Windows Defender Advanced Threat Protection with Azure Security Center

Azure Security Center is extending its Cloud Workload Protection Platforms offering by integrating with Windows Defender Advanced Threat Protection (ATP). This change brings comprehensive Endpoint Detection and Response (EDR) capabilities. With Windows Defender ATP integration, you can spot abnormalities. You can also detect and respond to advanced attacks on server endpoints monitored by Azure Security Center.

Azure Security Center customers can now use features of Windows Defender ATP:

  • Next-generation post breach detection sensors: Windows Defender ATP sensors for Windows servers collect a vast array of behavioral signals.

  • Analytics-based, cloud-powered post breach detection: Windows Defender ATP quickly adapts to changing threats. It uses advanced analytics and big data. Windows Defender ATP is amplified by the power of the Intelligent Security Graph with signals across Windows, Azure, and Office to detect unknown threats. It provides actionable alerts and enables you to respond quickly.

  • Threat intelligence: Windows Defender ATP identifies attacker tools, techniques, and procedures. When it detects these, it generates alerts. It uses data generated by Microsoft threat hunters and security teams, augmented by intelligence provided by partners.

These capabilities are now available in Azure Security Center:

  • Automated onboarding: The Windows Defender ATP sensor is automatically enabled for Windows servers that are onboarded to Azure Security Center.

  • Single pane of glass: The Azure Security Center console displays Windows Defender ATP alerts.

  • Detailed machine investigation: Azure Security Center customers can access Windows Defender ATP console to perform a detailed investigation to uncover the scope of a breach.

Azure Security Center, displaying a list of alerts and general information about each alert

You can investigate the alert in Azure Security Center:

The alert investigation dashboard in Azure Security Center

You can further investigate the alert by pivoting to Windows Defender ATP. There you can see additional information such as the alert process tree and the incident graph. You can also see a detailed machine timeline that shows every behavior for a historical period of up to six months.

Windows Defender ATP page with detailed information about an alert

Platform support

This feature supports detection on Windows Server 2012 R2 and Windows Server 2016.

Only servers in subscriptions for the standard service tier are supported.

Onboarding servers to Security Center

To onboard servers to Security Center, click Go to Azure Security Center to onboard servers from the Windows Defender ATP server onboarding.

  1. In the Onboarding blade select or create a workspace in which to store the data.

  2. If you can’t see all your workspaces, it may be due to a lack of permissions, make sure your workspace is set to Azure Security Standard tier. For more information see Upgrade to Security Center's Standard tier for enhanced security.

  3. Select Add servers to view instructions on how to install the Microsoft Monitoring Agent.

  4. After onboarding, you can monitor the machines under Compute and apps.

    Onboard computers

Enable Windows Defender ATP integration

To view if Windows Defender ATP integration is enabled, select Security center > Security policy > Subscription > Edit settings.

Azure Security Center Policy Management

Here you can see the integrations currently enabled.

Azure Security Center Threat detection settings page with Windows Defender ATP integration enabled

  • If you've already onboarded the servers to Azure Security Center standard tier, you need take no further action. Azure Security Center will automatically onboard the servers to Windows Defender ATP. This might take up to 24 hours.

  • If you've never onboarded the servers to Azure Security Center standard tier, onboard them to Azure Security Center as usual.

  • If you've onboarded the servers through Windows Defender ATP:

Access to the Windows Defender ATP portal

Follow the instructions in Assign user access to the portal.

Set the firewall configuration

If you have a proxy or firewall that is blocking anonymous traffic, as a Windows Defender ATP sensor is connecting from the system context, make sure that anonymous traffic is permitted. Follow the instructions in Enable access to Windows Defender ATP service URLs in the proxy server.

Test the feature

To generate a benign Windows Defender ATP test alert:

  1. Use Remote Desktop to access either a Windows Server 2012 R2 VM or a Windows Server 2016 VM. Open a Command Prompt window.

  2. At the prompt, copy and run the following command. The Command Prompt window will close automatically.

    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe'); Start-Process 'C:\\test-WDATP-test\\invoice.exe'
    

    A Command Prompt window with the command above

  3. If the command is successful, you'll see a new alert on the Azure Security Center dashboard and the Windows Defender ATP portal. This alert might take a few minutes to appear.

  4. To review the alert in Security Center, go to Security Alerts > Suspicious Powershell CommandLine.

  5. From the investigation window, select the link to go to the Windows Defender ATP portal.

Next steps