Microsoft Entra ID (formerly Azure AD) & Active Directory

Query’s integration with Microsoft Entra ID (formerly Azure AD) and Active Directory, built on Query’s integration with Microsoft’s Graph API, allows analysts to:

  • Retrieve user directory information as stored in the user profile, such as email address and user principal name
  • Retrieve domain information such as the description and directory groups

For example, the analyst could obtain the following context:

  • Searching by the user’s name (e.g. username contains barbara) returns any directory information on the user, including their email address, their Active Directory groups, etc.

To integrate Microsoft Entra ID (formerly Azure AD), see the integration documentation.

The integration normalizes data pulled from Microsoft Entra ID via the Graph API into Query’s OCSF-based QDM (Query Data Model), which enables cross-platform joins and compounds the analyst’s ability to investigate. Query normalizes Microsoft Intune data into QDM User and Device objects, and Authentication events. Analysts can see key attributes like hostname, Active Directory group names, assigned domains, and other directory information in the QDM device, security finding, and observables objects.
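The normalization step described above, as an added illustration that is not Query’s own code: it maps constructed Microsoft Graph `/users` and `/users/{id}/memberOf` records (real Graph property names, sample values) into OCSF-style User objects, and implements the "username contains" search locally. The OCSF field names used (`uid`, `name`, `email_addr`, `domain`, `groups`) are the standard OCSF User object attributes; that QDM maps them the same way is an assumption.

```python
from typing import Any

# Constructed sample of a Graph GET /users response (selected properties).
GRAPH_USERS: list[dict[str, Any]] = [
    {"id": "11111111-1111-1111-1111-111111111111",
     "userPrincipalName": "barbara.jones@example.com",
     "mail": "barbara.jones@example.com", "displayName": "Barbara Jones"},
    {"id": "22222222-2222-2222-2222-222222222222",
     "userPrincipalName": "alice.smith@example.com",
     "mail": None, "displayName": "Alice Smith"},  # no mailbox assigned
]

# Constructed sample of GET /users/{id}/memberOf, keyed by user id.
# memberOf returns directoryObjects; roles and admin units appear alongside groups.
GRAPH_MEMBER_OF: dict[str, list[dict[str, Any]]] = {
    "11111111-1111-1111-1111-111111111111": [
        {"@odata.type": "#microsoft.graph.group", "id": "g-1", "displayName": "Finance"},
        {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1", "displayName": "Global Reader"},
    ],
    "22222222-2222-2222-2222-222222222222": [],
}


def to_ocsf_user(user: dict[str, Any], member_of: list[dict[str, Any]]) -> dict[str, Any]:
    """Map one Graph user plus its memberOf list to an OCSF-style User object (assumed mapping)."""
    upn = user.get("userPrincipalName") or ""
    domain = upn.split("@", 1)[1] if "@" in upn else None
    groups = [
        {"uid": g["id"], "name": g.get("displayName")}
        for g in member_of
        if g.get("@odata.type") == "#microsoft.graph.group"  # keep groups only, drop roles
    ]
    return {
        "uid": user["id"],
        "name": upn,
        "full_name": user.get("displayName"),
        "email_addr": user.get("mail"),  # None when the account has no mailbox
        "domain": domain,
        "groups": groups,
    }


def search_users(fragment: str, users=GRAPH_USERS, member_of=GRAPH_MEMBER_OF) -> list[dict[str, Any]]:
    """Case-insensitive 'username contains <fragment>' search over normalized users."""
    frag = fragment.lower()
    return [to_ocsf_user(u, member_of.get(u["id"], []))
            for u in users if frag in (u.get("userPrincipalName") or "").lower()]
```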

With the federated join capabilities, the analyst can now see context on that entity pulled from additional data sources Query is integrated with.

Depending on the additional integrations in your environment, Query can show you:

  • Additional alerts correlated with the user or the device, for example from email, web, or file activity.