Azure Advanced Threat Protection (ATA in the cloud)

Welcome! You can use this site to give feedback directly to our engineering teams that build the security products you rely on. You can suggest features or design changes, and vote on suggestions others have made. If you would like to further engage our engineering teams, please join our Security Community by visiting https://aka.ms/SecurityCommunity.

To learn more about Azure Advanced Threat Protection, visit this blog post.


  1. Add a mechanism to View Azure ATP Audit Logs (similar to ATA Center audit logs)

    Add a mechanism to allow users to view auditing logs of Azure ATP, similar to the information that shows up at ATA Center audit logs. (https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshoot-audit)

    Maybe audit logs could be shipped to a SIEM solution or to Azure Log Analytics.

    4 votes

    0 comments  ·  I am an employee of Microsoft
  2. Typo found in events /logs in ATP

    We have implemented ATP and it has been used to analyze the events. I found a typo in the logs.

    You may search for the following string > Potential sensiive lateral movement path ... > Please change the string "incudes" to "includes". Just a little typo. I could have sent a screenshot, but there is no such option here.

    1 vote

    0 comments  ·  I am a customer
  3. Alerts Integration

    It would be nice to have integration with the alerts through webhook, flow, or Graph API.

    3 votes

    0 comments  ·  I am a customer

    We are actively working against this. We plan on having REST APIs in the vNext version of the console as well as integration with Microsoft Flow.

    To join the Public Preview, please fill out this Microsoft Form:
    https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR6hCSmtvX8BNsp2sW9uyr6hURDdXVEdRWTFXSVZQTkNCMFFPWTk3VTM4Ti4u

    Note that we have not released the specific APIs to date, but this is a planned delivery as well. All security alerts and activities of a user are planned to be exposed in vNext.

  4. ATP replacing SCOM in Red Forest?

    The article makes mention of ATP monitoring forests across security boundaries (red forest).
    Does this mean that ATP may replace SCOM as the preferred Red Forest monitoring tool?
    Are there (currently, or in development) ESAE/Red Forest monitoring policies/packages for ATP?
    Is Microsoft Security updating the ESAE model to include Azure and Azure services?

    1 vote

    0 comments  ·  I am a partner
  5. Azure ATP Not Monitoring Password Change Failures

    Currently Azure ATP doesn't seem to monitor password change failures (in our case, as initiated from the ADFS password change page). We can see the password change failure in the ADFS logs but no corresponding log entry in Azure ATP.

    3 votes

    0 comments  ·  I am a customer
  6. Add support for Azure AD Domain Services

    I just decommissioned the Active Directory at a customer, but they would still like to have Azure ATP for the newly deployed Azure AD Domain Services :)

    Please consider this as a feature in the future.

    10 votes

    3 comments  ·  I am a partner

    Based on relooking at this, we are reviewing this gap area with the Azure ATP team as well as the Azure AD team. If there are any updates on our end, we will make sure to update you all here first.

    Please do continue to upvote this as we use this to see just how popular this request is which helps us prioritize.

    Note that we announced at RSA 2019 that we will be merging signals from Microsoft Cloud App Security, Azure ATP and Azure AD into a single pane of glass. This will allow you to see activities in one location, regardless of where those credentials go. However, this does not include visibility into AAD DS.

    Many thanks!

    Andrew + Azure ATP team

  7. Integrate natively with Log Analytics

    Currently, Azure ATA doesn't integrate natively with Log Analytics the way ATA does. See https://www.yammer.com/azureadvisors/threads/1082336424

    15 votes

    1 comment  ·  I am a customer

    We recently announced Azure Sentinel, a SIEM-as-a-service baked directly into Azure’s platform. For Azure ATP, we are building a connector to take Azure ATP’s data and feed it directly into Log Analytics.

    We plan on additional capabilities as well, such as taking this data from Azure ATP and fusing it with other data sources in Azure Sentinel to give you a robust investigation experience.

    Please refer here for more information on the integration being actively worked on:
    https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-atp

    Note that this will require a vNext version of Azure ATP. If interested in joining that, please see this Microsoft Form: https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR6hCSmtvX8BNsp2sW9uyr6hURDdXVEdRWTFXSVZQTkNCMFFPWTk3VTM4Ti4u

    Cheers,

    Andrew and the larger Azure ATP team

  8. Add Alerts Search feature

    Currently, ATP can search Computer, User, and Group objects.
    Additionally, we'd like to be able to search alerts.

    e.g.
    If a user is attacked, we want to extract the users who may be derived from that user, or the users who were attacked by the target.
    It would be a useful notification.

    1 vote

    0 comments  ·  I am an employee of Microsoft
  9. Add integration with RSA SecureID RADIUS servers

    RSA SecureID is used extensively for authentication as part of MFA. Look at integrating RADIUS events from RSA servers.

    2 votes

    1 comment  ·  I am a customer
  10. Observe Azure AD with Azure ATP

    Please enhance Azure ATP to also monitor Azure Active Directory in addition to on-premises Active Directory. Monitoring standalone Azure AD via Azure ATP may also be interesting.

    4 votes

    0 comments  ·  I am a partner
  11. Combine Azure estate telemetry to further enhance ATP capability

    Combine the telemetry of ATA/Azure ATP with other data from AAD, Intune, and Windows 10 to provide mapping capabilities for users and devices, with historical tracking as user activity changes across devices, applications, group membership, etc.

    4 votes

    0 comments  ·  I am a partner

    There are various efforts planned to do just this.

    We announced at RSA a Unified Identity Security Dashboard, bringing together Microsoft Cloud App Security, Azure AD and Azure ATP signals into a single dashboard. This means all signals for Identity will be in one location: wherever your users go, you have one single dashboard to review and investigate.
    To sign up for this preview, please refer to this Microsoft Form:
    https://forms.office.com/Pages/ResponsePage.aspx?id=v4j5cvGGr0GRqy180BHbR6hCSmtvX8BNsp2sW9uyr6hURDdXVEdRWTFXSVZQTkNCMFFPWTk3VTM4Ti4u

    Further, we announced the Microsoft Security Center, which will take your M365 E5 capabilities and put that into a common dashboard as well. This is still under development but can be found at:
    https://security.microsoft.com

    This will give you visibility of your Identity data as well as WDATP, which we just announced will also be supporting Mac and has thus been renamed "Microsoft Defender ATP".

    Both portals are in active development.

  12. Change the product's name

    The product's current name ("Azure Advanced Threat Protection") is confusing, because it doesn't make it clear that it's the cloud version of Advanced Threat Analytics. The name should be changed to "Advanced Threat Analytics in the Cloud" or something that similarly makes it more obvious that it's the cloud version of ATA.

    12 votes

    1 comment  ·  I am a customer
  13. Support comments on alerts

    I'd like to be able to add comments to an alert to explain to team members why it was closed/suppressed/excluded, or just to discuss the alert. Bonus points for supporting @ mentions!

    1 vote

    0 comments  ·  I am a customer
  14. ERSPAN should be supported soon

    Port mirroring would be our preferred solution instead of installing an additional agent (which may force performance leaks) on Domain Controllers. As ERSPAN is not supported yet, the agent installation is the only way to use ATA / ATP within a larger environment.

    2 votes

    0 comments  ·  I am a customer