Deploy Azure Advanced Threat Protection (ATP)

In this post I will take you through the steps to deploy Azure ATP in your on-premise Active Directory to detect and investigate threats in your environment. For a detailed description of Azure ATP and it’s capabilities, refer to the references section at the end of this post.


Getting started

Access the Azure ATP portal at https://portal.atp.azure.com/. If this is the first time that you access the portal you will be required to activate your Azure ATP instance. Select create and wait for completion.


Create Azure ATP instance

You will be presented with the next screen which provides the steps to complete your Azure ATP deployment. In the first step, Azure ATP needs to connect to the Active Directory Forest. This is accomplished by providing Azure ATP with a username and password from the Active Directory forest.



The account required to connect to Active Directory only requires access to read all objects in the domains. Any Active Directory account has these permissions by default, there is no need to assign any additional access rights.

You can provide a normal username and password such as a service account created for this or you can use the recommended option and provide a Group Managed Service Account (gMSA) instead. A gMSA doesn’t require you to provide a password as the password is managed automatically. Refer to my previous post if you require more information on creating and managing a gMSA.

I’ve created a gMSA in the root domain of my Active Directory forest for my Azure ATP deployment. All the sensors that will be deployed need to able use this gMSA account. It is highly recommended to deploy the sensors to all your Active Directory Domain Controllers in the forest.

I’ve created a domain local security group in the root domain and added the Domain Controllers built-in security group from all my domains to this group. This security group was specified in the PrincipalsAllowedToRetrieveManagedPassword  attribute when creating my gMSA account, which ensures that all Domain Controllers in the forest will be able to retrieve the password for the account.


Domain local security group containing Domain Controllers from all domains as members

gMSA configuration

I now provide the gMSA account details on the Azure ATP portal and select save. I don’t have any other untrusted forests or domains that I want to add.



With the Active Directory credentials provided, I can now download the sensor setup file and install on my Domain Controllers.




The download is a ZIP file that contains the setup file and a configuration file which contains the relevant information for the sensor (Domain Controller) to connect to the Azure ATP cloud service.

I’ve extracted the ZIP file to a folder and can now run the setup



I will select next to begin the installation process



The installation has detected that it is running on a Domain Controller and selected sensor as the installation type. I will not be covering the standalone sensor, which is a dedicated server, in this post.



The access key is obtained from the Azure ATP portal on the same page where the package was downloaded from. The access key can also be regenerated from the portal without affecting the existing installations. It is only used during installation of a new sensor.



Wait for installation to complete.



Installation successful. Select finish to close the window.



I’ve also completed the installation on my Domain Controller in the child domain, and can now view the sensor health in the Azure ATP portal. Both sensors are running and healthy.



Azure ATP prerequisites

Please review all prerequisites before deploying Azure ATP. The sensors need to communicate with the Azure ATP cloud service thus outbound internet access is required. Detailed information can be found in the Azure ATP documentation.

Azure ATP also has a sizing tool to assist with ensuring the sensors have the appropriate CPU and Memory resources to run without any issues. The Azure ATP service will not impact Active Directory services when resources are low. The sensor will stop to ensure normal server functions are not impacted. The image below shows an alert which was generated when the Domain Controller was running low on memory. Adequate resources are required to ensure the sensor is always active, a stopped service may result in missed detections.



Additional resources

I would recommend exploring the Azure ATP readiness guide for additional resources. It contains a list of resources, including videos demonstrating Azure ATP capabilities and investigation steps, which will help you get started with Azure ATP.

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-resources


Reference

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/

Author