Users, Tenants, and Channels

Tenants and channels

Tenants are organizational units. Administrator user accounts are provisioned within these tenants. Once provisioned, users can view protected sites, attack heuristics, real-time data, and other configuration information.

Alternatively, you can have your ThreatX platform organized by channels, where a channel can contain multiple tenants. If you have channels, you can administer all users and sites within the tenants and add tenants as needed.

Audit Log

The ThreatX platform has an audit feature that logs a number of events, such as updating users, updating sites, and adding IP addresses to whitelists and blocked lists.

Table 1. Audit Log Event Categories and Actions
Category Actions Description

Lists

  • new_entry

  • remove_entry

Lists are the whitelists and blocked lists. The Description column in the audit log identifies the list. The audit log monitors when IP addresses, called entries, are added to or removed from a list.

Rules

  • new_rule,

  • remove_rule

  • update_rule

The audit log monitors whenever a rule is added, removed, or updated in the ThreatX platform.

Sites

  • new_site

  • remove_site

  • unset_field

  • update_site

The audit log monitors whenever a site is added, removed, or updated in the ThreatX platform. The unset_field action occurs when a user nullifies a field within the site resource.

Users

  • new_user

  • remove_user

  • update_user

The audit log monitors whenever a user is added, removed, or updated in the ThreatX platform.

User Actions

  • blacklist_entity

  • block_entity

  • watch_entity

  • whitelist_entity

The audit log monitors whenever a user blocks an IP address, adds an IP address to the blocked list or whitelist, or chooses to watch an IP address. Whenever a user adds an IP address to a list, the Lists category shows a new_entry action.

Each column in the audit log has a search icon which you can use to search for a string in that column. The search feature is case sensitive and requires an exact match. The table lists all the action strings you can use to search for a specific action.

If you have access to the ThreatX API, you can access the audit logs. The following is an example command.

$ curl https://api.threatx.com/tx_api/v2/logs \
  --header 'Content-Type: application/json' \
  --data @- << EOF
{
       "command":"audit_events",
       "token":" <api_token>",
        "customer_name":"<tenant_name>",
        "limit": 100
}
EOF

Accessing the audit log

Dashboard

Settings  Audit Log
ThreatX API

api.threatx.com/tx_api/v2/logs (command: audit_events )

The ThreatX audit feature logs events, such as updating users, updating sites, and adding IP addresses to whitelists and blocked lists. The audit log lists all events by category and actions. As opposed to the Log Emitter, the audit log focuses mostly on user actions.

The Log Emitter also exports the audit logs.

Managing user accounts

Dashboard

Settings  Users
ThreatX API

api.threatx.com/tx_api/v2/users
Table 2. User Account Settings
Field Description

Email

User’s email address, which is also the username used to log in. It cannot be changed once saved.

Password Reset

Available only when editing a user account. Click Send to send a password reset link.

First Name

The user’s given name

Last Name

The user’s surname.

Active

When selected, the user is active and can log in. When not selected, the account remains valid, but the user cannot log in.

Read-Only

When not selected, the user has full write access. Otherwise, they can make no modifications.

Tenant Admin

When selected, the user has administration permissions to manage users and sites. ️

Channel Admin

When selected, the user has administrator access to the main channel and all of its tenants. ️(Requires Channel Environment architecture).

Site Groups

Assigns the user to one or more user groups, where the user can access those sites only. If none are selected, the user can access all sites.

API Access

Generating and revoking API keys

If using the ThreatX API to access the ThreatX platform, you need first need to use an API key with the login command to receive a session token, after which you will be allowed to execute other commands.

To generate an API key:

  1. Navigate to Settings  API Keys

  2. Click Add API Key in the top right corner

  3. Complete the necessary fields

  4. Click Save

  5. Store your new key in a safe place! 🗝️

To revoke an API key:

  1. Navigate to Settings  API Keys

  2. Click Edit API Key next to the API key you want to revoke

  3. Click Revoke

  4. Click Revoke a second time in the confirmation pop-up.

Generating and revoking sensor API keys

If you deploy sensors in your environment, you are asked to provide a Sensor API key.The sensor uses the key to authenticate to the ThreatX platform.

The Sensor API key is a not the same as the API key mentioned above.

To generate a Sensor API key:

  1. Navigate to Settings  Sensors  Sensor Keys

  2. Click Add Sensor Key

  3. Store the key securely until you need to deploy a sensor 🗝️

    1. If at any point you no longer require a sensor key, simply delete it.

Configuring Single Sign On (SSO)

You can manage SSO configuration directly using the ThreatX API. Once SSO has been configured for a ThreatX tenant or channel, your users can sign in using your SSO identity provider, such as Okta or Azure Active Directory B2C, rather than logging in to the ThreatX web application with a username and password.

Prerequisites

  • SAML2 IDP metadata reference URL from your SSO provider (where the most up-to-date metadata file can be found.) Consult your IDP documentation.

  • Users must have accounts in both the IDP and ThreatX platform

  • User’s email address in the IDP must match that which is associated with their ThreatX username.

  • An API key with tenant or channel administrator permissions.

  • The name and UUID of your tenant or channel

Use the Customers:list command to retrieve the name and UUID of the tenant.
If you do not have access to your IDP metadata URL, you can alternatively provide a complete IDP metadata file. Contact ThreatX support if you want to provide an IDP metadata file instead of an IDP metadata URL.
📌 Example 1. IDP Metadata URLs

Additional prerequisites for Channel SSO

If you are configuring your SP Metadata URL:

  • Audience restriction setting (also called “Entity ID”) in the IDP must be set to the path: x.threatx.io/sign-in

  • IDP metadata must provide the NameID in the format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

We use the email address of the user to locate users within our database

If you are configuring your ACS URL:

Configuring SSO access

Use the following steps to configure SSO access for your ThreatX tenant and channel partners:

  1. Log into the API. Authenticate to the API using the Login command.

  2. Gather the tenant or channel data you need using the Customers:list or Channels:list command.

    • You need to copy the Customer or Channel Representation information response exactly and paste it into the body of the Customers:update or Channels:updat command with the UUID field omitted.

  3. Assemble your tenant update API request.

  4. Supply your Customer or Channel Representation information to the Customers:update or Channels:update command described in step 2. (See the examples below.)

  5. Set the value of “sso” to an object and define these attributes:

    • “enabled” (true),

    • “required” (false)

    • saml_metadata_url

  6. Submit the tenant or channel update API request. If it succeeds, you should see Customer Update Response or Channel Update Response.

  7. Test the new configuration by using a web browser to navigate to:

    1. x.threatx.io/auth/v2/customers/<name>/saml

    2. x.threatx.io/auth/v2/channels/<name>/saml

  8. You should be redirected to your SSO Identity Provider to confirm you want to authorize ThreatX Dashboard to act on your behalf.

  9. Follow the prompts in your SSO Identity Provider.

  10. You should be then redirected to the ThreatX Dashboard and authorized to access the system on behalf of your configured user account.

  11. Single-Sign On access is now configured for your tenant.

(optional) You can now update your tenant configuration again using “required: true” to force all your users to use SSO to access the ThreatX Dashboard. This option prevents users from accessing the ThreatX Dashboard directly using the username/password authentication.