Microsoft attack detection products


Microsoft has several products that can be used to detect suspicious activity on an organization’s information systems based on collection and analysis of telemetry. These products can be used individually or together depending on the organization’s need. Some of these products can run locally on an organization’s network and other products use Microsoft’s cloud infrastructure for management and analytic functionality.

Advanced Threat Analytics

Advanced Threat Analytics (ATA) is a solution that you can deploy in on-premises environments to detect threats. ATA uses behavioral analytics to determine what constitutes abnormal behavior on your organization’s network based on its understanding of the prior behavior of security entities. For example, ATA can notice when an account has suspicious sign-on activity that differs from its normal sign-on activity, when an account enumerates the membership of sensitive groups, or when a computer appears to be participating in an attack, such as a golden ticket attack.

For more information on Advanced Threat Analytics, consult the following documentation:

Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) has very similar functionality to ATA, except that all of the telemetry is funneled into the cloud for analysis rather than being analyzed on-premises. Like ATA, Azure ATP uses behavioral analytics to determine what constitutes abnormal behavior on your organization’s network based on learning the prior behavior of security entities. Azure ATP can ingest telemetry data from SIEM systems, from Windows Event Forwarding, and directly from Windows Event Collector, as well as RADIUS accounting from VPN endpoints.

For more information on Azure ATP, consult the following documentation:

Azure Security Center

Azure Security Center was originally deployed as a tool to analyze and report on the security of resources in Azure, and its agents can also be deployed to on-premises servers. Azure Security Center can analyze event telemetry from servers running on-premises, whether bare metal or virtualized, as well as from servers running as IaaS virtual machines. It correlates events so that administrators can view the timeline of a specific attack as well as the steps that can be taken to mitigate that attack.

For more information on Azure Security Center, consult the following documentation:

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection is a product for Windows 10 endpoints that provides the following functionality:

  • Endpoint behavioral sensors. Monitors a Windows 10 computer’s telemetry, including gathering data from event logs, running processes, registry, file, and network communications data. This data is forwarded to the organization’s Windows Defender ATP cloud instance.
  • Cloud security analytics. Cloud security analytics takes the telemetry gathered at the endpoint level and analyzes that data, providing threat detections and recommended responses back to the organization. This analysis occurs against information available to Microsoft across the Windows ecosystem as well as cloud products such as Office 365 and Azure. For example, Microsoft may learn about and resolve a specific threat from the telemetry of one set of Windows Defender ATP customers. This insight allows Windows Defender ATP to make recommendations when the same threat is detected in the endpoint telemetry of another Windows Defender ATP customer.
  • Threat intelligence. Windows Defender ATP doesn’t rely only on telemetry collected with customers’ consent across the Microsoft ecosystem. Microsoft also has security researchers and engages with partner organizations to identify attacker tools and techniques and to raise alerts when evidence of these tools and techniques surfaces in customer telemetry.

For more information on Windows Defender Advanced Threat Protection, consult the following web page:

Office 365 ATP

Office 365 ATP is a service that you can add to an existing Office 365 subscription. Office 365 provides functionality around email messaging and files that are used with an Office 365 subscription, such as those stored in a SharePoint Online or Teams site. Office 365 ATP provides the following functionality:

  • Scan email attachments to find malware
  • Scan email messages and office documents to locate malicious web addresses
  • Locate spoof email messages
  • Determine when an attacker attempts to impersonate your users or organization’s custom domains

Join the discussion

What type of attack detection systems are most appropriate for your organization?
This article is from the free online

Microsoft Future Ready: Fundamentals of Enterprise Security

Created by
FutureLearn - Learning For Life