What is ThreatDown ITDR?
ThreatDown Identity Threat Detection & Response (ITDR) is a security module that monitors identity infrastructure—including Active Directory (AD), Microsoft Entra ID, and Okta—to detect and respond to identity-based threats in real time. It ingests authentication logs and identity events, correlates them with endpoint telemetry from ThreatDown Endpoint Detection and Response (EDR), and surfaces high-confidence alerts for threats such as credential theft, privilege escalation, lateral movement, and multi-factor authentication (MFA) abuse.
Which identity providers does ITDR support?
ITDR integrates with three identity sources:
- On-premises Active Directory: via the existing ThreatDown EDR agent (no additional agent required).
- Microsoft Entra ID (formerly Azure AD): via the Microsoft Graph API and the O365 API.
- Okta: via the Okta System Log API.
Can I use ITDR without a cloud identity provider (IdP)?
A cloud IdP is required. ITDR supports two deployment scenarios depending on your environment; an environment with on-premises AD only and no cloud IdP is not supported.
| Scenario A: Hybrid | Scenario B: Cloud-first | Scenario C: On-prem only (Not Supported) |
|---|---|---|
| On-prem AD synced with Entra ID | Entra ID or Okta (on-prem AD present but not synced with cloud IdP) | AD only, no Entra ID or Okta |
Does ITDR require a separate agent?
No. ITDR does not require a new agent. It leverages the same ThreatDown EDR agent already deployed on endpoints. Activation simply enables additional backend modules for AD telemetry, identity hooks, and cloud API integrations.
How is ITDR different from Identity and Access Management (IAM) or Identity Governance and Administration (IGA) solutions?
ITDR is focused exclusively on threat detection and response within your identity infrastructure. It does not handle user provisioning, access governance, or certification reviews. Think of it as the security layer that watches your identity fabric for signs of compromise, complementing your existing IAM and IGA tools rather than replacing them.
What are the prerequisites for activating ITDR?
There are two requirements before ITDR can monitor for identity-based threats:
- Endpoint Agent with EDR policy settings enabled
- Entra ID or Okta connected to OneView
How does the deployment process work? Is it lengthy?
Deployment is designed to be fast, automated, and low-touch. Since ITDR uses the same EDR agent already installed on endpoints, there is no new agent to deploy. The setup involves activating ITDR in OneView and connecting the desired identity provider(s) through the available connectors. Most deployments are complete within minutes.
How do I connect Active Directory (on-premises)?
Active Directory telemetry is collected through the existing ThreatDown EDR agent. No additional software or configuration is needed. Once ITDR is activated, the EDR agent running on your domain controllers automatically begins collecting AD security events from them.
How do I connect Microsoft Entra ID?
Entra ID connects via the Microsoft Graph API and the O365 API. During activation, you will authorize ThreatDown to read identity and authentication logs from your Entra ID tenant. For full coverage of identity-based attacks, both the Graph API integration and the O365 API integration are required.
See Configure Identity Threat Detection & Response.
Can I connect multiple identity providers at the same time?
Yes. You can connect Entra ID and Okta simultaneously. ITDR will correlate identity events across all connected sources, giving you unified visibility over your entire identity fabric.
What is the Identity Risk Score?
The Identity Risk Score is an aggregated metric that reflects the current threat posture of your identity infrastructure. It accounts for the volume and severity of active incidents, MFA adoption and coverage gaps, the number of high-risk users, and recent detection trends. The score provides a quick, at-a-glance assessment that helps security teams prioritize their response efforts.
Are detections correlated with EDR data?
Yes. One of ITDR’s key strengths is its ability to correlate identity events with endpoint telemetry from ThreatDown EDR. For example, if a suspicious login is detected from a specific device, the alert will include the device’s EDR context, if available, giving analysts the full picture needed for rapid triage.
How does my Microsoft Entra ID license affect ITDR?
With Entra ID P1, ITDR can use sign-in and audit log telemetry to identify suspicious authentication behavior. With Entra ID P2, Microsoft additionally exposes Identity Protection risk telemetry (user and sign-in risk), which improves detection confidence, user-risk correlation, investigation context, and prioritization fidelity.
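The two answers above (correlating identity events with EDR device context, and the extra Identity Protection telemetry a P2 tenant exposes) are illustrated by the following added example. It is not ThreatDown code and says nothing about how ITDR scores internally: the record shapes follow the Microsoft Graph signIn and riskDetection resources, but the EDR device inventory, the 10-minute window, and the severity rules are assumptions of this example, and every input is constructed.

```python
"""Triage Entra ID sign-ins by correlating them with Identity Protection risk
detections and EDR device context. Added illustration, not ThreatDown code:
the record shapes follow the Microsoft Graph signIn and riskDetection
resources, but the EDR inventory, the 10-minute window and the severity
rules are assumptions, and every input below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_FAILED = 500121                 # AADSTS500121: MFA challenge failed
MFA_WINDOW = timedelta(minutes=10)  # assumed window for failures-then-success
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed auditLogs/signIns records. A P1 tenant receives
# riskLevelDuringSignIn as "hidden"; only a P2 tenant sees the real level.
SIGN_INS = [
    {"id": "s1", "createdDateTime": "2024-05-01T08:02:11Z",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
     "status": {"errorCode": MFA_FAILED}, "deviceDetail": {"deviceId": ""},
     "riskLevelDuringSignIn": "hidden"},
    {"id": "s2", "createdDateTime": "2024-05-01T08:03:40Z",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
     "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "dev-001"},
     "riskLevelDuringSignIn": "high"},
    {"id": "s3", "createdDateTime": "2024-05-01T09:15:02Z",
     "userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.20",
     "status": {"errorCode": 0}, "deviceDetail": {"deviceId": "dev-002"},
     "riskLevelDuringSignIn": "none"},
]

# Constructed identityProtection/riskDetections records (P2 tenants only).
RISK_DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "high",
     "detectedDateTime": "2024-05-01T08:03:40Z"},
]

# Assumed EDR device inventory keyed by the Entra device id in the sign-in.
ENDPOINTS = {
    "dev-001": {"hostname": "ALICE-LAPTOP", "open_detections": 2, "isolated": False},
    "dev-002": {"hostname": "BOB-DESKTOP", "open_detections": 0, "isolated": False},
}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _worse(a, b):
    return a if RANK[a] >= RANK[b] else b


def triage(sign_ins, risk_detections=(), endpoints=None):
    """Return one alert per suspicious sign-in, enriched with any Identity
    Protection (P2) and EDR context available for that user and device."""
    endpoints = endpoints or {}
    risks_by_user = defaultdict(list)
    for rd in risk_detections:
        risks_by_user[rd["userPrincipalName"]].append(rd)

    mfa_failures = defaultdict(list)  # (upn, ip) -> timestamps of failed MFA
    alerts = []
    for s in sorted(sign_ins, key=lambda r: _ts(r["createdDateTime"])):
        upn, ip, when = s["userPrincipalName"], s["ipAddress"], _ts(s["createdDateTime"])
        code = s["status"]["errorCode"]
        reasons, severity = [], "low"

        if code == MFA_FAILED:
            # Remember the failure; a lone failed prompt is not yet an alert.
            mfa_failures[(upn, ip)].append(when)
            continue
        if code == 0:
            # MFA abuse pattern: failed prompts, then a success from the same
            # user and IP inside the window (repeated prompting / push fatigue).
            prior = [t for t in mfa_failures[(upn, ip)] if when - t <= MFA_WINDOW]
            if prior:
                reasons.append(f"mfa_failures_then_success:{len(prior)}")
                severity = _worse(severity, "medium")

        level = s.get("riskLevelDuringSignIn", "hidden")
        if level in ("medium", "high"):  # only populated on a P2 tenant
            reasons.append(f"sign_in_risk:{level}")
            severity = _worse(severity, level)

        user_risks = risks_by_user.get(upn, [])
        if user_risks:                   # only available on a P2 tenant
            reasons.append("user_risk:" + ",".join(r["riskEventType"] for r in user_risks))
            for r in user_risks:
                if r.get("riskLevel") in RANK:
                    severity = _worse(severity, r["riskLevel"])

        if not reasons:
            continue
        device_id = s.get("deviceDetail", {}).get("deviceId") or None
        alerts.append({
            "sign_in": s["id"], "user": upn, "ip": ip, "severity": severity,
            "reasons": reasons,
            "risk_source": "identity_protection"
            if user_risks or level in ("low", "medium", "high") else "sign_in_logs_only",
            # EDR context is attached only when the sign-in carries a device id.
            "device": endpoints.get(device_id) if device_id else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SIGN_INS, RISK_DETECTIONS, ENDPOINTS):
        print(alert)
```

Run against the constructed data, the first failed MFA prompt for alice produces no alert on its own; the success that follows from the same IP does, and on a P2 tenant that alert is raised to high by the sign-in risk level and the anonymizedIPAddress detection, with the EDR record for dev-001 attached. Feed the same sign-ins with riskLevelDuringSignIn set to "hidden" and no risk detections, as a P1 tenant would see them, and the same sign-in is still caught, but only as a medium alert sourced from the sign-in logs alone, which is the difference in prioritization fidelity the answer above describes.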