the company where you want to deploy the sensor.
Select the Google Workspace sensor and click Integrate.
On the Check Requirements page, confirm that the prerequisite steps have been completed.
Name the integration and provide the necessary Google Workspace details.
In the Administrator account details section, add the email address you used to log into admin.google.com, at step 4 of the Prerequisites procedure. Provide the domain you want to monitor.
In the Service account details section, provide the required information from the document you downloaded at step 3 of the Prerequisites procedure.
Select Test connectivity.
Select Add sensor.
The new integration will be available in the Sensors Management grid.
Deleting the sensor integration
If you delete the sensor integration, it will be removed from the Sensors Management grid and the sensor will no longer process data.
To delete a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Delete and confirm the action.
Disabling the sensor integration
If you disable the sensor integration, the sensor will no longer process data.
To disable a sensor integration, follow these steps:
Select the integration from the Sensors Management grid.
The Details panel is displayed.
Select Disable and confirm the action.
Suggest a new sensor
You can request a new sensor type in GravityZone Control Center by accessing Configuration > Sensors Management > Add new > Need a different sensor?
