Microsoft Defender for Identity Basic Deployment
Azure Advanced Threat Protection (Azure ATP) is a cloud service based that allows you to detect advanced threats and is the Microsoft ATA solution’s evolution.
Azure ATP is part of Microsoft Enterprise Mobility and Security (EMS) and provides a security layer for the Active Directory and Hybrid Identity. Also, Azure ATP can be integrated with other security layers, such as Office 365 ATP, Windows Defender ATP, and Azure AD.
The main difference between Azure ATP deployment and the ATA deployment is the following differences:
- Based on Cloud
- Agent-based on sensor
- Azure ATP detects newer threats and more quickly.
- A different approach (logs, deployment, architecture, etc.)
The Azure ATP architecture, including two main configurations, and each one is based on requirements.
Azure ATP Sensor
Each domain controller in your environment and that agent will send data directly to the cloud service.
The first option is the easiest as all that you need to do is to install the Azure ATP sensor on each domain controller.
Microsoft re-engineered the Azure ATP sensor as it comes with up to 15 times performance improvement compared to the old ATA agent. The Azure ATP Sensor name is new to clarify that this is a brand new enhanced agent and not just changing names.
Azure Standalone Sensor
Connect one or more domain controllers to a separate Azure ATP standalone by sending the traffic through port mirroring so that the Azure ATP standalone sensor server can see the traffic without deploying anything on the domain controller itself.
Receives a copy of all traffic sent to domain controllers via port mirroring.
Azure ATP includes the following components:
Azure ATP Portal – The Azure ATP portal allows you to create your Azure ATP instance, displays the data received from Azure ATP sensors, and enables you to monitor, manage, and investigate threats in your network environment.
ATP Cloud Service – Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. Azure ATP cloud service is connected to Microsoft’s intelligent security graph.
Azure ATP Sensor – Azure ATP sensors are installed directly on your domain controllers. The sensor directly monitors domain controller traffic without a dedicated server or configuration of port mirroring.
Azure ATP uses proprietary analytical algorithms to capture and parse data from domain controllers or standalone sensors to detect and investigate certain malicious behaviors related to authentication and service authorization. Azure ATP can learn the behavior of users and build a profile to determine typical use. Azure ATP can also receive information from other data sources such as events and logs via:
- SIEM Integration
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (WEC)
- RADIUS Accounting from VPN
Azure ATP Basic Deployment
Before you start, you have a few prerequisites to prepare based on your deployment.
Azure ATP Prerequisites
The basic Prerequisites for Azure ATP:
- Prepare with Azure ATP capacity planning (determine how many sensors do you need)
- Active Directory Forest Functional Level of Windows 2003 and above
- License for Enterprise Mobility & Security (EMS) E5
- Internet connectivity to the Azure ATP Cloud Service
- An on-premises Active Directory account with reading access to all objects in the monitored domains
Azure ATP Deployment
- Azure ATP deployment option
- Create an Azure ATP workplace
- Deploy Azure ATP Sensor
- Post Configuration Steps
Azure ATP Deployment Steps
Azure ATP deployments step, including few components: workspace, sensor, boundaries, DC’s, etc.
Create Azure ATP workspace
The first thing first is to create the environment in Azure ATP with a workspace that is based on your chosen deployment and based on another few points that are required to take place within Azure ATP workspace.
- Azure ATP can have multiple workplaces on the same tenant.
- A workspace helps you define the region where your data is stored.
- Each workspace requires you to define the account for domain connectivity.
- A workspace is a boundary for the Active Directory forest.
- A workspace is considered a unit of integration with Windows Defender Advanced Threat Protection.
Open https://portal.atp.azure.com/ and provide a Name and a Geolocation for your data will be stored.
Note: The name chosen for your workplace will be the URL for your workplace management portal.
Next, provide an account used by the Azure ATP sensor on-premises to access your domain controller.
Next, download the Azure ATP Sensor.
Install Azure ATP Sensor
Note: make sure that you’ve. Net 4.7 on your DC. If you don’t have you need to install.Net 4.7 and reboot your DC.
After downloading the Azure ATP Sensor, go to Domain Controller and run the installation.
Next, configure the sensor with the access key (from the Azure ATP portal).
Once the Azure ATP Sensor is installed and connected to the Azure ATP workspace, you can continue installing the other domain controller (if you’ve) and continue with Azure ATP post configuration.