This blog post talks about Azure ATP and Windows defender ATP integration, and how powerful this can be during suspicious activity investigation. You can also read about Azure advanced threat protection deployment, lateral movement, and Azure ATP vs ATA blog posts.
INTEGRATING AZURE ATP WITH WINDOWS DEFENDER ATP
I quote from Microsoft documentation “Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP, for an even more complete threat protection solution. While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment.”
Microsoft has three ATP solutions now, and they all work together for better integrated solution that covers identities, emails, and endpoints. The power of this integration between Azure ATP and Windows ATP is to help you get more insights when doing your investigation. A suspicious activity on an endpoint (reported by Windows Defender ATP) that John uses frequently, means that his identity might be compromised, which Azure ATP can help carry on the investigation from an endpoint point of view, to an identity point of view, by observing if John’s identity is trying to log on to suspicious abnormal locations.
HOW TO ENABLE THE INTEGRATION BETWEEN AZURE ATP AND WINDOWS DEFENDER ATP?
Azure ATP and Windows defender ATP integration might look complex at first and might need complex configuration and digital certificates. Don’t worry, since both Windows Defender ATP and Azure ATP are cloud services, enabling Azure ATP and Windows defender ATP integration is just a matter of turning on a switch.
To enable Azure ATP and Windows defender ATP integration from Azure advanced threat protection side, you just need to enable the Windows Defender ATP integration as shown below.
To enable Azure ATP and Windows defender ATP integration from Windows Defender ATP side, you just need to enable the Azure ATP integration as shown below.
The full documentation on how to enable this can be find at Microsoft site here.
HOW THIS INTEGRATION LOOKS LIKE?
FROM WINDOWS DEFENDER ATP SIDE
If you are inside Windows Defender ATP console, and investigating a device, you can see that “Ahmad” for example is the primary or more frequent user for that device. Since the device might be compromised as shown below, we can assume that the credentials of “Ahmad” are stolen. The next step would be looking at Ahmad’s identity, and see where it was used, and whether there is any suspicious behavior from identity perspective (logon from abnormal devices, or pass the hash activity). Here we are jumping from investigating a device in Windows Defender ATP, to investigating identity in Azure ATP.
If we are looking at Ahmad’s machine in Windows Defender ATP, we will see that the machine has couple of alerts.
Now we can see that there are Zero alerts inside Azure ATP. Clicking that link, will get us to Azure ATP in the context of that machine, so that we can investigate what identities are using that machine, and from there, we can follow Ahmad’s identity and see where it was used across the enterprise. You can also see that from Azure ATP view of that machine, we can see a link to Windows Defender ATP showing 11 alerts. Clicking there, will return us back to the machine’s view in Windows Defender ATP.
So you start with a machine in Windows Defender ATP, and then you move context to what identity activities are reported on that machine in the Azure ATP management console.
FROM AZURE ATP SIDE
let us start by investigating Ahmad’s identity, which Azure ATP flagged with a risk as seen in the below figure. So now while we are inside Azure Advanced Threat Protection management console, and investigating Ahmad’s identity, we can see an icon for Windows Defender ATP, showing a count of 1, which means that Azure ATP is exchanging signals with Windows Defender ATP, that detects that Ahmad is using a machine that has Windows Defender ATP agent, and this machine has one alert.
Clicking the Windows Defender ATP icon from within Azure ATP, will pivot into Windows Defender ATP in the context of Ahmad, listing all his machines and alerts reported.
So if you start with Azure ATP, you can move context to Windows Defender ATP, and see if Ahmad’s identity has any reported alerts in Windows Defender ATP across devices, and whether devices Ahmad logs into have any alerts.
THOUGHTS ON AZURE ATP AND WINDOWS DEFENDER ATP INTEGRATION
I want to mention that although this integration might look simple, but a lot is happening in the background. Just by looking at an entity inside Azure ATP, you can immediately see the health or risk level of that identity at the endpoint level without even clicking any buttons. This is huge, as if you are looking at John profile inside Azure ATP, and John is using a device with Windows Defender ATP deployed, then the correlation happens at real time between John’s identity in Azure ATP and [What devices John logs on to, check the health of those devices, determine the risk value, and send those back to Azure ATP].
I thought previously that living with Azure ATP is good enough, but it worth looking at Windows Defender ATP and enable such integration.
Here is a real example that I faced lately. I recently saw this scary alert in Azure ATP about pass the ticket attack. I can see that John kerberos ticket was stolen using a computer with an IP address 10.10.1.1 and used to access Server1. Now since I am in the head office, and this machine is located at the other side of the world, I cannot call the local IT there to ask him to investigate the machine. Perhaps there is no local IT at that site.
Azure AP notified me about a suspicious activity, but I still need to investigate the PC1 endpoint, which can be a click away if I have Windows Defender ATP. Since I already have Windows Defender ATP on PC1, within one click I can zoom in that machine and see what is going on there in extremely detailed matter. You can see that there are a lot of suspicious activities and tools detected on that machine, within one click from the Windows Defender ATP console, I can:
- Isolate the machine from the network.
- Run quick Anti-malware scan on the machine.
- Generate investigation package.
- Restrict app execution so that nothing will run on the machine except those applications signed by Microsoft.
Notice that we start from Azure ATP, detecting pass the ticket attack, then we zoom in with Windows Defender ATP to the endpoint itself, and finally we could immediately take actions from within the management portal. This is the power of integration in its simplest form.
Reference: Hasayen, A. (2018). Azure ATP and Windows Defender ATP Integration. Available at: https://blog.ahasayen.com/azure-atp-and-windows-defender-atp-integration/ [Accessed: 10 May 2018]