What's new in Azure ATP?



What’s new in Azure ATP?

  • Announcements:
    This week at RSA we made two very important Azure ATP announcements and hosted a theater show.
    • We introduced the unified SecOps portal– enabling investigation of identities in hybrid environments.  In less than 24 hours, the announcement generated dozens of new requests from customers interested in joining the preview program. We’ll qualify each of these customers and add them to our program soon. Learn more about the unified experience here.


    • Always wanted to play CSI Microsoft? Now you can…with the new User Investigation Priority that identifies and surfaces the top users to investigate. Built on behavior analytics, activity scoring, alert scoring and blast radius, customers now have an easy and straightforward method to identify and remediate their riskiest users.  Excitement is building around our UEBA capabilities and promises, with many organizations anticipating these features in action! Learn more about investigation priority here.



Azure ATP is pleased to announce the public release of our security alert lab (aka the playbook) documentation. The lab provides detailed set-by-step instructions on how to set up an Azure ATP test lab environment, and walks you through various scenarios for testing and detecting threats from each phase in a typical cyber-attack kill chain. Use with caution!

  • Feature enhancements:

    Suspected identity theft (pass-the-ticket)

This alert now features new evidence showing details of connections made by the remote desktop protocol (RDP).


Remote code execution over DNS alert
This alert now features new evidence showing if your domain controllers require updates.  

Suspected brute force attack (LDAP) alert
This alert now features new evidence showing attempt details of brute force attacks.   


  • Recent versions also include improvements and bug fixes for internal sensor infrastructure.


  • Happy birthday to Azure ATP!
    Earlier this month, Azure ATP celebrated its 1 year anniversary, protecting thousands of customers and millions of users.

Fun facts: We’ve released 45 updated versions of the service (that’s almost 1 every week) and our office dog to DevOps ratio now stands at 2-to-1.



I guess he should have joined our Unified SecOps Experience preview program.

If you have customers already using Azure ATP, MCAS, or Azure AD Identity Protection (or a combination of these) and want them to experience the power, help them join the expanding preview program here.


How to win the latest security race over NTLM relay Blog.


Access the Azure ATP demo environment at https://demos.microsoft.com/demos;searchKeyword=azure%20atp.


Have feature feedback? We’d especially like to hear your thoughts about new Azure ATP features, such as monitored domain controller coverage. Like it, love it, hate it? Want something else? Let us know! AatpFeedback@microsoft.com


Want to join the customer conversation? Join the conversation at Tech Community


Docs site Updates



1 Reply

Good stuff, the unified portal looks like the right idea.  Was too many different ways to get the same information before.@Ryan Heffernan