Azure Advanced Threat Protection for Enhanced Security

Azure Advanced Threat Protection is a game-changer for organizations looking to boost their security. It provides real-time threat protection against sophisticated attacks.

By integrating with Azure Active Directory, Azure ATP can detect and prevent attacks that target your users and data. This integration also enables you to monitor and respond to threats more effectively.

With Azure ATP, you can identify and block suspicious activities, such as login attempts from unknown devices or locations. This helps to prevent lateral movement and contain threats before they spread.

Azure ATP also provides detailed analytics and reporting, which can help you refine your security posture and make data-driven decisions.

Getting Started

To get started with Azure Advanced Threat Protection, you'll first need to create a Security Monitoring workspace, which will allow you to define what you want to monitor by specifying various logging sources.

Azure Advanced Threat Protection is an affordable way to improve an organization's security posture analysis, helping it identify attacks, compromised identities, and hostile insider behavior.

Deploying Azure Advanced Threat Protection starts with creating a Security Monitoring workspace.

Once the Security Monitoring workspace exists, the next step is to create a Security Analysis workspace to analyze the data it generates. The Security Analysis workspace is where the analytics, investigation, and attribution services run, along with advanced capabilities such as graph analysis and actionable insights.

Azure Sentinel experts can assist you in making the most of Azure Advanced Threat Protection for your business, helping you maximize ROI with the right mix of security, automation, and analytics.

Azure Advanced Threat Protection Features

The Azure ATP portal is where you create and manage your Azure ATP instance, view the data received from Azure ATP sensors, and monitor, manage, and investigate threats in your network environment.

The Azure ATP sensor is installed directly on your domain controllers. It reads domain controller traffic locally, so no dedicated server or port mirroring setup is required.

Azure ATP cloud service is a scalable and secure cloud platform that runs on Azure infrastructure. It provides advanced threat protection for your digital assets and delivers scalable services that you can use to meet the needs of any business.

Azure ATP helps detect and investigate security events across your network. It uses learning-based analytics to identify suspicious user and device activity.

Azure ATP protects user identities and credentials stored in Active Directory. It monitors multiple entry points and draws on threat intelligence from both cloud and on-premises environments.

Azure ATP identifies threats at every step of the cyber attack kill chain: reconnaissance, credential compromise, lateral movement, and domain dominance.

Here are the different types of threats Azure ATP identifies:

  • Reconnaissance: attackers gathering information, such as enumerating usernames and IP addresses.
  • Credential compromise: attempts to compromise user credentials, surfaced through brute-force attacks, failed authentications, or changes to user group memberships.
  • Lateral movement: attempts to move laterally through the network, including Pass the Ticket and Pass the Hash.
  • Domain dominance: attacker behavior once domain dominance has been achieved, such as remote code execution on the domain controller.

Protection and Security

Azure Advanced Threat Protection provides robust protection and security features to safeguard against advanced threats. It detects and investigates suspicious user and device activity with learning-based analytics.

Azure ATP helps protect user identities and credentials stored in Active Directory and monitors multiple entry points, so that even the most sophisticated attacks are caught and addressed.

Azure ATP identifies threats at every step of the cyber attack kill chain (reconnaissance, credential compromise, lateral movement, and domain dominance). In doing so it reduces the potential attack surface and makes it harder for attackers to steal user credentials and carry out advanced attacks.

Here are some common methods used by attackers to gain access to company networks:

  • Phishing: Lures employees into clicking seemingly trustworthy links to access company credentials.
  • Malware: Installs programs that allow attackers to monitor and collect company data.
  • Password cracking: Guesses passwords due to poor employee digital hygiene.
  • Backdoor: Creates a method that gives attackers remote access to the network without the organization's knowledge.

Protection

Azure Advanced Threat Protection (ATP) is a powerful tool that helps protect your network from advanced threats. It monitors user activities and information across your network, establishing a behavioral baseline for each user.

Azure ATP uses adaptive built-in intelligence to detect anomalies and surface suspicious behavior and events. This helps expose advanced threats, compromised users, and insider threats.

The tool's proprietary sensors monitor organizational domain controllers, providing a comprehensive view of all user activities from every device. This allows Azure ATP to identify suspicious activities and alert you to potential threats.

Azure ATP's security alerts are designed to show you precisely what is happening on your network. Each alert describes, in plain language with supporting visuals, the suspicious activity, the users and computers involved, and how it was detected.

Compromised credential detection is one of the ways Azure ATP helps protect your network. This includes detecting brute-force attacks, in which an attacker repeatedly tries to log into a user account until a password succeeds.

Azure ATP also helps reduce your organization's attack surface with visual Lateral Movement Paths and clear-text password detection. This makes it more challenging for attackers to steal user credentials and carry out advanced assaults.

By using Azure ATP, you can stay secure and protect your network from these advanced threats.

Exclusions

Exclusions are a crucial part of fine-tuning your security measures to minimize false positives.

Azure ATP can generate false positive alerts, like when it alerts on AD replication traffic from your AAD Connect server.

This is normal AD synchronization to Azure AD, and you can exclude this server from such alerts to avoid unnecessary notifications.

You can be very specific with exclusions, even defining them per detection type, as shown in the Azure ATP management portal.

To configure exclusions, browse to the Exclusions section in the Azure ATP management portal.

Deployment and Configuration

When deploying Azure Advanced Threat Protection (ATP), you have two options for collecting logs from domain controllers: downloading an agent (Azure ATP sensor) on each domain controller or configuring a server (Azure standalone sensor) that receives a copy of all traffic sent to domain controllers via port mirroring.

To get started with Azure ATP deployment, you'll need to choose one of these options. Both methods are viable, but it's essential to consider your environment and requirements before making a decision.

Azure ATP deployment requires configuring event forwarding, especially if you're using the standalone sensor. You'll need to send specific Windows Events from your DC to your Azure ATP sensor standalone server using either Windows Event Forwarding or via SIEM integration.

Here are the critical Windows Events you'll need to forward:

  • Event 4776 (NTLM authentication)
  • Events 4732, 4733, 4728, 4729, 4756, 4757, and 7045 (sensitive group modification and service creation)

Finally, be aware that Azure ATP deployment might require you to consider your proxy configuration. Azure ATP sensors can be configured to work through a proxy; follow Microsoft's documentation for the steps.

Deployment Options

When deploying Azure ATP, you have two main options to collect logs from domain controllers. You can either download an agent (Azure ATP sensor) on each domain controller, which will send data directly to the cloud service, or configure a server (Azure standalone sensor) to receive a copy of all traffic sent to domain controllers via port mirroring.

The Azure standalone sensor is a separate server that connects to one or more domain controllers and captures their traffic without deploying anything on the domain controllers themselves. The trade-off is that this method may not provide the full list of detections; DCShadow attack detection is one example.

Network Cards on Standalone Server

You'll need to configure the network cards on your standalone server for Azure ATP to function properly. This typically means two network cards: one for port mirroring, which receives the domain controllers' traffic and carries a non-routable dummy IP address, and one for management traffic.

The first NIC is used for port mirroring, receiving a copy of the domain controller's traffic, and is assigned a non-routable dummy IP address.

The second NIC, on the other hand, is used to send traffic to the Azure ATP service in the cloud and is assigned a valid, routable IP address with a default gateway.

This setup allows the standalone server to receive and forward traffic to the Azure ATP service correctly.
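The two-NIC layout above, as an added PowerShell example that is not from the original article: the adapter names (Capture, Management) and all IP addresses are placeholders for illustration, and the script must be run from the server console because it re-addresses the management NIC. It ends with a check that the only default route sits on the management NIC, which is the failure mode that silently breaks cloud connectivity.

```powershell
# Added example (not from the article): configure the capture and management
# NICs on an Azure ATP standalone sensor server. Adapter names and addresses
# are placeholders; run elevated, from the console (not over RDP/WinRM).
$captureNic = 'Capture'      # receives mirrored domain controller traffic
$mgmtNic    = 'Management'   # reaches the Azure ATP cloud service

# Capture NIC: static, non-routable dummy address (/32), no gateway, no DNS,
# and no DNS registration, so the server never originates traffic through it.
Set-NetIPInterface -InterfaceAlias $captureNic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $captureNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $captureNic -IPAddress 10.10.0.10 -PrefixLength 32 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $captureNic -ResetServerAddresses
Set-DnsClient -InterfaceAlias $captureNic -RegisterThisConnectionsAddress $false

# Management NIC: routable address with a default gateway and DNS. Clear any
# old address/default route first so New-NetIPAddress does not fail.
Set-NetIPInterface -InterfaceAlias $mgmtNic -Dhcp Disabled
Get-NetRoute -InterfaceAlias $mgmtNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
Get-NetIPAddress -InterfaceAlias $mgmtNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $mgmtNic -IPAddress 10.0.5.20 -PrefixLength 24 -DefaultGateway 10.0.5.1 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $mgmtNic -ServerAddresses 10.0.5.2

# Check: exactly one IPv4 default route, and it must be on the management NIC.
# A default route on the capture NIC would send sensor traffic into the
# mirror port and the sensor would never reach the Azure ATP service.
$defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
if ($defaults.Count -eq 1 -and $defaults[0].InterfaceAlias -eq $mgmtNic) {
    Write-Output "OK: default route via $($defaults[0].NextHop) on '$mgmtNic'"
} else {
    $where = ($defaults.InterfaceAlias | Sort-Object -Unique) -join ', '
    Write-Warning "Expected one default route on '$mgmtNic'; found default routes on: $where"
}
if (@($defaults | Where-Object InterfaceAlias -eq $captureNic).Count -gt 0) {
    Write-Warning "Capture NIC '$captureNic' has a default route; remove it"
}
```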

Installation and Setup

To install Azure Advanced Threat Protection (ATP) as a standalone sensor, download the package and run the installation on your Azure ATP standalone sensor server. Make sure that server is configured with port mirroring so that it captures the domain controllers' traffic.

If you can't install the sensor directly on your domain controllers, deploy the Azure ATP standalone sensor on a separate server. This sensor monitors the traffic that you direct to it by using port mirroring on your network switches.

The installer detects that the server is not a domain controller and installs the Azure ATP standalone sensor rather than the Azure ATP sensor. Note the access key from the portal; you'll need it to complete the sensor installation.

Azure ATP sensor setup requires .NET, so make sure it's installed on your server. When configuring the sensor, enter the access key you got from the management portal.

The Azure ATP Sensor monitors the domain controller activity for signs of malicious activity and other security risks, including connections made with insecure protocols. It reads events locally without the need to maintain or purchase additional hardware.

Alerts and Investigation

Azure Advanced Threat Protection (ATP) is a powerful tool that helps you stay one step ahead of cyber threats. It displays a timeline of events prioritized according to the level of risk they represent, making it easy to identify potential security risks.

With Azure ATP, you can see a complete timeline of authentication and network activity for each machine, including attempts to log in with non-existent accounts and reconnaissance events. This level of detail is not typically detected by antivirus software.

Azure ATP sends email notifications to security teams when a detection is found, providing them with all the details of the possible attack. This ensures that potential threats are addressed promptly.

Azure ATP uses two techniques for detection: known suspicious activities and behavioral analysis. Known suspicious activities are predefined and detected right away, while behavioral analysis uses machine learning to learn the authentication patterns of each entity inside the network.

Azure ATP learns the behavior of each entity based on when they usually log on, what devices they use, and what resources they access. This information is used to build a model that can detect anomalies and abnormal behaviors.

Here are some examples of suspicious activities that Azure ATP can detect:

  • Passwords in clear text
  • Weak protocols
  • Failed logon attempts from multiple devices

By using Azure ATP, you can strengthen the security of your environment and gain better monitoring capabilities. Its ability to detect anomalies and abnormal behaviors makes it an essential tool in the fight against cyber threats.

Microsoft ATA Comparison

Microsoft ATA was a solution for detecting suspicious activities and analyzing abnormal patterns, but it required deploying an on-premises server to collect and analyze logs.

The ATA Center had to be updated regularly with new releases, which added to the maintenance burden.

Azure ATP is the cloud-based evolution of Microsoft ATA, offering better integration with other Microsoft ATP solutions.

It comes with performance improvements for the on-premises agent compared to Microsoft ATA agents.

Configuration and Management

To ensure a successful Azure Advanced Threat Protection (ATP) deployment, proper configuration and management are crucial.

First and foremost, you need to enable lateral movement path detection by configuring SAM-R permissions. This allows Azure ATP sensors to query the local administrators group on machines where sensitive accounts log on, which is how the lateral movement graph is built.

To configure SAM-R permissions, refer to the Microsoft documentation on the topic. This will provide you with a detailed guide on how to set it up correctly.

Another critical aspect of Azure ATP deployment is configuring Windows Event Forwarding. If you're using an Azure ATP standalone sensor, you'll need to send Windows Events from your DC to your Azure ATP sensor server using either Windows Event Forwarding or SIEM integration.

The events you need to forward are 4776, 4732, 4733, 4728, 4729, 4756, 4757, and 7045. Event 4776 enhances the NTLM authentication detections; the remaining events cover sensitive group modifications and service creation.

Here are the critical events you need to forward:

  • 4776: NTLM authentication (credential validation)
  • 4732 and 4733: member added to or removed from a security-enabled local group
  • 4728 and 4729: member added to or removed from a security-enabled global group
  • 4756 and 4757: member added to or removed from a security-enabled universal group
  • 7045: a service was installed (service creation)
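An added PowerShell example, not from the original article, covering this event list and the identical list in the Deployment and Configuration section: it builds the QueryList filter for the Windows Event Forwarding subscription, then checks on the domain controller that the audit subcategories behind these events are enabled and that each event ID actually occurred in the last 24 hours. The audit subcategory names and the Security/System log split are standard Windows facts; no Azure ATP API is assumed.

```powershell
# Added example (not from the article): run elevated on a domain controller
# before forwarding events to an Azure ATP standalone sensor.

# 7045 (a service was installed) is written to the System log by the
# Service Control Manager; the other IDs are Security log audit events.
$securityIds = 4776, 4732, 4733, 4728, 4729, 4756, 4757
$systemIds   = @(7045)

# XPath filter for the WEF subscription (Event Viewer > Subscriptions >
# Select Events > XML tab, or a wecutil subscription file).
$secClause = ($securityIds | ForEach-Object { "EventID=$_" }) -join ' or '
$sysClause = ($systemIds   | ForEach-Object { "EventID=$_" }) -join ' or '
$queryList = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[($secClause)]]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[($sysClause)]]</Select>
  </Query>
</QueryList>
"@

# Security events only exist if the matching audit subcategory is enabled:
# 4776 needs 'Credential Validation', the 47xx group events need
# 'Security Group Management'. 7045 is logged regardless of audit policy.
foreach ($sub in 'Credential Validation', 'Security Group Management') {
    $match = auditpol /get /subcategory:"$sub" | Select-String -SimpleMatch $sub | Select-Object -First 1
    if (-not $match -or $match.Line -match 'No Auditing') {
        Write-Warning "Audit subcategory '$sub' is not enabled; Azure ATP will miss these events"
    } else {
        Write-Output "OK: $($match.Line.Trim())"
    }
}

# Count each ID over the last 24 hours so a gap shows up here rather than
# as a missing detection in the Azure ATP portal.
$since  = (Get-Date).AddDays(-1)
$events = @()
$events += @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$securityIds; StartTime=$since} -ErrorAction SilentlyContinue)
$events += @(Get-WinEvent -FilterHashtable @{LogName='System';   Id=$systemIds;   StartTime=$since} -ErrorAction SilentlyContinue)
foreach ($id in $securityIds + $systemIds) {
    $count = @($events | Where-Object { $_.Id -eq $id }).Count
    if ($count -eq 0) {
        Write-Warning "No event $id in the last 24h; check audit policy and forwarding before going live"
    } else {
        Write-Output "Event ${id}: $count occurrence(s)"
    }
}

# Emit the subscription filter for copy/paste into the WEF subscription.
$queryList
```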

Lastly, don't forget to consider your proxy configuration during Azure ATP deployment. Azure ATP sensors can work with proxy configurations, and Microsoft documentation provides a guide on how to configure them.

Frequently Asked Questions

What is ATP in Azure?

Azure ATP is a cloud service that detects and prevents insider threats and compromised identities by monitoring domain controllers and analyzing events in real-time. It identifies threat patterns and their sources, both on-premises and in the cloud.

What is Azure ATP now called?

Azure ATP is now known as Microsoft Defender for Identity. This security solution continues to monitor on-premises and cloud-based Active Directory environments for potential threats.

Margarita Champlin

Writer
