Azure ATP monitors your domain controllers by capturing and parsing network traffic and leveraging Windows events directly from your domain controllers, then analyzes the data for attacks and threats. Utilizing profiling, deterministic detection, machine learning, and behavioral algorithms Azure ATP learns about your network, enables detection of anomalies, and warns you of suspicious activities.
The Azure ATP sensor supports installation on a domain controller running Windows Server 2008 R2 SP1 (not including Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (including Core but not Nano).
The domain controller can be a read-only domain controller (RODC).
For your domain controllers to communicate with the cloud service, you must open port 443 in your firewalls and proxies to *.atp.azure.com.
During installation, the .Net Framework 4.7 is installed and might require a reboot of the domain controller, if a restart is already pending.
The Azure ATP sensor monitors the local traffic on all of the domain controller’s network adapters.
After deployment, you can use the Azure ATP workspace portal if you want to modify which network adapters are monitored.
The sensor is not supported on domain controllers running Windows 2008 R2 with Broadcom Network Adapter Teaming enabled.
Azure ATP Components
- Azure ATP portal
The Azure ATP portal allows you to create your Azure ATP instance, displays the data received from Azure ATP sensors and enables you to monitor, manage, and investigate threats in your network environment. - Azure ATP sensor
Azure ATP sensors are installed directly on your domain controllers. The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring. - Azure ATP cloud service
Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. Azure ATP cloud service is connected to Microsoft’s intelligent security graph.
Try selecting and removing or editing the caption, now you don’t have to be careful about selecting the image or other text by mistake and ruining the presentation.
Deployment Options
There are two Azure advanced threat protection deployment options, that is, you have two methods to collect logs from :
- Download an agent (Azure ATP sensor) on each domain controller in your environment, and that agent will send data directly to the cloud service.
- Configure a server (Azure standalone sensor), that receives a copy of all traffic sent to domain controllers via port mirroring.
ATP Deployment
Once you have decided your option , You need to take following steps to deploy Azure Advance Threat Protection
- Create an Azure ATP workplace. : To successfully login to the Azure ATP portal, you have to log in with a user assigned to an Azure Active Directory security group with access to the Azure ATP portal.
You can enter the Azure ATP portal either by logging in to the portal https://portal.atp.azure.com and selecting the relevant or browsing to the workspace URL: https://workspacename.atp.azure.com. - Install Azure ATP sensor. : After downloading the package, go to your Azure ATP standalone sensor server, that is configured with port mirroring to capture domain controller’s traffic and run the installation. The installation will immediately detect that this server is not a domain controller, and will try to install Azure ATP standalone sensor server, and not the Azure ATP sensor
- VPN Integration. : Azure Advanced Threat Protection (ATP) can collect accounting information from VPN solutions. When configured, the user’s profile page includes information from the VPN connections, such as the IP addresses and locations where connections originated. This complements the investigation process by providing additional information on user activity as well as a new detection for abnormal VPN connections. The call to resolve an external IP address to a location is anonymous. No personal identifier is sent in this call.
Azure ATP integrates with your VPN solution by listening to RADIUS accounting events forwarded to the Azure ATP sensors. - Configure , Honeytoken accounts are dummy accounts that you create with a name that attract hackers to attack first.
- Configure exclusions, browse to the Exclusions section in the Azure ATP management portal.
- Configure Sensitive Accounts by automatic or manual tagging
- One of the most important parts during your Azure advanced threat protection deployment is to configure event forwarding. If the sensor is installed directly on the DC, then nothing to worry about, but if you are using Azure ATP sensor standalone, then remember that you need to send some Windows Events from your DC to your Azure ATP sensor standalone server using either Windows Event Forwarding or via SIEM integration.
- Configure your proxy server manually using a registry-based static proxy, to allow Azure ATP sensor to report diagnostic data and communicate with Azure ATP cloud service when a computer is not permitted to connect to the Internet.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with the Azure ATP service in port 443:
| Service location | .Atp.Azure.com DNS record |
|---|---|
| US | triprd1wcusw1sensorapi.atp.azure.com triprd1wcuswb1sensorapi.atp.azure.com triprd1wcuse1sensorapi.atp.azure.com |
| Europe | triprd1wceun1sensorapi.atp.azure.com triprd1wceuw1sensorapi.atp.azure.com |
| Asia | triprd1wcasse1sensorapi.atp.azure.com |
Integrate Azure ATP with Windows Defender ATP
Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP, for an even more complete threat protection solution. While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment.
- Click Configuration, and under Data sources select Windows Defender ATP. Then click the link to Workspace management. This is only available if you have a license for Windows Defender ATP and you already performed the on-boarding process for Windows Defender ATP. Turn the integration On
- In the Windows Defender ATP portal, go to Settings, Advanced features and set Azure ATP integration to ON.
Types of Azure ATP security groups
Azure ATP provides three types of security groups:
- Azure ATP (workspace name) Administrators
- Azure ATP (workspace name) Users
- Azure ATP (workspace name) Viewers.