Newly Setup of XDR, how to?
I have my Gravityzone and assigned license to 1 client with XDR - productivity apps (office 365).
I can only manage to connect the Email Sensor and not Audit Sensor.
Questions:
- Their license is MS Biz Standard only, do they need E5 license to activate the Audit subscriptions required for Audit sensor ?
- My Email sensor is connected, will I see already its Graph view or only once detected an incident? So there is no way for me to monitor real-time, just when suspicious activity happens - it will be recorded to incident page of GravityZone and examine from there?
Answers
-
Hello @johnDexplorer ,
- We do not do validation based on Microsoft licensing, the integration checks if API endpoints and resources are accessible from the Microsoft side. In your case the 365 MS Biz Standard should be ok, except for the Risky Users APIs, which require an Entra ID P2 subscription.
For this issue you will need to ensure that Audit Recording is enabled for your company as per https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?tabs=microsoft-purview-portal
Note: After enabling audit recording, it can take a few hours or more (up to 24h in our tests) before activity events feeds can be successfully subscribed to.
Also, if the above documentation does not help to resolve the issue we would need more information so we can troubleshoot it with our Enterprise Support team.
Such as:
- Do you have access to Audit recording?
- Do you encounter issues with enabling the subscription to the audit feeds? What is the error?
2. You will only see information in the Incidents section from the GravityZone, and as you mentioned it will highlight incidents when they occur. There is no graph for real-time traffic scanning to monitor.
You can always reach out to our support team through this web form:
Kind Regards,
Andrei
1 - We do not do validation based on Microsoft licensing, the integration checks if API endpoints and resources are accessible from the Microsoft side. In your case the 365 MS Biz Standard should be ok, except for the Risky Users APIs, which require an Entra ID P2 subscription.
