This short article covers Microsoft Threat Protection. One of the Ignite sessions focused on tips, tricks and best practices for each component, summarized below. Here goes:
Office ATP
- Review the phishing messages that were caught and the ones that were missed;
- Use admin submission (a new feature) to report missed phish and false positives to Microsoft;
- Enable ATP Safe Links with link detonation and turn on "wait for URL scanning to complete before delivering the message", so a user cannot click a link that is still being detonated;
- Regularly review the automated investigations;
- Prioritize the URL verdict change playbook (a link that was clean at delivery time and turned malicious afterwards).
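The Safe Links steps above as an Exchange Online PowerShell script. This is an added example, not code from the session or from Microsoft: it lists the policies that still deliver mail before URL scanning finishes (the weak state), fixes them, and creates a policy if none exists. It assumes the ExchangeOnlineManagement module is installed, and the policy name 'Default Safe Links' and the domain 'contoso.com' are placeholders.

```powershell
# Added example (not from the Ignite session): audit and correct Safe Links policies.
# Assumes the ExchangeOnlineManagement module; 'Default Safe Links' and 'contoso.com'
# are placeholder names, replace them with your own.
Connect-ExchangeOnline

# Weak state: a policy that does not scan URLs, or that delivers the message before the
# scan completes, lets a user click a link whose detonation is still in progress.
$weak = Get-SafeLinksPolicy | Where-Object {
    (-not $_.ScanUrls) -or (-not $_.DeliverMessageAfterScan)
}
"Policies delivering before URL scanning completes:"
$weak | Select-Object Name, ScanUrls, DeliverMessageAfterScan, TrackClicks | Format-Table -AutoSize

# Corrected state: detonate URLs, hold delivery until scanning is done, keep click telemetry
# (needed for the investigations reviewed later) and do not let users click through warnings.
foreach ($policy in $weak) {
    Set-SafeLinksPolicy -Identity $policy.Name `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -TrackClicks $true `
        -AllowClickThrough $false
}

# No policy at all is the weakest state: create one and a rule that scopes it to the domain.
if (-not (Get-SafeLinksPolicy)) {
    New-SafeLinksPolicy -Name 'Default Safe Links' `
        -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
    New-SafeLinksRule -Name 'Default Safe Links' -SafeLinksPolicy 'Default Safe Links' `
        -RecipientDomainIs 'contoso.com'   # placeholder domain
}

# Re-check: the weak query should now return nothing.
Get-SafeLinksPolicy | Where-Object { (-not $_.ScanUrls) -or (-not $_.DeliverMessageAfterScan) }
```

Run the audit half first in a read-only session; the final query doubling as the verification step makes the change easy to show in a ticket.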
Azure ATP
- Run the Azure ATP sizing tool before deploying sensors;
- Run the Advanced Audit Policy tool so the domain controllers log the events the sensor depends on;
- Deploy .NET Framework 4.7 (or later) during a maintenance window, since the installation may require a reboot of the domain controller;
- Configure the proxy with the single URL <AATPInstanceName>sensorapi.atp.azure.com, the only endpoint the sensor needs to reach;
- NIC teaming on the domain controller requires Npcap;
- Enable the Microsoft Cloud App Security (MCAS) / Azure ATP integration;
- Enable Azure AD Conditional Access for access to the console;
- Use the Azure ATP Security Alert lab (https://aka.ms/aatpsaplaybook);
- Review the Identity Security Posture Assessments.
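The sensor prerequisites from the list above (.NET 4.7, Npcap with NIC teaming, the proxy path to the single sensor endpoint, the advanced audit policy) as a pre-flight script to run on a domain controller before the maintenance window. This is an added example, not a tool from the session or from Microsoft. The instance name 'contoso-corp', the proxy http://proxy.contoso.com:8080 and the set of audit subcategories it prints are assumptions; compare the audit output with the Azure ATP documentation for your version.

```powershell
# Added example (not from the Ignite session or Microsoft): Azure ATP sensor pre-flight checks.
# Run as an administrator on the domain controller that will host the sensor.
param(
    [string]$InstanceName = 'contoso-corp',                  # assumed; your Azure ATP workspace name
    [string]$ProxyUrl     = 'http://proxy.contoso.com:8080'  # assumed; set to $null if no proxy
)

$results = [ordered]@{}

# 1. .NET Framework 4.7 or later. The Release value 460798 is 4.7 on Windows 10 1703 and
#    460805 on other OS versions, so ">= 460798" is the portable test.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['DotNet47OrLater'] = ($null -ne $ndp -and $ndp.Release -ge 460798)

# 2. NIC teaming: a teamed NIC needs Npcap (the Npcap driver registers a service named 'npcap').
$teams = Get-NetLbfoTeam -ErrorAction SilentlyContinue
$npcap = Get-Service -Name 'npcap' -ErrorAction SilentlyContinue
$results['NicTeamingInUse'] = ($null -ne $teams)
$results['NpcapOk']         = (-not $teams) -or ($null -ne $npcap)

# 3. Outbound path to the single endpoint <InstanceName>sensorapi.atp.azure.com on 443.
#    Test-NetConnection does not use the proxy, so with a proxy we test the proxy itself.
$sensorHost = "${InstanceName}sensorapi.atp.azure.com"
$results['SensorEndpoint'] = $sensorHost
if ($ProxyUrl) {
    $p = [uri]$ProxyUrl
    $results['ProxyReachable'] = Test-NetConnection -ComputerName $p.Host -Port $p.Port -InformationLevel Quiet
} else {
    $results['SensorApiReachable'] = Test-NetConnection -ComputerName $sensorHost -Port 443 -InformationLevel Quiet
}

# 4. Advanced audit policy: print the current setting of subcategories the sensor's detections
#    depend on (assumed subset; check the Azure ATP audit policy documentation for the full list).
$subcats = 'Credential Validation', 'Security Group Management', 'Audit Policy Change', 'Security System Extension'
foreach ($s in $subcats) {
    $line = auditpol /get /subcategory:"$s" | Select-String -SimpleMatch $s | Select-Object -First 1
    $results["Audit: $s"] = if ($line) { $line.Line.Trim() } else { 'unknown' }
}

[pscustomobject]$results | Format-List

# 5. Silent install with the proxy, for the maintenance window (documented setup switches;
#    the access key comes from the Azure ATP portal). Uncomment when the checks above pass.
# & '.\Azure ATP sensor Setup.exe' /quiet NetFrameworkCommandLineArguments="/q" `
#     ProxyUrl="$ProxyUrl" AccessKey="<access key from the portal>"
```

Keep the printed object with the change record: if a sensor later shows as disconnected, the endpoint name and proxy result are the first things to re-check.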
Microsoft Defender ATP
- Enable EDR and review the alerts it raises;
- Access the endpoint protection features;
- Automate your SOC with automated incident response; start in semi-automated mode, where remediation actions require approval, before moving to fully automated.
Cloud App Security
- Connect Office 365 and your third-party apps;
- Enable the Microsoft Defender ATP integration;
- Discover, classify and protect sensitive data in cloud applications;
- Use the built-in detections.