theCloudXperts

Demystifying Microsoft Cyber Security Products: Advanced Threat Analytics & Advanced Threat Protection (ATA/ATP)


Cyber threats are emerging more frequently and becoming more prevalent. To protect your organisation from those threats, Microsoft offers cyber security products for every area of your organisation: on-premises servers, networks, desktops, email, apps, cloud, and storage. I will discuss two in-demand Microsoft security products, Advanced Threat Analytics and Advanced Threat Protection.

Microsoft Advanced Threat Analytics / ATA

Traditional IT security tools provide limited protection against sophisticated cyber-security attacks. Microsoft Advanced Threat Analytics lets you see the intruder before they can hurt your bottom line. Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.

Microsoft Advanced Threat Analytics (ATA) provides a simple and fast way to understand what is happening within your network by identifying suspicious user and device activity with built-in intelligence and providing clear and relevant threat information on a simple attack timeline.

Key Features: 

  • Detect threats fast with behavioural analytics
  • Simple, actionable attack timeline
  • Mobility support
  • Organizational Security Graph
  • Reduce false positive fatigue
  • Prioritise and plan for next steps
  • SIEM Integration
  • Email Alerts

ATA provides detection for the phases of an advanced attack: reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance, and others.

Advanced Threat Protection / ATP

Microsoft Advanced Threat Protection comes in three flavours. Each of the three products protects a different area of the organisation from cyber attack.

Azure Advanced Threat Protection (ATP)

Azure Advanced Threat Protection (ATP) is a cloud-based security solution, in contrast to ATA. Azure ATP parses network traffic via on-premises ATP sensors, which function very similarly to ATA gateways, but all parsed data is sent to the Azure cloud for analysis and reporting. The service identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

The Azure ATP sensor plays a vital role in the Azure ATP solution. It reads events locally and supports Event Tracing for Windows (ETW); the ETW-based detections include both Suspicious Replication Request and Suspicious Domain Controller Promotion, both of which are potential DCShadow attacks. Azure ATP analyzes the logs of the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757, and 7045.
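A check a practitioner might run on a domain controller to confirm that the events listed above are actually being written (an added example, not from the original post or from Microsoft). The seven-day look-back window and the English audit subcategory names are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller.
# Event IDs are the ones listed above; descriptions are the standard Windows meanings.
$required = @(
    @{ Log = 'Security'; Id = 4776; Meaning = 'Credential validation (NTLM)' }
    @{ Log = 'Security'; Id = 4728; Meaning = 'Member added to global security group' }
    @{ Log = 'Security'; Id = 4729; Meaning = 'Member removed from global security group' }
    @{ Log = 'Security'; Id = 4732; Meaning = 'Member added to local security group' }
    @{ Log = 'Security'; Id = 4733; Meaning = 'Member removed from local security group' }
    @{ Log = 'Security'; Id = 4756; Meaning = 'Member added to universal security group' }
    @{ Log = 'Security'; Id = 4757; Meaning = 'Member removed from universal security group' }
    @{ Log = 'System';   Id = 7045; Meaning = 'New service installed' }
)

$since = (Get-Date).AddDays(-7)   # assumed look-back window

$report = foreach ($r in $required) {
    $filter = @{ LogName = $r.Log; Id = $r.Id; StartTime = $since }
    # Get-WinEvent raises an error when nothing matches, so suppress it and test for $null.
    $latest = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Log      = $r.Log
        EventId  = $r.Id
        Meaning  = $r.Meaning
        LastSeen = if ($latest) { $latest.TimeCreated } else { 'none in window' }
    }
}
$report | Format-Table -AutoSize

# A quiet week can legitimately produce no group-change events, so also check
# that the audit subcategories writing the Security-log events are enabled.
# 7045 is written to the System log by the Service Control Manager and needs no audit policy.
# Subcategory names assume an English-language OS.
foreach ($sub in 'Credential Validation', 'Security Group Management') {
    auditpol /get /subcategory:"$sub"
}
```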


Azure ATP is composed of the Azure ATP cloud service, which consists of the Azure ATP portal, the Azure ATP sensor and/or the Azure ATP standalone sensor. 

Key Features: 

  • Detect and investigate advanced attacks on-premises and in the cloud.
  • Identify suspicious user and device activity with both known-technique detection and behavioural analytics.
  • Analyse threat intelligence from the cloud and on premises.
  • Protect user identities and credentials stored in Active Directory.
  • View clear attack information on a simple timeline for fast triage
  • Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection
  • Investigate alerts and user activities

Windows Defender Advanced Threat Protection (Windows Defender ATP)

The Windows Defender ATP solution is designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It is included with Windows 10 Enterprise E5, Windows 10 Education E5, or Microsoft 365 E5 (which includes Windows 10 Enterprise E5). You need to create a dedicated cloud instance of Windows Defender Security Center by configuring it in the Windows Defender Security Center, and machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them.

Key Capabilities 

  • Attack surface reduction
  • Next generation cloud protection / Microsoft Advanced Protection Service (MAPS)
  • Auto investigation and remediation
  • Endpoint detection and response
  • Secure score: security posture to help you assess the security state.
  • Advanced hunting: using a powerful search and query tool and custom detection rules
  • Supports a rich set of application programming interfaces (APIs)
  • Windows Defender ATP supports SIEM tools to pull alerts
  • Windows Defender ATP includes a built-in PowerBI based reporting solution


Office 365 Advanced Threat Protection (Office 365 ATP)

Finally, the third ATP product is Office 365 Advanced Threat Protection. Office 365 ATP is an improvement to Exchange Online Protection. It is an email filtering service that protects organizations from unknown threats in real time using these additional features:

  • ATP Safe Attachments (protection through Office 365 ATP is determined by policies that your organization’s security team defines for Safe Links, Safe Attachments, and Anti-Phishing)
  • ATP Safe Links (ATP Safe Links can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents)
  • Identifying and blocking malicious files in online libraries with ATP for SharePoint, OneDrive, and Microsoft Teams
  • Spoof Intelligence: review all senders who are spoofing either domains that are part of your organization or external domains.
  • ATP anti-phishing: applies a set of machine learning models together with impersonation detection algorithms to incoming messages to provide protection against commodity and spear phishing attacks.
