Introduction
The Cloud Directory Posture is a critical security feature that continuously scans user activities, login patterns, and mailbox configurations across Google Workspace and Microsoft 365.
Key Benefits:
- Detects abnormal login locations and suspicious mailbox rules.
- Provides real-time security alerts for potential account takeovers.
- Serves as the foundation for multiple Guardz security controls.
Available in: Starter, Pro, and Ultimate Plans
First-Time Setup?
Before using Cloud Directory Posture, you must first integrate your cloud provider (Google Workspace or Microsoft 365).
Navigating Cloud Directory Posture in Guardz
Where to Find It
1. Log into Guardz.
2. Navigate to Security Controls > Cloud Directory Posture.
3. In this dashboard, you can:
- View all integrated cloud applications.
- See the number of active users.
- Manage Approved Locations.
Single Customer View Features
In Single Customer view, you can:
- Change license allocations.
- Activate the "Approved Locations" tool.
- View and edit the list of Approved Locations.
Approved Locations & Abnormal Logins
How Does Guardz Identify Suspicious Logins?
- Guardz analyzes historical login data for 7 days to establish a normal login benchmark.
- If a login occurs outside the approved norm, it is flagged as abnormal.
- Abnormal logins help detect potential account compromise and unauthorized access.
Managing Approved Locations in Guardz
1. Go to Security Controls > Cloud Directory Posture.
2. Click Edit to modify Approved Locations.
3. Approved Locations are tracked by:
- IP Addresses
- Countries
- Cities
Tip: You can add or remove locations at any time to refine detection accuracy.
Removing a location:
- Logins from that location will no longer generate an issue.
- Existing issues related to that location will be closed.
Adding a location:
- You can specify either an IP address or a City/Country.
- For broader control, add an IP range (e.g., 1.1.1.1/24) or allow an entire country.
Note: Each newly added location requires a reason (system benchmark vs. admin approval).
FAQ: Cloud Directory Security Insights
Why does an issue state "MFA Missing Member" even though MFA is enabled?
Answer: The user may need to create a password specifically for MFA authentication.
How often does the MFA scan run?
Answer: The scan runs every 2 hours, and immediately when new users are added within the tenant. If a user is deleted within the tenant, it can take up to 2 hours for the user to be removed within Guardz.
How does Guardz determine the benchmark for normal logins?
Answer: Benchmark rules:
- Guardz pulls login activity from the last 7 days upon initial setup.
- If a login occurs 3+ times from the same location, it becomes an approved benchmark location.
Why can't I enable Audit Logs in Microsoft 365?
Answer: The Microsoft 365 Basic license does not support Audit Logs. You must upgrade to a higher-tier license.
How does Guardz classify suspicious login severity?
Answer: Risk level criteria:

| Risk Level | Condition |
|---|---|
| Critical | Admin user logs in from a high-risk country |
| High | Login from a suspicious country, OR admin login from an unrecognized location |
| Medium | Other detected anomalies (e.g., unusual devices) |
| Info | All detections meet a known security benchmark |

Benchmarks that reduce false positives:
- User-Agent Consistency: If a user logs in 100+ times from the same User-Agent in 30 days, it is considered safe.
- Device Agent Matching: If a known device logs in from a known IP, it is marked safe.
- IP Reputation Score: If the IP's reputation score is 0, it is safe.
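The two answers above (the 7-day / 3-login benchmark and the severity table with its false-positive benchmarks) as a worked example in Python. This is added illustration code, not Guardz's implementation; the login records, the setup time, the high-risk and suspicious country lists, and the IP reputation values are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def ev(user, admin, country, city, ua, day, ip_rep=50):
    """One constructed login record (day = days after 2024-06-01); not real tenant data."""
    return {"user": user, "admin": admin, "country": country, "city": city,
            "ua": ua, "ip_rep": ip_rep, "time": datetime(2024, 6, 1) + timedelta(days=day)}

# Constructed 7-day history as of the assumed initial setup time (2024-06-08).
SETUP_TIME = datetime(2024, 6, 8)
HISTORY = (
    [ev("alice", False, "US", "Boston", "Chrome/125", d) for d in (1, 2, 3, 4)]  # 4 logins
    + [ev("alice", False, "US", "Denver", "Chrome/125", 5)]                       # 1 login
    + [ev("bob", True, "DE", "Berlin", "Edge/124", d) for d in (1, 3, 5)]         # 3 logins
)
# Placeholder country lists (assumptions for this example; Guardz's own lists are not on the page).
HIGH_RISK = {"ZZ"}
SUSPICIOUS = {"YY"} | HIGH_RISK

def benchmark_locations(history, now, days=7, min_logins=3):
    """Benchmark rule: a (country, city) seen 3+ times in the last 7 days is approved."""
    cutoff = now - timedelta(days=days)
    counts = Counter((e["country"], e["city"])
                     for e in history if cutoff <= e["time"] <= now)
    return {loc for loc, n in counts.items() if n >= min_logins}

def ua_is_consistent(history, event, now, days=30, min_logins=100):
    """False-positive benchmark: 100+ logins from the same User-Agent in 30 days is safe."""
    cutoff = now - timedelta(days=days)
    return sum(1 for e in history
               if e["user"] == event["user"] and e["ua"] == event["ua"]
               and cutoff <= e["time"] <= now) >= min_logins

def classify(event, approved, history, now):
    """Severity per the table above; a matched benchmark downgrades the login to Info."""
    location = (event["country"], event["city"])
    if location in approved or event["ip_rep"] == 0 or ua_is_consistent(history, event, now):
        return "Info"
    if event["admin"] and event["country"] in HIGH_RISK:
        return "Critical"
    if event["country"] in SUSPICIOUS or event["admin"]:
        return "High"    # suspicious country, or admin from an unrecognized location
    return "Medium"      # other anomaly (e.g., unusual device)
```

Running `benchmark_locations(HISTORY, SETUP_TIME)` approves Boston and Berlin (3+ logins each) but not Denver (seen once), and `classify` then rates a later Denver login by alice as Medium and an admin login by bob from a high-risk country as Critical.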
Best Practices for Cloud Directory Security
- Regularly update Approved Locations to prevent unnecessary login alerts.
- Use Guardz MFA Enforcement to secure all accounts.
- Monitor login trends for potential account compromise attempts.
- Investigate and resolve abnormal login alerts quickly.