Managing Azure ATP activities

Now that we have deployed our Azure ATP instance, we can start managing and monitoring the service. It is important to review the Azure ATP portal regularly, in addition to creating alerts, to keep on top of all potential suspicious and malicious activities that may target your hybrid cloud identities.

There are a number of ways to manage and monitor the Azure ATP instance. Some of them are as follows:

  • Through the security alerts timeline in the Azure ATP portal
  • Through Azure ATP reports
  • Through the Azure ATP workspace health center

We will now look at each of these in greater detail, starting with the security alerts timeline.

The security alerts timeline in the Azure ATP portal

When you first launch the Azure ATP portal, it opens the security alerts timeline, as follows:

Figure 6.14 – The security alerts timeline

Important note

There are no alerts in my own timeline at the moment because the Azure ATP instance has just been generated on my tenant.

In the security alerts timeline, you can see any security alerts that have been detected in chronological order.

Each security alert includes information about the following:

  • Compromised users, devices, and resources
  • Timeframes associated with suspicious activities
  • Alert severity
  • Alert status

You can share any security alerts via email with other users in your organization and you can also export a security alert to Excel. Some examples of the types of activities you could see in your timeline are as follows:

Figure 6.15 – Timeline activity types

You should review the security alerts timeline regularly in order to respond to and classify any recorded alerts. Microsoft has the following classifications for security alerts:

  • True Positive: This is a genuine malicious action detected by Azure ATP.
  • Benign True Positive: This is a non-malicious action detected by Azure ATP, such as a penetration test.
  • False Positive: This is a false alarm.

If you have a large number of security alerts to review on your timeline, you can filter the alerts by status: All, Open, Closed, or Suppressed. You can also filter further by severity: High, Medium, or Low.

Azure ATP reports

The Azure ATP Reports section is the second option on the sidebar of the Azure ATP portal, as follows:

Figure 6.16 – Azure ATP reports

In Reports, you can generate and download reports relating to suspicious activities and system health. You can also schedule regular reports from the top-right corner of the screen, as follows:

Figure 6.17 – See scheduled reports

Important note

You can also access Scheduled reports from the Notifications and Reports section of the Configuration screen within Azure ATP.

When you choose to schedule a report, you will see the following built-in reports that Azure ATP offers:

Figure 6.18 – Available scheduled reports

The reports available within Azure ATP are as follows:

  • Summary
  • Modifications to sensitive groups
  • Passwords exposed in cleartext
  • Lateral movement paths to sensitive accounts

When scheduling one of these reports, you have the following configuration options:

Figure 6.19 – Configuration options

You can choose to send a report on a daily, weekly, or monthly basis. You can also choose the time of day that the report will be sent and you can choose the recipients who should receive the report via email.

When you have configured your report schedule settings, they will be shown on the Scheduled reports page, as follows:

Figure 6.20 – Scheduled reports

If you choose to download one of the reports from the Azure ATP portal, the report is exported to Microsoft Excel, as in the following example, which shows the downloaded Summary report. There are two tabs available:

  • The Summary tab:

Figure 6.21 – The Summary tab

  • The Health issues tab:

Figure 6.22 – The Health issues tab

When using Azure ATP in your environment, reports are an excellent way for you to diligently and proactively assess activities within your Azure ATP instance. It is highly recommended that you schedule regular reports to be emailed to administrators.

The Azure ATP workspace health center

The Azure ATP workspace health center can be accessed from the Azure ATP portal by clicking on the heart icon, as follows:

Figure 6.23 – Azure ATP portal

The health center shows you performance information relating to your Azure ATP workspace and alerts you to any issues. Should there be any potential problems, the health center icon will display a red dot, as in the preceding screenshot, so you have a clear visual indication when there are health issues that require your attention.

In the following example (which shows the health center of the Azure ATP instance that we set up in the previous section of this chapter), we can see that there is already a reported issue that requires attention. When we set up the Azure ATP instance on this tenant, we purposely selected an AD user account whose password is soon to expire, knowing that this would generate an alert:

Figure 6.24 – The Azure ATP health center

There are three alert types in the Azure ATP health center, which are as follows:

  • Open: These are new or current alerts that require attention.
  • Closed: These are alerts that have been successfully and definitively resolved.
  • Suppressed: These are alerts that have been identified as safe to ignore, but that may reoccur.

Alerts provide you with a lot of detail as to what the issue is and also suggest corrective measures that can be taken. Any open issues that appear in your Azure ATP instance can be addressed by clicking on the ellipsis in the right-hand corner of the alert, as follows:

Figure 6.25 – Alert details

From the open alert, you can select one of the available options, as follows:

  • Close: Select Close if you are certain that you have diligently addressed and resolved the issue described in the activity.
  • Suppress: Select Suppress if you are certain that the activity can safely be ignored at this time.

In the previous example, we closed the alert that was detected in the Azure ATP health center and it now shows in the Closed alerts section:

Figure 6.26 – Alert shown as closed

If we click on the ellipsis, we can reopen the alert if we need to, as follows:

Figure 6.27 – Re-opening an alert

If we chose to suppress the activity instead of closing it, the activity would move to the Suppressed alerts section. We would have the same option to reopen the alert from the Suppressed section as we did from the Closed section, if required.

Important note

If you close an activity and Azure ATP detects a reoccurrence within a short time frame, Azure ATP may automatically reopen the activity.

A detected activity can be assigned one of three alert levels, depending on the severity of the issue. They are as follows:

  • A high-level alert: This is the most severe type of alert and requires urgent attention. High-level alerts can indicate activities that can lead to high-impact attacks, such as identity theft or elevation of privilege.
  • A medium-level alert: This can indicate that there has been an activity that could put identities at risk and result in a more serious attack.
  • A low-level alert: This can indicate that a malicious actor could be attempting to gain initial access to your environment.

The Azure ATP health center is an extremely useful tool for Microsoft 365 administrators and will enable you to diligently and proactively respond to any suspicious or malicious activities detected in your environment. We have shown you how it can be used to monitor alerts recorded by Azure ATP and how to understand the different levels of alerts and their varying severity. You have also learned how to change the status of alerts by closing or suppressing them.