Azure Advanced Threat Protection integration

Applies to: Microsoft Cloud App Security

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Microsoft Cloud App Security integrates with Azure Advanced Threat Protection (Azure ATP) to provide user entity behavioral analytics (UEBA) across a hybrid environment, covering both cloud apps and on-premises activity. For more information, see Tutorial: Investigate risky users. For more information about the machine learning and behavioral analytics provided by Azure ATP, see What is Azure ATP?

Prerequisites

For complete user investigation across a hybrid environment, you must have:

  • A valid license for Azure ATP connected to your Active Directory instance
  • Azure Active Directory global admin rights, which are required to enable the integration between Azure ATP and Cloud App Security

Note

  • If you don't have a subscription for Microsoft Cloud App Security, you will still be able to use Cloud App Security to get Azure ATP insights.
  • Azure ATP administrators may require new permissions to access Cloud App Security. To learn how to assign permissions to Cloud App Security, see Manage admin access.

Enable Azure ATP

To enable Cloud App Security integration with Azure ATP:

  1. In Cloud App Security, under the settings cog, select Settings.


  2. Under Threat Protection, select Azure ATP.


  3. Select Enable Azure ATP data integration and then click Save.

Note

It may take up to 12 hours until the integration takes effect.

After enabling Azure ATP integration, you'll be able to see on-premises activities for all the users in your organization. You will also get advanced insights on your users that combine alerts and suspicious activities across your cloud and on-premises environments. Additionally, policies from Azure ATP will appear on the Cloud App Security policies page. For a list of Azure ATP policies, see Security Alerts.

You should also use the Azure ATP configuration links to configure Azure ATP settings that are relevant to Cloud App Security. Use the following information to learn more about these settings:

Disable Azure ATP

To disable Cloud App Security integration with Azure ATP:

  1. In Cloud App Security, under the settings cog, select Settings.

  2. Under Threat Protection, select Azure ATP.

  3. Clear Enable Azure ATP data integration and then click Save.

Note

When the integration is disabled, existing Azure ATP data is kept in accordance with Cloud App Security retention policies, but the Identity Security Posture assessments section is removed.

Known issues

Missing SIEM alert updates

This issue affects alerts that are triggered more than once. The first instance of the alert is sent to the SIEM, but subsequent triggers of the same alert are not sent.

Resolution

No known resolution.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.