4/22/2020 published by: Softeng

Microsoft Defender Advanced Threat Protection (ATP)

In recent months, we have seen in the media how important companies and institutions have suffered computer attacks that have exposed millions of sensitive data and collapsed their corporate networks. According to INCIBE (National Cybersecurity Institute) data, last year more than 120,000 incidents were recorded in Spain, this figure being 40% higher than the previous year.

Indeed, security is one of the great challenges that companies face, however, the sophistication of attacks evolves by leaps and bounds reaching such a high level that it can take many months to discover network intrusion and therefore causing a great impact on the company.

To deal with these types of advanced threats, Microsoft offers us Microsoft Defender Advanced Threat Protection , hereinafter Microsoft Defender ATP. It is a powerful solution that combines Windows 10 technology and Azure's intelligent cloud service to offer companies preventive protection , post-violation detection , automated investigation , and response to advanced threats on their networks.

Much more than an antivirus
Microsoft's antivirus is Windows Defender and is included in all Windows operating systems. Instead, Microsoft Defender ATP is a set of advanced security solutions in the cloud that, among other sources, is powered by antivirus (whether or not Windows Defender).

How exactly does it help protect you?

In general, it helps you to:

  • Detect advanced and zero-day attacks ( Attack that exploits an unknown vulnerability ), based on analysis of the environment, behavior and the use of machine learning, showing you detailed information on the scope of the security breach through the central console and offering you solutions to mitigate it.
  • Obtain a real-time analysis of all your equipment infrastructure through a central console that shows information on the status and activity of protected computers.
  • It offers you instant access to the 6-month analysis of information regarding the behavior of the company to carry out a forensic analysis, offering you an inventory of files, URLs and connections throughout the network.
  • Save time for your IT department thanks to the automatic investigation of alerts.
  • Offers a single platform approach
  • Protection against next-generation attacks: Polymorphic or mutant viruses that are difficult to detect because they change their malicious code constantly.
  • Reduction of attack surfaces, through different functionalities such as web protection, controlled access to folders or application control, protect computers by minimizing attack surfaces.

Microsoft Defender Advanced Threat Protection (ATP)

How does it work?

The tool continuously monitors the network for malicious activity or abnormal behavior through:

  • Behavior sensors: Integrated into devices and devices, they collect and process behavioral signals from the operating system (for example, network communications, file and process modifications). This information is then sent to the Cloud Security console to analyze them and exchange signals with the Microsoft Intelligent Security Graph.
  • Threat Intelligence: Microsoft has a team of global security specialists and a community of hunters, dedicated exclusively to searching and finding new malicious techniques, continually training ATP to help it become more and more cash.
  • Security analysis in the cloud: Thanks to BigData and machine learning, it analyzes the information received from the sensors and contrasts it with historical and anonymous information from millions of devices distributed around the world as well as by the Artificial Intelligence of threats included in the ATP itself, to detect anomalous behavior, hacker techniques and similarity to known attacks.

Automatic threat investigation and resolution

Windows defender advanced Threat Protection

Powered by the cloud, machine learning, and behavioral analytics, Microsoft Defender ATP provides intelligent protection capable of dealing with the most sophisticated and advanced threats. In numbers, ATP processes 970 million malicious events a day through Microsoft's consumer and business ecosystem, making its intelligence more powerful every day. However, detecting threats is only half the battle, 80% of companies receive a high volume of alerts on their systems, causing the IT department to spend a large part of its resources on investigation and remediation tasks.

To solve this problem, Microsoft Defender ATP includes a feature that we want to highlight called " automatic investigation ": This feature automatically investigates alerts and applies artificial intelligence to determine if it is really a threat in order to decide what actions to take, too, automatically. This functionality saves IT departments time and effort, allowing them to focus on more strategic tasks for the company.

    Features of the Microsoft Defender Atp portal

    Microsoft Defender ATP helps the IT department to effectively manage the company network, offering a centralized administration and management portal for all alerts and security measures of the equipment, with functionalities that allow you to:

    • Windows defender advanced Threat Protection Move through the different navigation panels to access: Security Operations, Security Score or the Threat Analysis Panel.
    • Manage security alerts throughout the network.
    • Control and manage the automatic investigations that have been carried out.
    • Through a powerful advanced search tool based on queries, you can "hunt" and proactively investigate through your company's data.
    • In the list of machines section you can control the equipment incorporated into Windows Defender ATP obtaining detailed information on risks and alerts.
    • Get a quick overview of the application's service status .
    • Update your configuration options, allowing you to customize retention policies, enable advanced features, and create Power BI reports that allow you to interactively analyze machines, alerts, and research status.

    Navigation Panels

    Security Operation Panel

    This panel provides a snapshot of the network showing a detailed view of the various security alerts on computers and users. Through this panel you can quickly explore, investigate and determine where and when suspicious activities have occurred and be able to easily understand the context in which they arose.

