Azure Advanced Threat Protection (ATP) is probably a bit misunderstood as its main purpose is to identify threats in the traditional on-premises Active Directory with the help of multiple sources of information from other security controls that have visibility into various streams of data. It combines information collected from critical Windows event logs, network traffic captures, other authentication servers such as Radius and even through deception techniques using honeypot accounts. Behind the scene, the user and machine data is subjected to behaviour analytics and enriched with information from MDATP EDR and feeds its data into Microsoft Cloud App Security for further correlation and advanced SOAR capabilities.
The diagram below is a one-page view of the core Azure ATP components and how other security controls interact with it. It also provides information on how an MSSP can assist in optimizing its use and integration with other M365 components such as Defender ATP, MCAS and Azure Sentinel SIEM.
Contact us for full walk-through of this diagram and a review on how Azure ATP can give your organization full visibility into an area that is not typically covered by the traditional security controls.