Microsoft Azure Active Directory
Gurucul offers machine learning behavior analytics and context to facilitate risk-based authentication enforcement. The Microsoft Azure AD integration provides several capabilities, all focused on detecting risky anomalous behavior before a malicious actor can do harm.
- Detect access over-provisioning, account compromise, privileged access misuse, and policy violations
- Link multiple accounts and account aliases to one central identity for identity knowledge and enrichment
- Detect unusual download and hoarding behavior, data exfiltration, disgruntled employees, data breaches, and intellectual property theft
- Discover privileged access dynamically
- Identify and remove dormant accounts and unused or unassigned groups
- Perform access outlier analysis using peer group analytics
- Prioritize alerts using a risk-based approach
- Map detections to MITRE ATT&CK
- Enrich detections with threat intelligence
Microsoft Azure Log Analytics and Azure Monitor
The Gurucul Security Analytics and Operations Platform drives high-efficacy threat detection with machine learning-based behavior analytics. Gurucul integrates with Azure Monitor to protect your Azure environment and resources by identifying, correlating, and prioritizing threats within Azure. Gurucul also integrates with Log Analytics to ingest and analyze Azure Monitor resource logs and your application logs.
- Enriches data using identity and cross-resource correlation from other data sources within Gurucul
- Detects potentially malicious or unwanted activity on your Azure resources
- Prioritizes alerts with context and visibility for risk scoring
- Consolidates, analyzes, and queries logs from multiple Azure resources and subscriptions through the Log Analytics integration
Microsoft 365
The Gurucul Security Analytics and Operations Platform drives high-efficacy threat detection and automated response with machine learning-based behavior analytics. There are several integrations with Microsoft 365 solutions, all focused on detecting risky anomalous behavior before a malicious actor can do harm.
- Detect compromise and misuse of user and privileged accounts
- Perform security analytics and provide full visibility into on-premises and cloud applications
- Improve anomaly detection with context and visibility for risk scoring
- Provide a two-way API and an open architecture for additional integration use cases
User/Entity Risk Scoring Based on Microsoft 365 Events
The Gurucul Platform collects, enriches, and auto-correlates Microsoft 365 events with other third-party data sources to validate and prioritize events that reflect real risk. The Gurucul Platform can raise or lower a user's risk score based on these Microsoft 365 events. The integration ensures timely analysis and detection of threats and improves analyst productivity by providing additional context to investigate, analyze, and respond to malicious attacks.
Microsoft 365 events feed Gurucul's ML-based behavioral analytics to detect user behavior anomalies that can be classified as real threats. Azure AD supplies identity attributes such as first name, last name, email, and manager. Permission and group information are also used to build a persona of the individual, which is combined with day-to-day Microsoft 365 user activity and peer behavior. Microsoft SharePoint events provide insight into privilege escalation, such as configuring privileged access management directly, granting access rights, adding a user to a group, and changing group rights.
OneDrive and SharePoint Activity Monitoring
The Gurucul system monitors user-to-file activity, segregation of duties, and application and file privileges. When detecting malicious activities such as insider attacks, the platform not only baselines file-to-user and file-to-peer behaviors but can also monitor transport and application behavior. For example, a disgruntled employee who is leaving the company may have access to specific documents. In this scenario, the employee starts printing sensitive documents to which they have access. This abnormality in user behavior can be directly linked to other events, such as HR violations or an increase in job sites visited, to provide additional context.
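The risk-scoring and peer-group baselining described in the two sections above, as an added example that is not Gurucul's code: it collapses account aliases onto one central identity, counts OneDrive/SharePoint file downloads from constructed audit-log-shaped events, flags identities whose downloads are far above their peer group's median, and bumps their risk score. All identities, aliases, peer groups, thresholds and event counts are made up for the example.

```python
"""Peer-group access-outlier scoring over constructed Microsoft 365 audit events."""
from collections import defaultdict
from statistics import median

# Constructed events shaped like unified audit log fields (UserId, Workload, Operation).
EVENTS = (
    [("alice@example.com", "OneDrive", "FileDownloaded")] * 3
    + [("bob@example.com", "SharePoint", "FileDownloaded")] * 2
    + [("carol@example.com", "OneDrive", "FileDownloaded")] * 3
    + [("frank@example.com", "SharePoint", "FileDownloaded")] * 4
    + [("dave@example.com", "OneDrive", "FileDownloaded")] * 25
    + [("d.jones@contoso.onmicrosoft.com", "SharePoint", "FileDownloaded")] * 15  # dave's alias
    + [("alice@example.com", "SharePoint", "FileAccessed")] * 50   # reads, not downloads
    + [("erin@example.com", "Exchange", "MailItemsAccessed")] * 9  # other workload, ignored here
)
# Constructed alias map: several account identifiers collapse onto one central identity.
ALIASES = {"d.jones@contoso.onmicrosoft.com": "dave@example.com"}
PEER_GROUP = {"alice@example.com": "finance", "bob@example.com": "finance",
              "carol@example.com": "finance", "frank@example.com": "finance",
              "dave@example.com": "finance", "erin@example.com": "engineering"}

def central_identity(user_id):
    return ALIASES.get(user_id.lower(), user_id.lower())

def download_counts(events):
    """Per-identity count of FileDownloaded operations from OneDrive and SharePoint."""
    counts = defaultdict(int)
    for user_id, workload, operation in events:
        if workload in ("OneDrive", "SharePoint") and operation == "FileDownloaded":
            counts[central_identity(user_id)] += 1
    return dict(counts)

def access_outliers(counts, peer_group, ratio=5.0, floor=20):
    """Flag identities whose downloads exceed `ratio` x their peer group's median and
    at least `floor`; a group with fewer than 3 members has no usable baseline."""
    by_group = defaultdict(dict)
    for ident, n in counts.items():
        by_group[peer_group.get(ident, "unassigned")][ident] = n
    flagged = {}
    for members in by_group.values():
        if len(members) < 3:
            continue
        baseline = median(members.values())
        for ident, n in members.items():
            if n >= floor and n > ratio * baseline:
                flagged[ident] = round(n / baseline, 1)  # multiple of the peer median
    return flagged

def risk_scores(counts, peer_group, base=10, bump=40):
    """Start every identity at `base`; raise flagged outliers by `bump` for alert prioritisation."""
    outliers = access_outliers(counts, peer_group)
    return {ident: base + (bump if ident in outliers else 0) for ident in counts}
```

Running `risk_scores(download_counts(EVENTS), PEER_GROUP)` scores the merged dave identity at 50 while the rest of the finance group stays at 10; alice's 50 read-only accesses do not count against her.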
Message Trace Data Analytics
Gurucul integrates with Microsoft 365 Message Trace to support a wide variety of use cases. By analyzing Message Trace data, the Gurucul Platform can quickly identify an insider or disgruntled employee by learning about the user, enriching the user's profile, and then feeding the ML models with user and network-based events. The Gurucul Platform also analyzes indicators in Message Trace data, such as known malicious URLs, IPs, and file hashes, which can be used to identify and classify specific files, malicious domains, and C2 data flows. Microsoft Message Trace provides deeper insight into event details; in the case of sandbox activity, details such as the filename can be found.