Observe Azure AD with Azure ATP


Hi @ll,

is it now possible to observe Azure Active Directory with Azure ATP?
And what about if I only have an Azure AD and no on-premises AD anymore?

Greets,
Karsten...

4 Replies
I haven't heard that but I would vote for making it possible. +1 for Azure ATP to monitor Azure AD.

Hi Paul and Karsten,

Azure ATP currently only monitors the users in the on-premises Active Directory.

This is something that is being looked into.

Remember you can always use your voice, by visiting the Azure ATP User Voice page.

Best,

Gershon

In my opinion, Azure ATP is really focused on typical AD attack scenarios, such as pass-the-hash/ticket, skeleton key, golden ticket, etc. ... If you are looking for a good tool to monitor Azure AD, I would recommend looking at Cloud App Security ... (feel free to correct me if I'm wrong ;)

Raf,

Cloud App Security is a little different. That product monitors firewall logs to see what apps your users are going to and how much data is being shared by those apps. Once you get a baseline you can then fine-tune policies about what apps they should be going to and look for anomalies. That being said, the number of Azure/Office related security products is large, and the way they do or don't interact is confusing at best to me. Specifically, what I would like to know is if our Azure AD has had a mass query done against it from an unfamiliar location. Our Azure AD should not be queried by anyone in Russia, for example, or anyone that is VPN'ing to the US from Russia. More importantly, with the power of the cloud this should be detected and stopped without me having to detect it after the fact and do something about it. We are still in the wild west out here, but the Iron Horse is coming across the prairie and I'm hoping that more good guys are coming than bandits.