Add a mechanism to allow users to view auditing logs of Azure ATP, similar to the information that shows up at ATA Center audit logs. (https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshoot-audit)
May be audit logs can be shipped to SIEM solution, or Azure Log Analytics.8 votes
Azure ATP recognize Azure AD Connect is not DC.
So a part of replication alert(ID 2006...) occurs in many environments when we deploy Azure ATP at first time.
Some customers requested to add a definition for Azure AD Connect.1 vote
Limit NNR on public IPs to reverse DNS lookup.
Our domain controller also forwarding DNS to our public dns provider. ATP Agent attempts 3389, 145, 137 for what looks like every public dns request against our public DNS IPs, and fails on the firewall. very noisy for our firewall logs and no need to add that packet/sec count to the dc/agent.1 vote
It would be nice to have integration with the alerts through webhook, flow, or Graph API.4 votes
We are actively working against this. We plan on having REST APIs in the vNext version of the console as well as integration with Microsoft Flow.
To join the Public Preview, please fill out this Microsoft Form:
Note that we have not released the specific APIs to-date, but this is a planned delivery as well. All Security Alerts and activities of a user are planned to be exposed in vNext.
We have implemented ATP and it has been to analyze the events. I found a typo in the logs .
You may search for the following string > Potential sensiive lateral movement path ... > Please change the string incudes to includes. Just little typo. I could have sent a screenshot , but there is no such option here.1 vote
The article makes mention of ATP monitoring forests across security boundaries (red forest).
Does this mean that ATP may Replace SCOM as the preferred Red Forrest Monitoring tool?
Are there (currently-or in development) ESAE/Red Forrest monitoring policies/packages for ATP.
is Microsoft security updating ESAE model to include Azure, and Azure Services?1 vote
Currently Azure ATP doesn't seem to monitor password change failures (in our case, as initiated from the ADFS password change page). We can see the password change failure in the ADFS logs but no corresponding log entry in Azure ATP.4 votes
I just decommissioned the Active Directory at a customer, but they would still like to have Azure ATP for the newly deployed Azure AD Domain Services :)
Please consider this as a feature in the future12 votes
Based on relooking at this, we are reviewing this gap area with the Azure ATP team as well as the Azure AD team. Any updates on our end, we will make sure to update you all on here first.
Please do continue to upvote this as we use this to see just how popular this request is which helps us prioritize.
Note that we announced at RSA 2019 that we will be merging signals from Microsoft Cloud App Security, Azure ATP and Azure AD into a single pane of glass. This will allow you to see activities in one location, regardless of where those credentials go. However, this does not include visibility into AAD DS.
Andrew + Azure ATP team
Currently, Azure ATA doesn't integrate natively with Log Analytics the way ATA does. See https://www.yammer.com/azureadvisors/threads/108233642415 votes
We recently announced Azure Sentinel, a SIEM-as-a-service baked directly into Azure’s platform. For Azure ATP, we are building a connector to take Azure ATP’s data and feed it directly into Log Analytics.
We plan on additional capabiltiies as well, such as taking this data from Azure ATP and fusing it with other data sources in Azure Sentinel to give you a robust investigation experience.
Please refer here for more information on the integration being actively worked on:
Note that this will require a vNext version of Azure ATP. If interested in joining that, please see this Microsoft Form: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR6hCSmtvX8BNsp2sW9uyr6hURDdXVEdRWTFXSVZQTkNCMFFPWTk3VTM4Ti4u
Andrew and the larger Azure ATP team
Currently, ATP can Search Computer, User, Group object.
Additionally, We'd like to search any Alerts.
If a user is attacked, We want to extract the users who may be derived from the user or the users who were attacked by the target.
It will be useful notification.1 vote
RSA SecureID is used for authentication extensively as part of MFA. Look at integrating RADIUS events from RSA servers2 votes
Please enhance Azure ATP to also monitor Azure Active Directory in Addition to local Active Directory. Also monitoring Azure AD standalone via Azure ATP may be interesting.4 votes
Combine the telemetry of ATA/Azure ATP with other data from AAD, Intune, and Windows 10 to provide mapping capabilities of users and device, with historical tracking as the user activity changes across devices, applications, group membership etc.5 votes
There are various efforts planned to do just this.
We announced at RSA a Unified Identity Security Dashboard, bringing together Microsoft Cloud App Security, Azure AD and Azure ATP signals into a single dashboard. This means all signals for Identity will be in one location—wherever your users go, you have one single dashboard to review and ingestigate.
To sign up for this preview, please refer to this Microsoft Form:
Further, we announced the Microsoft Security Center, which will take your M365 E5 capabilities and put that into a common dashboard as well. This is still under development but can be found at:
This will give you visibility of your Identity data as well as WDATP—which we just announced will also be supporting Mac and thus renamed “Microosft Defender ATP”.
Both portals are in active development.
The product's current name ("Azure Advanced Threat Protection") is confusing, because it doesn't make it clear that it's the cloud version of Advanced Threat Analytics. The name should be changed to "Advanced Threat Analytics in the Cloud" or something that similarly makes it more obvious that it's the cloud version of ATA.12 votes
I'd like to be able to add comments to an alert to explain to team members why it was closed/suppressed/excluded, or just to discuss the alert. Bonus points for supporting @ mentions!1 vote
Port mirroring would be our preferred solution instead of installing an additional agent (which may force performance leaks) on Domain Controllers. As ERSPAN is not supported yet, the agent installation is the only way to use ATA / ATP within a larger environment.2 votes
- Don't see your idea?