במאמר זה אנחנו נדבר על Azure ATP, שהוא מוצר אבטחת מידע של מיקרוסופט אשר מאפשר זיהוי וניטור מתקפות על גבי השרתים הפיזיים שלנו, ודיווח אל ה-Tenant שלנו בזמן אמת.
Azure ATP שם דגשים חשובים על הדברים הבאים:
• Monitor users, entity behavior, and activities with learning-based analytics
• Protect user identities and credentials stored in Active Directory
• Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
• Provide clear incident information on a simple timeline for fast triage
Azure ATP Architecture
Azure ATP מכיל את הרכיבים הבאים:
• Azure ATP portal - מאפשר יצירת Instance וחיבורו ל-CASB ול-OMS שמציג את המידע הקיים ברשת.
The Azure ATP portal allows creation of your Azure ATP instance, displays the data received from Azure ATP sensors, and enables you to monitor, manage, and investigate threats in your network environment
• Azure ATP sensor - מותקן כ-Agent על שרתי ה-DC בארגון שמנטר את פעולות השרתים, ללא תלות בשרת מקומי.
Azure ATP sensors are installed directly on your domain controllers. The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring.
• Azure ATP cloud service - מידע על שירות ה-Azure ATP מבחינה גיאוגרפית.
Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. Azure’s ATP cloud service is connected to Microsoft's intelligent security graph.
למידע נוסף לחצו כאן
Azure ATP Prerequisites
Azure ATP מצריך רישוי לכל משתמש - הרישויים הבאים שבהם ניתן להפעיל את Azure ATP:
Enterprise Mobility + Security 5 – EMS E5
M365 E5
דרישות התקנת Sensor
Azure ATP sensor requirements
This section lists the requirements for the Azure ATP sensor.
General
Note
Make sure KB4487044 is installed when using Server 2019. Azure ATP Sensors already installed on 2019 servers without this update will be automatically stopped.
The Azure ATP sensor supports installation on a domain controller running Windows Server 2008 R2 SP1 (not including Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (including Windows Server Core but not Windows Nano Server (Windows Server 2019 (including Windows Core but not Windows Nano Server).
The domain controller can be a read-only domain controller (RODC).
For your domain controllers to communicate with the cloud service, you must open port 443 in your firewalls and proxies to *.atp.azure.com.
During installation, the .Net Framework 4.7 is installed and might require a reboot of the domain controller, if a restart is already pending.
Note
A minimum of 5 GB of disk space is required and 10 GB is recommended. This includes space needed for the Azure ATP binaries, Azure ATP logs, and performance logs.
Server specifications
The Azure ATP sensor requires a minimum of 2 cores and 6 GB of RAM installed on the domain controller. For optimal performance, set the Power Option of the Azure ATP sensor to High Performance. Azure ATP sensors can be deployed on domain controllers of various loads and sizes, depending on the amount of network traffic to and from the domain controllers, and the amount of resources installed.
Note
When running as a virtual machine, dynamic memory or any other memory ballooning feature is not supported.
For more information about the Azure ATP sensor hardware requirements, see Azure ATP capacity planning.
Time synchronization
The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.
Network adapters
The Azure ATP sensor monitors the local traffic on all of the domain controller's network adapters.
After deployment, use the Azure ATP portal to modify which network adapters are monitored.
The sensor is not supported on domain controllers running Windows 2008 R2 with Broadcom Network Adapter Teaming enabled.
Ports
The following table lists the minimum ports that the Azure ATP sensor requires:
למידע נוסף, לחצו כאן.
לפני הטמעת Azure ATP, יש צורך ב-Sizing Tool אשר מנתח ונותן המלצות לקראת הטמעת המוצר. להורדה, לחצו כאן.
Plan capacity for Azure ATP
1. Run the Azure ATP Sizing Tool, TriSizingTool.exe, from the zip file you downloaded.
2. When the tool finishes running, open the Excel file results.
3. In the Excel file, locate and click on the Azure ATP Summary sheet. The other sheet isn't needed since it's for Azure ATA planning
4. Locate the Busy Packets/sec field in the Azure ATP sensor table in the results Excel file and make a note of it
5. Choose your sensor type. Use the information in the Choosing the right sensor type section to determine which sensor or sensors you would like to use. Keep your Busy Packets/sec in mind when choosing the sensor type
6. Match your Busy Packets/sec field to the PACKETS PER SECOND field in the Azure ATP sensor table section of this article. Use the fields to determine the memory and CPU that will be used by the sensor
להגדרת Traffic עבור DC’s, לחצו כאן.
• ניתן להגדיר גם Windows Event Forwarding אשר מעביר את הלוגים אל Event Viewer
• למידע אודות Event ID's לחצו כאן.
• Azure ATP יודע לעבוד אל מול Sentinel וגם מול שאר שירותי Azure AD כגון: Security Center, Azure AD וגם עבור Azure Information Protection.