    Windows defender advanced Threat Protection

    The dashboard has interactive windows that provide indications on the overall health status of the organization, such as active alerts, machines and users at risk, active automatic investigations, and a suspicious activity dashboard that displays audit events based on detections from various safety components.

    The tool also offers the possibility of simulating attacks so that you can check their level of effectiveness before continuing to add teams to Microsoft Defender Atp.


    Threat Analysis Panel

    Threats emerge more and more frequently and through this panel, you can quickly assess your security position, including the impact and resistance of your company in the context of specific threats. In addition, you will be able to continuously assess and control risk exposure to Specter and Meltdown , two of the main vulnerabilities in processor chips through which attackers can access your computer.

    The panel offers a set of interactive reports released by the Microsoft Defender ATP research team at the time a new threat and attack is identified. From the mitigation recommendations section, you can execute specific actions to improve the visibility of the threat and increase the resistance of your company.

    Windows defender advanced Threat Protection

    In addition to the features that we have discussed in the article, we want to highlight the following:


    Speed of response and isolation are the keys to successful security attack prevention. Therefore, when the tool detects that a computer is compromised, it automatically suspends the user's account and isolates the infected device to prevent access to the network, drastically reducing the surface of the attack. Also, even if the machine is isolated, the IT department has full control over that equipment at risk, in order to analyze it and mitigate the security breach.


    You can submit suspicious files for deep inspection and full analysis in minutes, in an isolated network environment, and lock files if they are malicious.

    Conditional access based on team risk

    Microsoft Defender ATP can control access to sensitive information based on the risk level of the team itself. In this way, it guarantees that only authenticated users who use a device registered in the company will be able to access the company's data in Office 365 and, in addition, that it can only be accessed if the equipment is in good condition (without viruses, Trojans, etc). Therefore, if a threat is detected on a device, the possibility of access to sensitive information by the affected device is instantly blocked while the threat is still active.

    Threat and vulnerability management

    This capability uses a risk-based approach to identify, prioritize, and repair equipment vulnerabilities and misconfigurations. It includes:

    • Real-time discovery through device inventories, which provide automatic information about security configuration data and vulnerabilities of computers.
    • Inventory of company software, as well as changes related to new installations, uninstalls and patches.
    • Constant visibility of application usage patterns for better prioritization and decision-making against suspicious behavior.
    • Control and visibility over the security settings of the company, showing information and alerts in real time about emerging problems such as disabled antivirus or wrong settings. Problems are reported on the dashboard with actionable recommendations.
    • Threat intelligence that helps prioritize and target those vulnerabilities or threats that pose the most critical risk to the business.
    • One-click remediation requests, through integration with Microsoft Intune. It also provides real-time monitoring of the status and progress of remediation activities across the enterprise.
    • Provides information on additional alternative mitigations, such as configuration changes that can reduce the risk associated with software vulnerabilities.

    Integration with Microsoft 365 tools
    You can equip Microsoft Defender ATP with more information and more intelligence when evaluating the risk level of each machine with the integration of:

    • Azure Advanced Threat Protection (ATP): Detects if the machine suffers anonymous behaviors (lateral attacks, for example) and, if so, increases the risk of the machine in order to prioritize its revision.
    • Azure Information Protection (AIP): Comparing two machines with the same vulnerabilities, the one that has documents tagged with AIP will have a higher risk level (due to having sensitive information) and, therefore, will be prioritized.
    • Microsoft Cloud App Security (MCAS): It allows those applications that MCAS has marked as unauthorized, to be blocked on the computer without being able to be used, regardless of the network to which it is connected.

    Microsoft Defender ATP licensing?

    There are different licensing modalities depending on the type of endpoint we want to protect.

    For Pc's:

    • Microsoft Defender ATP can be purchased individually
    • Included in Windows 10 E5 ( includes all the security capabilities of the E3 + Microsoft Defender ATP version)
    • Included in Microsoft 365 E5 (includes Windows 10 Enterprise E5, Office 365 E5, and EMS E5)
    • It is included in the Microsoft 365 E5 Security Add-on

    For servers:

    • Connecting servers to Azure Security Center
    • Microsoft Defender ATP Server License

    In conclusion, we can affirm that Microsoft defend ATP covers the life cycle of threats from start to finish, from detection to investigation and response automatically, taking your company to a maximum level of protection, and thus helping to comply with the GDPR.

    From Softeng, we are committed to providing solutions to our clients and offering them our experience in this area, so we encourage you to follow our blog in which we will continue to report on the security tools and solutions that we can offer you.

    Do you want to know more about Windows 10 Enterprise E5 or Microsoft 365? Contact us!

    Yes, I want to know more!



    << back to blog
    Surname *
    Range *
    Nº employees *

    Do you want to receive the items in your mailbox?

    Suscripciones al Blog Rss Blog