Azure Advanced Threat Protection

Azure Advanced Threat Protection, also known as Azure ATP or AATP, is a Microsoft cloud service that detects and analyzes suspicious activity indicating a possible attack against an on-premises Active Directory environment. (Microsoft has since renamed the service Microsoft Defender for Identity; the concepts below still apply.)

In general terms, Azure ATP is capable of:

  • Detecting suspicious activity from user accounts and devices, using behavioral analytics and machine learning hosted in Microsoft's cloud.
  • Analyzing the collected information in real time, so a possible attack can be identified quickly.
  • Raising alerts based on that analysis.

The Azure ATP Architecture consists of the following components: 

Azure ATP Portal: The service has its own portal at https://portal.atp.azure.com. From this portal you create the workspace, configure the sensors, and view and monitor the information the configured sensors send.

Sensors: The sensors are the data-collection components, and they watch the Domain Controllers. There are two deployment options:

  • Option a: Azure ATP sensor. Installed directly on each Domain Controller, it reads the DC's network traffic and Windows event logs locally, so no port mirror or dedicated server is needed.
  • Option b: Azure ATP standalone sensor. If you prefer not to install software on your Domain Controllers, install the standalone sensor on a dedicated server that receives a copy of all Domain Controller traffic through a port mirror (or network TAP). A standalone sensor cannot read the DCs' Windows event logs by itself; those events must be forwarded to it (for example via Windows Event Forwarding or a SIEM), otherwise the event-based detections are lost.

Azure ATP Cloud Service: The component hosted in Azure infrastructure that receives the sensor data and provides the analytics ("Artificial Intelligence"), learning and alerting described below.

How it works:

The activities performed by Azure ATP service are: 

Collect: The sensors capture and forward the following kinds of information to the cloud service:

  • Authentication traffic to the Domain Controllers (NTLM and Kerberos).
  • DNS queries handled by the Domain Controllers.
  • Windows security events from the Domain Controllers' event logs (for example event 4776, NTLM credential validation, and the group-membership change events).

Analyze & Learn: From the sensors' network and event data, Azure ATP builds a behavioral profile (baseline) of each user and device using machine learning in Microsoft Azure; deviations from that baseline are what later surface as alerts.

Detect: Using those learned baselines together with deterministic detections, the ATP service is able to detect threats like:

  • Credential attacks
    • Pass-the-hash
    • Pass-the-ticket
  • Abnormal user behavior
    • Suspicious sign-ins
    • Impossible travel
  • Security risks
    • Weak protocols (for example legacy NTLM, or Kerberos tickets requested with weak encryption types)
    • Known vulnerabilities
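To make two of the categories above concrete, here is a toy implementation of an "impossible travel" detector and a "weak protocol" detector run over constructed sign-in records. This is an added example, not Azure ATP code, and it does not reproduce Microsoft's models: the 900 km/h threshold, the SignIn fields and the sample events are all assumptions made for the illustration. The auth_package / lm_package fields mimic the "Authentication Package" and "Package Name (NTLM only)" fields of Windows event 4624; the latitude/longitude is something a real pipeline would have to resolve from the source IP.

```python
"""Toy 'impossible travel' and 'weak protocol' detections (added example, not Azure ATP code).
Sign-in records are constructed inline; the 900 km/h threshold is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0            # roughly airliner speed; faster than this is "impossible"
WEAK_LM_PACKAGES = {"LM", "NTLM V1"}  # weak challenge/response variants reported in event 4624


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    auth_package: str  # "Kerberos" or "NTLM", as in event 4624 "Authentication Package"
    lm_package: str    # "NTLM V2", "NTLM V1", "LM" or "-" (Kerberos), as in "Package Name (NTLM only)"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user whose implied travel speed exceeds
    max_kmh. Returns tuples (user, first_time, second_time, km, kmh)."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < 1.0:  # same location; nothing to compute
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")  # simultaneous sign-ins far apart
            if kmh > max_kmh:
                findings.append((user, prev.when, cur.when, round(km), round(kmh)))
    return findings


def weak_protocols(events):
    """Flag NTLM sign-ins that negotiated LM or NTLMv1 instead of NTLMv2 or Kerberos."""
    return [(e.user, e.when, e.lm_package) for e in events
            if e.auth_package.upper() == "NTLM" and e.lm_package.upper() in WEAK_LM_PACKAGES]


# Constructed sample sign-ins (not real data).
T0 = datetime(2020, 5, 4, 9, 0, 0)
SAMPLE_EVENTS = [
    SignIn("alice", T0, 40.7128, -74.0060, "Kerberos", "-"),                             # New York
    SignIn("alice", T0 + timedelta(hours=1), 51.5074, -0.1278, "Kerberos", "-"),         # London, 1 h later
    SignIn("bob", T0, 47.6062, -122.3321, "NTLM", "NTLM V2"),                             # Seattle
    SignIn("bob", T0 + timedelta(hours=3), 47.6205, -122.3493, "NTLM", "NTLM V2"),        # Seattle, 2 km away
    SignIn("carol", T0 + timedelta(minutes=30), 47.6062, -122.3321, "NTLM", "NTLM V1"),  # legacy client
]


def run_detections(events=SAMPLE_EVENTS):
    """Run both detections and return their findings keyed by detection name."""
    return {"impossible_travel": impossible_travel(events),
            "weak_protocols": weak_protocols(events)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

Running it flags alice (New York to London in one hour, about 5,570 km, so several thousand km/h) and carol's NTLMv1 sign-in, while bob's two Seattle sign-ins three hours apart pass. The real service works from a learned baseline per user and device rather than a fixed threshold, which is why it can also catch the subtler "suspicious sign-in" cases a rule like this would miss.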

Alert & Investigate:

After signing in to the Azure ATP portal, you can see all the alerts generated by the analysis. Alerts are listed on a timeline from newest to oldest, and each alert shows the entities involved (users, computers, resources) and the steps of the suspected attack, so an analyst can follow the attack path end to end.

Alerts can also be exported to an Excel sheet for offline analysis or reporting.

Integrate: Azure ATP can be integrated with other services, such as:

  • Microsoft Cloud App Security (MCAS): a central monitoring platform that shows Azure ATP alerts alongside cloud-app activity (requires licensing considerations).
  • Microsoft Defender ATP: gives analysis and protection for endpoints, whereas Azure ATP is focused on Domain Controllers and identities, so the two integrated platforms give an extensive view of the network (requires licensing considerations).
  • Office 365 ATP: protects your inbox from attacks like phishing and provides an e-mail filtering service (requires licensing considerations).

How to get Azure ATP:

Azure ATP is available as part of the Enterprise Mobility + Security E5 suite (EMS E5) and of Microsoft 365 E5, as well as a standalone license. You can acquire the license directly from the Microsoft 365 admin portal or through the Cloud Solution Provider (CSP) licensing model.