Advanced Threat Protection Part 4: Azure ATP

00:00

Welcome back to the M S ST 65 Security Administration course.

00:05

I'm your instructor, Jim Daniels,

00:08

and we're on module three Industry 65 Threat Protection

00:12

Lesson two.

00:13

Advanced Threat Protection Part four. As you're a TV

00:18

in this lesson, we're going to go over how azure 80 p. Advanced threat protection

00:23

helps identify, detect and investigate threats.

00:27

We'll also look at some of the configuration and management aspects of azure A teepee,

00:33

as your 80 p is a cloud based security solution that leverages your on premises Active directory to identify,

00:40

detect and investigate advanced threat

00:43

compromise identities and malicious insider actions directed at your organization.

00:50

As your 80 p detects multiple suspicious activities focusing on several phases of a cyberattack kill chain.

00:57

Some of these include lateral movement,

01:00

this one an attacker, invest time and effort

01:03

to spread increased their attacks service inside your network.

01:07

Reconnaissance

01:08

is when an attacker gathers information on how your environments built.

01:12

They're building their plan for their next phase of attack.

01:17

If you learn about your target,

01:19

you can plan your tax better. That's what reconnaissance is.

01:23

Domain dominance. Persistence

01:26

is where an attacker captures the information,

01:29

allowing them to resume their campaign using various sets of entry points, credentials and techniques.

01:36

This is pretty much the

01:38

embraced,

01:41

hopefully doesn't get to this. This is where, as your 80 p life will give you an alert and early detection if this will be your fate,

01:52

this lot describes how the full of azure 80 peace and network and invent capturing works

01:57

and how it drills down to describe the functionality. The main components.

02:01

The Azure 80 p portal azure 80 p sensor in the azure 80 p Cloud Service.

02:09

The azure 80 p sensor is a stone directly on your domain controller

02:15

and accesses the required events low directly from the demand controller is at the source of the logs

02:23

after the logs and network traffic or parsed by the sensor

02:27

as you're a teepee. Sins only the parsed information

02:30

to the azure 18 p. Cloud service.

02:34

Only a small percentage of all of the logs were sent

02:38

to configure azure. A teepee.

02:40

Enter your azure a TV portal.

02:44

80 p the 80 p dot after dot com

02:49

What do you really remember? All right, anyway,

02:53

as they advanced right protection. That's the euro.

02:57

Enter the after a TV portal as something in this screenshot.

03:00

Create your workspace. Provide a user name and password. You connect to your 80 forced.

03:07

Download the

03:08

sensor set up package,

03:10

install the sensor and configure the sensor settings.

03:14

I will say that

03:15

as you're a TV is not a free service.

03:20

It is a resource within azar,

03:23

so you will have your normal costs for your workspace

03:27

and you will have your normal costs for ingestion.

03:31

There's calculators is available to help you with that cost. Just one before disclosure. This is not one of those features, like GOP, as launch percent included with your MSV 65. Sweet or Subscription.

03:45

Here's an example of a suspected identity theft or past the tickets.

03:53

We have a graph that shows the different steps and different evidence.

03:57

It's time stand.

03:59

We have the users and the workstations. All that in play are blurred out in this example.

04:04

And as an event,

04:06

as administrators, we can have the option to re mediate so we can market as close.

04:13

We can suppress it

04:15

or we can close and exclude

04:16

Closing. Exclude is more for false positives

04:20

that you don't want to be notified about in the future. You can also download the details, So then you can send them up to personal question. You can send them to ah Sisa, consenting to whoever you need to.

04:33

I talked a little bit about how you can

04:36

mark each of them

04:39

open.

04:40

All suspicious activities appear in the list. If they're open, they're here.

04:45

Close

04:46

suppress is ignored.

04:47

Reopened. Once his clothes is suppressed

04:50

in, actually reopen it again.

04:53

Delete.

04:54

That's when it is dilated, and you will not be able to restore it.

04:59

Quiz the components of Azure 80 p. R. The azure 80 p portal

05:04

as your 80 p sensor

05:06

and the azure 80 p proxy relay.

05:10

True

05:11

or false? One of the components

05:16

you said. True, you're wrong.

05:20

The answer is false. As your 80 p proxy relay

05:25

does not exist,

05:27

the Azure 80 p clown service is the correct third component.

05:32

So to recap, today's very short lesson as your advanced right protection is a cloud based security solution that leverages your one premises active directory to identify, detect and investigate advance stress, compromise identities and malicious insider actions directed at your organization.

05:53

As part of the remediation and work Flynn

05:56

as you're a teepee, events could be more disclosed. You can suppress them,

06:00

reopen them or even deleting from the senseless.

06:04

Thank you for joining me for this lesson. Okecie for the next one.