What is Azure Advanced Threat Protection?

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Azure ATP enables SecOp analysts and security professionals struggling to detect advanced attacks in hybrid environments to:

  • Monitor users, entity behavior, and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

Monitor and profile user behavior and activities

Azure ATP monitors and analyzes user activities and information across your network, such as permissions and group membership, creating a behavioral baseline for each user. Azure ATP then identifies anomalies with adaptive built-in intelligence, giving you insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organization. Azure ATP's proprietary sensors monitor organizational domain controllers, providing a comprehensive view of all user activities from every device.

Protect user identities and reduce the attack surface

Azure ATP provides you invaluable insights on identity configurations and suggested security best practices. Through security reports and user profile analytics, Azure ATP helps dramatically reduce your organizational attack surface, making it harder to compromise user credentials and advance an attack. Azure ATP's visual Lateral Movement Paths help you quickly understand exactly how an attacker can move laterally inside your organization to compromise sensitive accounts, and assist in preventing those risks in advance. Azure ATP security reports help you identify users and devices that authenticate using clear-text passwords and provide additional insights to improve your organizational security posture and policies.

Identify suspicious activities and advanced attacks across the cyber-attack kill chain

Typically, attacks are launched against any accessible entity, such as a low-privileged user, and then quickly move laterally until the attacker gains access to valuable assets, such as sensitive accounts, domain administrators, and highly sensitive data. Azure ATP identifies these advanced threats at the source throughout the entire cyber-attack kill chain:


Identify rogue users' and attackers' attempts to gain information. Attackers search for information about user names, users' group membership, IP addresses assigned to devices, resources, and more, using a variety of methods.

Compromised credentials

Identify attempts to compromise user credentials using brute force attacks, failed authentications, user group membership changes, and other methods.

Lateral movements

Detect attempts to move laterally inside the network to gain further control of sensitive users, utilizing methods such as Pass the Ticket, Pass the Hash, Overpass the Hash, and more.

Domain dominance

Highlight attacker behavior if domain dominance is achieved, through remote code execution on the domain controller and methods such as DC Shadow, malicious domain controller replication, Golden Ticket activities, and more.

Investigate alerts and user activities

Azure ATP is designed to reduce general alert noise, providing only relevant, important security alerts in a simple, real-time organizational attack timeline. The Azure ATP attack timeline view allows you to easily stay focused on what matters, leveraging the intelligence of smart analytics. Use Azure ATP to quickly investigate threats and gain insights across the organization for users, devices, and network resources. Seamless integration with Microsoft Defender ATP provides another layer of enhanced security through additional detection of and protection against advanced persistent threats on the operating system.

Azure ATP Architecture

Microsoft Ignite

Microsoft Ignite 2018 featured multiple sessions focused on Azure Advanced Threat Protection. Sessions were recorded, so if you missed the event, we recommend you watch here:

Azure ATP

BRK3117 - SecOp and incident response with Azure ATP - watch the YouTube video

Azure ATP and Azure AD IP (Active Directory Identity Protection)

BRK3237 - Securing your hybrid cloud environment with Azure AD Identity Protection and Azure ATP - watch the YouTube video

BRK2157 - Accelerate deployment and adoption of Microsoft Information Protection solutions - watch the YouTube video

For a summary of Azure ATP announcements that were made at Ignite 2018, see the blog post Azure Advanced Threat Protection Expands Integrations, Detections, and Forensic Capabilities.

What's next?

We recommend deploying Azure ATP in three phases:

Phase 1

  1. Set up Azure ATP to protect your primary environments. Azure ATP's fast deployment model enables you to start protecting your organization today. Install Azure ATP
  2. Set sensitive accounts and honeytoken accounts.
  3. Review reports and lateral movement paths.

Phase 2

  1. Protect all the domain controllers and forests in your organization.
  2. Monitor all alerts; investigate lateral movement and domain dominance alerts.
  3. Work with the Security Alert guide to understand threats and triage potential attacks.

Phase 3

  1. Integrate Azure ATP alerts into your SecOp workflows.

