ThreatQ CDF for Microsoft Entra

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The ThreatQ CDF for Microsoft Entra integration provides users with the ability to import Microsoft Entra Users into the ThreatQ platform.  

The integration provides the following feed:

  • Microsoft Entra Users - ingests users from a Microsoft Azure Organization into ThreatQ as Incidents.

The integration ingests Identity and Identity Attribute system object types.  

Prerequisites

The following is required to run the integration:

  • Azure Tenant ID
  • Azure Client ID
  • Azure Client Secret
  • A Microsoft Azure Application with Microsoft Graph access for the User.ReadWrite.All permission.

Microsoft Graph Required Permissions

Your Microsoft Azure Application must have Microsoft Graph access for the User.ReadWrite.All permission.

  1. Navigate to the API Permissions for your Azure Application.
  2. Click on Add a Permission.
  3. Click on Microsoft Graph > Application Permissions.  
  4. Search and enable the User.ReadWrite.All permission.
  5. Click on the Add permissions button.
  6. Click on Grant admin consent for <Organization> button to fully enable the permissions.

    This last step may take several minutes to propagate the permissions to your application.  See the following link for additional information: https://learn.microsoft.com/en-us/graph/api/user-list
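Because admin consent can take several minutes to propagate, it helps to have a way to tell whether the application permission has actually taken effect before enabling the feed. The following is an added example (it is not ThreatQ's or Microsoft's code): it requests an application token with the standard client-credentials grant of the Microsoft identity platform v2.0 endpoint and reads the token's "roles" claim, which lists the application permissions granted to the app. If User.ReadWrite.All is not in that list, step 6 has not propagated yet or consent was not granted. The function and constant names are this example's own.

```python
"""Check whether admin consent for the Graph application permission has propagated.

Added example, not ThreatQ's or Microsoft's code. It obtains an application
token (client-credentials grant) and inspects the "roles" claim, which is the
list of application permissions the tenant has consented to for this app.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED_ROLE = "User.ReadWrite.All"  # the permission this guide requires


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    We only read what the identity platform says it granted; the token is
    not used to authorise anything here, so signature verification is not
    needed for this check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_roles(token: str) -> list:
    """Application permissions present in the token's roles claim."""
    return list(decode_jwt_claims(token).get("roles", []))


def consent_status(token: str, required: str = REQUIRED_ROLE) -> dict:
    """Report whether the required permission has been granted."""
    roles = granted_roles(token)
    return {"required_present": required in roles, "granted": roles}


def fetch_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials request; needs network access and real credentials."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned token (alg none) for running the check offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # tenant_id client_id client_secret
        token = fetch_app_token(*sys.argv[1:])
    else:  # offline demonstration with a constructed token
        token = make_unsigned_test_token({"aud": "https://graph.microsoft.com",
                                          "roles": ["User.ReadWrite.All"]})
    print(json.dumps(consent_status(token), indent=2))
```

Run it with the tenant ID, client ID and client secret from the Prerequisites to test the real application; without arguments it runs against a constructed token. Note that the feed's only documented call is GET /users, for which Microsoft Graph also accepts the read-only User.Read.All application permission; whether that narrower grant satisfies the integration is not stated in this guide, so the check tests for the permission the guide requires.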

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

  1. Log into https://marketplace.threatq.com/.
  2. Locate and download the integration yaml file.
  3. Navigate to the integrations management page on your ThreatQ instance.
  4. Click on the Add New Integration button.
  5. Upload the integration yaml file using one of the following methods:
    • Drag and drop the file into the dialog box
    • Select Click to Browse to locate the file on your local machine

      ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

The feed will be added to the integrations page. You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

    Parameter                          | Description
    Azure Tenant ID                    | Enter your Azure Tenant ID. This can be obtained from the Azure Active Directory App Registrations page.
    Azure Client ID                    | Enter your Azure Client ID. This can be obtained from the Azure Active Directory App Registrations page.
    Azure Client Secret                | Enter your Azure Client Secret. This can be obtained from the Azure Active Directory Certificates and Secrets page.
    Enable SSL Certificate Verification | Enable or disable verification of the server's SSL certificate.
    Disable Proxies                    | Enable this option if the feed should not honor proxies set in the ThreatQ UI.
    Domain                             | Enter a domain to ingest only users whose userPrincipalName belongs to that domain. Leave this parameter blank to ingest all users.
    Context Filter                     | Select the pieces of enrichment context to ingest into ThreatQ. Options include: Display Name (default), Is Enabled (default), Business Phone, Job Title, Office Location, Street Address, City, State, Country.

    Configuration Screen
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

Microsoft Entra Users

The Microsoft Entra Users feed ingests the users of a Microsoft Azure organization, as managed in Microsoft Entra, into ThreatQ as Identity objects. The feed can be configured to ingest all users or only those belonging to a specific domain, via the Domain configuration parameter.

GET https://graph.microsoft.com/v1.0/users

Sample Request Parameters:

{
  "$select": "displayName,businessPhones,jobTitle,officeLocation,userPrincipalName,streetAddress,city,state,country,accountEnabled,createdDateTime",
  "$filter": "endsWith(userPrincipalName,'threatq.com')",
  "$count": "true"
}

Sample Response:

[
  {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,businessPhones,jobTitle,officeLocation,userPrincipalName,streetAddress,city,state,country,accountEnabled,createdDateTime)",
    "value": [
      {
        "accountEnabled": true,
        "businessPhones": [
          "3046169799"
        ],
        "city": "Martinsburg",
        "country": "US",
        "createdDateTime": "2020-11-24T15:50:56Z",
        "displayName": "threatq",
        "jobTitle": "Threat Intelligence Engineer Intern",
        "officeLocation": "3046169773",
        "state": "West Virginia",
        "streetAddress": "171 ABC",
        "userPrincipalName": "threatq@threatq.com"
      }
    ]
  }
]

ThreatQuotient provides the following default mapping for this feed, based on the fields of each item in the value array:

Feed Data Path     | ThreatQ Entity     | ThreatQ Object Type or Attribute Key | Published Date   | Examples                             | Notes
.displayName       | Identity.Value     | Identity                             | .createdDateTime | threatq                              | N/A
.userPrincipalName | Identity.Attribute | User Principal Name                  | .createdDateTime | threatq@threatq.com                  | User-configurable.
.businessPhones    | Identity.Attribute | Business Phone                       | .createdDateTime | 3046169799                           | User-configurable.
.jobTitle          | Identity.Attribute | Job Title                            | .createdDateTime | Threat Intelligence Engineer Intern  | User-configurable.
.accountEnabled    | Identity.Attribute | Is Enabled                           | .createdDateTime | True                                 | User-configurable. Updatable.
.officeLocation    | Identity.Attribute | Office Location                      | .createdDateTime | 3046169773                           | User-configurable.
.streetAddress     | Identity.Attribute | Street Address                       | .createdDateTime | 171 ABC                              | User-configurable.
.city              | Identity.Attribute | City                                 | .createdDateTime | Martinsburg                          | User-configurable.
.state             | Identity.Attribute | State                                | .createdDateTime | West Virginia                        | User-configurable.
.country           | Identity.Attribute | Country                              | .createdDateTime | US                                   | User-configurable.
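The request parameters above and the default mapping table describe one pipeline: build $select from the Context Filter and $filter from the Domain setting, then turn each item of the response's value array into an Identity with attributes. The following added example (not the ThreatQ CDF's own code) carries that pipeline through end to end on a constructed response shaped like the sample above. The Context Filter option names and attribute keys are taken from this guide; the function names, the output dictionary layout, and the choice to anchor the domain match on "@" are this example's own. It also handles the edge cases a practitioner meets in real tenants: users with null or empty fields, multi-valued businessPhones, a boolean accountEnabled, and a domain value containing a single quote, which would otherwise break the OData filter.

```python
"""Build the Graph /users request and map its response into ThreatQ Identity objects.

Added example, not the ThreatQ CDF's own code. Option names and attribute keys
follow the guide's configuration and mapping tables; everything else is this
example's own layout.
"""

# Context Filter option (Configuration tab) -> Graph field it selects.
# "Display Name" is not listed here because displayName is always requested:
# it becomes the Identity value rather than an attribute.
CONTEXT_FIELDS = {
    "Is Enabled": "accountEnabled",
    "Business Phone": "businessPhones",
    "Job Title": "jobTitle",
    "Office Location": "officeLocation",
    "Street Address": "streetAddress",
    "City": "city",
    "State": "state",
    "Country": "country",
}
DEFAULT_CONTEXT = ["Display Name", "Is Enabled"]

# Graph field -> ThreatQ attribute key, in the order of the mapping table.
ATTRIBUTE_KEYS = {
    "userPrincipalName": "User Principal Name",
    "accountEnabled": "Is Enabled",
    "businessPhones": "Business Phone",
    "jobTitle": "Job Title",
    "officeLocation": "Office Location",
    "streetAddress": "Street Address",
    "city": "City",
    "state": "State",
    "country": "Country",
}


def build_request(domain="", context_filter=None):
    """Return (query params, headers) for GET https://graph.microsoft.com/v1.0/users."""
    context = DEFAULT_CONTEXT if context_filter is None else context_filter
    fields = ["displayName", "userPrincipalName", "createdDateTime"]
    fields += [CONTEXT_FIELDS[c] for c in context if c in CONTEXT_FIELDS]
    params = {"$select": ",".join(fields), "$count": "true"}
    if domain:
        # OData string literals are single-quoted and embedded quotes are
        # doubled, so a configured value cannot alter the filter structure.
        literal = "@" + domain.replace("'", "''")  # "@" stops "notthreatq.com" matching "threatq.com"
        params["$filter"] = f"endsWith(userPrincipalName,'{literal}')"
    # endsWith and $count are Graph advanced queries and require this header.
    headers = {"ConsistencyLevel": "eventual"}
    return params, headers


def _attribute_values(value):
    """Normalise one Graph value into the list of strings ThreatQ stores."""
    if value is None or value == "" or value == []:
        return []
    if isinstance(value, list):  # businessPhones is multi-valued
        return [str(v) for v in value if v]
    return [str(value)]  # bool -> "True"/"False", matching the table example


def map_users(response, context_filter=None):
    """Translate a /users response body into ThreatQ Identity objects."""
    context = DEFAULT_CONTEXT if context_filter is None else context_filter
    selected = {"userPrincipalName"} | {CONTEXT_FIELDS[c] for c in context if c in CONTEXT_FIELDS}
    identities = []
    for user in response.get("value", []):
        name = user.get("displayName")
        if not name:
            continue  # no Identity value, nothing to ingest
        published = user.get("createdDateTime")
        attrs = [
            {"name": key, "value": v, "published_at": published}
            for field, key in ATTRIBUTE_KEYS.items() if field in selected
            for v in _attribute_values(user.get(field))
        ]
        identities.append({"type": "Identity", "value": name,
                           "published_at": published, "attributes": attrs})
    return identities


# Constructed response, shaped like the guide's sample; the second user shows
# empty and null fields as returned for sparse directory records.
SAMPLE_RESPONSE = {
    "value": [
        {"accountEnabled": True, "businessPhones": ["3046169799"], "city": "Martinsburg",
         "country": "US", "createdDateTime": "2020-11-24T15:50:56Z", "displayName": "threatq",
         "jobTitle": "Threat Intelligence Engineer Intern", "officeLocation": "3046169773",
         "state": "West Virginia", "streetAddress": "171 ABC",
         "userPrincipalName": "threatq@threatq.com"},
        {"accountEnabled": False, "businessPhones": [], "city": None, "country": None,
         "createdDateTime": "2021-03-02T09:00:00Z", "displayName": "svc-backup",
         "jobTitle": None, "officeLocation": None, "state": None, "streetAddress": None,
         "userPrincipalName": "svc-backup@threatq.com"},
    ]
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_request("threatq.com", ["Display Name", "Is Enabled", "City"])))
    print(json.dumps(map_users(SAMPLE_RESPONSE, list(CONTEXT_FIELDS)), indent=2))
```

With the default Context Filter only User Principal Name and Is Enabled are emitted as attributes; selecting every option yields nine attributes for the first user and still only two for the sparse second one, because null and empty values are dropped rather than stored as empty attributes.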

Average Feed Run

Object counts and feed runtime are supplied as generalities only; the objects returned by a provider can differ based on credential configuration, and feed runtime may vary based on system resources and load.

Metric              | Result
Run Time            | 1 minute
Identities          | 82
Identity Attributes | 400

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document                                    | ThreatQ Version
ThreatQ CDF for Microsoft Entra Guide v1.0.0 | 5.29 or Greater