Azure Advanced Threat Protection

Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organisation.


Azure ATP enables SecOps analysts and security professionals who struggle to detect advanced attacks in hybrid environments to:

  • Monitor users, entity behaviour and activities with learning-based analytics
  • Protect user identities and credentials stored in Active Directory
  • Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
  • Provide clear incident information on a simple timeline for fast triage

Azure ATP monitors your domain controllers by capturing and parsing their network traffic and reading Windows events directly on the domain controllers, then analyses that data for attacks and threats.

Utilising profiling, deterministic detection, machine learning and behavioural algorithms, Azure ATP learns about your network, enables detection of anomalies, and warns you of suspicious activities.

Azure ATP monitors and analyses user activities and information across your network, such as permissions and group membership, creating a behavioural baseline for each user. Azure ATP then identifies anomalies with adaptive built-in intelligence, giving you insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organisation.

Azure ATP’s proprietary sensors monitor organisational domain controllers, providing a comprehensive view of all user activities from every device.

Installed directly on your domain controllers, the Azure ATP sensor reads the event logs it requires locally and captures the domain controller's network traffic. The sensor parses the logs and traffic on the domain controller and sends only the parsed information to the Azure ATP cloud service; raw logs and packets are not uploaded, so only a fraction of the log volume ever leaves the domain controller.


Azure ATP provides you with invaluable insights into identity configurations and suggested security best practices. Through security reports and user profile analytics, Azure ATP helps dramatically reduce your organisational attack surface, making it harder to compromise user credentials and advance an attack.


Azure ATP’s visual lateral movement paths help you quickly understand exactly how an attacker could move laterally inside your organisation to compromise sensitive accounts, so you can remove those paths before they are used.


Azure ATP security reports help you identify users and devices that authenticate using clear-text passwords (in practice, LDAP simple binds sent without TLS, which expose the password on the wire) and provide additional insights to improve your organisational security posture and policies.
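The same clear-text bind activity can be confirmed on a domain controller with built-in Windows auditing, independently of Azure ATP. The script below is an added example written for this page, not Azure ATP's own code or any Microsoft-supplied report; it assumes the Directory Service log's "16 LDAP Interface Events" diagnostic level has been raised to 2 so that event 2889 is written, and it assumes the event's three message properties are, in order, client IP:port, the identity used and the binding type (0 = unsigned SASL bind, 1 = simple bind over clear text). The `$Hours` and `$ComputerName` parameters are this example's own.

```powershell
# Added example (not part of Azure ATP): list clients that performed clear-text
# (simple) or unsigned LDAP binds against a domain controller, using the
# built-in Directory Service event 2889.
#
# Prerequisite, run once as an administrator on the domain controller:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
#                    -Name '16 LDAP Interface Events' -Value 2
# Level 2 makes the DC log event 2889 for every unsigned SASL or clear-text simple bind.

param(
    [int]$Hours = 24,                            # look-back window (example parameter)
    [string]$ComputerName = $env:COMPUTERNAME    # DC to query (example parameter)
)

$since = (Get-Date).AddHours(-$Hours)

# Event 2889: a client performed a SASL bind without requesting signing, or a
# simple bind over a non-TLS LDAP connection.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No event 2889 entries in the last $Hours hours on $ComputerName (is LDAP Interface Events logging set to 2?)."
    return
}

$rows = foreach ($e in $events) {
    # Assumed property order for 2889: [0] client IP:port, [1] identity, [2] binding type.
    $p = $e.Properties
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Client   = ($p[0].Value -split ':')[0]    # drop the ephemeral source port
        Identity = $p[1].Value
        BindType = if ("$($p[2].Value)" -eq '1') { 'SimpleBind (clear text)' } else { 'UnsignedSASL' }
    }
}

# Aggregate so a chatty client shows up once with a count, clear-text binds first.
$rows |
    Group-Object Client, Identity, BindType |
    ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            Client   = $_.Group[0].Client
            Identity = $_.Group[0].Identity
            BindType = $_.Group[0].BindType
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object @{Expression = 'BindType'; Descending = $true}, Count -Descending |
    Format-Table -AutoSize
```

Run it on (or against) a domain controller after the diagnostic level has been raised for long enough to cover normal business activity; the rows tagged SimpleBind are the identities whose passwords cross the network unencrypted and are the ones to fix first, typically by switching the application to LDAPS or to a signed SASL bind.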
