In a previous blog post (https://albandrodsmemory.wordpress.com/2020/03/10/brief-introduction-to-atp/) I was talking about the protection measures that we have against attackers, but today I want to go deeper with Azure ATP.
Azure Advanced Threat Protection (Azure ATP) assists security professionals in monitoring on-premises Active Directory to identify, detect, and protect from advanced threats and malicious activities.
Azure ATP is a cloud-based service that uses agents (sensors) on the domain controllers to track authentication activities. Azure ATP gives IT the tools to proactively assess the environment:
- Monitor users, entity behavior, and activities with learning-based analytics
- Protect user identities and credentials stored in Active Directory
- Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
- Provide clear incident information on a simple timeline for fast triage
Once the portal and the sensors have been enabled and tuned, ATP gives access to information such as:
- Lateral movement paths of sensitive accounts
- Modification of sensitive groups
- Passwords exposed in clear text
- Summaries of suspicious activities and health issues
For those not familiar with all that terminology, let me put it plainly: Azure ATP shows, in plain language and graphics, which suspicious activities were identified on the network, and the actors and computers involved in the threats.
Moreover, alerts are graded by severity, color-coded, and organized by threat phase. Each alert is designed so that you can quickly understand exactly what is occurring on the network.
As you can see, Azure ATP is a great tool, and if we combine this tool with MDATP, you will have a clear line of defense against attackers.