Securing your business with Advanced Threat Protection (ATP)

Securing your business with Advanced Threat Protection (ATP)

Microsoft 365’s Advanced Threat Protection protects businesses against malicious attacks, abnormal behavior, and other security risks. Learn how to leverage ATP for your, and your customers’, businesses.

Advanced Threat Protection

Enterprise-level security is becoming a top priority for every successful business. As we witness staggering data breaches compromise even the most trusted companies, we should have all accepted by now that everyone is a potential target. With the average cost of a data breach coming in at $3.8 million and the median number of days an attacker stays in a network undetected at 146 days, it’s easy to see that companies are in need of better solutions.

To help alleviate companies from these sobering statistics, Microsoft has provided an on-premises platform that helps protect businesses from advanced, targeted cyber-attacks and insider threats. Advanced Threat Protection (ATP) is a simple and fast security solution under Microsoft’s Enterprise Mobility + Security (EMS). Revealing what is happening within a network, ATP quickly identifies suspicious activity and provides clear and actionable threat information.

Azure Information Protection

Curious about Azure Information Protection? Learn how to leverage the full ease and security here!


ATP helps you protect your enterprise from advanced targeted attacks by automatically analyzing, and identifying normal and abnormal entity (user, devices, and resources) behavior as well as provide actionable next steps.

How ATP Benefits US Partners

With current security hysteria under siege, US Partners can provide the peace of mind through ATP.  Advanced Threat Protection (ATP) gives Microsoft partners a quick, effective and affordable way to improve customers’ email security.

Whether you’re extending an existing engagement or developing new business, ATP is a natural starting point for a security practice that will drive growth and profit.

In 2016 alone, $1 Billion was lost from 4,000 daily ransomware attacks. This makes ATP a quick win for partners and opens the door to create managed security services that provide recurring revenue.

Now, let’s look at how it works with the benefits, main components and key features.

ATP Benefits:

  • Detect threats fast with behavioral analytics- proprietary algorithm pinpoints suspicious activities in your systems
  • Adapt as fast as your attackers- adjusts to reflect the changes in rapidly-evolving enterprises by continuously-learning behavioral analytics
  • Focus on only important events- determines important events worth focusing on and investigating, based on a timeline
  • Reduce false positive fatigue- filters and receives receipts only after suspicious activity is contextually aggregated and verified
  • Prioritize and plan– provides recommendations for investigation and remediation for each suspicious activity

Three main components of ATP:

  • ATP Gateway– installed on a dedicated server to help monitor traffic from the domain controllers by using either port mirroring or a network TAP
  • ATP Lightweight Gateway– Same core functionality as the ATP Gateway installed directly on domain controllers to monitor traffic without a dedicated server
  • ATP Center – Receives the data from the ATP Gateways or ATP Lightweight Gateways.

Key Features of ATP

  • Behavioral analytics– learning capability that understands users and entity behaviors while automatically adjusting to known and approved changes in the enterprise
  • Attack timeline– simple and easy-to-understand timeline which measures security and lists questionable activities
  • Mobility support– mobile devices and vendors closely monitored as internal assets, to protect corporate resources
  • Organizational Security Graph– maps all entity interactions representing the context and activities of users, devices, and resources
  • SIEM (Security Information and Event Management) Integration– configure ATP to send an event to SIEM for suspicious activity with a link to the specific event on the attack timeline
  • Email Alerts– receive email alerts when ATP detects suspicious activity
  • Easy Deployment– automatically starts analyzing and detecting suspicious activity

Advanced Threat Protection

How ATP works

ATP uses a proprietary network parsing engine that captures and parses the network traffic for authentication, authorization, and information gathering.

ATP collects information from either Port mirroring from Domain Controllers and DNS servers, or by deploying an ATP Lightweight Gateway (LGW) directly on Domain Controllers. After that, ATP takes information from multiple data sources like log files and events in your network. ATP can receive events and logs from SIEM Integration, Windows Event Forwarding, or Windows Event Collector for the Lightweight Gateway.

ATP uses this data to learn about the behavior of users and other entities and builds behavioral profiles based on the information.

ATP detects multiple suspicious activities by focusing on the phases of the cyber-attack kill chain.  The three phases of this chain are Reconnaissance, Lateral Movement Cycle, and Domain Dominance.


Attackers gather information of their victim’s environment (how the network is built, what assets and entities exist in the environment) to build a plan for the next phase.

Lateral Movement Cycle

Attackers invest time and effort into spreading the attack surface inside the victim’s network.

Domain Dominance

The attacker captures entry points, credentials and techniques to move forward with the attack.

ATP provides early detection in theses phases, alerting the system to suspicious activity.

ATP searches for three main types of attacks

  • Malicious attacks– ATP detects known malicious attacks almost as instantly as the occur.
    • Pass-the-Ticket (PtT)
    • Pass-the-Hash (PtH)
    • Overpass-the-Hash
    • Forged PAC (MS14-068)
    • Golden Ticket
    • Malicious replications
    • Reconnaissance
    • Brute Force
    • Remote Execution
  • Abnormal behavior– Behavioral analytics leverage Machine Learning to uncover questionable activities and abnormal behavior
    • Anomalous logins
    • Unknown threats
    • Password sharing
    • Lateral movement
    • Modification of sensitive groups
  • Security issues and risks – ATP identifies known security issues using world-class security researcher’s work
    • Broken trust
    • Weak protocols
    • Known protocol vulnerabilities

How to use ATP

To monitor and respond to the suspicious activities that ATP detects use the ATP console. The console provides you with a quick and easy view of all the suspicious activities in chronological or sequential order. It provides you details of any activity that is shown in the console and perform actions based on the activities. The console also displays alerts and notifications that highlight problems with the ATP network or new activities considered suspicious.

Key ATP Console Elements

  • Attack timeline

In the default page of the console, the timeline categorizes suspicious activity by high, medium, and low security levels

  • Notification bar

Automatically opens when suspicious activity is detected.

  • Search bar

Search for specific users, computers, or groups within ATP.

  • User and computer profiles

Profiles are built for each user and computer in the environment and displays general information such as group membership, recent logins, and recently accessed resources.

  • Mini profile

Quickly view activities between profiles anywhere within the ATP console.

The console works to provide details, determine security levels, and update the status of suspicious activities. It can also share activity in the organization via email, export activity to Excel, and provide input regarding the detected activity. ATP also provides recommendations for how to respond to each activity.

Suspicious Activity is Classified as:

True Positive– malicious action detected

Benign true positive– an action is detected is real but not malicious, such as penetration testing

False positive– a false alarm generates but no activity happened


Once you have ATP, and enable all the best features, you’ll wonder how you previously operated without it. To learn more details about ATP and how to navigate it, go to to see all of our Microsoft 365 Security & Compliance Training and unlock the full potential of Microsoft 365 security.

CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting edge cyber security training. Our training provides the most in demand industry certification prep courses including EC-Council, CompTIA, (ISC)2 and Cisco; all taught by leading cyber security experts. All of our offerings are aligned with the national initiative for cyber security education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses bite-sized micro-learning methodology ensures learners are not overwhelmed with information. On Demand LMS platform has white-label capabilities ideal for internal training purposes.

Leave a Reply

Your email address will not be published. Required fields are marked *