Applies to: Azure Advanced Threat Protection
Azure ATP readiness guide
This article provides you with a readiness roadmap that gives you a list of resources that assist you getting started with Azure Advanced Threat Protection.
Understanding Azure ATP
Azure Advanced Threat Protection (ATP) is a cloud service that helps identify and protect your enterprise from multiple types of advanced targeted cyber-attacks and insider threats. To learn more about Azure ATP:
- Azure ATP overview
- Azure ATP introductory video (25 minutes)- Full
- Azure ATP deep dive video (75 minutes)- Full
Azure ATP is comprised of a Cloud Service residing in Azure, and integrated sensors that can be installed on a domain controller or standalone sensors on dedicated servers. Before you get Azure ATP up and running, it's important to choose the type of sensors that best suit your deployment and needs. Azure ATP integrated sensors (Azure ATP sensors) provide enhanced security, lower operational costs and easier deployment than Azure ATP standalone sensors. Azure ATP standalone sensors require physical hardware, additionl configuration steps and heavier operational costs.
If you are using physical servers, capacity planning is critical. Get help from the sizing tool to allocate space for your sensors:
- Azure ATP sizing tool - The sizing tool automates collection of the amount of traffic Azure ATP monitors. It automatically provides supportability and resource recommendations for sensors.
- ATP capacity planning guidance
Deploy Azure ATP
These resources will help you set up Azure ATP, connect to Active Directory, download the sensor package, set up event collection and optionally integrate with your VPN and set up honeytoken accounts and exclusions.
- Try Azure ATP (part of EMS E5) The trial is valid for 90 days.
- Azure ATP Set up Deploy Azure ATP in your environment following these steps.
- Integrate Azure ATP with Windows Defender ATP
Azure ATP settings
The basic settings necessary in Azure ATP are configured automatically when creating your instance. There are several additional configurable settings in Azure ATP to improve detection and alert accuracy for your environment, such as VPN integration, SAM required permissions, and advanced audit policy settings.
- VPN integration
- SAM-R required permissions
- Audit policy settings – Audit your domain controller health before and after an ATP deployment.
Work with Azure ATP
After Azure ATP is up and running, view security alerts in the Azure ATP portal activity timeline. The activity timeline is the default landing page after logging in to the Azure ATP portal. By default, all open security alerts are shown on the attack time line. You can also see the severity assigned to each alert. Investigate each alert by drilling down into the entities (computers, devices, users) to open their profile pages with more information. Lateral movement paths show potential moves that can be made in your network and sensitive users at risk. Investigate and remediate exposure uding the lateral movement path detection graphs. These resources help you work with Azure ATP's security alerts:
- Azure ATP security alert guide Learn to triage and take the next steps with your Azure ATP detections.
- Azure ATP lateral movement paths
- Tag groups as sensitive Gain visibility into credential exposure on sensitive security groups.
Security best practices
- Azure ATP Frequently Asked Questions - This article provides a list of frequently asked questions about Azure ATP and provides insight and answers.
Blog: Azure ATP blog
Public Community: Azure ATP Tech Community
Private Community: Azure ATP Yammer Group
Channel 9: Microsoft Security Channel 9 page