Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Microsoft Entra integration allows a ThreatQ user to interact with the Microsoft cloud-based identity and access management service. This can be used to control access to external Microsoft resources and applications.

The integration provides the following action:

• Microsoft Entra Conditional Access Policy - creates or updates a Microsoft Entra Conditional Access Policy that blocks access to applications based on network locations.

The action is compatible with the following indicator types: 

• IP Address
• IPv6 Address
• CIDR Block

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

• An active ThreatQ TDR Orchestrator (TQO) license.
• A data collection containing at least one of the following indicator types:
  • IP Address
  • IPv6 Address
  • CIDR Block

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Log into https://marketplace.threatq.com/.
2. Locate and download the action zip file.
3. Navigate to the integrations management page on your ThreatQ instance.
4. Click on the Add New Integration button.
5. Upload the action zip file using one of the following methods:
   • Drag and drop the zip file into the dialog box
   • Select Click to Browse to locate the zip file on your local machine

   ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.

You will still need to configure the action.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
 

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Actions option from the Category dropdown (optional).
3. Click on the action entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

   Parameter	Description
   Tenant ID	Enter your Microsoft Tenant ID.  This is retrieved from the App Registrations page in the Azure Active Directory.
   Client ID	Enter your Microsoft Client ID.  This is retrieved from the App Registrations page in the Azure Active Directory.
   Client Secret	Enter your Microsoft Tenant ID.  This is obtained from your Azure Active Directory Certificates and Secrets.
   Disable Proxies	Enable this option to have the action ignore proxies set in the ThreatQ UI.
   Enable SSL Verification	Enable this option if the action should verify the SSL certificate.
   Conditional Access Policy Name	Specify the name of the Microsoft Entra Conditional Access policy that should be applied to the input indicators.
   Delete Existing Policy	Enabling this option to automatically delete the policy name specified above if it already exists. Otherwise, if the policy exists, it will be updated.
   Conditional Access Policy State	Specify the state of the conditional access policy.  Options include: Enabled Disabled Enabled for Reporting But Not Enforced
   Sign-in Risk Level (Optional)	Sign-in risk levels included in the policy.  Options include: Low Medium High
   Applications Excluded From The Policy	Select an application suite from this list that should be excluded from the policy.  Options include: Office 365 Applications Suite Microsoft Admin Portals
   Client IDs (appId) Explicitly Excluded From The Policy	To exclude particular apps enter a comma-separated list of app Ids that should be excluded from the policy.
   Applications Included In The Policy	Select an application suite from this list that should be included in the policy.  Options include: All Office 365 Applications Suite Microsoft Admin Portals
   Client IDs (appId) Explicitly Included In The Policy	To include particular apps enter a comma-separated list of app Ids that should be included in the policy.
   Client Application Types (Optional)	Select the client application types included in the policy. If All is selected the other enabled types are ignored.  Options include: All Browser Mobile Apps And Desktop Clients Exchange Active Sync Other
   Network Location Name	Specify the name of the network location where the input indicators are uploaded to.
   Clear Network Location on Manual Run	Enabling this will clear the existing values in the network location specified above. This is done to ensure that the location is always up-to-date with the ThreatQ data collection.
   Network Location Is Trusted	Enabled this option if this network location is explicitly trusted.
   Exclude Network Location	Enable this option if this network location should be excluded from the policy.
   Platforms excluded from the policy scope	Select the platforms excluded from the policy scope.  Options include: All Android iOS Windows Windows Phone Mac OS Linux
   Platforms included in the policy scope	Select the platforms included in the policy scope.Options include: All Android iOS Windows Windows Phone Mac OS Linux
   Objects per run	Maximum number of objects to process per-run.

   
   
5. Review any additional settings, make any changes if needed, and click on Save.

Actions

The following actions are available:

{
  "conditions": {
    "applications": {
      "excludeApplications": [
        "81fc9bc8-1140-43e1-a525-336e4e654561",
        "a1c1be3d-ca33-4606-a9e6-97fe099e3902",
        "MicrosoftAdminPortals"
      ],
      "includeApplications": [
        "0ed33d48-cb51-4711-953d-4468c52da87d",
        "Office365"
      ]
    },
    "locations": {
      "excludeLocations": [],
      "includeLocations": [
        "028b6391-2bdf-4ea6-b843-52b35d5c0568"
      ]
    },
    "platforms": {
      "excludePlatforms": [
        "iOS"
      ],
      "includePlatforms": [
        "all"
      ]
    },
    "signInRiskLevels": [
      "low"
    ],
    "users": {
      "includeUsers": [
        "none"
      ]
    }
  },
  "grantControls": {
    "builtInControls": [
      "block"
    ],
    "operator": "OR"
  },
  "state": "enabled"
}

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies/$entity",
  "conditions": {
    "applications": {
      "applicationFilter": null,
      "excludeApplications": [
        "81fc9bc8-1140-43e1-a525-336e4e654561",
        "a1c1be3d-ca33-4606-a9e6-97fe099e3902",
        "MicrosoftAdminPortals"
      ],
      "includeApplications": [
        "0ed33d48-cb51-4711-953d-4468c52da87d",
        "Office365"
      ],
      "includeAuthenticationContextClassReferences": [],
      "includeUserActions": []
    },
    "clientAppTypes": [],
    "clientApplications": null,
    "devices": null,
    "insiderRiskLevels": null,
    "locations": {
      "excludeLocations": [],
      "includeLocations": [
        "028b6391-2bdf-4ea6-b843-52b35d5c0568"
      ]
    },
    "platforms": {
      "excludePlatforms": [
        "iOS"
      ],
      "includePlatforms": [
        "all"
      ]
    },
    "servicePrincipalRiskLevels": [],
    "signInRiskLevels": [
      "low"
    ],
    "userRiskLevels": [],
    "users": {
      "excludeGroups": [],
      "excludeGuestsOrExternalUsers": null,
      "excludeRoles": [],
      "excludeUsers": [],
      "includeGroups": [],
      "includeGuestsOrExternalUsers": null,
      "includeRoles": [],
      "includeUsers": [
        "None"
      ]
    }
  },
  "createdDateTime": "2024-09-11T10:11:30.2438623Z",
  "displayName": "ms_entra_act_policy",
  "grantControls": {
    "authenticationStrength": null,
    "authenticationStrength@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/policies('bf70a9a4-bfdb-469b-8dcb-0c99218a02b0')/grantControls/authenticationStrength/$entity",
    "builtInControls": [
      "block"
    ],
    "customAuthenticationFactors": [],
    "operator": "OR",
    "termsOfUse": []
  },
  "id": "bf70a9a4-bfdb-469b-8dcb-0c99218a02b0",
  "modifiedDateTime": null,
  "sessionControls": null,
  "state": "enabled",
  "templateId": null
}

Use Case Example

1. A Threat Analyst identifies a collection of IPs for which they would like to create a Microsoft Entra Conditional Access Policy
2. The Threat Analyst adds the Microsoft Entra Conditional Access Policy action to a Workflow
3. The Threat Analyst configures the action with the desired parameters, and enables the Workflow
4. The Workflow executes all Actions in the graph, including Microsoft Entra Conditional Access Policy
5. The action adds the IPs from the collection to a network location and creates the policy

Known Issues / Limitations

• Not all values specified in Client Application Types are compatible with all platforms. Selecting incompatible values throws 400 Bad Request.

Change Log

• Version 1.0.0
  • Initial release