Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. With all these signals integrated in Cloud App Security it is possible to create alerts and actions on them. If something happens on the internal network you can get notified about it.

OS Level requirements

  • .Net Framework 4.7
  • Server 2019 requires KB4487044 to be installed
  • Power option set to High Performance

Directory Service Account

  • Requires:
    • Read permission to all objects in the domains
    • Permissions to perform SAMR queries on local workstations
  • One set of credentials is needed per forest, or for multiple forests with two-way trusts.
  • Additional credentials are required for each forest with a non-Kerberos trust or no trust
  • Default limit of 10 directory service accounts per Azure ATP instance. Contact support if your organization needs more.

Ports required

  • Sensor -> ATP service, TCP 443 (SSL)
  • Sensor -> DNS, TCP / UDP 53
  • Sensor -> All devices, TCP / UDP 445
  • Sensor -> All devices, TCP 135
  • Sensor -> All devices, UDP 137
  • Sensor -> All devices, TCP 3389

The sensor will not function on domain controllers that use NIC teaming, which is typically found on physical servers. Download and install Npcap before deploying the sensor to fix this.

Domain controllers running on VMware

  • You may see "Dropped packets" health alerts
  • Use PowerShell to check the Large Send Offload (LSO) setting
  • To see the status of LSO:
    • Get-NetAdapterAdvancedProperty | Where-Object DisplayName -Match "^Large*"
  • To disable it, run the following cmdlet:
    • Disable-NetAdapterLso -Name {name of the adapter}
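As an added example (not part of the original post), the following PowerShell script checks the prerequisites listed above on a domain controller before the sensor is installed: .NET Framework 4.7, KB4487044 on Server 2019, the High Performance power plan, NIC teaming, the outbound ports, and Large Send Offload. The ATP service host name is a placeholder you must replace with the value from your portal; the .NET release number and the power plan GUID are well-known Windows values.

```powershell
# Added example, not from the original post: pre-deployment checks for an Azure ATP sensor host.
# Run in an elevated PowerShell session on the domain controller before installing the sensor.
param(
    # Assumption/placeholder: replace with the sensor endpoint shown in your ATP portal.
    [string]$AtpServiceHost = "<your-instance>.atp.azure.com",
    [switch]$DisableLso      # only act on Large Send Offload when explicitly asked
)

function Report([string]$Check, [bool]$Ok, [string]$Detail) {
    "{0,-45} {1} {2}" -f $Check, $(if ($Ok) { "OK" } else { "FAIL" }), $Detail
}

# .NET Framework 4.7 or later: the Release value in the registry is 460798 or higher.
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -ErrorAction SilentlyContinue).Release
Report ".NET Framework 4.7+" ($release -ge 460798) "Release=$release"

# Server 2019 needs KB4487044; Get-HotFix returns an error (suppressed here) when it is absent.
$os = (Get-CimInstance Win32_OperatingSystem).Caption
if ($os -match '2019') {
    $kb = Get-HotFix -Id KB4487044 -ErrorAction SilentlyContinue
    Report "KB4487044 installed" ($null -ne $kb) $os
}

# Power plan must be High Performance (well-known scheme GUID).
$scheme = (powercfg /getactivescheme) -join ''
Report "High Performance power plan" ($scheme -match '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c') $scheme

# NIC teaming on the DC requires Npcap before the sensor is deployed.
$teams = Get-NetLbfoTeam -ErrorAction SilentlyContinue
Report "No NIC teaming (else install Npcap first)" (-not $teams) ($teams.Name -join ',')

# Outbound ports from the list above: 443 to the ATP service, 53 to the configured DNS server.
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -First 1
foreach ($t in @(@{ Host = $AtpServiceHost; Port = 443 }, @{ Host = $dns; Port = 53 })) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    Report "TCP $($t.Port) to $($t.Host)" $r.TcpTestSucceeded ""
}

# VMware guests: Large Send Offload causes "dropped packets" health alerts. Show the setting
# per adapter and disable it only when -DisableLso is given (same cmdlets as the post above).
$lso = Get-NetAdapterAdvancedProperty | Where-Object DisplayName -Match '^Large Send Offload'
foreach ($p in $lso) {
    Report "LSO off: $($p.Name) / $($p.DisplayName)" ($p.DisplayValue -eq 'Disabled') $p.DisplayValue
    if ($DisableLso -and $p.DisplayValue -ne 'Disabled') {
        Disable-NetAdapterLso -Name $p.Name -Confirm:$false
        "Disabled LSO on adapter $($p.Name)"
    }
}
```

Run it once without `-DisableLso` to review the report, then with the switch on VMware guests that show LSO enabled.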

Plan your server sizing with the capacity planning tool at the link below.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning

Configure the Azure ATP

When all prerequisites are in place, we can configure the portal. Create a service account with read permissions to all objects in the domain. Go to https://portal.atp.azure.com/ and enter the credentials.

Download the sensor package and copy the Access key; both are needed for the installation later.

Install the Azure ATP sensor on domain controllers

Make sure Microsoft .NET Framework 4.7 is installed. If it is not, the sensor package installs it and requires a reboot of the server. Copy the Access key from the portal into the sensor installation.

When the sensor is installed, give the portal a couple of minutes before the sensor makes contact with the service. If you have more than one domain controller, download the sensor and install it on all the other servers as well.

When the sensor is running without any errors, push the updates and configure the settings. You can choose to restart the domain controller automatically or to delay the updates.

Reports

There are some reports to download from the portal. All other configuration is done in Microsoft Cloud App Security.

Hardening access to the portal with Conditional Access

Create a Conditional Access rule that applies to all users and excludes the users that need access to the portal, with the grant control set to Block. You can also limit access based on named locations or to trusted devices.

Cloud App Security

In MCAS you need to enable the Azure ATP integration. Click the gear in the upper right corner and choose Settings. Then click Azure ATP and enable the Azure ATP integration.

Then, from the navigation menu, choose Investigate, then Users and accounts, and filter on App = Active Directory. From this view you can see all the activities and then create policies and alerts.