Integrate Office 365 Threat Intelligence with Windows Defender Advanced Threat Protection

If you are part of your organization's security team, you can integrate Office 365 Advanced Threat Protection and Threat Intelligence features with Windows Defender Advanced Threat Protection. This can help you quickly understand if users' machines are at risk when you are investigating threats in Office 365. For example, once integration is enabled, you will be able to see a list of machines that are used by the recipients of a detected email message, as well as how many recent alerts those machines have in Windows Defender Advanced Threat Protection.

The following image shows the Devices tab that you'll see when you have Windows Defender Advanced Threat Protection integration enabled:

When Windows Defender ATP is enabled, you can see a list of machines with alerts.

In this example, you can see that the recipients of the email message have four devices and one has an alert. Clicking the link for a device opens its page in the Windows Defender Advanced Threat Protection portal.

Requirements

  • Your organization must have Office 365 Threat Intelligence and Windows Defender ATP.

  • You must be an Office 365 Global Administrator or have a security administrator role (such as Security Administrator) assigned in the Security & Compliance Center. (See Permissions in the Office 365 Security & Compliance Center.)

  • You must have access to both Office 365 Threat Intelligence and the Windows Defender Advanced Threat Protection portal.

To integrate Office 365 Threat Intelligence with Windows Defender ATP

Integration of Office 365 Threat Intelligence with Windows Defender Advanced Threat Protection is set up in two places: the Office 365 Security & Compliance Center and the Windows Defender Advanced Threat Protection portal.

  1. As an Office 365 global administrator or a security administrator, go to https://protection.office.com and sign in with your work or school account for Office 365.

  2. Choose Threat management > Explorer.

  3. In the upper right corner of the screen, choose WDATP Settings.

  4. In the Windows Defender ATP connection dialog box, turn on Connect to Windows ATP.

  5. Enable the connection in Windows Defender Advanced Threat Protection. See Use the Windows Defender Advanced Threat Protection portal.
