Microsoft Defender for Identity Basic Deployment

Azure Advanced Threat Protection (Azure ATP) is a cloud-based service that lets you detect advanced threats; it is the evolution of Microsoft's Advanced Threat Analytics (ATA) solution.

Azure ATP is part of Microsoft Enterprise Mobility and Security (EMS) and provides a security layer for Active Directory and hybrid identity. Azure ATP can also be integrated with other security layers, such as Office 365 ATP, Windows Defender ATP, and Azure AD.

Azure ATP is a behavior analytics cloud solution and is essentially the cloud version of Advanced Threat Analytics (ATA). Both Azure ATP and ATA help protect your environment from multiple types of advanced targeted attacks and insider threats; however, Azure ATP is meant for hybrid environments.

Both have very similar designs and functions. Below is the architecture of Azure ATP. Again, it is basically the same as ATA, except that Azure ATP keeps the workspace in the Azure cloud. ATA required a dedicated server for the ATA Center workspace, which had massive resource requirements.

Additionally, ATA was part of the Enterprise Mobility + Security (EMS) E3 bundled license. Azure ATP requires the EMS E5 license.

The main differences between an Azure ATP deployment and an ATA deployment are:

  • Cloud-based
  • Agent-based sensors
  • Azure ATP detects newer threats, and more quickly.
  • A different approach (logs, deployment, architecture, etc.)

Architecture

The Azure ATP architecture offers two main configurations; which one you choose depends on your requirements.

Azure ATP Sensor

The sensor is installed on each domain controller in your environment, and that agent sends data directly to the cloud service.
This first option is the easiest, as all you need to do is install the Azure ATP sensor on each domain controller.

Microsoft re-engineered the Azure ATP sensor; it delivers up to 15 times the performance of the old ATA agent. The name Azure ATP Sensor is new to make clear that this is a brand new, enhanced agent and not just a rename.

Azure ATP Standalone Sensor

Connect one or more domain controllers to a separate Azure ATP standalone sensor server by sending their traffic to it through port mirroring, so that the standalone sensor can see the traffic without anything being deployed on the domain controller itself.
The standalone sensor receives a copy of all traffic sent to the domain controllers via port mirroring.

Azure ATP architecture topology diagram

Azure ATP includes the following components:

Azure ATP Portal – The Azure ATP portal allows you to create your Azure ATP instance, displays the data received from Azure ATP sensors, and enables you to monitor, manage, and investigate threats in your network environment.

Azure ATP Workspace Portal – the primary interface that receives data from all Azure ATP sensors and gives you a place to monitor, manage, and investigate that data.

Azure ATP Cloud Service – Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. Azure ATP cloud service is connected to Microsoft’s intelligent security graph.

Azure ATP Sensor – Azure ATP sensors are installed directly on your domain controllers. The sensor directly monitors domain controller traffic without a dedicated server or configuration of port mirroring.

Azure ATP Standalone Sensor – A full agent installed on a dedicated server that can monitor traffic from multiple domain controllers. This is the alternative for those who do not wish to install an agent directly on a domain controller.

Azure ATP uses proprietary analytical algorithms to capture and parse data from domain controllers or standalone sensors to detect and investigate certain malicious behaviors related to authentication and service authorization. Azure ATP learns the behavior of users and builds a profile of their typical use. Azure ATP can also receive information from other data sources, such as events and logs, via:

  • SIEM Integration
  • Windows Event Forwarding (WEF)
  • Directly from the Windows Event Collector (WEC)
  • RADIUS Accounting from VPN

Azure ATP Basic Deployment

Before you start, you have a few prerequisites to prepare based on your deployment.

Azure ATP Prerequisites

The basic prerequisites for Azure ATP:

  • Prepare with Azure ATP capacity planning (determine how many sensors you need)
  • Active Directory Forest Functional Level of Windows 2003 and above
  • License for Enterprise Mobility & Security (EMS) E5
  • Internet connectivity to the Azure ATP Cloud Service
  • An on-premises Active Directory account with read access to all objects in the monitored domains

Azure ATP Deployment

  • Choose an Azure ATP deployment option
  • Create an Azure ATP workspace
  • Deploy the Azure ATP Sensor
  • Post-configuration steps

Azure ATP Deployment Steps

The Azure ATP deployment steps involve a few components: the workspace, the sensor, boundaries, domain controllers, etc.

Create Azure ATP workspace

First, create the environment in Azure ATP with a workspace. The workspace is based on your chosen deployment option and on a few other points that apply within an Azure ATP workspace:

  • Azure ATP can have multiple workspaces on the same tenant.
  • A workspace helps you define the region where your data is stored.
  • Each workspace requires you to define the account for domain connectivity.
  • A workspace is a boundary for the Active Directory forest.
  • A workspace is considered a unit of integration with Windows Defender Advanced Threat Protection.

Open https://portal.atp.azure.com/ and provide a Name and the Geolocation where your data will be stored.

Note: The name chosen for your workspace becomes the URL of your workspace management portal.


Next, provide an account used by the Azure ATP sensor on-premises to access your domain controller.

Next, download the Azure ATP Sensor.

Install Azure ATP Sensor

Note: make sure that you have .NET 4.7 on your DC. If you don't, you need to install .NET 4.7 and reboot your DC.

After downloading the Azure ATP Sensor, go to the domain controller and run the installation.

Next, configure the sensor with the access key (from the Azure ATP portal).

Once the Azure ATP Sensor is installed and connected to the Azure ATP workspace, you can continue installing it on your other domain controllers (if you have any) and proceed with the Azure ATP post-configuration.
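As an added example (not part of the original post), the following PowerShell pre-flight script checks the prerequisites listed above and the .NET 4.7 note on a domain controller before you run the sensor installer. It assumes it runs elevated on the DC with the ActiveDirectory module available; the -WorkspaceName parameter and the "<workspace>sensorapi.atp.azure.com" endpoint it tests are assumptions, not values given in the post, and the optional -ServiceAccount credential is the read-only account you provided in the portal.

```powershell
# Added pre-flight check for an Azure ATP sensor install (example, not the
# project's own tooling). Assumed inputs: the workspace name from the portal
# and, optionally, the on-premises read-only account used by the sensor.
param(
    [Parameter(Mandatory)][string]$WorkspaceName,
    [System.Management.Automation.PSCredential]$ServiceAccount
)
$results = [ordered]@{}

# 1) .NET Framework 4.7 or later: the NDP v4 "Release" value is 460798+ for 4.7.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET Framework 4.7+ (reboot after install)'] = ($null -ne $ndp) -and ($ndp.Release -ge 460798)

# 2) The sensor (option 1) goes on a domain controller: DomainRole 4/5 = backup/primary DC.
$results['Host is a domain controller'] = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# 3) Forest functional level Windows Server 2003 or above
#    (ADForestMode: 0 = Windows2000Forest, 1 = 2003 Interim, 2 = Windows2003Forest, ...).
Import-Module ActiveDirectory -ErrorAction Stop
$results['Forest functional level >= 2003'] = [int](Get-ADForest).ForestMode -ge 2

# 4) Outbound HTTPS to the Azure ATP cloud service: the portal and the assumed
#    per-workspace sensor endpoint "<workspace>sensorapi.atp.azure.com".
foreach ($endpoint in @('portal.atp.azure.com', "$($WorkspaceName)sensorapi.atp.azure.com")) {
    $tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    $results["TCP 443 to $endpoint"] = $tcp.TcpTestSucceeded
}

# 5) Optional: the on-premises account can bind and read directory objects.
if ($ServiceAccount) {
    try {
        $null = Get-ADUser -Filter * -ResultSetSize 1 -Credential $ServiceAccount -ErrorAction Stop
        $results["Read access for $($ServiceAccount.UserName)"] = $true
    } catch {
        $results["Read access for $($ServiceAccount.UserName)"] = $false
    }
}

# Report each check and return a non-zero exit code if anything failed.
$failed = 0
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK  ' } else { $failed++; 'FAIL' }
    Write-Output ("[{0}] {1}" -f $state, $entry.Key)
}
exit $failed
```

Run it once per domain controller before installing the sensor; a FAIL on the endpoint checks usually means a proxy or firewall rule is needed, and a FAIL on the .NET check means you must install .NET 4.7 and reboot first.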

More information


4 Responses

  1. Jonathan Santos says:

    How should I license Azure ATP in my organization?

    • Eli Shlomo says:

      Sure, the Azure ATP license can be part of EMS or a standalone license. Each user needs to be licensed.

  2. Jonathan Santos says:

    Hi Eli,
    Thanks for all information.

  3. Peter P says:

    Possible to use in a multi-tenant environment?