מאת : עידן נפתלי | יועץ וארכיטקט תשתיות מחשוב , פתרונות ענן ואבטחת מידע וסייבר | U-BTech Solutions
במאמר זה אנחנו נדבר על Azure ATP, שהוא מוצר אבטחת מידע של מיקרוסופט אשר מאפשר זיהוי וניטור מתקפות על גבי השרתים הפיזיים שלנו, ודיווח אל ה-Tenant שלנו בזמן אמת.
Azure ATP שם דגשים חשובים על הדברים הבאים:
• Monitor users, entity behavior, and activities with learning-based analytics
• Protect user identities and credentials stored in Active Directory
• Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
• Provide clear incident information on a simple timeline for fast triage
Azure ATP Architecture
Azure ATP מכיל את הרכיבים הבאים:
• Azure ATP portal - מאפשר יצירת Instance וחיבורו ל-CASB ול-OMS שמציג את המידע הקיים ברשת.
The Azure ATP portal allows creation of your Azure ATP instance, displays the data received from Azure ATP sensors, and enables you to monitor, manage, and investigate threats in your network environment
• Azure ATP sensor - מותקן כ-Agent על שרתי ה-DC בארגון שמנטר את פעולות השרתים, ללא תלות בשרת מקומי.
Azure ATP sensors are installed directly on your domain controllers. The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring.
• Azure ATP cloud service - מידע על שירות ה-Azure ATP מבחינה גיאוגרפית.
Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. Azure’s ATP cloud service is connected to Microsoft's intelligent security graph.
למידע נוסף לחצו כאן
Azure ATP Prerequisites
Azure ATP מצריך רישוי לכל משתמש - הרישויים הבאים שבהם ניתן להפעיל את Azure ATP:
Enterprise Mobility + Security 5 – EMS E5
M365 E5
דרישות התקנת Sensor
Azure ATP sensor requirements
This section lists the requirements for the Azure ATP sensor.
General
Note
Make sure KB4487044 is installed when using Server 2019. Azure ATP Sensors already installed on 2019 servers without this update will be automatically stopped.
The Azure ATP sensor supports installation on a domain controller running Windows Server 2008 R2 SP1 (not including Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (including Windows Server Core but not Windows Nano Server (Windows Server 2019 (including Windows Core but not Windows Nano Server).
The domain controller can be a read-only domain controller (RODC).
For your domain controllers to communicate with the cloud service, you must open port 443 in your firewalls and proxies to *.atp.azure.com.
During installation, the .Net Framework 4.7 is installed and might require a reboot of the domain controller, if a restart is already pending.
Note
A minimum of 5 GB of disk space is required and 10 GB is recommended. This includes space needed for the Azure ATP binaries, Azure ATP logs, and performance logs.
Server specifications
The Azure ATP sensor requires a minimum of 2 cores and 6 GB of RAM installed on the domain controller. For optimal performance, set the Power Option of the Azure ATP sensor to High Performance. Azure ATP sensors can be deployed on domain controllers of various loads and sizes, depending on the amount of network traffic to and from the domain controllers, and the amount of resources installed.
Note
When running as a virtual machine, dynamic memory or any other memory ballooning feature is not supported.
For more information about the Azure ATP sensor hardware requirements, see Azure ATP capacity planning.
Time synchronization
The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.
Network adapters
The Azure ATP sensor monitors the local traffic on all of the domain controller's network adapters.
After deployment, use the Azure ATP portal to modify which network adapters are monitored.
The sensor is not supported on domain controllers running Windows 2008 R2 with Broadcom Network Adapter Teaming enabled.
Ports
The following table lists the minimum ports that the Azure ATP sensor requires:
למידע נוסף, לחצו כאן.
לפני הטמעת Azure ATP, יש צורך ב-Sizing Tool אשר מנתח ונותן המלצות לקראת הטמעת המוצר. להורדה, לחצו כאן.
Plan capacity for Azure ATP
1. Run the Azure ATP Sizing Tool, TriSizingTool.exe, from the zip file you downloaded.
2. When the tool finishes running, open the Excel file results.
3. In the Excel file, locate and click on the Azure ATP Summary sheet. The other sheet isn't needed since it's for Azure ATA planning
4. Locate the Busy Packets/sec field in the Azure ATP sensor table in the results Excel file and make a note of it
5. Choose your sensor type. Use the information in the Choosing the right sensor type section to determine which sensor or sensors you would like to use. Keep your Busy Packets/sec in mind when choosing the sensor type
6. Match your Busy Packets/sec field to the PACKETS PER SECOND field in the Azure ATP sensor table section of this article. Use the fields to determine the memory and CPU that will be used by the sensor
להגדרת Traffic עבור DC’s, לחצו כאן.
• ניתן להגדיר גם Windows Event Forwarding אשר מעביר את הלוגים אל Event Viewer
• למידע אודות Event ID's לחצו כאן.
• Azure ATP יודע לעבוד אל מול Sentinel וגם מול שאר שירותי Azure AD כגון: Security Center, Azure AD וגם עבור Azure Information Protection.
מאת : עידן נפתלי | יועץ וארכיטקט תשתיות מחשוב , פתרונות ענן ואבטחת מידע וסייבר | U-BTech Solutions