This article walks you through connecting your identity providers to ThreatDown Identity Threat Detection & Response (ITDR) within OneView, setting up login restrictions, and dark web monitoring. ITDR supports Microsoft Entra ID, Okta, and On-Premises Active Directory.
Access the ITDR onboarding guide
When ITDR is enabled on your account, a prompt appears during login until setup is complete.
- Click Get Started on the ITDR prompt to open the setup wizard.
- The wizard displays all configuration steps. Click Connect to begin connecting your identity sources.
- Select how identities from all sources are protected. This affects coverage and billing.
  - Protect all identities automatically: Protection activates for all identities as soon as syncing completes. This ensures all identities are protected, and each identity is counted towards billing.
  - Review identities before activating: Identities are synced, but you must manually select which to protect, up to the allowed number of licenses. Increase your license allotment on the Sites page, or disable unnecessary identities to enable others.
You can also navigate directly to Investigate > ITDR Management > Configurations at any time to manage your identity provider connections, login restrictions, and dark web monitoring. You can also update how the sources are protected and billed with the settings button on this page.
Connect Okta
Configuration for Okta requires steps in both the Okta Admin Console and OneView.
Step 1: Create a Dedicated Service Account
- Sign in to the Okta Admin Console as a Super Administrator.
- Navigate to Directory > People > Add Person.
- Create a dedicated service account user (for example, threatdown-itdr@yourdomain.com).
- Set a strong password and uncheck User must change password at next sign-in.
- Activate the user. This account serves as the dedicated ThreatDown ITDR service account for telemetry and response.
Step 2: Assign Administrator Roles
- In the Okta Admin Console, navigate to Security > Administrators > Add Administrator.
- In the Grant administrator role field, enter the service account you just created.
- In the Administrator roles section, select the following roles:
| Role | Required | Purpose |
|---|---|---|
| Read-Only Administrator | Required | Access to Okta System Log and Event Hook data |
| Organization Administrator | Required | Enables response actions (suspend/unsuspend users) |
| Super Administrator | Optional | Provides additional user insights |
- Click Add Administrator to save.
Step 3: Generate an API Token
- Sign out of your Super Admin account and sign in to the Okta Admin Console as the new service account.
- Navigate to Security > API.
- Click Create Token, enter a token name, then click Create Token.
Note: Ensure the API token has no expiration date.
- Copy the API token. It is only displayed one time.
- Click OK, got it.
These are the permissions needed for Okta.
| Capability | Required Okta Role / Privilege |
|---|---|
| Read System Logs | Read-Only Administrator |
| Collect Identity Events | Read-Only Administrator |
| Disable / Suspend / Unlock Users | Organization Administrator (or higher) |
| Manage API Tokens | Token-owning account must retain admin privileges |
| Integration Stability | Token should belong to a dedicated service account |
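Because an Okta API token inherits the permissions of the account that created it, it is worth confirming the service account holds exactly the roles above before generating the token. The script below is an added example, not ThreatDown's or Okta's own code: it reads the role list returned by the Okta Administrator Roles API (`GET /api/v1/users/{id}/roles`, authenticated with an `SSWS` token) and reports missing required roles, the optional Super Administrator role, and any roles beyond the guide's list as a least-privilege check. The hostname, token and login passed to `fetch_roles` are placeholders, and `SAMPLE_ROLES` is a constructed response used for the offline run.

```python
"""Verify that the ITDR service account holds the Okta admin roles the guide
requires. Added example, not part of the ThreatDown documentation."""
import json
import urllib.request

# Roles from the guide's table: two required, one optional.
REQUIRED_ROLES = {"READ_ONLY_ADMIN", "ORG_ADMIN"}
OPTIONAL_ROLES = {"SUPER_ADMIN"}


def check_roles(roles):
    """Evaluate the JSON list returned by /api/v1/users/{id}/roles.

    Returns a dict with: ok (all required roles active), missing required
    roles, optional roles present, and roles outside the guide's list
    (candidates for removal under least privilege)."""
    granted = {r["type"] for r in roles if r.get("status", "ACTIVE") == "ACTIVE"}
    return {
        "ok": REQUIRED_ROLES <= granted,
        "missing": sorted(REQUIRED_ROLES - granted),
        "optional_present": sorted(OPTIONAL_ROLES & granted),
        "unexpected": sorted(granted - REQUIRED_ROLES - OPTIONAL_ROLES),
    }


def fetch_roles(okta_host, api_token, user_id_or_login):
    """Live lookup of a user's admin roles. All three arguments are assumed
    placeholder inputs (e.g. yourcompany.okta.com, an SSWS token, and the
    service account login). Not called in the offline run below."""
    url = f"https://{okta_host}/api/v1/users/{user_id_or_login}/roles"
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample of what the roles endpoint returns for an account that
# holds both required roles plus the optional Super Administrator role.
SAMPLE_ROLES = [
    {"id": "ra1", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
    {"id": "ra2", "type": "ORG_ADMIN", "status": "ACTIVE"},
    {"id": "ra3", "type": "SUPER_ADMIN", "status": "ACTIVE"},
]

if __name__ == "__main__":
    print(json.dumps(check_roles(SAMPLE_ROLES), indent=2))
```

Run it against the live endpoint by replacing `SAMPLE_ROLES` with `fetch_roles(host, token, login)`; an empty `missing` list and an empty `unexpected` list is the state to aim for before moving on to Step 3.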
Step 4: Connect Okta to ThreatDown
- In OneView, go to Investigate > ITDR Management > Configurations > Integrations and click Connect next to Okta.
- Enter your Okta Hostname (e.g., yourcompany.okta.com).
- Enter the API Token generated in Step 3.
- Click Save.
Once connected, the Okta card displays a green status indicator. You can click Disable to pause the integration or Update to change credentials at any time.
Connect Microsoft Entra ID
Entra ID uses two separate API connections for full coverage: MS Graph API and O365 API. Both are required for complete identity telemetry coverage from Microsoft Entra ID and are connected via an OAuth consent flow.
Connect MS Graph API
- In OneView, go to Investigate > ITDR Management > Configurations > Integrations and click Connect next to Entra ID.
- Next to Connect with MSGraph API, click Connect.
- You are redirected to a Microsoft login screen. Sign in with a Global Administrator or Privileged Role Administrator account.
- Review the requested permissions and click Accept.
- MS Graph API is now connected.
Connect O365 API
- Next to Connect with O365 API, click Connect.
- Sign in with a Global Administrator or Privileged Role Administrator account.
- Click Accept to authorize the connection.
- O365 API is now connected.
Once connected, the Entra ID card displays a green status indicator. You can click Disable to pause the integration or Update to change credentials at any time.
Enable Endpoint Detection and Response
Deploy the Endpoint Agent to your devices with Endpoint Detection and Response enabled. This allows ITDR to automatically collect Active Directory telemetry, including Windows Security Events and identity hooks. For more information on enabling EDR, see Endpoint Detection and Response policy settings in OneView.
Validate Your Connections
After configuring your identity sources, data begins flowing from your IdPs to OneView. The initial sync can take 30 minutes to a few hours, depending on tenant size and IdP rate limits. Navigate to the Investigate > ITDR Management > Configurations > Integrations page. Each connected source displays:
- Connection status:
  - Green: Connected
  - Yellow: Delayed
  - Red: Error
- Last log seen timestamp to confirm active data flow
If a source shows no recent data, review your credentials and network connectivity, then use Update to re-enter credentials.
Login restrictions
On the Login restrictions tab, set up restricted countries and working hours. An identity can only belong to one login restriction group.
To create a new login restriction group:
- Click New group.
- Enter a group name
- Assign identities to the group.
- Select which countries to restrict access from. Optionally, toggle on Select all countries except and only enter the allowed countries instead.
- Select the working hours. Any login attempts outside of working hours are flagged as an alert.
- Click Save.
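To make the two rules concrete, here is an added example (not ThreatDown's own logic) that evaluates sign-in events against a login restriction group: a restricted-country list, the "Select all countries except" allow-list mode, working hours with a working-day set, and the rule that an identity belongs to at most one group. The group definition, the fixed local time-zone offset, and the sign-in events are constructed for illustration; the event field names (`actor`, `country`, `published`) are assumed and loosely modelled on IdP sign-in log entries.

```python
"""Evaluate sign-in events against a login restriction group.
Added example, not part of the ThreatDown documentation."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone


@dataclass
class LoginRestrictionGroup:
    name: str
    identities: set                       # logins that belong to this group
    countries: set                        # ISO country codes
    all_except: bool = False              # True: 'countries' is the allowed list
    work_start: time = time(8, 0)
    work_end: time = time(18, 0)
    work_days: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Mon-Fri
    local_tz: timezone = timezone.utc     # assumed: group's working-hours zone

    def country_allowed(self, code):
        # Restrict-list mode blocks the listed countries; allow-list mode
        # ("Select all countries except") blocks everything not listed.
        if self.all_except:
            return code in self.countries
        return code not in self.countries

    def in_working_hours(self, ts):
        local = ts.astimezone(self.local_tz)
        return (local.weekday() in self.work_days
                and self.work_start <= local.time() < self.work_end)


def evaluate(event, groups):
    """Return the alert reasons for one sign-in event ([] means no alert).
    An identity can only be in one group, so the first match is used."""
    group = next((g for g in groups if event["actor"] in g.identities), None)
    if group is None:
        return []
    reasons = []
    if not group.country_allowed(event["country"]):
        reasons.append(f"login from restricted country {event['country']}")
    ts = datetime.fromisoformat(event["published"])
    if not group.in_working_hours(ts):
        reasons.append("login outside working hours")
    return reasons


# Constructed sample events; timestamps are ISO 8601 with an explicit offset.
EVENTS = [
    {"actor": "alice@example.com", "country": "US", "published": "2024-05-06T14:30:00+00:00"},
    {"actor": "alice@example.com", "country": "RU", "published": "2024-05-06T14:30:00+00:00"},
    {"actor": "alice@example.com", "country": "US", "published": "2024-05-05T03:00:00+00:00"},
    {"actor": "bob@example.com",   "country": "DE", "published": "2024-05-06T14:30:00+00:00"},
]

# Constructed group: allow-list mode with only the US permitted, working
# hours evaluated in a fixed UTC-4 offset (assumed to stand in for the
# group's local zone).
GROUPS = [
    LoginRestrictionGroup(
        name="US staff",
        identities={"alice@example.com"},
        countries={"US"},
        all_except=True,
        local_tz=timezone(timedelta(hours=-4)),
    ),
]


def run(events=EVENTS, groups=GROUPS):
    """Evaluate every event and return the list of alert-reason lists."""
    return [evaluate(e, groups) for e in events]


if __name__ == "__main__":
    for event, reasons in zip(EVENTS, run()):
        status = "; ".join(reasons) if reasons else "ok"
        print(f"{event['actor']:20} {event['country']} {event['published']}  {status}")
```

The second event is flagged for country only, the third (03:00 UTC on a Sunday, 23:00 Saturday in the group's zone) for working hours only, and Bob's event produces nothing because he is not in any group.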
Dark web monitoring
On the Dark web monitoring tab, select which identities to monitor for exposed credentials and data on dark web sources.
To monitor identities on the dark web:
- Click Add item.
- Select identities.
- Click Save.
Authorize Managed Detection and Response analysts
When subscribed to both ITDR and Managed Detection and Response (MDR), you can authorize MDR analysts to take response actions on identities in your environment when a security incident is detected. You should be prompted to make these selections when adding ITDR. To update the settings:
- In OneView, click on Manage > Sites.
- Click on the site you need to edit.
- Click Manage Subscription > Manage Subscription.
- Click Next until you get to the Services step.
- Under Identity response authorization, select the level of authorization:
  - Full authorization: MDR analysts can perform any of the actions listed below as needed.
  - Partial: Select which individual response actions MDR analysts can perform.
    - Disabling an identity: Suspend the user to stop them from logging in.
    - Enforcing multi-factor authentication: Require the user to set up multi-factor authentication.
    - Removing identities from groups: Removes the selected users from an Entra group, revoking access and permissions granted by that group.
    - Resetting passwords: Forces the user to set a new password the next time they sign in.
    - Revoking active sessions: Terminate all active user sessions on devices, forcing them to log in again.
  - No: MDR analysts are not authorized to perform any response actions for identity-related threats.