ThreatQ CDF for Microsoft Entra
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.0.0 |
Compatible with ThreatQ Versions | >= 5.29.0 |
Compatible Third-Party Environment | Microsoft Azure Cloud |
Support Tier | ThreatQ Supported |
Introduction
The ThreatQ CDF for Microsoft Entra integration provides users with the ability to import Microsoft Entra Users into the ThreatQ platform.
The integration provides the following feed:
- Microsoft Entra Users - ingests users from a Microsoft Azure Organization into ThreatQ as Identities.
The integration ingests Identity and Identity Attribute system object types.
Prerequisites
The following is required to run the integration:
- Azure Tenant ID
- Azure Client ID
- Azure Client Secret
- A Microsoft Azure Application with Microsoft Graph access for the User.ReadWrite.All permission.
Microsoft Graph Required Permissions
Your Microsoft Azure Application must have Microsoft Graph access for the User.ReadWrite.All permission.
- Navigate to the API Permissions for your Azure Application.
- Click on Add a Permission.
- Click on Microsoft Graph > Application Permissions.
- Search for and enable the User.ReadWrite.All permission.
- Click on the Add permissions button.
- Click on Grant admin consent for <Organization> button to fully enable the permissions.
This last step may take several minutes to propagate the permissions to your application. See the following link for additional information: https://learn.microsoft.com/en-us/graph/api/user-list
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the integration yaml file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the integration yaml file using one of the following methods:
- Drag and drop the file into the dialog box
- Select Click to Browse to locate the file on your local machine
ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.
The feed will be added to the integrations page. You will still need to configure and then enable the feed.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Azure Tenant ID | Enter your Azure Tenant ID. This can be obtained from the Azure Active Directory App Registrations page. |
Azure Client ID | Enter your Azure Client ID. This can be obtained from the Azure Active Directory App Registrations page. |
Azure Client Secret | Enter your Azure Client Secret. This can be obtained from the Azure Active Directory Certificates and Secrets page. |
Enable SSL Certificate Verification | Enable or disable verification of the server's SSL certificate. |
Disable Proxies | Enable this option if the feed should not honor proxies set in the ThreatQ UI. |
Domain | Enter a domain to ingest only users whose userPrincipalName belongs to that domain. Leave this parameter blank to ingest all users. |
Context Filter | Select the pieces of enrichment context to ingest into ThreatQ. Options include: Display Name (default), Is Enabled (default), Business Phone, Job Title, Office Location, Street Address, City, State, Country |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
Microsoft Entra Users
The Microsoft Entra Users feed ingests the users of a Microsoft Azure Organization that uses Microsoft Entra into ThreatQ as Identity objects. The feed can be configured to ingest all users, or only those from a specific domain, via the Domain configuration parameter.
GET https://graph.microsoft.com/v1.0/users
Sample Request Parameters:
{
"$select": "displayName,businessPhones,jobTitle,officeLocation,userPrincipalName,streetAddress,city,state,country,accountEnabled,createdDateTime",
"$filter": "endsWith(userPrincipalName,'threatq.com')",
"$count": "true"
}
Sample Response:
[
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,businessPhones,jobTitle,officeLocation,userPrincipalName,streetAddress,city,state,country,accountEnabled,createdDateTime)",
"value": [
{
"accountEnabled": true,
"businessPhones": [
"3046169799"
],
"city": "Martinsburg",
"country": "US",
"createdDateTime": "2020-11-24T15:50:56Z",
"displayName": "threatq",
"jobTitle": "Threat Intelligence Engineer Intern",
"officeLocation": "3046169773",
"state": "West Virginia",
"streetAddress": "171 ABC",
"userPrincipalName": "threatq@threatq.com"
}
]
}
]
ThreatQuotient provides the following default mapping for this feed, based on the fields within each entry of the response's value array:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.displayName | Identity.Value | Identity | .createdDateTime | threatq | N/A |
.userPrincipalName | Identity.Attribute | User Principal Name | .createdDateTime | threatq@threatq.com | User-configurable. |
.businessPhones | Identity.Attribute | Business Phone | .createdDateTime | 3046169799 | User-configurable. |
.jobTitle | Identity.Attribute | Job Title | .createdDateTime | Threat Intelligence Engineer Intern | User-configurable. |
.accountEnabled | Identity.Attribute | Is Enabled | .createdDateTime | True | User-configurable. Updatable. |
.officeLocation | Identity.Attribute | Office Location | .createdDateTime | 3046169773 | User-configurable. |
.streetAddress | Identity.Attribute | Street Address | .createdDateTime | 171 ABC | User-configurable. |
.city | Identity.Attribute | City | .createdDateTime | Martinsburg | User-configurable. |
.state | Identity.Attribute | State | .createdDateTime | West Virginia | User-configurable. |
.country | Identity.Attribute | Country | .createdDateTime | US | User-configurable. |
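The following Python is an added example, not ThreatQuotient's feed code or Microsoft's SDK. It ties together the request shown under Sample Request Parameters and the mapping table above: it builds the $select/$filter query for GET /v1.0/users (the Domain parameter becomes a server-side endsWith filter, which on Graph user objects requires the single-quoted OData literal, $count=true and the ConsistencyLevel: eventual header), obtains a token with the client-credentials grant the Azure Application prerequisites imply, follows @odata.nextLink paging, and converts each entry of the response's value array into an Identity with the attributes the Context Filter selects. The function names, the identity dict shape, and the choice to always ingest User Principal Name (the page marks it user-configurable but does not list it among the Context Filter options) are assumptions of this example; the sample response is a constructed copy of the one on this page.

```python
# Added example (not ThreatQuotient's or Microsoft's code): builds the Graph request
# the feed describes, pages through results, and applies the page's field mapping.
# Function names and the identity dict shape are assumptions of this example.
import json
import urllib.parse
import urllib.request

GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SELECT_FIELDS = ("displayName,businessPhones,jobTitle,officeLocation,userPrincipalName,"
                 "streetAddress,city,state,country,accountEnabled,createdDateTime")
# ThreatQ attribute key (mapping table) -> Graph user field.
ATTRIBUTE_MAP = {
    "User Principal Name": "userPrincipalName", "Business Phone": "businessPhones",
    "Job Title": "jobTitle", "Is Enabled": "accountEnabled",
    "Office Location": "officeLocation", "Street Address": "streetAddress",
    "City": "city", "State": "state", "Country": "country",
}
ALL_CONTEXT = tuple(ATTRIBUTE_MAP)
# Page defaults are Display Name and Is Enabled; UPN is not a Context Filter
# option on the page, so this example assumes it is always ingested.
DEFAULT_CONTEXT = ("Is Enabled", "User Principal Name")


def build_query(domain=None):
    """Query parameters for GET /v1.0/users. With a domain, filter server-side on
    the UPN suffix: the OData literal must be single-quoted, and endsWith() on
    users also needs $count=true plus the ConsistencyLevel: eventual header."""
    params = {"$select": SELECT_FIELDS}
    if domain:
        literal = domain.replace("'", "''")  # OData escapes ' by doubling it
        params["$filter"] = "endsWith(userPrincipalName,'%s')" % literal
        params["$count"] = "true"
    return params


def get_token(tenant_id, client_id, client_secret):
    """OAuth 2.0 client-credentials grant; the app must hold the admin-consented
    User.ReadWrite.All application permission for Graph to return users."""
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req) as resp:  # TLS certificate verified by default
        return json.load(resp)["access_token"]


def fetch_users(token, domain=None):
    """Yield every user, following @odata.nextLink until the last page."""
    url = GRAPH_USERS_URL + "?" + urllib.parse.urlencode(build_query(domain))
    headers = {"Authorization": "Bearer " + token}
    if domain:
        headers["ConsistencyLevel"] = "eventual"
    while url:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the final page


def map_user(user, context_filter=DEFAULT_CONTEXT):
    """Map one entry of the response's value array to a ThreatQ Identity:
    displayName is the Identity value, createdDateTime the published date, and
    each selected field becomes an attribute (one per number for businessPhones)."""
    published = user.get("createdDateTime")
    identity = {"value": user.get("displayName"), "published_at": published, "attributes": []}
    for key in context_filter:
        raw = user.get(ATTRIBUTE_MAP[key])
        if raw in (None, "", []):
            continue  # no blank attributes for missing context
        for value in (raw if isinstance(raw, list) else [raw]):
            identity["attributes"].append({"name": key, "value": str(value), "published_at": published})
    return identity


def map_response(response, context_filter=DEFAULT_CONTEXT):
    """Apply map_user to every entry of one Graph users response object."""
    return [map_user(u, context_filter) for u in response.get("value", [])]


# Constructed sample, copied from the page's sample response.
SAMPLE_RESPONSE = {"value": [{
    "accountEnabled": True, "businessPhones": ["3046169799"], "city": "Martinsburg",
    "country": "US", "createdDateTime": "2020-11-24T15:50:56Z", "displayName": "threatq",
    "jobTitle": "Threat Intelligence Engineer Intern", "officeLocation": "3046169773",
    "state": "West Virginia", "streetAddress": "171 ABC",
    "userPrincipalName": "threatq@threatq.com"}]}
SAMPLE_USER = SAMPLE_RESPONSE["value"][0]

if __name__ == "__main__":
    print(json.dumps(map_response(SAMPLE_RESPONSE, ALL_CONTEXT), indent=2))
```

Running the file as-is maps only the embedded sample; a live run is `map_response({"value": list(fetch_users(get_token(tenant, client, secret), "threatq.com"))}, ALL_CONTEXT)`. urllib verifies the server certificate by default, which corresponds to leaving Enable SSL Certificate Verification on; empty or missing Graph fields are skipped rather than stored as blank attributes, and accountEnabled is stringified so it lands as the "True" shown in the mapping table.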
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
Metric | Result |
---|---|
Run Time | 1 minute |
Identities | 82 |
Identity Attributes | 400 |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
ThreatQ CDF for Microsoft Entra Guide v1.0.0 | 5.29 or Greater |