Microsoft Ignite 2019 – Update – Microsoft Threat Protection best practices

Posted by

This small article focuses on Microsoft Threat Protection. During one of the Ignite session, the focus was on tips, tricks and best-practices. Here goes:

Office ATP

  • Review phish messages;
  • Use admin submission (new feature);
  • Enable ATP Safe Link with link detonation, wait for the URL scanning;
  • Regularly review investigations;
  • Prioritize URL verdict change playbook.

Azure ATP

  • Run the AATP sizing tool;
  • Run the Advanced Auditing Policy Tool;
  • Deploy .Net Framework 4.7 during maintenance window;
  • Configure the proxy with the single URL <AATPInstanceName>;
  • NIC teaming – requires NPCAP.
  • Enable Microsoft CAS/Azure ATP integration;
  • Enable AAD Conditional Access for console access;
  • Use the Azure ATP Security Alert lab (
  • Review Identity Security Posture Assessments.

Microsoft Defender ATP

  • Enable EDR and look at alerts;
  • Access endpoint protection;
  • Automate your SOC with auto incident response – start with semi-automated.

Cloud App Security

  • Connect Office 365 and your 3rd party apps;
  • Enable Microsoft Defender ATP;
  • Discover, classify and protect sensitive data in cloud applications;
  • Use build-in detections.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s