Forum Discussion
Observe Azure AD with Azure ATP
Raf,
Cloud App Security is a little different. That product monitors firewall logs to see what apps your users are going to and how much data is being shared by those apps. Once you get a baseline, you can then fine-tune policies about what apps they should be going to and look for anomalies. That being said, the number of Azure/Office-related security products are many, and the way they do or don't interact is confusing at best to me. Specifically, what I would like to know is if our Azure AD has had a mass query done against it from an unfamiliar location. Our Azure AD should not be queried by anyone in Russia, for example, or anyone that is VPN'ing to the US from Russia. More importantly, with the power of the cloud, this should be detected and stopped without me having to detect it after the fact and do something about it. We are still in the wild west out here, but the Iron Horse is coming across the prairie and I'm hoping that more good guys are coming than bandits.