
Configuration

For XDR to correlate events and generate organization-level incidents, you need to turn on the Incidents Sensor. To enrich the pool of events correlated by XDR with network data, you need to install and configure the Network Sensor.

The Incidents Sensor continuously monitors endpoint activity such as running processes, network connections, registry changes, and user behavior. This metadata is collected, reported and processed by machine learning algorithms and prevention technologies that detect suspicious activity on the system and generate incidents.

The Network Sensor continuously listens to network traffic, collecting events from all endpoints in your environment, pre-processing and pre-filtering them, and sending the metadata to GravityZone's Security Analytics engine, thus enriching the context of extended incidents generated by GravityZone.

Important

The Network Sensor, as well as the productivity, identity and cloud sensors available for integration in the Sensors Management area require a separate license key for activation.

Go to Policies > Add > Incidents sensor and select the check box to activate the Incidents sensor.

IncidentsActivateSensor.png

The Network sensor collects and pre-processes network-related events in order to enrich the context of your incidents.

To add the Network sensor, follow these steps:

  1. Deploy the Network sensor kit in your environment by using either vSphere or Hyper-V.

  2. Configure the Network sensor virtual appliance.

Install Network Sensor using vSphere client

Follow the steps below to deploy the Network sensor probes in your environment. For hardware requirements see Network sensor requirements.

  1. Open the vSphere client and click File > Deploy OVF Template to deploy the Network Sensor Virtual Appliance (NSVA) from its OVF template. This is the appliance you will later configure and activate as the Network Sensor in your environment.

    NSVA-Deploy_OVF_Template.png

    You can select a template from:

    After selecting the OVF template click Next.

  2. Name the network sensor virtual appliance and select the deployment location.

    Click Next.

  3. Select the compute resource (host or cluster) in your environment on which to deploy the Network Sensor probe, then click Next.

    NSVA-select_resources.png
  4. Verify the details of your NSVA template and click Next.

    NSVA-Review_template_details.png
  5. On the Select storage page, define where and how to store the files for the deployed NSVA template.

    1. Select the disk format for the virtual machine virtual disks.

      Choose from the available options:

      • Thick Provision Lazy Zeroed

      • Thick Provision Eager Zeroed

      • Thin Provision

      NSVA-Select_storage.png
    2. Select a storage policy.

      Note

      This option is available only if storage policies are enabled on the target endpoints.

    3. Select a datastore to store the deployed NSVA template.

      The configuration file and virtual disk files are stored on the datastore. Select a datastore large enough to accommodate the virtual appliance and all associated virtual disk files.

  6. On the Select networks page:

    1. Select the network interface that establishes communication between the Network Sensor appliance and GravityZone .

    2. Select the SPAN network that will be monitored by the Network Sensor probes.

      By default, this interface is configured via DHCP so make sure a DHCP server is present in that network.

      Important

      If no DHCP server exists, you have to manually assign a network IP and Mask by running the sva_setup.sh script. For more information on how to set up the SPAN network see Configure the SPAN Network manually.

    NSVA-Select_networks.png

    Click Next.

  7. Optionally, customize the NSVA deployment properties and click Next.

    NSVA-Customize_template.png
  8. On the Ready to complete page, review the details and click Finish.

    NSVA-Complete_setup.png

    After the creation task is completed, open your Network Sensor virtual appliance and start the configuration process.

Install Network Sensor using Hyper-V Manager

Follow the steps below to deploy the Network sensor probes in your environment. For hardware requirements see Network sensor requirements.

  1. Download the Network Sensor virtual machine kit in .vhd format available at https://download.bitdefender.com/business/betas/NetworkSensor/Bitdefender_SVE-SVA-NSVA.vhd.

  2. Open Hyper-V Manager and from the Action pane click New > Virtual Machine... to create a virtual machine that will be used to configure and activate the Network Sensor in your environment.

    NSVA-Create-new-virtual-machine.png
  3. In the Before you Begin window, click Next to create a virtual machine with a custom configuration.

  4. Name the virtual machine and select the deployment location.

    NSVA-Specify-name-and-location.png

    Click Next.

  5. In the Specify Generation window choose Generation 1 and click Next.

    NSVA-Specify-generation.png
  6. Select the amount of memory to allocate to the virtual machine (min. 2 GB) and click Next.

    NSVA-Assing-memory-space.png
  7. In the Configure Networking window, select the network interface that establishes communication between the Network Sensor virtual machine and GravityZone.

    NSVA-GZ-network.png

    Click Next.

  8. In the Connect Virtual Hard Disk window select the Use an existing virtual hard disk option and browse for the location of the downloaded Network Sensor VHD kit.

    NSVA-Connect-VHD-kit.png

    Click Next.

  9. In the Summary page, review the details and click Finish.

    NSVA-Complete-vm.png
  10. In Hyper-V Manager, right-click the newly created virtual machine and go to Settings.

    1. Go to Add Hardware and select Network Adapter to add the SPAN network that will be monitored by the Network Sensor probes.

      NSVA-Network-adapter.png

      By default, this interface is configured via DHCP so make sure a DHCP server is present in that network.

      Important

      If no DHCP server exists, you have to manually assign a network IP and Mask by running the sva_setup.sh script. For more information on how to set up the SPAN network see Configure the SPAN Network manually.

    2. Select the desired SPAN network and click Apply.

      NSVA-SPAN-network.png
    3. Open Advanced Features of the SPAN network adapter and set port mirroring mode to Destination, then click Apply.

      NSVA-Advanced-SPAN-config.png
  11. Start the Network Sensor virtual machine and begin the configuration process.

Configure the Network sensor virtual appliance

After installing the Network sensor, follow these steps to configure the virtual appliance:

  1. Start the Network sensor virtual machine (using either vSphere client or Hyper-V Manager).

  2. Log in via SSH with the default credentials root / sve. Change this password with passwd at first login: every appliance ships with the same default, so leaving it in place gives anyone who can reach the management interface root on the sensor.

  3. To configure the Network sensor, run the following command:

    /opt/bitdefender/bin/sva_setup.sh
  4. Start the configuration process.

    xEDR-NS-config.jpg

    Choose an option from:

    1. Network configuration - allows setting the modes of eth0 (the management interface that talks to GravityZone) and eth1 (the SPAN capture interface).

    2. Internet proxy configuration - allows setting a proxy configuration that will be used the first time the Network sensor communicates with GravityZone.

    3. Communication server configuration - the GravityZone address where the Network sensor sends the collected and pre-processed metadata:

      • For GravityZone Europe: Cloud EU

      • For GravityZone US: Cloud US

    4. Configure the Company ID - the GravityZone company ID where the Network sensor sends the data (Login to GravityZone > My Company > My Company ID).

  5. If the connection is successful, the Network sensor is displayed in the GravityZone platform, in Network > Computers and Groups, within approximately 30 seconds.

    xEDR-NS-in-network-page.png
  6. To view the Network sensor status and the detections it has triggered, open the main log file, bdxdrd.log, in the appliance's Bitdefender var/log directory (normally the path below):

    /opt/bitdefender/var/log/bdxdrd.log
    xEDR-main-log-file.jpg

Configure the SPAN Network manually

To configure the SPAN network manually follow these steps:

  1. Start the Network sensor virtual machine (using either vSphere client or Hyper-V Manager).

  2. Log in via SSH as root (default password sve, unless you have already changed it).

  3. To configure the Network sensor, run the following command:

    /opt/bitdefender/bin/sva_setup.sh
  4. Go to Network configuration.

    xEDR-NS-config.jpg
  5. Select eth1, the default SPAN network.

    SPAN-select_eth1.png
  6. Set Promiscuous Mode to On (default).

    SPAN-promiscuous_mode_on.png
  7. Choose between DHCP (default) and Static configurations:

    1. For DHCP you only need to select it and press Enter.

      SPAN-DHCP-Enter.png
    2. For Static, configure the fields shown in the image below:

      SPAN-Configure_Static_fields.png
    3. Press Enter to confirm the settings.

      SPAN-Confirm_Static_fields.png

The Microsoft Office 365 platform includes the Mail and Audit sensors, which enhance the XDR detections with data about email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.

  • The Mail sensor accesses events such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online.

  • The Audit sensor accesses user and admin operations performed in Microsoft 365 services and solutions. These operations are captured, recorded, and retained in your organization's unified audit log.

O365 Prerequisites

Before you integrate the Office 365 sensor platform with GravityZone, you must configure the Mail and Audit sensors.

Mail sensor setup
  1. Register your managed application in Microsoft Azure AD.

  2. Set up permissions in Microsoft Graph API > Application permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone, the following permissions are needed: AuditLog.Read.All, Mail.ReadWrite and User.ReadWrite.All.

      Important

      To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

      In the Azure AD admin center, navigate to Roles and administratorsUser administrator role > Add assignments, search for the application name used for the GravityZone O365 Mail sensor integration and assign it.

    2. If you only want to be able to receive events but not take response actions for O365 incidents directly from GravityZone incidents, the following permissions are sufficient: AuditLog.Read.All, Mail.Read and User.Read.All.

  3. Grant Admin consent.

  4. Generate a client secret and copy its value; the value is shown only once, at creation.

Note

Learn more about Mail sensor requirements here.

Audit sensor setup
  1. Register your managed application in Microsoft Azure AD.

  2. Set up permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for O365 incidents directly from GravityZone:

      1. In the Microsoft Graph API > Application permissions section, add the following permission: User.ReadWrite.All

      2. In the Office 365 Management APIs > Application permissions section, add the following permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.

      Important

      To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

      In the Azure AD admin center, navigate to Roles and administratorsUser administrator role > Add assignments, search for the application name used for the GravityZone O365 Mail sensor integration and assign it.

    2. If you only want to be able to receive events but not take response actions for O365 incidents directly from GravityZone incidents, set the following permissions in Office 365 Management APIs > Application permissions: ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read.

  3. Grant Admin consent.

  4. Generate a client secret and copy its value.

  5. Navigate to Microsoft Compliance > Audit and start recording user and admin activity.

  6. Enable the Audit.AzureActiveDirectory, Audit.Exchange, Audit.General, Audit.SharePoint and DLP.All subscriptions by running the PowerShell script below. Replace the values in the first four lines of code:

    # Replace the four values below with your app registration details.
    # The secret authenticates as the app: keep this file out of version control.
    $ClientID          = "client_id"             # e.g. f5b17a13-6e4e-4c3e-81f4-51fb9a377182
    $ClientSecretValue = "client_secret_value"   # e.g. UOJ7Q~YN5hkilURseLkfRN6~kTQp80Fndn9eJ
    $tenantdomain      = "tenant_domain"         # e.g. albert@osf.onmicrosoft.com (not used by the requests below)
    $TenantGUID        = "tenant_guid"           # e.g. ac593d47-7293-47ed-a8fc-c5824d38673a

    # Client-credentials grant for the Office 365 Management API resource.
    $body = @{
        grant_type    = "client_credentials"
        resource      = "https://manage.office.com"
        client_id     = $ClientID
        client_secret = $ClientSecretValue
    }
    $oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
    $headerParams = @{ 'Authorization' = "$($oauth.token_type) $($oauth.access_token)" }

    # No webhook is registered; subscription content is retrieved by polling.
    $p = @{ "webhook" = $null }

    # Start one subscription per content type the Audit sensor consumes.
    $contentTypes = @("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint", "Audit.General", "DLP.All")
    foreach ($contentType in $contentTypes) {
        Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=$contentType" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
    }

Note

It might take up to 24 hours for the systems to synchronize and send data.

Learn more about Audit sensor requirements here.

Setting up Office 365 sensors

To configure the Mail and Audit sensors, follow these steps:

  1. In the Sensors Management tab, click Add new to integrate a new sensor platform.

    AddSensors.png
  2. Select the Microsoft Office 365 sensor platform and click Integrate.

  3. Start configuring the Mail and Audit sensors.

    SensorsManReqs.png
    1. Check and Confirm that all operational requirements are met.

    2. Name your sensor integration setup.

    3. Add in your Office 365 credentials:

      • Application ID

      • Tenant ID

      • Client Secret value

    4. Click Test connectivity to make sure the link between the Office 365 platform and GravityZone is working properly.

  4. Click APPLY to save the sensor integration setup.

    The new integration will be available in the Sensors Management grid, with the status: Active.

Troubleshooting

If the integration is not successful, you can use the PowerShell script below to enable the following subscriptions:

  • Audit.AzureActiveDirectory

  • Audit.Exchange

  • Audit.General

  • Audit.SharePoint

  • DLP.All

Replace the values in the first four lines of code, and run the script:

# Replace the four values below with your app registration details.
# The secret authenticates as the app: keep this file out of version control.
$ClientID     = "client_id"         # e.g. f5b17a13-6e4e-4c3e-81f4-51fb9a377182
$ClientSecret = "client_secret"     # e.g. UOJ7Q~YN5hkilURseLkfRN6~kTQp80Fndn9eJ
$tenantdomain = "tenant_domain"     # e.g. albert@osf.onmicrosoft.com (not used by the requests below)
$TenantGUID   = "tenant_guid"       # e.g. ac593d47-7293-47ed-a8fc-c5824d38673a

# Client-credentials grant for the Office 365 Management API resource.
$body = @{
    grant_type    = "client_credentials"
    resource      = "https://manage.office.com"
    client_id     = $ClientID
    client_secret = $ClientSecret
}
$oauth = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantGUID/oauth2/token?api-version=1.0" -Body $body
$headerParams = @{ 'Authorization' = "$($oauth.token_type) $($oauth.access_token)" }

# No webhook is registered; subscription content is retrieved by polling.
$p = @{ "webhook" = $null }

# Start one subscription per content type the Audit sensor consumes.
$contentTypes = @("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint", "Audit.General", "DLP.All")
foreach ($contentType in $contentTypes) {
    Invoke-WebRequest "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/start?contentType=$contentType" -Headers $headerParams -Method POST -Body $p -UseBasicParsing
}

# Confirm the result: every content type above should now be listed with status "enabled".
Invoke-RestMethod "https://manage.office.com/api/v1.0/$TenantGUID/activity/feed/subscriptions/list" -Headers $headerParams -Method Get

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The Active Directory (AD) sensor collects and processes user login information from the on-premises Active Directory your company uses.

Active Directory sensor prerequisites

Before setting up the Active Directory sensor, make sure the following requirements are met:

  • BEST with EDR is installed and active on each domain controller of the domains you want to monitor.

  • Account Logon and Logon/Logoff policies in Group Policy must be set to audit all login events.

Active Directory Sensor policy configuration
  1. Open the Group Policy Management Console.

  2. Navigate the tree structure to your domain and select Domain Controllers.

    151817_3.png
  3. Right-click Default Domain Controllers Policy and select Edit. The Group Policy Management Editor opens.

  4. Navigate to Audit Policies: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    AD-policy-groups.PNG
  5. Configure all policies within the Account Logon and Logon/Logoff groups to audit both success and failure, as shown below:

    151817_2.png
  6. Apply the changes. They take effect on each domain controller at its next Group Policy refresh, or immediately after running gpupdate /force on it.
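A GPO only describes the intended policy; what the sensor depends on is the audit policy actually in effect on each domain controller. The check below is an added example, not Bitdefender's code: it parses the CSV that auditpol /get /category:"Account Logon","Logon/Logoff" /r prints on a DC and lists every subcategory of the two groups above that is not configured as expected. The expectation that each subcategory audits both success and failure is an assumption drawn from "audit all login events" above (the screenshot is not reproduced here), and the sample auditpol output is constructed.

```python
"""Verify the effective advanced audit policy exported from a domain controller.

Added example, not Bitdefender code. Subcategory names are the ones
auditpol.exe prints. EXPECTED_SETTING is an assumption (see lead-in).
"""
import csv
import io

ACCOUNT_LOGON = {
    "Credential Validation", "Kerberos Authentication Service",
    "Kerberos Service Ticket Operations", "Other Account Logon Events",
}
LOGON_LOGOFF = {
    "Account Lockout", "User / Device Claims", "Group Membership",
    "IPsec Extended Mode", "IPsec Main Mode", "IPsec Quick Mode",
    "Logoff", "Logon", "Network Policy Server",
    "Other Logon/Logoff Events", "Special Logon",
}
REQUIRED_SUBCATEGORIES = ACCOUNT_LOGON | LOGON_LOGOFF
EXPECTED_SETTING = "Success and Failure"  # assumption: "audit all login events"


def parse_auditpol_csv(text):
    """Map subcategory -> inclusion setting from `auditpol /get ... /r` output.

    auditpol's CSV columns are: Machine Name, Policy Target, Subcategory,
    Subcategory GUID, Inclusion Setting, Exclusion Setting. Blank lines
    (auditpol prints one before the header) are dropped first.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {row["Subcategory"].strip(): row["Inclusion Setting"].strip()
            for row in reader}


def audit_policy_gaps(text):
    """Return {subcategory: actual setting} for every required subcategory that
    is absent from the export or not set to EXPECTED_SETTING."""
    settings = parse_auditpol_csv(text)
    return {sub: settings.get(sub, "<not reported>")
            for sub in sorted(REQUIRED_SUBCATEGORIES)
            if settings.get(sub) != EXPECTED_SETTING}


# Constructed sample from a DC where the GPO only partially applied: Logon
# audits success only, Other Logon/Logoff Events is off, and Special Logon is
# missing from the export altogether.
SAMPLE_AUDITPOL = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Group Membership,{0CCE9249-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,
DC01,System,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030},Success and Failure,
DC01,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},No Auditing,
"""

if __name__ == "__main__":
    for sub, actual in audit_policy_gaps(SAMPLE_AUDITPOL).items():
        print(f"{sub}: {actual} (expected {EXPECTED_SETTING})")
```

Feed the exported CSV text to audit_policy_gaps() for each domain controller; an empty result means every required subcategory audits success and failure on that DC, which is the state the Check Requirements step later expects.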

Setting up Active Directory sensors

To configure the Active Directory sensor, follow these steps:

  1. In the Sensors Management tab, select Add new to integrate a new sensor.

    AddSensors.png
  2. Select the Active Directory sensor and click Integrate.

  3. Go to Check Requirements and confirm that the prerequisite steps have been completed.

  4. Click on the domain you want to monitor. A list of its domain controllers will be displayed.

    152556_1.png

    Note

    Status will inform you of any missing prerequisite steps. When all requirements are met, the Status will display Ready to use.

  5. Select Apply.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

The AWS sensor collects and processes information about configuration changes and actions taken by users, roles, or AWS services.

AWS sensor prerequisites

Before setting up the AWS sensor, make sure the following requirements are met:

  • An AWS user account must be set up with the proper permissions. Learn more.

  • The AWS Config, AWS CloudTrail, Amazon SQS and Amazon SNS services must be enabled and configured. Learn more.

Important

Enabling each of the following services may incur additional costs: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS. All four are required for a successful integration.

Configure AWS permissions

The following procedure requires you to have IAM administrative rights.

To add permissions to your IAM user, follow these steps:

  1. Go to Security Credentials > Users > your IAM user > Add inline policy > JSON.

  2. Copy and paste the following setup policy. It grants the rights needed to create the resources in the next section and is removed again once setup is complete:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:CreateBucket",
                    "s3:GetBucketNotification",
                    "s3:PutBucketNotification",
                    "s3:ListAllMyBuckets",
                    "s3:PutBucketPolicy",
                     
                    "sqs:GetQueueAttributes",
                    "sqs:CreateQueue",
                    "sqs:SetQueueAttributes",
                    "sqs:DeleteQueue",
                    "sqs:ListQueues",
                     
                    "sns:Subscribe",
                    "sns:CreateTopic",
                    "sns:ListTopics",
                    "sns:SetTopicAttributes",
                    "sns:DeleteTopic",
                     
                    "iam:PassRole",
                    "iam:CreateServiceLinkedRole",
                     
                    "cloudtrail:PutEventSelectors",
                    "cloudtrail:StopLogging",
                    "cloudtrail:StartLogging",
                    "cloudtrail:CreateTrail",
                    "cloudtrail:DeleteTrail",
                     
                    "config:DescribeDeliveryChannels",
                    "config:PutConfigurationRecorder",
                    "config:StartConfigurationRecorder",
                    "config:PutDeliveryChannel",
                    "config:DescribeConfigurationRecorders",
                    "config:DeleteDeliveryChannel",
                    "config:DeleteConfigurationRecorder"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Click Review.

  4. Click Save.

  5. Go back to Add inline policy > JSON.

  6. Copy and paste the following sensor policy, replacing account-ID in the SQS ARN with your 12-digit AWS account ID:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "sqs:DeleteMessage",
                    "sqs:PurgeQueue",
                    "sqs:ReceiveMessage"
                ],
                "Resource": [
                    "arn:aws:sqs:*:account-ID:*",
                    "arn:aws:s3:::*"
                ]
            }
        ]
    }
  7. Click Review.

  8. Click Save.

Configure the necessary AWS services
  1. Create an S3 bucket.

    1. In the S3 section, click Create Bucket.

    2. Copy the bucket Amazon Resource Name (ARN) for later use.

  2. Create an SQS queue.

    1. In the SQS section, click Create Queue.

    2. Copy the SQS ARN and Queue URL for later use.

  3. Replace the access policy attached to the queue with the following policy:

    1. In the Amazon SQS console, choose the queue name in the Queues list.

    2. In the Access policy tab, select Edit.

    3. Replace the access policy attached to the queue with the following policy, updating the values for:

      • awsexamplebucket1: replace it with the value you copied in step 1.

      • SQS-queue-ARN: replace it with the value you copied in step 2.

      • bucket-owner-account-id: replace it with your account ID. You can find it by clicking on your name on the top right corner of the screen.

      You can also replace the values for the ID and SID, to further customize the policy.

      {
       "Version": "2012-10-17",
       "Id": "example-ID",
       "Statement": [
        {
         "Sid": "example-statement-ID",
         "Effect": "Allow",
         "Principal": {
          "Service": "s3.amazonaws.com"
         },
         "Action": [
          "SQS:SendMessage"
         ],
         "Resource": "SQS-queue-ARN",
         "Condition": {
            "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:awsexamplebucket1" },
            "StringEquals": { "aws:SourceAccount": "bucket-owner-account-id" }
         }
        }
       ]
      }
    4. Click Save.

  4. Enable notifications for the bucket you have created.

    1. Go to the bucket you created.

    2. Click Properties.

    3. In the Event Notifications section, select Create event notification.

    4. In the General configuration section, specify a name for your event notification.

    5. In the Event types section, select the event types for which you want to receive notifications; at least the object creation events, since CloudTrail and AWS Config deliver new log files by writing objects to the bucket.

    6. In the Destination section, choose the SQS queue you have previously created.

    7. Click Save changes.

  5. Create an access key.

    1. In the Security Credentials section, click Access Keys.

    2. Select Create New Access Key and download the key pair. The secret access key is shown only at creation; store it securely, as it is the credential you will enter in the sensor configuration.

  6. Create a CloudTrail and link it to the S3.

    1. In the CloudTrail section, click Create Trail.

    2. Select the Use existing S3 bucket option, then select the bucket you previously created.

    3. Click Next.

    4. Select the Management events and Data events check boxes.

    5. In the Data Events section, select S3 as the event type.

    6. Click Next and then Create Trail.

  7. Configure AWS Config.

    1. Go to the Config service.

    2. Click Get Started.

    3. Select the Record specific resource types option.

    4. Select AWS Resources.

    5. Depending on the desired configuration, create a new bucket or select an existing one. If a new bucket is created, new rights should be added to the SQS queue. For information on adding rights to an SQS queue, refer to step 3, substep 3.

    6. Select the Stream configuration changes and notifications to an Amazon SNS topic checkbox.

    7. Create a new topic or use an existing one.

    8. Click Next > Next > Confirm.

    9. Go to the SQS queue you have created.

    10. Click Subscribe to Amazon SNS Topic and choose the topic from step 7, substep 7.

    11. Click Save.

  8. Navigate to Security Credentials > Users > your IAM user > Add inline policy > JSON.

  9. Delete the setup policy you created in Configure AWS permissions. Only the sensor policy (s3:GetObject plus the SQS receive, delete and purge actions) needs to stay attached to the user whose access key you give to GravityZone.
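The queue access policy from step 3 is the one piece of this procedure that is easy to weaken by hand-editing in the console. Below is an added example, not Bitdefender's or AWS's code, that builds the policy with real values substituted and then checks an arbitrary SQS policy for the usual weakenings: a '*' principal, wildcard actions or resources, and a service principal without the aws:SourceArn and aws:SourceAccount conditions that stop a bucket in another account from pushing messages into your queue. The bucket name, queue ARN and account ID are constructed sample values, and the default policy Id and Sid are this example's own.

```python
"""Build and sanity-check the SQS access policy for the CloudTrail/Config
delivery bucket. Added example, not Bitdefender or AWS code."""
import json


def build_queue_policy(bucket_name, queue_arn, account_id,
                       policy_id="gravityzone-xdr-queue",
                       sid="AllowDeliveryBucketToSendMessage"):
    """Return the queue access policy as a dict (json.dumps it for the console)."""
    return {
        "Version": "2012-10-17",
        "Id": policy_id,
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": ["SQS:SendMessage"],
            "Resource": queue_arn,
            "Condition": {
                # Only notifications that originate from this bucket ...
                "ArnLike": {"aws:SourceArn": f"arn:aws:s3:*:*:{bucket_name}"},
                # ... and only while the bucket is owned by this account.
                "StringEquals": {"aws:SourceAccount": account_id},
            },
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _condition_keys(condition):
    """Lower-cased condition keys across all operators (ArnLike, StringEquals, ...)."""
    keys = set()
    for operator_values in (condition or {}).values():
        if isinstance(operator_values, dict):
            keys.update(k.lower() for k in operator_values)
    return keys


def queue_policy_findings(policy):
    """Return human-readable problems found in the Allow statements of an SQS policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: Principal '*' lets any AWS identity call {actions}")
        if any(a in ("*", "sqs:*") for a in actions):
            findings.append(f"{sid}: wildcard Action grants more than SQS:SendMessage")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' applies to every queue, not just this one")
        if isinstance(principal, dict) and "Service" in principal:
            keys = _condition_keys(stmt.get("Condition"))
            if "aws:sourcearn" not in keys:
                findings.append(f"{sid}: service principal without aws:SourceArn; any bucket can send")
            if "aws:sourceaccount" not in keys:
                findings.append(f"{sid}: service principal without aws:SourceAccount; "
                                "a bucket in another account could send")
    return findings


if __name__ == "__main__":
    # Constructed sample values; use your own bucket, queue ARN and account ID.
    policy = build_queue_policy("awsexamplebucket1",
                                "arn:aws:sqs:us-east-1:123456789012:gravityzone-xdr",
                                "123456789012")
    print(json.dumps(policy, indent=2))
    print("findings:", queue_policy_findings(policy))
```

Paste the JSON that build_queue_policy() prints into the queue's Access policy tab; running queue_policy_findings() on the policy you read back from the console (or from get-queue-attributes) confirms nobody has since loosened it.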

Setting up the AWS sensor

To configure the AWS sensor, follow these steps:

  1. In the Sensors Management tab, select Add new to integrate a new sensor.

    AddSensors.png
  2. Select the AWS sensor and click Integrate.

  3. Select Check Requirements and confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary AWS details.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Important

Deleting the sensor will not deactivate the following paid services: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

Important

Disabling the sensor will not deactivate the following paid services: AWS CloudTrail, AWS Config, Amazon SQS and Amazon SNS.

The Azure AD sensor collects and pre-processes data related to user sign in activity, as well as configuration changes related to users and groups.

Azure AD sensor prerequisites

Before you integrate Azure AD with GravityZone, make sure you complete these steps:

  1. Register your managed application in Microsoft Azure AD, unless you have one already.

  2. In the API Permissions > Microsoft Graph section, grant the following permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for Azure AD incidents directly from GravityZone, the following permissions are needed:

      • User.ReadWrite.All

      • AuditLog.Read.All

      • Directory.Read.All

      Important

      In order for the configuration to be successful, an Azure AD Premium P1 or Premium P2 license is required.

      Important

      To enforce password resets on user accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

      In the Azure AD admin center, navigate to Roles and administrators > User administrator > Add assignments, search for the application name used for the GravityZone Azure AD sensor integration and assign it.

    2. If you only want to be able to receive events but not take response actions for Azure AD incidents directly from GravityZone incidents, the following permissions are sufficient:

      • AuditLog.Read.All

      • Directory.Read.All

  3. Grant Admin consent.

  4. Generate a client secret, unless you have one already, and copy its value.
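The Mail, Audit and Azure AD prerequisites each list two permission tiers: what the sensor needs to receive events, and the larger set needed for response actions. The check below is an added example, not Bitdefender's code, that turns those lists into a least-privilege audit of an app registration: given the application permissions actually granted to the app (copy them from its API permissions blade), it reports what is missing for the chosen tier, what is surplus, and which surplus grants are write permissions, the ones that matter if the client secret leaks. The REQUIRED table restates the page's lists; the sensor and mode labels, the COVERS map (a write permission implying its read counterpart) and the granted set in the example are this example's own assumptions.

```python
"""Least-privilege check for the app registrations behind the Mail, Audit
and Azure AD sensors. Added example, not Bitdefender code."""

# Application permissions per sensor and tier, as listed in the prerequisites.
# Graph and Office 365 Management API permissions share one set because the
# comparison is on names only.
REQUIRED = {
    "mail": {
        "events_only": {"AuditLog.Read.All", "Mail.Read", "User.Read.All"},
        "respond": {"AuditLog.Read.All", "Mail.ReadWrite", "User.ReadWrite.All"},
    },
    "audit": {
        "events_only": {"ActivityFeed.Read", "ActivityFeed.ReadDlp",
                        "ServiceHealth.Read"},
        "respond": {"ActivityFeed.Read", "ActivityFeed.ReadDlp",
                    "ServiceHealth.Read", "User.ReadWrite.All"},
    },
    "azuread": {
        "events_only": {"AuditLog.Read.All", "Directory.Read.All"},
        "respond": {"AuditLog.Read.All", "Directory.Read.All",
                    "User.ReadWrite.All"},
    },
}

# Assumption: a write permission implies its read counterpart, so an app
# granted Mail.ReadWrite still satisfies a tier that asks for Mail.Read.
COVERS = {
    "Mail.ReadWrite": {"Mail.Read"},
    "User.ReadWrite.All": {"User.Read.All"},
}


def effective_permissions(granted):
    """Granted permissions plus everything they imply via COVERS."""
    effective = set(granted)
    for perm in granted:
        effective |= COVERS.get(perm, set())
    return effective


def is_write_permission(name):
    """Permission names that allow changes contain 'Write' (Mail.ReadWrite, ...)."""
    return "write" in name.lower()


def check_app_permissions(sensor, mode, granted):
    """Compare an app's granted application permissions with a sensor tier.

    Returns a dict with sorted lists:
      missing      - required by the tier but not granted (the sensor will fail)
      excess       - granted but not required by the tier
      excess_write - the subset of excess that grants write access
    and ok, True when nothing is missing.
    """
    required = REQUIRED[sensor][mode]
    granted = set(granted)
    missing = required - effective_permissions(granted)
    excess = granted - required
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        "excess_write": sorted(p for p in excess if is_write_permission(p)),
        "ok": not missing,
    }


if __name__ == "__main__":
    # Constructed example: an app meant only to feed Mail sensor events, but
    # registered with the write permissions of the response tier.
    report = check_app_permissions(
        "mail", "events_only",
        {"AuditLog.Read.All", "Mail.ReadWrite", "User.ReadWrite.All"})
    print(report)
```

An app that is ok but has non-empty excess_write works, yet carries more blast radius than the tier needs; trim it to the events_only set unless you actually use the response actions, and remember that the User administrator role assignment is a separate grant this check does not see.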

Setting up the Azure AD sensor

To configure the Azure AD sensor, follow these steps:

  1. In the Sensors Management tab, select Add new to integrate a new sensor.

    AddSensors.png
  2. Select the Azure AD sensor and click Integrate.

  3. Select Check Requirements and confirm that the prerequisite steps have been completed.

  4. Name the integration and provide the necessary Azure AD details.

  5. Select Test connectivity.

  6. Select Add sensor.

    The new integration will be available in the Sensors Management grid.

Deleting the sensor integration

If you delete the sensor integration, it will be removed from the Sensor Management list and the sensor will no longer process data.

To delete a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Delete and confirm the action.

Disabling the sensor integration

If you disable the sensor integration, the sensor will no longer process data.

To disable a sensor integration, follow these steps:

  1. Select the integration from the Sensors Management grid.

    The Details panel is displayed.

  2. Select Disable and confirm the action.

Suggest a new sensor

You can request a new sensor type in GravityZone Control Center by accessing Configuration > Sensors Management > Add new > Need a different sensor?

suggest-sensor.png