Microsoft

Gurucul Microsoft Technology Alliance

Microsoft Azure Active Directory

Gurucul offers machine learning behavior analytics and context to facilitate risk-based authentication enforcement. There are several integrations with Microsoft Azure AD, all focused on detecting risky anomalous behavior before a malicious actor can do harm.

  • Detect access over-provisioning, account compromise, privileged access misuse, and policy violations
  • Link multiple accounts and account aliases to one central identity for identity knowledge and enrichment
  • Detect unusual download and hoarding behavior, data exfiltration, disgruntled employees, data breaches, and intellectual property theft
  • Discover privileged access dynamically
  • Identify and remove dormant accounts and unused or unassigned groups
  • Perform access outlier analysis using peer group analytics
  • Prioritize alerts using a risk-based approach
  • Map detections to MITRE ATT&CK
  • Enrich alerts with threat intelligence

Gurucul Microsoft Azure Integration
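The access outlier analysis listed above compares what a user is entitled to with what their peers hold. The following is an added illustration of that idea, not Gurucul's code or data model: it computes, per peer group (here the department), how common each entitlement is, then flags entitlements a user holds that fewer than a chosen fraction of peers hold. The user records, group names and entitlement names are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample data (not a Gurucul schema): each user's peer group, here the
# department, and the set of entitlements they currently hold.
USERS = {
    "alice": {"peer_group": "finance", "entitlements": {"erp_read", "erp_post_journal", "payroll_view"}},
    "bob":   {"peer_group": "finance", "entitlements": {"erp_read", "erp_post_journal"}},
    "carol": {"peer_group": "finance", "entitlements": {"erp_read", "erp_post_journal", "payroll_view"}},
    "dave":  {"peer_group": "finance", "entitlements": {"erp_read", "prod_db_admin"}},
    "erin":  {"peer_group": "engineering", "entitlements": {"repo_write", "prod_db_admin"}},
    "frank": {"peer_group": "engineering", "entitlements": {"repo_write"}},
}


def peer_entitlement_prevalence(users):
    """Return {peer_group: {entitlement: fraction of group members holding it}}."""
    members = defaultdict(int)
    holders = defaultdict(Counter)
    for rec in users.values():
        members[rec["peer_group"]] += 1
        holders[rec["peer_group"]].update(rec["entitlements"])
    return {
        group: {ent: count / members[group] for ent, count in holders[group].items()}
        for group in members
    }


def access_outliers(users, threshold=0.3, min_group_size=3):
    """Flag entitlements a user holds that fewer than `threshold` of their peers hold.

    Groups smaller than `min_group_size` are skipped: with two members every
    entitlement is held by at least 50% of the group, so prevalence says little.
    Returns {user: [(entitlement, prevalence), ...]} for users with at least one flag.
    """
    prevalence = peer_entitlement_prevalence(users)
    group_size = Counter(rec["peer_group"] for rec in users.values())
    outliers = {}
    for name, rec in users.items():
        group = rec["peer_group"]
        if group_size[group] < min_group_size:
            continue
        rare = [(ent, prevalence[group][ent]) for ent in sorted(rec["entitlements"])
                if prevalence[group][ent] < threshold]
        if rare:
            outliers[name] = rare
    return outliers


if __name__ == "__main__":
    # dave holds prod_db_admin, which only 25% of finance holds -> review candidate
    for user, flags in access_outliers(USERS).items():
        for ent, frac in flags:
            print(f"{user}: holds {ent}, shared by {frac:.0%} of peers -> review")
```

A flagged entitlement is a review candidate for the access owner, not proof of misuse; the threshold and the minimum group size are the two knobs that decide how noisy the list gets, and small peer groups should be merged into a parent group rather than evaluated on their own.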

Microsoft Azure Log Analytics and Azure Monitor

The Gurucul Security Analytics and Operations Platform drives high-efficacy threat detection with machine-learning based behavior analytics. Gurucul integrates with Azure Monitor to protect your Azure environment and resources by identifying, correlating, and prioritizing threats within Azure. Gurucul also integrates with Log Analytics to help ingest and analyze various Azure Monitor resources and your application logs.

  • Enriches data using identity and cross resource correlation from other data sources within Gurucul.
  • Detects potentially malicious or unwanted activity on your Azure resources.
  • Prioritizes alerts with context and visibility for risk-scoring.
  • Consolidates, analyzes, and queries logs from multiple Azure resources and subscriptions using Log Analytics integration.

Gurucul Azure Log Analytics and Azure Monitor Integration

Microsoft 365

The Gurucul Security Analytics and Operations Platform drives high-efficacy threat detection and automated response with machine learning-based behavior analytics. There are several integrations with Microsoft 365 solutions, all focused on detecting risky anomalous behavior before a malicious actor can do harm.

  • Detect compromise and misuse of user and privileged accounts
  • Perform security analytics and provide full visibility into on-premises and cloud applications
  • Improve anomaly detection with context and visibility for risk-scoring
  • Provide a two-way API and an open architecture for additional integration use cases

User/Entity Risk Scoring Based on Microsoft 365 Events

The Gurucul Platform collects, enriches, and auto-correlates Microsoft 365 events with other third-party data sources to validate and prioritize events that reflect real risk. The Gurucul Platform can raise or lower a user's risk score based on these Microsoft 365 events. The integration ensures timely analysis and detection of threats and improves analyst productivity by providing additional context to investigate, analyze, and respond to malicious attacks.
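The following is an added, simplified illustration of event-driven risk scoring with cross-source correlation; it is not Gurucul's scoring model. Each Microsoft 365-style event carries a weight, a burst of downloads in a short window adds a bonus, and a constructed HR feed (the third-party source) multiplies the score for a user who has given notice. The event records, operation names, weights and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Microsoft 365-style audit events. Field and operation names are
# assumptions for this illustration, not the real Unified Audit Log schema.
EVENTS = [
    {"user": "alice", "op": "FileDownloaded", "ts": "2024-05-01T09:00:00"},
    {"user": "alice", "op": "FileDownloaded", "ts": "2024-05-01T09:01:00"},
    {"user": "alice", "op": "FileDownloaded", "ts": "2024-05-01T09:02:00"},
    {"user": "alice", "op": "FileDownloaded", "ts": "2024-05-01T09:03:00"},
    {"user": "alice", "op": "FileDownloaded", "ts": "2024-05-01T09:04:00"},
    {"user": "alice", "op": "FileDownloaded", "ts": "2024-05-01T09:08:00"},
    {"user": "alice", "op": "AnonymousLinkCreated", "ts": "2024-05-01T09:10:00"},
    {"user": "bob", "op": "FileDownloaded", "ts": "2024-05-01T10:00:00"},
    {"user": "bob", "op": "FileDownloaded", "ts": "2024-05-01T14:00:00"},
    {"user": "bob", "op": "SharingSet", "ts": "2024-05-01T15:00:00"},
]

# Constructed third-party context, standing in for an HR feed: who has given notice.
HR_CONTEXT = {"alice": {"leaver": True}, "bob": {"leaver": False}}

# Illustrative weights (assumed): per-event contribution to the user's score.
WEIGHTS = {"FileDownloaded": 2, "SharingSet": 5, "AnonymousLinkCreated": 14}
# A burst of BURST_COUNT downloads inside BURST_WINDOW adds BURST_BONUS once.
BURST_COUNT, BURST_WINDOW, BURST_BONUS = 5, timedelta(minutes=15), 20
LEAVER_MULTIPLIER = 1.5   # HR context amplifies an otherwise moderate score
MAX_SCORE = 100


def _has_download_burst(timestamps):
    """True if any BURST_COUNT consecutive downloads fall within BURST_WINDOW."""
    ts = sorted(timestamps)
    return any(ts[i + BURST_COUNT - 1] - ts[i] <= BURST_WINDOW
               for i in range(len(ts) - BURST_COUNT + 1))


def risk_scores(events, hr_context):
    """Return {user: score} from weighted events, burst detection and HR context."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev)
    scores = {}
    for user, evs in per_user.items():
        score = sum(WEIGHTS.get(ev["op"], 0) for ev in evs)
        downloads = [datetime.fromisoformat(ev["ts"]) for ev in evs
                     if ev["op"] == "FileDownloaded"]
        if _has_download_burst(downloads):
            score += BURST_BONUS
        if hr_context.get(user, {}).get("leaver"):
            score *= LEAVER_MULTIPLIER
        scores[user] = min(MAX_SCORE, score)
    return scores


if __name__ == "__main__":
    # alice: 6 downloads (12) + anonymous link (14) + burst (20) = 46, x1.5 as a leaver = 69
    # bob: 2 downloads (4) + sharing change (5) = 9
    for user, score in sorted(risk_scores(EVENTS, HR_CONTEXT).items(), key=lambda kv: -kv[1]):
        print(f"{user}: {score}")
```

The point of the correlation step is visible in the numbers: the same Microsoft 365 activity scores 46 without the HR feed and 69 with it, which is what moves the user to the top of an analyst's queue. The example only shows the score going up; the "decrease" side (for instance decaying a score as time passes without further anomalies) is left out for brevity.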

Behavioral Analytics

Microsoft 365 events feed Gurucul's ML-based behavioral analytics to detect user behavior anomalies that can be classified as real threats. Azure AD supplies identity attributes such as first name, last name, email, and manager; permission and group information is also used to build a persona of the individual, which is then combined with day-to-day Microsoft 365 user activity and peer behavior. Microsoft SharePoint events provide insight into privilege escalation: configuring privileged access management directly, granting access rights, adding a user to a group, and changing group rights.

OneDrive and SharePoint Activity Monitoring

The Gurucul system monitors user-to-file activity, segregation of duties, and application and file privileges. When detecting malicious activities such as insider attacks, the platform not only baselines file-to-user and file-to-peer behavior but can also monitor transport and application behavior. For example, a disgruntled employee who is leaving the company may have access to specific documents. In this scenario, the employee starts printing the sensitive documents they have access to. This abnormality in user behavior can be linked directly to other events, such as HR violations or an increase in visits to job sites, to provide additional context.

Message Trace Data Analytics

Gurucul integrates with Microsoft 365 Message Trace to support a wide variety of use cases. By analyzing Message Trace data, the Gurucul Platform can quickly identify an insider or disgruntled employee by learning about the user, enriching the user's profile, and then feeding the ML models with the user- and network-based events. The Gurucul Platform also matches Message Trace data against known malicious URLs, IPs, and file hashes, which can be used to identify and classify specific files, malicious domains, and C2 data flows. Microsoft Message Trace provides deeper insight into event details; in the case of sandbox activity, details such as the filename can be found.
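As an added illustration of the indicator matching described above (not Gurucul's code), the block below extracts the sender IP, sender domain, URL hostnames and attachment hash from constructed message trace records and looks each one up in constructed threat-intelligence lists, returning one classified hit per matched indicator. The record field names are assumptions for the example; real Exchange Online message trace exports use their own schema, and the indicators use reserved documentation addresses and domains rather than real IoCs.

```python
from urllib.parse import urlparse

CONSTRUCTED_HASH = "a1" * 32   # placeholder SHA-256, not a real sample hash

# Constructed message trace records. Field names are assumptions for this
# illustration; the IPs and domains are RFC 5737 / RFC 2606 reserved values.
MESSAGES = [
    {"id": "m1", "sender": "payroll@invoice-update.example.net",
     "recipient": "cfo@example.com", "from_ip": "203.0.113.7",
     "urls": ["http://invoice-update.example.net/login"], "attachment_sha256": None},
    {"id": "m2", "sender": "alice@example.com", "recipient": "partner@example.org",
     "from_ip": "198.51.100.22", "urls": [], "attachment_sha256": CONSTRUCTED_HASH},
    {"id": "m3", "sender": "bob@example.com", "recipient": "carol@example.com",
     "from_ip": "198.51.100.23", "urls": ["https://intranet.example.com/wiki"],
     "attachment_sha256": None},
]

# Constructed threat-intelligence lists: indicator -> classification label.
THREAT_INTEL = {
    "ip": {"203.0.113.7": "c2_server"},
    "domain": {"invoice-update.example.net": "credential_phishing"},
    "sha256": {CONSTRUCTED_HASH: "known_malware"},
}


def indicators(msg):
    """Yield (indicator_type, value) pairs extractable from one trace record."""
    yield "ip", msg["from_ip"]
    yield "domain", msg["sender"].split("@")[-1].lower()
    for url in msg["urls"]:
        host = urlparse(url).hostname
        if host:
            yield "domain", host.lower()
    if msg["attachment_sha256"]:
        yield "sha256", msg["attachment_sha256"].lower()


def enrich(messages, intel):
    """Match every indicator of every message against the intel lists.

    Returns a list of hits; the same indicator seen twice in one message
    (sender domain and URL host, say) is reported once.
    """
    hits = []
    for msg in messages:
        seen = set()
        for kind, value in indicators(msg):
            if (kind, value) in seen:
                continue
            seen.add((kind, value))
            label = intel.get(kind, {}).get(value)
            if label:
                hits.append({"id": msg["id"], "indicator_type": kind,
                             "indicator": value, "classification": label})
    return hits


if __name__ == "__main__":
    # m1 matches on both the C2 source IP and the phishing domain; m2 on the hash; m3 is clean
    for hit in enrich(MESSAGES, THREAT_INTEL):
        print(f"{hit['id']}: {hit['indicator_type']}={hit['indicator']} -> {hit['classification']}")
```

Each hit is a candidate for the risk-scoring step: a message whose source IP is listed as a C2 server is worth more than one that merely references a suspicious domain, so the classification label, not just the fact of a match, is what should feed the user's score.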

Gurucul Microsoft 365 Integration