When you consider the modern IT landscape, one of the biggest challenges for IT departments is how to protect your users and data from the ever-changing, increasingly advanced threats that can target your environment. In the Microsoft 365 world, where you have users, email, and documents in the cloud (or in a hybrid cloud), this is particularly challenging. It is not possible to wrap a traditional firewall around your Microsoft 365 tenant or to deploy an old-style anti-virus solution, and yet it is absolutely crucial that you do everything you can to prevent malicious actors from gaining access to and disrupting your business's data and intellectual property.
Azure Advanced Threat Protection (Azure ATP) provides IT departments with the means to take preventative measures against modern threats and, in this chapter, we will discuss how Azure ATP works, as well as what the prerequisites and processes for configuring and implementing Azure ATP are. We will also review the Azure ATP sensor settings, which are used to examine data within your ATP instance. We will examine the Azure ATP health center, where you can see how your Azure ATP instance is performing, as well as view alerts and reports when there are problems. Finally, we will examine how Azure ATP is monitored and how to interpret security alerts.
We will cover these topics in the following order:
To identify your organization's needs in relation to Azure ATP, we first need to examine, in greater detail, exactly what Azure ATP is and what it can do. Essentially, Azure ATP is a security solution that is designed for use in hybrid cloud environments, where you have a mixture of on-premises and cloud users, data, and resources.
Azure ATP can monitor your on-premises domain controllers to identify and investigate advanced threats and compromised identities by using machine learning and behavioral algorithms to do the following:
Azure ATP can create behavioral profiles for your users and diligently analyze user activities and events to detect any advanced threats, compromised users, and malicious insiders that could threaten your organization. The information gathered by Azure ATP provides recommended security best practices and helps you significantly reduce the areas that are vulnerable to attack.
Let's look at Azure ATP in more detail, starting with how you can identify suspicious activity.
Let's first examine what represents suspicious user activity from an Azure ATP perspective. To understand this concept, you must first have an awareness of the cyber-attack kill chain, which describes the stages of a cyber-attack in order, from the beginning (referred to as the reconnaissance stage) to the end (which results in unauthorized data exfiltration).
Azure ATP focuses on the phases of the kill chain to detect suspicious activities, which can include the following:
It is crucial to understand these phases of the kill chain in order to identify suspicious activities in your Microsoft 365 environment.
Next, let's look at how we can identify advanced attacks and malicious activities.
By focusing on the phases of the kill chain, Azure ATP can protect your environment from attack vectors before they cause any damage or disruption. Decoy accounts can be set up and used to track any malicious activities within your environment and generate security alerts that can include the following:
The malicious activities listed here are only a few of the many that can generate security alerts within Azure ATP.
Important note
Please see the References section at the end of this chapter for links to further information and greater details on the available Azure ATP security alerts.
Before you can start working with Azure ATP, it is important to have an understanding of the Azure ATP architecture. Azure ATP is a combination of services and components that work together to provide your Microsoft 365 tenant with comprehensive protection from modern threats and attacks that may target your environment. The following diagram shows the architecture of Azure ATP:
Azure ATP can function to protect your hybrid identity by leveraging three key components, as follows:
When you create your Azure ATP instance using the Azure ATP portal, this enables you to integrate with Microsoft security services, configure your Azure ATP sensor settings for your domain controllers, and review the data retrieved by these sensors to interpret any suspicious and malicious activities.
The Azure ATP sensor can monitor on-premises domain controller ingress and egress traffic. It receives events from domain controllers, which can include information about on-premises users and computers. The information gathered is passed on to the Azure ATP cloud service.
So, how does this information help you to understand and plan for your organization's needs for Azure ATP deployment? Essentially, we can break this down by answering the following questions:
The simple answers to these questions are as follows:
It is Microsoft's recommended best practice to deploy Azure ATP in three stages.
The following steps should be completed for stage 1 of deploying Azure ATP:
The following steps should be completed for stage 2 of deploying Azure ATP:
The following step should be completed for stage 3 of deploying Azure ATP: integrate Azure ATP alerts into your security operations workflows, if applicable.
Important note
For detailed guidance on implementing Azure ATP in line with Microsoft best practice, please refer to the An overview of Azure ATP link that is included in the References section at the end of this chapter.
So, the preceding steps will help you understand the principles of Azure ATP and show you how you can prepare to configure it. Now, you are ready to set up your Azure ATP instance and start taking advantage of the various features and capabilities of the product.
In order to set up Azure ATP for the first time, you must first ensure that you have the required licenses. Azure ATP requires an Enterprise Mobility + Security E5 or Microsoft 365 E5 license in order to function. Azure ATP data centers are set up in the following locations:
Your Azure ATP instance will be automatically provisioned in the data center that is geographically closest to your Azure AD tenant. To begin setting up Azure ATP, log in to the Azure ATP portal, which can be accessed at https://portal.atp.azure.com, as a global administrator (or with a role that has the appropriate Role-Based Access Control (RBAC) permissions) and complete the following steps:
https://triprd1wceuw1sensorapi.atp.azure.com (for Europe)
https://triprd1wcuse1sensorapi.atp.azure.com (for the US)
Important note
Should you ever need to regenerate your access key, as in the following screenshot, you can do so without affecting the previous Azure ATP sensor installations.
Choose the installation path, as in the following screenshot. The wizard will alert you, at this point, if any of the prerequisites for installing the sensor are not met, such as insufficient disk space:
The preceding steps complete the initial setup of your Azure ATP instance. Should you need more sensors, you can repeat the preceding steps to do so.
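As an added example (not code from the book or from Microsoft), the following PowerShell script performs the checks an administrator would want to run on a domain controller around the sensor installation described above: free disk space on the install drive (the prerequisite the wizard warns about), outbound TLS reachability of the regional sensor API endpoint, and, after installation, whether the sensor service is running. The sensor service name `AATPSensor` and the 8 GB free-space threshold are assumptions, not values stated in the chapter.

```powershell
# Added example: pre-flight and post-install checks for an Azure ATP sensor.
# Run in an elevated PowerShell session on the domain controller.
param(
    # Regional sensor API endpoint (Europe shown; use the US host if that is your region).
    [string]$SensorApiHost = 'triprd1wceuw1sensorapi.atp.azure.com',
    [string]$InstallDrive  = 'C',
    [int]$MinFreeGB        = 8          # assumed threshold, not from the chapter
)

$results = [ordered]@{}

# 1. Free disk space on the install drive (the wizard refuses to install when space is short).
$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($InstallDrive):'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
$results['FreeSpaceGB']  = $freeGB
$results['DiskSpaceOK']  = $freeGB -ge $MinFreeGB

# 2. Outbound TCP 443 reachability to the sensor API endpoint the sensor reports to.
$tnc = Test-NetConnection -ComputerName $SensorApiHost -Port 443 -WarningAction SilentlyContinue
$results['SensorApiReachable'] = $tnc.TcpTestSucceeded

# 3. Post-install: the sensor service should exist and be running.
#    'AATPSensor' is the assumed service name of the Azure ATP sensor.
$svc = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue
$results['SensorServiceRunning'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

[pscustomobject]$results | Format-List
```

Run it once before starting the sensor setup wizard and again after it finishes; a `False` in any row points at the prerequisite or service to fix.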
Important note
It is possible to install a sensor onto either a domain controller or a dedicated server. When you deploy a sensor to a domain controller, it is installed as an Azure ATP sensor. However, when you deploy a sensor to a dedicated server and use port mirroring, it is installed as an Azure ATP standalone sensor.
By logging into the Azure ATP portal at https://portal.atp.azure.com and choosing the Configuration tab in the left menu, you can see all of the configuration options available to you within Azure ATP, as shown:
The Configuration section is divided into the following sub-sections:
Important note
Depending on your organizational requirements for Azure ATP, you may not need to configure all of the features within the preceding sub-sections. However, it is recommended that you familiarize yourself with all of the available options as you may be tested on these in the MS-500 exam.
So, we have now configured our Azure ATP instance and deployed the first Azure ATP sensor to a domain controller. Now that we have Azure ATP up and running in a basic form, we will look at how you can manage your Azure ATP instance and carry out monitoring and reporting tasks.
Now that we have deployed our Azure ATP instance, we can start managing and monitoring the service. It is important to review the Azure ATP portal regularly, in addition to creating alerts, to keep on top of all potential suspicious and malicious activities that may target your hybrid cloud identities.
There are a number of ways to manage and monitor the Azure ATP instance. Some of them are as follows:
We will now look at each of these in greater detail, starting with the security alerts timeline.
When you first launch the Azure ATP portal, it opens the security alerts timeline, as follows:
Important note
There are no alerts in my own timeline at the moment because the Azure ATP instance has just been generated on my tenant.
In the security alerts timeline, you can see any security alerts that have been detected in chronological order.
Security alerts contain events relating to the following information:
You can share any security alerts via email with other users in your organization and you can also export a security alert to Excel. Some examples of the types of activities you could see in your timeline are as follows:
You should review the security alerts timeline regularly in order to respond to and classify any recorded alerts. Microsoft has the following classifications for security alerts:
If you have a large number of security alerts to review on your timeline, you can filter the alerts by status: All, Open, Closed, or Suppressed. You can also filter further by severity: High, Medium, or Low.
The Azure ATP Reports section is the second option visible on the sidebar from the Azure ATP portal, as follows:
In Reports, you can generate and download reports relating to suspicious activities and system health. You can also schedule regular reports from the top-right corner of the screen, as follows:
Important note
You can also access Scheduled reports from the Notifications and Reports section of the Configuration screen within Azure ATP.
When you choose to schedule a report, you will see the following options for the built-in reports in Azure ATP:
The reports available within Azure ATP are as follows:
When scheduling one of these reports, you have the following configuration options:
You can choose to send a report on a daily, weekly, or monthly basis. You can also choose the time of day that the report will be sent and you can choose the recipients who should receive the report via email.
When you have configured your report schedule settings, they will be shown on the Scheduled reports page, as follows:
If you choose to download one of the reports from the Azure ATP portal, the report is exported to Microsoft Excel, as in the following example, which shows the downloaded Summary report. There are two tabs available:
When using Azure ATP in your environment, reports are an excellent way for you to diligently and proactively assess activities within your Azure ATP instance. It is highly recommended that you schedule regular reports to be emailed to administrators.
The Azure ATP workspace health center can be accessed from the Azure ATP portal by clicking on the heart icon, as follows:
The health center shows you the performance information that relates to your Azure ATP workspace and alerts you on any issues. Should there be any potential problems, the health center icon will display a red dot, as in the preceding screenshot, so you have a clear visual indication when there are health issues that require your attention.
In the following example (which shows the health center of the Azure ATP instance that we set up in the previous section of this chapter), we can see that there is already a reported issue that requires attention. When we set up the Azure ATP instance on this tenant, we purposely selected an AD user account whose password is soon to expire, knowing that this would generate an alert:
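The health center alert described above is triggered by the password of the Active Directory account that Azure ATP uses to read the directory approaching expiry. As an added example (not code from the book), this PowerShell script checks that account's computed password expiry so you can rotate the password before the health center raises the alert. The account name `svc-azureatp` is a placeholder and the 14-day warning window is an assumed value.

```powershell
# Added example: warn when the Azure ATP directory account's password is about to expire.
# Requires the ActiveDirectory module (RSAT) and read access to the account.
param(
    [string]$ServiceAccount = 'svc-azureatp',   # placeholder: use your own account name
    [int]$WarnDays = 14                          # assumed warning window
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $ServiceAccount -Properties PasswordNeverExpires, PasswordLastSet,
                                                          'msDS-UserPasswordExpiryTimeComputed'

if ($user.PasswordNeverExpires) {
    "${ServiceAccount}: password is set to never expire; no health center expiry alert will be raised."
    return
}

$raw = $user.'msDS-UserPasswordExpiryTimeComputed'
if ($raw -eq 0) {
    "${ServiceAccount}: password must be changed at next logon; Azure ATP cannot use it until then."
    return
}

# The attribute is a Windows FILETIME; convert it to a local DateTime.
$expiry   = [DateTime]::FromFileTime($raw)
$daysLeft = [int][math]::Floor(($expiry - (Get-Date)).TotalDays)

if ($daysLeft -le $WarnDays) {
    "WARNING: ${ServiceAccount} password expires on $expiry ($daysLeft days left). " +
    "Rotate it and update the stored credentials in the Azure ATP portal's Configuration section."
} else {
    "${ServiceAccount} password expires on $expiry ($daysLeft days left)."
}
```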
There are three alert types in the Azure ATP health center, which are as follows:
Alerts provide you with a lot of detail as to what the issue is and also suggest corrective measures that can be taken. Any open issues that appear in your Azure ATP instance can be addressed by clicking on the ellipsis in the right-hand corner of the alert, as follows:
From the open alert, you can select from one of the available options, as follows:
In the previous example, we closed the alert that was detected in the Azure ATP health center and it now shows in the Closed alerts section:
If we click on the ellipsis, we can reopen the alert if we need to, as follows:
If we chose to suppress the activity instead of closing it, the activity would move to the Suppressed alerts section. We would have the same option to reopen the alert from the Suppressed section as we did from the Closed section, if required.
Important note
If you close an activity and Azure ATP detects a recurrence within a short time frame, Azure ATP may automatically reopen the activity.
Each detected activity is assigned one of three severity levels, depending on the seriousness of the issue. They are as follows:
The Azure ATP health center is an extremely useful tool for Microsoft 365 administrators and will enable you to diligently and proactively respond to any suspicious or malicious activities detected in your environment. We have shown you how it can be used to monitor alerts recorded by Azure ATP and how to understand the different levels of alerts and their varying severity. You have also learned how to change the status of alerts by closing or suppressing them.
In this chapter, we examined Azure ATP, which is a feature included with Enterprise Mobility + Security E5 that enables you to protect your Microsoft 365 hybrid cloud environment against malicious actors who are attempting to access vulnerable user accounts and conduct reconnaissance activities in order to gain elevation of privilege and achieve domain dominance.
We showed you how to configure your Azure ATP instance in the Azure ATP portal and install sensors onto domain controllers or dedicated servers. We then examined how the Azure ATP portal establishes a timeline of suspicious and malicious activities, the steps you can take to review and resolve these within the Azure ATP health center, and how to use reports and report schedules.
In the next chapter, we will examine the principles of Windows Defender ATP. We will show you how to plan for and configure Windows Defender ATP, and how it can be used to protect your Windows devices.
a. A domain controller
b. A Windows 10 workstation
c. A dedicated Windows server
a. Hourly
b. Daily
c. Weekly
d. Monthly
a. True
b. False
a. The Azure ATP portal
b. The Azure ATP sensor
c. The Azure ATP configuration manager
d. The Azure ATP cloud service
e. The Azure ATP cloud app security
a. True
b. False
a. Open
b. Pending
c. Suppressed
d. Closed
e. Deferred
a. Modifications to sensitive groups report
b. Directory services report
c. Summary report
d. Lateral movements paths to sensitive accounts report
a. True
b. False
a. Excel (.xlsx)
b. Word (.docx)
c. .txt
d. .xml
a. True
b. False
Please refer to the following links for more information: