With the increasing use of SaaS services and the rising number of remote users, security teams must do more to verify the identity of the users and entities that interact with and access data across cloud domains. Zero Trust remains a distant goal as organizations struggle with configuration complexity and a shortage of identity and access management expertise, and threat actors have shifted their targets to IAM services, including Microsoft Azure Active Directory (AD). In the face of ever-increasing attacks, security teams need a new and easier way of identifying threat actors who leverage privileged human and machine accounts. Vectra can help.
What is Vectra Detect for Azure AD?
Vectra Detect for Azure AD is the industry’s most advanced AI-driven Cloud Detection and Response solution for closing the door on cyber attackers accessing Azure AD.
Know when your Azure AD Accounts are Compromised
Vectra Detect for Azure AD harnesses Security AI-driven Attack Signal Intelligence™ to uncover and counter account compromises and close the door on cyber attackers accessing federated applications and services, including Azure AD, M365, Salesforce, AWS and VPNs.
Integrated with the Vectra platform, Vectra enriches CDR capabilities with a user-level perspective on activity in federated and SaaS apps, where Security AI makes sense of unauthorized sign-ins, scripting engine access, trusted application abuse, domain federation changes and general cloud privilege abuse. AI is applied to learn from data, identify patterns and make decisions without human intervention, ensuring visibility across changing patterns, users and admins — even when MFA fails or authentication is made with stolen cookies.
Key Capabilities of Vectra Detect for Azure AD
AI-driven Detection
Harnessing Security AI-driven Attack Signal Intelligence, Vectra goes beyond signatures and simple anomaly detection to expose the complete narrative of an attack. With comprehensive analysis of Azure AD account data that is enriched with organizational and consortium insights, Vectra Detect for Azure AD uncovers malicious use of compromised accounts and credentials. Vectra reveals deeper threat context on a per-account basis to drive attribution and detect over 90% of malicious MITRE ATT&CK techniques.
AI-driven Triage
Harnessing Security AI-driven Attack Signal Intelligence, Vectra understands previously prioritized threats and suspicious Azure AD activity. By continuously analyzing events, Vectra distinguishes malicious events from benign ones based on context and commonalities. Benign detections are then triaged automatically with the perspective of an expert analyst.
AI-driven Prioritization
Harnessing Security AI-driven Attack Signal Intelligence, Vectra automatically correlates, scores and ranks multiple concurrent detections as events unfold. AI analytics automatically assess incidents against existing events to the degree of a highly experienced security analyst — instantly revealing the level of risk exposure and the resulting priority so SecOps can devote more time to driving action plans.
Advanced Investigation
Vectra simplifies deep investigation and puts answers at analysts' fingertips, reducing the effort and time it takes to run complex queries, interpret findings and proactively surface signals that stop progressing threats. Findings from vast amounts of data are automatically interpreted with up-to-date details, so security analysts are better informed and can drive response actions at the right time.
Chaos Dashboard
Clearly see the impact of, and any gaps in, your Azure AD configuration. Active posture shows the activity that normal users are performing and where it could be leaving your organization open to future attacks, so that you know which risks to mitigate.
Targeted Response
With deeper threat context than native Microsoft tools provide, security teams gain rich capabilities to respond, contain, investigate, communicate and address compromised systems in less time. Resilient analyst-driven enforcement keeps humans in control, with a flexible approach that allows either automated workflows or analyst-triggered actions in the UI. Out-of-the-box response controls work with the tools and playbooks already in place — all together instilling confidence throughout the team, reducing burnout and minimizing cost.
Is Vectra Detect for Azure AD compliant?
Vectra securely collects Azure AD and M365 logs from the customer's tenant into Vectra's secure cloud, runs detection models on those logs in Vectra's cloud, and publishes detection events and context into the customer's Vectra UI, located either on a customer-managed brain (on-premises or virtual) or in Vectra's SaaS UI.
Recognizing the sensitive nature of Azure AD and M365 usage and the information in the resulting logs, Vectra ingests logs on a strictly need-to-know basis. Only the subset of logs required for the analytics are ingested into the Vectra cloud.
Vectra collects the necessary data using a secure OAuth application that runs in the customer’s Azure AD tenant. The application is authorized by the customer’s Global Admin and uses the following read-only permissions:
ActivityFeed.Read (Office Management API)
ActivityFeed.ReadDLP (Office Management API)
Directory.Read.All (Graph API for Azure AD logs)
AuditLog.Read.All (Graph API for Azure AD logs)
User.Read (Added by default by Microsoft – this is not actually requested)
The OAuth application can be removed at any time by the customer. Once removed, log collection will stop immediately.
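As an added example (not Vectra's or Microsoft's code), a defender's least-privilege check: compare the permissions actually consented to the collection app's service principal in the tenant against the read-only set listed above, and flag anything missing (collection would break) or extra (over-privilege). It assumes the grants have been exported as (resource API, permission) pairs, for instance from the app's Permissions page in the Azure portal; the sample grants below are constructed.

```python
from dataclasses import dataclass, field
# Documented baseline from this page: (resource API, permission) pairs.
DOCUMENTED = {
    ("Office 365 Management APIs", "ActivityFeed.Read"),
    ("Office 365 Management APIs", "ActivityFeed.ReadDLP"),
    ("Microsoft Graph", "Directory.Read.All"),
    ("Microsoft Graph", "AuditLog.Read.All"),
}
# Added by Microsoft by default, not requested by the app: tolerated but not required.
TOLERATED = {("Microsoft Graph", "User.Read")}
# CONSTRUCTED sample export for the app's service principal; two grants are off-baseline.
SAMPLE_GRANTS = [
    ("Office 365 Management APIs", "ActivityFeed.Read"),
    ("Office 365 Management APIs", "ActivityFeed.ReadDLP"),
    ("Microsoft Graph", "Directory.Read.ALL"),        # case differs, same scope
    ("Microsoft Graph", "AuditLog.Read.All"),
    ("Microsoft Graph", "User.Read"),
    ("Microsoft Graph", "Mail.Read"),                 # extra read scope: not needed
    ("Microsoft Graph", "Directory.ReadWrite.All"),   # extra write scope: can alter the tenant
]
@dataclass
class ConsentReport:
    missing: set = field(default_factory=set)       # documented but not granted
    excess_read: set = field(default_factory=set)   # granted, undocumented, read-only
    excess_write: set = field(default_factory=set)  # granted, undocumented, can change state

    @property
    def ok(self) -> bool:
        return not (self.missing or self.excess_read or self.excess_write)

def _key(pair):
    # Scope names are compared case-insensitively.
    return (pair[0].strip().lower(), pair[1].strip().lower())

def _is_read_only(permission: str) -> bool:
    # Name heuristic: ".Read" without "Write" is read-only; anything else is assumed to change state.
    p = permission.lower()
    return ".read" in p and "write" not in p

def audit_consent(granted) -> ConsentReport:
    """Compare granted (resource, permission) pairs with the documented baseline."""
    want = {_key(p): p for p in DOCUMENTED}
    have = {_key(p): p for p in granted}
    tolerated = {_key(p) for p in TOLERATED}
    report = ConsentReport(missing={v for k, v in want.items() if k not in have})
    for k, orig in have.items():
        if k not in want and k not in tolerated:
            (report.excess_read if _is_read_only(orig[1]) else report.excess_write).add(orig)
    return report
```

Re-run the check whenever the app's consent changes; an entry in excess_write means the app has been granted more than the read-only access it needs and the grant should be reviewed.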
How is the ingested data secured?
Logs are ingested from the Microsoft cloud over TLS 1.3-encrypted sessions, pursuant to the authorization of the Vectra app by the customer's Global Admin. The data ingested from each customer tenant is received and stored separately per customer. There are no direct interfaces for accessing this data.
Only Vectra applications are authorized to access this data.
Only log event objects created by Azure AD and M365 are retrieved.
Data at rest is encrypted leveraging Cryptographic Service Provider (CSP) techniques.