Azure Advanced Threat Protection (ATP) is a cloud service that helps protect your enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats.
How Azure ATP works
Azure ATP leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by Azure ATP via either:
- Deploying Azure ATP sensors directly on your domain controllers
- Port mirroring from Domain Controllers and DNS servers to the Azure ATP standalone sensor
Azure ATP takes information from multiple data sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization and build a behavioral profile for them. Azure ATP can receive events and logs from:
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (for the sensor)
- RADIUS Accounting from VPNs
Setting up Azure ATP
1. Go to https://portal.atp.azure.com/ and create an Azure ATP workspace.
2. Optionally turn on integration with Windows Defender ATP.
3. Type the credentials for the local Active Directory and press Save.
4. Download the sensor setup files.
5. Extract and install the setup files on a domain controller.
6. Optionally set up automatic reboots for when the Azure Advanced Threat Protection Sensor updates.
7. Reboot the server and continue the installation.
8. Insert the Azure ATP workspace Access Key.
9. Locate “HEALTH” and click “Not Config…”.
10. Enable network capture and enable Domain synchronizer candidate.
(Figure: overview of failed logon attempts)
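The sensor install and the post-reboot health check from the steps above can also be run unattended from an elevated PowerShell prompt on the domain controller; this is an added example, not the page's own procedure, and it assumes the setup files were extracted to the placeholder path C:\ATPSensor and that the Access Key is typed in at run time (the silent-install switches follow Microsoft's documented syntax for the sensor installer, and the 3010 exit code is the standard Windows "reboot required" convention).

```powershell
# Added example: unattended Azure ATP sensor install on a domain controller,
# followed by a check that the two sensor services are running.
# Assumptions: setup files already extracted to C:\ATPSensor (placeholder path);
# the workspace Access Key is entered interactively and never stored in the script.

$SetupPath = 'C:\ATPSensor\Azure ATP sensor Setup.exe'   # placeholder path
$SecureKey = Read-Host -Prompt 'Azure ATP workspace Access Key' -AsSecureString
$PlainKey  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureKey))

# Documented silent-install switches: /quiet for the sensor installer,
# NetFrameworkCommandLineArguments="/q" for the bundled .NET prerequisite.
$installArgs = @(
    '/quiet',
    'NetFrameworkCommandLineArguments="/q"',
    "AccessKey=`"$PlainKey`""
)
$proc = Start-Process -FilePath $SetupPath -ArgumentList $installArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0    { Write-Output 'Sensor setup completed.' }
    3010 { Write-Warning 'Sensor setup completed but a reboot is required (step 7); rerun the check below afterwards.' }
    default { throw "Sensor setup exited with code $($proc.ExitCode); check the installer logs." }
}

# The sensor runs as two Windows services; both should be Running once the
# install (and any required reboot) has finished.
$expectedServices = 'AATPSensor', 'AATPSensorUpdater'
foreach ($name in $expectedServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service $name not found; the install may not have completed."
        continue
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "Service $name is $($svc.Status); starting it."
        Start-Service -Name $name
    }
    Write-Output "$name : $((Get-Service -Name $name).Status)"
}
```

Once both services report Running, the sensor appears under HEALTH in the portal, where network capture and the Domain synchronizer candidate setting (step 10) are still enabled by hand.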