Azure ATP readiness guide

This article provides a readiness roadmap: a list of resources that help you get started with Azure Advanced Threat Protection.

Understanding Azure ATP

Azure Advanced Threat Protection (ATP) is a cloud service that helps identify and protect your enterprise from multiple types of advanced targeted cyber-attacks and insider threats.

To learn more about Azure ATP:

Deployment decisions

Azure ATP consists of a cloud service residing in Azure and sensors that are either integrated (installed directly on domain controllers) or standalone (installed on dedicated servers). Before you get Azure ATP up and running, it's important to choose the type of sensor that best suits your deployment and needs. Azure ATP integrated sensors (Azure ATP sensors) provide enhanced security, lower operational costs, and easier deployment than Azure ATP standalone sensors. Azure ATP standalone sensors require physical hardware and additional configuration steps, and they incur higher operational costs.

If you are using physical servers, capacity planning is critical. Get help from the sizing tool to allocate capacity for your sensors:

Deploy Azure ATP

Use these resources to help you set up Azure ATP: connect to Active Directory, download the sensor package, set up event collection, optionally integrate with your VPN, and set up honeytoken accounts and exclusions.

Azure ATP settings

When you create your Azure ATP instance, the basic settings necessary for it to operate are configured automatically. Several additional settings in Azure ATP can be configured to improve detection and alert accuracy for your environment, such as VPN integration, SAM required permissions, and advanced audit policy settings.

Work with Azure ATP

After Azure ATP is up and running, view security alerts in the Azure ATP portal activity timeline. The activity timeline is the default landing page after you log in to the Azure ATP portal. By default, all open security alerts are shown on the activity timeline, along with the severity assigned to each alert. Investigate an alert by drilling down into the entities involved (computers, devices, users) to open their profile pages, which contain more information. Lateral movement paths show the potential moves that can be made within your network and which sensitive users are at risk. Investigate and remediate that exposure using the lateral movement path detection graphs. These resources help you work with Azure ATP's security alerts:

Security best practices

Community resources

Blog: Azure ATP blog

Public Community: Azure ATP Tech Community

Private Community: Azure ATP Yammer Group

Channel 9: Microsoft Security Channel 9 page

See Also