All About Azure ATP: Comprehensive Overview

Azure ATP, now known as Microsoft Defender for Identity, helps you detect and investigate advanced attacks and insider threats across on-premises, cloud, and hybrid environments. Using Azure ATP, you can monitor your identity and network traffic and identify and track malicious activity in your environment. With its end-to-end investigation experience, you can use Azure ATP to pivot between an entity’s behavior across the organization and the behavior of a specific endpoint (by using Windows Defender ATP).

What is Azure ATP in simple language?

For security operators, analysts, and professionals who are struggling to detect advanced attacks in a hybrid environment, Azure ATP is a threat protection solution that helps:

  • Detect and identify suspicious user and device activity with learning-based analytics

  • Leverage threat intelligence across the cloud and on-premises environments

  • Protect user identities and credentials stored in Active Directory

  • Provide clear attack information on a simple timeline for fast triaging

  • Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection

Cloud-based intelligence

Leveraging the scale and intelligence of Azure, when we detect a new possible threat or attack method, we can automatically update all active tenants. This means that your threat detection capabilities are always up to date.

Investigate alerts and user activities

Azure ATP is designed to reduce general alert noise, providing only relevant, important security alerts in a simple, real-time organizational attack timeline. The Azure ATP attack timeline view allows you to easily stay focused on what matters, leveraging the intelligence of smart analytics. Use Azure ATP to quickly investigate threats, and gain insights across the organization for users, devices, and network resources. Seamless integration with Windows Defender ATP provides another layer of enhanced security by additional detection and protection against advanced persistent threats on the operating system.

License required to use Azure ATP / Microsoft Defender for Identity

To use Microsoft Defender for Identity, you need one of the following licenses:

  • Enterprise Mobility + Security E5 (EMS E5/A5)

  • Microsoft 365 E5 (Microsoft E5/A5/G5)

  • Microsoft 365 F5 Security + Compliance (requires Microsoft 365 F1/F3 or Office 365 F3 and Enterprise Mobility + Security E3)

  • Standalone Defender for Identity license

Office 365 ATP, Windows Defender ATP, and Azure ATP together offer a defense-in-depth mechanism as follows:

  • Since most malware attacks arrive by email, Office 365 ATP can be considered the first line of defense.

  • If Office 365 ATP fails to identify the malware, then the device endpoint Windows Defender ATP will try to catch the malware by identifying unusual privilege elevation or strange behavior on the machine.

  • If identity theft was successful, then you can use Azure ATP to monitor how the attacker is using that identity to move from one machine to another. That is, after successful credential theft, you can see what activities the attacker is performing with that stolen identity.

Thank you, please share if you feel it relates to your job.
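The third layer of the defense-in-depth list above, watching how a stolen identity moves from machine to machine, is the kind of signal an identity-monitoring product builds from authentication events. The following is an added example, not code from the original post and not Microsoft Defender for Identity code: a toy detector over a constructed set of Windows network-logon records (event 4624, logon type 3) that flags an account reaching an unusual number of distinct target hosts inside a short window, and separately flags logons from a source workstation outside the account's learned baseline. The event sample, the baseline, and the thresholds are all constructed assumptions.

```python
"""Toy lateral-movement detector over constructed Windows logon events.

Added example, not part of the original post and not Defender for Identity
code. It mimics two identity-centric signals: one account fanning out to
many hosts in a short window, and an account authenticating from a source
workstation it has never used before. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network logons (event 4624, logon type 3).
# Fields: timestamp, account, source workstation, target host.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "alice", "WS01", "FS01"),
    ("2024-03-01T09:05:00", "alice", "WS01", "FS01"),
    ("2024-03-01T09:40:00", "alice", "WS01", "PRINT01"),
    ("2024-03-01T10:00:00", "bob", "WS07", "FS01"),
    ("2024-03-01T10:01:00", "bob", "WS07", "SQL01"),
    ("2024-03-01T10:02:30", "bob", "WS07", "DC01"),
    ("2024-03-01T10:03:10", "bob", "WS07", "WS12"),
    ("2024-03-01T10:04:00", "bob", "WS07", "WS13"),
    ("2024-03-01T13:00:00", "carol", "WS03", "DC01"),
]

# Constructed per-account baseline of source workstations, standing in for
# the learning period a real product would use to build this profile.
BASELINE = {
    "alice": {"WS01"},
    "bob": {"WS07"},
    "carol": {"WS09"},
}


def parse_events(rows):
    """Turn the raw tuples into (datetime, account, source, target)."""
    return [(datetime.fromisoformat(t), acct, src, dst)
            for t, acct, src, dst in rows]


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=4):
    """Return {account: sorted target hosts} for every account that reached
    `threshold` distinct target hosts within any sliding `window`.

    A single user normally touches a handful of servers; a credential used
    for lateral movement tends to hit many hosts in quick succession.
    """
    by_account = defaultdict(list)
    for ts, acct, _src, dst in sorted(events):
        by_account[acct].append((ts, dst))

    alerts = {}
    for acct, items in by_account.items():
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            targets = {dst for _, dst in items[start:end + 1]}
            if len(targets) >= threshold:
                alerts[acct] = sorted(targets)
                break
    return alerts


def new_source_alerts(events, baseline):
    """Return (account, source, target) for logons whose source workstation
    is not in the account's learned baseline."""
    return [(acct, src, dst) for _, acct, src, dst in sorted(events)
            if src not in baseline.get(acct, set())]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("fan-out:", fan_out_alerts(evts))
    print("new source:", new_source_alerts(evts, BASELINE))
```

With the constructed data, `bob` trips the fan-out rule (four distinct hosts in just over three minutes) and `carol` trips the new-source rule because the logon comes from WS03 while the baseline only knows WS09. The thresholds are deliberately simple; a production detector would learn per-account and per-host norms rather than use fixed numbers.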


Written by

SUJIT KUMAR SAHOO