Azure ATP provides deep insight into alerts and the underlying user activities. After watching this video, you will understand the basics of navigation in the Azure ATP portal.
- [Instructor] We're going to take a quick look at some basic alert and user activity navigation in the Azure Advanced Threat Protection portal. So I'll open a browser, I'll go to portal.atp.azure.com. That's going to take me to the Azure ATP portal, which puts me right into the Alerts page. So generally speaking, your security analysts, because they get so many alerts, are frequently going to be looking at only the high priority alerts. So as an ATP administrator, you might want to help guide folks to make sure they're looking at some of those lower priority alerts, but you in particular will want to make sure you look at the Health icon in the ATP portal, which is going to show you some lower priority activity related to the health of your Azure ATP instance. So if I go down here and look at, for example, some instances I have closed, you'll see I have some alerts that were low priority or medium priority, actually, where I had sensors that stopped communicating. So that means I have a domain controller that's having some connectivity issues, at least with regards to the Azure ATP Center. And when I look at my alerts, I can actually drill into a user's activity by clicking on the username anywhere that I see it. So once I click on a user, I can see a timeline of their activity, the protocols that are being used in those activities, and the resources that are being accessed. I can also see the devices from which they're accessing those resources. So for Jeff Leatherman here, as you can see, I can then click on his logged-on computers and I can see from where the alerts were generated. So in Jeff's case I can see that most of his alert-related activity was from an RDP server. So I can really pivot from a high-level incident, looking at a large scale of activity, into my users and drill down to see what a specific user's timeline looks like and really where they traveled, what devices they were using, the resources they were accessing.
But you'll notice that because Azure ATP is working with Active Directory, we're getting really user-friendly information here. I'm getting computer names and usernames and resource names. I'm not getting SIDs and GUIDs and IDs that I have to go look up in a database somewhere using some sort of script or query. And when I want to go from the user back to the top-level view, I can simply click over here at the top icon at the left and I'm back into my Alerts view. And if I'd like to deliver data to folks that don't use the Azure ATP portal, maybe management or somebody higher up or in a different part of the support organization, I can go to the Reports tab, and here I have a summary report of alerts and health-related issues, and reports related to lateral movements and passwords exposed in clear text. And if I want to enrich my visibility just a bit further, I can actually integrate Azure ATP with Microsoft Defender ATP. So in the settings of Azure ATP, I can flip a switch; I can then go to my Microsoft Defender Security Center, which is the Microsoft Defender ATP portal, click on Settings there, then Advanced Features. And down the page here I'll find an Azure ATP Integration switch, so I can then send enriched data in both directions. So if you're running both services, it's so easy to turn that integration on, there's really no reason not to do it. And that's your basic navigation in Azure ATP.