Microsoft Defender ATP and Azure ATP Integration
The following post focuses on the integration between Windows Defender ATP and Azure ATP and on what this integration brings us.
Once Windows Defender ATP is integrated with Azure ATP, you can leverage the full power of both services to secure your environment, including:
Azure ATP sensors and standalone sensors can sit directly on your domain controllers or receive port-mirrored traffic from your domain controllers, to capture and parse network traffic of multiple protocols for authentication, authorization, and information gathering.
Endpoint behavioral sensors embedded in Windows 10 collect and process behavioral signals from the operating system and send this sensor data to your private, isolated cloud instance of Windows Defender ATP.
Cloud security analytics, leveraging big data, machine learning, and Microsoft's unique view across the Windows ecosystem, enterprise cloud products, and online assets, translate behavioral signals into insights, detections, and recommended responses to advanced threats.
Threat intelligence generated by Microsoft hunters and security teams, augmented by threat intelligence provided by partners, enables Windows Defender ATP to identify attacker tools, techniques, and procedures and to generate alerts when these are observed in collected sensor data.
Microsoft now has three ATP solutions, and they all work together as a better-integrated solution that covers identities, email, and endpoints.
The power of this integration between Azure ATP and Windows Defender ATP is that it gives you more insight when doing your investigation.
Enable Integration between Microsoft Defender ATP and Azure ATP
Since both Windows Defender ATP and Azure ATP are cloud services, enabling the integration between them is just a matter of turning on a switch.
To enable the Azure ATP and Windows Defender ATP integration, you just need to enable a few settings on each service:
Azure ATP Portal
On the Azure ATP portal, you can enable the integration from the settings: go to the workspace settings, then Windows Defender ATP, switch it to ON, and save the changes.
Microsoft Defender ATP
Once the Azure ATP portal is configured, go to Security Center (the Windows Defender ATP portal), choose Settings > Advanced features, enable the Azure ATP integration, and save the changes.
Once both switches are on, the integration becomes available within about 15 minutes.
How to know if the integration is working?
After integrating the two ATP services, we can start working from either portal, whether Azure ATP or Windows Defender ATP.
When both services are integrated, a lot is happening in the background: just by looking at an entity inside Azure ATP you can immediately see the health or risk level of that identity at the endpoint level, without even clicking any buttons.
If you are looking at an identity profile inside Azure ATP, the correlation between the identity in Azure ATP and its device in Windows Defender ATP happens in real time.
I previously thought that living with Azure ATP alone was good enough, but it is worth looking at Microsoft Defender ATP and enabling such an integration.
Remember that when you start with a device in Windows Defender ATP you can view which authentications and behaviors occurred for it in Azure ATP, and when you investigate an identity in Azure ATP you can view its alerts and pivot to investigating the Windows device in Windows Defender ATP.