ThreatQ Operation for Microsoft Active Directory
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 3.6.0 |
| Support Tier | ThreatQ Supported |
Introduction
The ThreatQ Operation for Microsoft Active Directory allows a ThreatQ user to query their Active Directory for identity matches.
The operation provides the following action:
- Query - queries your Active Directory for identity matches.
The operation is compatible with Email Address and Username Indicator types.
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the integration whl file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the integration whl file using one of the following methods:
- Drag and drop the file into the dialog box
- Select Click to Browse to locate the file on your local machine
ThreatQ will inform you if the operation already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the operation contains changes to the user configuration. The new user configurations will overwrite the existing ones for the operation and will require user confirmation before proceeding.
The operation is now installed and will be displayed in the ThreatQ UI. You will still need to configure and then enable the operation.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description Server Your Active Directory server. Include ldap:// or ldaps://. Domain The domain for your Active Directory Server. Certificate If you are using SSL, provide a path to your certificate on your ThreatQ instance. This file must be accessible by the operation, so it must be placed on the ThreatQ instance in a directory that is accessible.
Entering a path here will automatically enable SSL.Use TLS Use this parameter if you use TLS to connect to your Active Directory server. Username The username to authenticate with the Active Directory server. Password The password to authenticate with the Active Directory server. Groups A comma-delimited list of groups to perform the query on It is possible to list multiple groups that are nested within each other.
It is not possible to list multiple groups that are at the same level.
You cannot use groups alongside organizational units.Organizational Units A comma-delimited list of organizational units to perform the query on It is possible to list multiple organizational units that are nested within each other.
It is not possible to list multiple organizational units that are at the same level.
You cannot use organizational units alongside groups.Version The version of your Active Directory server. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following action:
| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Query | Queries your Active Directory for identity matches. | Indicator | Email Address, Username |
Query
The Query action allows you to query your Active Directory server for identity matches.
Parameters
This action allows you to override the settings that are set in the operation's configuration settings.
The Query action has the following parameters:
| Parameter | Description |
|---|---|
| Groups (Override) | This allows you to override the Group setting in the operation's configuration. |
| Organizational Units (Override) | This allows a user to override the Organizational Units setting in the operation's configuration. |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| ThreatQ Operation for Microsoft Active Directory Guide v1.0.0 | 3.6.0 or Greater |