Microsoft Advanced Threat Protection

Microsoft is at it again with its bad naming of products. I’d heard the term ATP thrown around at Ignite last year and in lots of different blog posts. But today I was reading

Azure Advanced Threat Protection or Azure ATP

which really helped clear things up. Because of Microsoft’s naming, we have 3 different ATP products.

  • Office 365 ATP [you can think of this as the 1st line of protection]: inspection of email and files uploaded to SharePoint Online for zero-day attacks and malware, using the Safe Attachments and Safe Links features.

  • Windows ATP [you can think of this as the 2nd line of protection]: device-level protection on machines to detect advanced persistent malware, and to provide post-breach investigation and automated responses.

  • Azure ATP [you can think of this as the 3rd line of protection]: lets IT admins monitor attackers who are already inside the network (rather than malware): what they are doing, what they did, and what actions to take.
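Since the first line of protection only helps if the Safe Links and Safe Attachments policies are actually enabled and applied to recipients, here is an added PowerShell audit that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and that the account has a role that can read threat policies; the cmdlet names (Get-SafeLinksRule, Get-SafeLinksPolicy, Get-SafeAttachmentRule, Get-SafeAttachmentPolicy) are real Exchange Online cmdlets, and the property names used are the ones those cmdlets exposed at the time of writing, so confirm them with Get-Member before relying on the output.

```powershell
# Added example (not from the original post): audit whether Office 365 ATP
# Safe Links and Safe Attachments are really applied to the tenant.
# Assumes the ExchangeOnlineManagement module and a role that can read threat policies.
# Property names are as exposed when this was written; verify with:
#   Get-SafeLinksPolicy | Get-Member ; Get-SafeAttachmentPolicy | Get-Member

Connect-ExchangeOnline

$findings = @()

# A policy only takes effect through an enabled rule that targets recipients.
$linkRules = Get-SafeLinksRule
if (-not $linkRules) { $findings += "No Safe Links rule exists; Safe Links is applied to nobody." }
foreach ($rule in $linkRules) {
    if ($rule.State -ne 'Enabled') {
        $findings += "Safe Links rule '$($rule.Name)' is disabled."
        continue
    }
    $policy = Get-SafeLinksPolicy -Identity $rule.SafeLinksPolicy
    if (-not $policy.ScanUrls) {
        $findings += "Policy '$($policy.Name)': real-time URL scanning (ScanUrls) is off."
    }
    if (-not $policy.DeliverMessageAfterScan) {
        $findings += "Policy '$($policy.Name)': messages are delivered before the URL scan completes."
    }
    if ($policy.AllowClickThrough) {
        $findings += "Policy '$($policy.Name)': users may click through to URLs that were blocked."
    }
    if (-not $policy.TrackClicks) {
        $findings += "Policy '$($policy.Name)': click tracking is off, so investigations lose URL-click evidence."
    }
}

$attRules = Get-SafeAttachmentRule
if (-not $attRules) { $findings += "No Safe Attachments rule exists; attachments are detonated for nobody." }
foreach ($rule in $attRules) {
    if ($rule.State -ne 'Enabled') {
        $findings += "Safe Attachments rule '$($rule.Name)' is disabled."
        continue
    }
    $policy = Get-SafeAttachmentPolicy -Identity $rule.SafeAttachmentPolicy
    if (-not $policy.Enable) {
        $findings += "Policy '$($policy.Name)': the Safe Attachments policy itself is not enabled."
    }
    if ($policy.Action -eq 'Allow') {
        $findings += "Policy '$($policy.Name)': action is Allow, so attachments flagged as malware are still delivered."
    }
}

if ($findings.Count -eq 0) {
    "Safe Links and Safe Attachments: no gaps found."
} else {
    $findings | ForEach-Object { "WARN: $_" }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an Exchange Online PowerShell session; each WARN line names the rule or policy that leaves a gap between what the tenant appears to have turned on and what recipients actually get.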

We’ve enabled Safe Links in O365 and have thought about Windows Defender, but we currently use Cylance for endpoint security. Azure ATP used to be an on-prem-only solution, and now the feeds from your domain controllers can be sent to Azure for processing. One of the things the post leaves out is where you manage these tools.

Office 365 ATP is managed through the O365 admin portal; Windows and Azure ATP are a bit harder to find.

Windows ATP – https://securitycenter.windows.com/dashboard

Azure ATP – https://portal.atp.azure.com/tenantPortal

Have you tried any of the ATP products? How did you like them? Have they helped you track down security issues or blocked an attack? Let me know in the comments below.