
The Azure AD sensor

The Azure AD sensor collects and pre-processes data related to user sign in activity, as well as configuration changes related to users and groups.

Azure AD sensor prerequisites

Before you integrate Azure AD with GravityZone, make sure you complete these steps:

  1. Register your managed application in Microsoft Azure AD, unless you have one already.

  2. In the API Permissions > Microsoft Graph application section, grant the following permissions according to how you want to configure the sensor:

    1. If you want to be able to receive events and also be able to take response actions for Azure AD incidents directly from GravityZone, the following permissions are needed:

      • AuditLog.Read.All

      • Directory.Read.All

      • Mail.ReadWrite, for deleting emails

      • User.ReadWrite.All and User.EnableDisableAccount.All, which allow security analysts to disable user accounts involved in XDR incidents.

      • User.ReadWrite.All and User.RevokeSessions.All, which allow security analysts to force password resets for user accounts involved in XDR incidents.

        Important

        To enforce password resets on O365 accounts directly from GravityZone XDR incidents, you must assign the User administrator role to the Azure app.

        Additionally, to be able to take response actions on administrator users, you must assign Global administrator role to the Azure app.

        In the Azure AD admin center, navigate to Roles and administrators > User administrator > Add assignments, search for the application name used for the GravityZone Azure AD sensor integration and assign it. Repeat the same process for the Global administrator role.

      • IdentityRiskyUser.Read.All, for displaying Azure AD risky user information in the Graph details panel.

      • IdentityRiskyUser.ReadWrite.All, for marking a user account as compromised.

        Important

        IdentityRiskyUser.ReadWrite.All and IdentityRiskyUser.Read.All require an Azure AD Premium P2 license. The other permissions require an Azure AD Premium P1 license.

    2. If you only want to receive events and not take response actions for Azure AD incidents directly from GravityZone, the following permissions are sufficient:

      • AuditLog.Read.All

      • Directory.Read.All

  3. Grant Admin consent.

  4. Generate a Client secret, unless you have one already.
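The following added example (not Bitdefender's or Microsoft's code) checks steps 2 and 3 together: once admin consent is granted, a client-credentials token for the registered app lists its granted application permissions in the `roles` claim, so decoding our own token and diffing it against the permission sets above shows what is still missing before you run Test connectivity. The tenant ID, client ID and client secret are assumed inputs, and the sample token used offline is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Graph application permissions the prerequisites list for each sensor mode.
EVENTS_ONLY = {"AuditLog.Read.All", "Directory.Read.All"}
WITH_RESPONSE = EVENTS_ONLY | {
    "Mail.ReadWrite", "User.ReadWrite.All", "User.EnableDisableAccount.All",
    "User.RevokeSessions.All", "IdentityRiskyUser.Read.All",
    "IdentityRiskyUser.ReadWrite.All",
}

def fetch_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for Graph; succeeds only after admin consent is granted."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a token we obtained ourselves. No signature check is done,
    so this is only for inspecting our own grants, never for trusting a presented token."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def missing_permissions(claims: dict, want_response_actions: bool) -> set:
    """Required application permissions absent from the token's 'roles' claim."""
    required = WITH_RESPONSE if want_response_actions else EVENTS_ONLY
    return required - set(claims.get("roles", []))

def make_sample_token(roles: list) -> str:
    """Constructed, unsigned sample token so the check can be demonstrated offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none"}), enc(payload), ""])

if __name__ == "__main__":
    claims = decode_jwt_payload(make_sample_token(["AuditLog.Read.All", "Directory.Read.All"]))
    print("events-only mode, missing:", missing_permissions(claims, False))
    print("response-actions mode, missing:", sorted(missing_permissions(claims, True)))
```

For a live check, replace the sample token with `fetch_app_token(...)`; an empty `roles` claim usually means step 3 (admin consent) has not been completed yet.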

Setting up the Azure AD sensor

To configure the Azure AD sensor, follow these steps:

  1. In the Configuration > Sensors Management page, select Add new to integrate a new sensor.

  2. Select the company where you want to deploy the sensor.

  3. Select the Azure AD sensor and click Integrate.

  4. On the Check Requirements page, confirm that the prerequisite steps have been completed.

  5. Name the integration and provide the necessary Azure AD details.

  6. Select Test connectivity.

  7. Select Add sensor.

    The new integration will be available in the Sensors Management grid.