Integration between Azure Security Center and Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (MDATP) is a security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats. This article discusses how Azure Security Center (ASC) is able to integrate with this platform and what are the aspects to consider to combine the different potentials and effectively contemplate the protection of servers.

Microsoft Defender Advanced Threat Protection (MDATP)

The main characteristics of the solution Microsoft Defender Advanced Threat Protection:

  • Advanced post-breach detection sensors: Thanks to sensors from Microsoft Defender ATP for Windows Servers, a wide range of behavioral signals can be collected.
  • Ability to perform post-breach checks by leveraging the power of the cloud: Microsoft Defender ATP is able to quickly adapt to changing threats as it uses the Intelligent Security Graph with signals from Windows, Azure and Office. With this powerful mechanism, you can respond quickly to unknown threats.
  • Threat intelligence: Microsoft Defender ATP generates alerts when it identifies tools, techniques and procedures used by attackers. The solution uses data generated by Microsoft 'hunters' and security teams, enriched by the intelligence provided by collaboration with different security partners.

The Microsoft Defender Advanced Threat Protection console (MDATP) is accessible to this link.

Features and benefits of integration

ASC integrates with MDATP to provide comprehensive Endpoint Detection and Response (EDR). With this integration, you can take advantage of the following features:

  • Automated Onboarding: the integration automatically activates the Microsoft Defender ATP sensor for Windows servers monitored by Security Center (except for systems Windows Server 2019, for which it is necessary to make specific configurations). Windows Server systems monitored by Azure Security Center will also be present in the Microsoft Defender ATP console.
  • Windows Defender ATP alerts will also appear in the Azure Security Center console, in order to keep all reports in a single centralized console. However, to perform a detailed analysis of the reports, please log on to the Microsoft Defender ATP console, which provides more information such as incident charts. From the same console, you can also view the timeline of all detected behaviors for a specific system, for a historical period of up to six months.

Enabling integration between ASC and MDATP

To enable this integration, you must use Azure Security Center (ASC) standard tier, which includes the license to activate MDATP on server systems.

  • For virtual machines in Azure you need to have the ASC standard tier at the subscription level:

Figure 1 – Activating ASC standard tier at subscription level for VMs in Azure

  • For virtual machines that don't reside in Azure, but on-premises or in other clouds, simply enable the ASC standard tier at the workspace level:

Figure 2 – Standard tier activation of ASC at the workspace level for non-Azure VMs

Furthermore, you must enable the following setting from Azure Security Center:

Figure 3 – Enabling integration between ASC and MDATP

To see the different ways to onboard servers, you can access this Microsoft's document.

When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is also automatically created (by default in Europe). If the Microsoft Defender ATP solution is used before using Azure Security Center, the data will be stored in the location specified when creating the tenant, even if you integrate with ASC later. The location where the data is stored cannot be changed post-deployment, but if you need to move your data to another geographic location, you should contact Microsoft Support.

Figure 4 – Data Storage retention

 

Threat Detection

In the presence of this integration, against a threat detection by MDATP, an alerts is also generated in the Azure Security Center, which becomes the centralized console for the collection of security reports.

Figure 5 – SecurityAlert present in the ASC workspace

Alert information can also be sent by email via Action Group:

Figure 6 - Report received by email from ASC in response to a detection of a threat

You can access the Microsoft Defender Security Center portal to investigate the alert in depth, where you will find the details.

Figure 7 – Alert details from the Microsoft Defender Security Center portal

Conclusions

Azure Security Center (ASC) and Microsoft Defender Advanced Threat Protection (MDATP) are two distinct solutions, but with important relationships, both as regards the aspects relating to licensing and for the operational management of the security of server systems. Thanks to this simple integration you can manage systems onboarding and also include MDATP reports in ASC, so you can effectively monitor your environment and respond to security threats on server systems.

Please follow and like us: