You may have heard that Microsoft recently made Azure Advanced Threat Protection (Azure ATP) generally available as a new Microsoft 365 service, which was added to all EMS E5 licenses as of March 1st, 2018. But, you may be wondering, just what is Azure ATP, and why should you consider using it in your organization?

This blog answers those questions. We’ll talk about what Azure ATP is, how it’s related to other Microsoft security products, why you should use it in your organization, and we’ll briefly explain how it works.


What is Azure ATP?

Initially released in September 2017, Azure ATP helps to detect and investigate advanced attacks and insider threats across on-premises, cloud, and hybrid environments. Using Azure ATP, you can monitor identity activity and network traffic, and identify and track malicious activities in your environment. With its end-to-end investigation experience, you can use Azure ATP to pivot between an entity’s behaviour across the organization and the behaviour of a specific endpoint (by using Windows Defender ATP).

Using a proprietary network parsing engine, Azure ATP takes information from multiple data sources and can capture and parse network traffic from multiple protocols (such as DNS, NTLM, Kerberos, and RPC) used for authentication, authorization, and information gathering. By learning the behaviour of your organization’s users, Azure ATP builds a behavioural profile for each entity, which helps it to flag suspicious activities.


How is Azure ATP Related to Other Microsoft Security Products?

Microsoft takes security seriously and invests heavily in security solutions. But you may be asking yourself how Azure ATP fits into the Microsoft security family. Below, we’ve outlined three other Microsoft security products to show how they differ from Azure ATP.

  • Advanced Threat Analytics (ATA) is an on-premises platform that protects against insider threats and advanced targeted cyberattacks. Azure ATP is the cloud-based successor to ATA.
  • Office 365 Advanced Threat Protection works to protect your email, files, and Office 365 applications against potential attacks. It works by securing your inbox against advanced threats, protecting against unsafe attachments, and protecting your environment when a user clicks a malicious link.
  • Windows Defender Advanced Threat Protection (Windows Defender ATP) integrates with Azure ATP to detect and protect against malicious activity, but its focus is on the endpoints – the actual devices being used.


Why Use Azure ATP?

Before we get into the how, let’s talk a bit about the why. Why use Azure ATP? Azure ATP gives organizations a way to monitor for unauthorized access to their IT environment, to track suspicious or malicious activities, and to map undocumented service accounts on their Active Directory networks.

Let’s look at these opportunities a little closer.

Consider the last time an employee left your organization. What procedures did you have in place for limiting that employee’s access to your company data or network? Maybe you’ve had a negative experience where a departed employee removed vital data from your network. With Azure ATP, you can tag departing employees’ accounts as “sensitive”. If one of those accounts is then used to access company data after the employee has left, Azure ATP raises an alert and, with notifications configured, immediately emails the relevant team members that an unauthorized person is attempting to access data.

Azure ATP also helps to map undocumented service accounts that may be residing on your network. Last year, ProServeIT had a customer that discovered one of their service accounts was being used on a recurring basis. They approached us and asked us to track where this account was being used in their network, how often it had been used, which computers it was being used on, and where the passwords for this account were stored.

Tracking this information manually, ProServeIT spent considerable time and resources determining what the client wanted to know. With the introduction of Azure ATP, manual investigations like the one ProServeIT completed for that client are a thing of the past. Because Azure ATP records authentication and directory activity across a customer’s Active Directory network, a few clicks of the mouse will produce a report showing the service account’s activity. Simply put, if you want to track or map undocumented service accounts, Azure ATP puts account and user information at your fingertips.
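For readers who want to see what the manual version of that investigation looks like, here is an added PowerShell example (our illustration, not code from Microsoft or from the original investigation). It pulls Kerberos TGT requests (event 4768) and logons (event 4624) for one account from every domain controller’s Security log and summarizes which source hosts used the account, how often, and when. It assumes the ActiveDirectory module is installed, that you have remote event-log read rights on the DCs, and that “Kerberos Authentication Service” and “Logon” auditing is enabled; the account name `svc-backup` in the usage line is a placeholder.

```powershell
# Added example: manually map where a service account is used by reading
# DC Security logs. Assumptions (not from the original post): ActiveDirectory
# module present, remote event-log access to each DC, and Kerberos/Logon
# auditing enabled on the DCs.
param(
    [Parameter(Mandatory)][string]$AccountName,   # sAMAccountName, e.g. 'svc-backup'
    [int]$Days = 30
)

Import-Module ActiveDirectory
$start = (Get-Date).AddDays(-$Days)
$dcs   = (Get-ADDomainController -Filter *).HostName

# 4768 = TGT requested (the account authenticated from some host)
# 4624 = successful logon (on the DC itself, e.g. a scheduled task or service)
$filter = @{ LogName = 'Security'; Id = 4768, 4624; StartTime = $start }

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData XML into a name/value table
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $AccountName) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                DC          = $dc
                EventId     = $_.Id
                SourceIp    = ($d.IpAddress -replace '^::ffff:', '')  # strip IPv4-mapped prefix
                Workstation = $d.WorkstationName
                LogonType   = $d.LogonType                            # 5 = service, 4 = batch
            }
        }
      }
}

# Summarize per source host: count, first/last seen, best-effort reverse DNS
$events | Group-Object SourceIp | Sort-Object Count -Descending | ForEach-Object {
    $ip = $_.Name
    $host = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { '(unresolved)' }
    [pscustomobject]@{
        SourceIp   = $ip
        Host       = $host
        Uses       = $_.Count
        FirstSeen  = ($_.Group | Measure-Object Time -Minimum).Minimum
        LastSeen   = ($_.Group | Measure-Object Time -Maximum).Maximum
        LogonTypes = ($_.Group.LogonType | Where-Object { $_ } | Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize

# Usage:  .\Map-ServiceAccount.ps1 -AccountName svc-backup -Days 30
```

This answers three of the four questions in the story above (where, how often, and on which computers) from the DC logs alone; it cannot tell you where the account’s password is stored, which still needs a look at each identified host’s services, scheduled tasks and application configuration. Azure ATP collects the same authentication traffic continuously, which is what turns this one-off script into a report you can open on demand.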


What does Azure ATP do exactly?

Azure ATP monitors user, device, or resource behaviour in order to create a baseline for comparison. Then, it detects any anomalies through adaptive built-in intelligence. This gives you insights into your network traffic, so you can identify and quickly respond to any potential threats.

Cyber attacks usually follow the same phases: 1) the attackers gather information about your environment (reconnaissance); 2) the attackers move laterally to expand their foothold inside your organization’s network; and 3) the attackers collect further information, including user credentials, to carry out their objectives. Azure ATP detects suspicious activities throughout these phases.

The threats that Azure ATP looks for include malicious attacks, such as Pass-the-Ticket, Pass-the-Hash, malicious replication, DNS reconnaissance, horizontal or vertical brute-force attacks, unusual protocols, remote execution, and malicious service creation, as well as security issues and risks, such as weak protocols, known protocol vulnerabilities, and lateral movement paths to sensitive accounts.

Want to know more about Azure ATP?

Azure ATP was made generally available on March 1, 2018, and we are getting many questions from our customers about it. We will publish additional blog posts and host a webinar (with a live demo) to help you understand what it is and what it can do for your organization. Stay tuned! In the meantime, drop us an email if you would like to chat with our Azure expert.