Skip to content

enabling Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) is a cloud service that helps protect your enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats.

How Azure ATP works

Azure ATP leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by Azure ATP via either:

  • Deploying Azure ATP sensors directly on your domain controllers
  • Port mirroring from Domain Controllers and DNS servers to the Azure ATP standalone sensor

Azure ATP takes information from multiple data-sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization and build a behavioral profile about them. Azure ATP can receive events and logs from:

  • SIEM Integration
  • Windows Event Forwarding (WEF)
  • Directly from the Windows Event Collector (for the sensor)
  • RADIUS Accounting from VPNs


go to and create an Azure ATP workspace

Optionally turn on integration with Windows Defender ATP


Type credentials to local Active Directory and press Save.

Download Sensor Setup files

Extract and install setup files on a domain controller.

Optionally setup automatic reboots for when the Azure Advaced Threat Protetion Sensor updates.


Reboot server and continue the installation.

insert Azure ATP workspace Access Key


locate “HEALTH” and click “Not Config…”

Enable network capture and enable Domain synchronizer candidate.

overview of failed logon attempts


Published inActive DirectoryWindows Azure

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *