The Microsoft Threat Modeling Tool Importer Extension library provides a tool to import TM7 documents and TB7 templates produced with Microsoft Threat Modeling Tool, a widely adopted tool to produce Threat Models, which can be downloaded from https://aka.ms/threatmodelingtool. This Extension library is not part of Threats Manager Studio (TMS): you need to install it separately, from Downloads.
The TMT Import extension library is not able to import everything from a .TM7 file. For instance, Line Boundaries are not imported, because it would not be possible to determine which objects are inside the boundary and which are outside. Moreover, annotations are not imported, because it is not possible to determine where they must be applied.
Moreover, some .TM7 or .TB7 files go beyond the tool's intent and capabilities. For example, the templates from the GitHub repository AzureArchitecture/threat-model-templates (Templates for the Microsoft Threat Modeling Tool) define non-standard categories, like Azure Asset and Azure Service. This causes Microsoft Threat Modeling Tool to behave abnormally. For this reason, those templates must be considered malformed and will not be imported correctly by TMS. If you still want to import them, please consider that the result may be different from what is expected.
For all those reasons, it is strongly recommended to verify the correct conversion before using the generated file.
The Microsoft Threat Modeling Tool Importer Extension library adds a button in the Import ribbon: Import Document in the MS TMT section.
If you click this button, you will be asked to select the Threat Model (.TM7) or template (.TB7) to be imported. After a short processing time, you should see a Threat Modeling Tool Import Results dialog similar to the following one.
The meaning of the various results shown is:
|Result|Meaning|
|---|---|
|Diagrams|Counter of the migrated Diagrams.|
|DataStores|Counter of the migrated Data Stores.|
|ExternalInteractors|Counter of the migrated External Interactors.|
|Processes|Counter of the migrated Processes.|
|EntityTypes|Counter of the migrated Item Types.|
|DataFlows|Counter of the migrated Data Flows.|
|CustomThreatTypes|Counter of the imported Threats that were not associated with Threats defined in the source template used by the TM7 file.|
|MissingThreats|Counter of the Threat Events that it has not been possible to import.|
|Threats|Counter of the imported Threat Events.|
|ThreatTypes|Counter of the imported Threat Types.|
|TrustBoundaries|Counter of the imported Trust Boundaries.|
Auxiliary Diagramming Tools
The Microsoft Threat Modeling Tool Importer Extension library also includes two buttons to support clean-up activities on freshly imported Threat Models:
- Merge Entities button, which allows merging two entities together.
- Merge Flows button, which allows merging two flows together.
Merging Entities is important because the Microsoft Threat Modeling Tool considers the same entity included in two different diagrams as two different objects. To use it, you have to include the missing Entity using the Existing Object palette, then select both copies, and finally click the Merge Entities button. This opens the Merge Entities dialog.
You need to select the Entity which must remain, and click the Target button on it. Automatically, the other Entities will be marked as Source. When you click the OK button, the Entity marked as Target will receive all the Flows associated with the Sources. To succeed, the moved Flows must not already exist on the Target, because Threats Manager Platform, the engine behind Threats Manager Studio (TMS), does not allow two Flows with the same source and target. For this reason, we have the Replacement Strategy options:
- Stop if at least a Flow already exists: interrupts the merge operation if there is an overlap.
- Replace existing Flows: removes the existing Flows to replace them with the new ones.
- Skip existing Flows: leaves the existing Flows in place.
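The following added example is not code from TMS or the Threats Manager Platform; it is a small Python model of the three Replacement Strategy options, useful for predicting which Flows survive a merge before reviewing the imported model. The function name, the dictionary layout, the sample entities and the handling of a Flow between the two copies (dropped) are assumptions of this sketch, which merges a single Source into the Target.

```python
from enum import Enum

class Strategy(Enum):
    STOP = "Stop if at least a Flow already exists"
    REPLACE = "Replace existing Flows"
    SKIP = "Skip existing Flows"

def merge_entities(flows, target, source, strategy):
    """Return a new flow map with every Flow of `source` re-pointed to `target`.

    `flows` maps (source_entity, target_entity) -> flow name, so the dict key
    enforces the "one Flow per source/target pair" rule.
    """
    # Flows that do not touch the Source entity are kept as they are.
    result = {k: v for k, v in flows.items() if source not in k}
    # Re-point the Source's Flows; a Flow between the two copies would become
    # a self-loop and is dropped (assumption of this sketch).
    moved = {}
    for (src, dst), name in flows.items():
        if source in (src, dst):
            key = (target if src == source else src,
                   target if dst == source else dst)
            if key[0] != key[1]:
                moved[key] = name
    overlaps = sorted(k for k in moved if k in result)
    if overlaps and strategy is Strategy.STOP:
        raise ValueError(f"merge stopped, Flows already exist: {overlaps}")
    for key, name in moved.items():
        if key in result and strategy is Strategy.SKIP:
            continue  # leave the existing Flow untouched
        result[key] = name  # new Flow, or REPLACE of the existing one
    return result

# Constructed sample: "Browser" was drawn on two diagrams and imported twice.
FLOWS = {
    ("Browser", "Web App"): "HTTPS request",
    ("Web App", "Browser"): "HTTPS response",
    ("Web App", "Database"): "SQL query",
    ("Browser (copy)", "Web App"): "Login request",
    ("Browser (copy)", "Auth Service"): "Token request",
}

if __name__ == "__main__":
    for strategy in (Strategy.REPLACE, Strategy.SKIP):
        merged = merge_entities(FLOWS, "Browser", "Browser (copy)", strategy)
        print(strategy.name, merged[("Browser", "Web App")], len(merged))
```

In this model, Replace and Skip both end with four Flows but differ in which Flow represents Browser to Web App, so any Threat Events attached to the discarded Flow are worth checking after the merge.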
The second command, Merge Flows, addresses another typical issue that occurs when importing a document built with Microsoft Threat Modeling Tool: two flows are used to represent a relationship for which TMS would require only a single Flow. Merge Flows combines them into one. A simple way to use it is to select the duplicated Flows, perhaps using CTRL+A to select all, and then click Merge Flows. This will open the Merge Flows dialog.
The tool already identifies the candidates. You have to select the Master flow, which is the one to be maintained. When done, you should click OK.