Azure ATP

Idan Naftali | Easy | August 4, 2019

In this article we talk about Azure ATP (Azure Advanced Threat Protection), Microsoft's security product that detects and monitors attacks against our on-premises domain controllers and reports them to our tenant in real time.

Azure ATP puts the emphasis on the following:

• Monitor users, entity behavior, and activities with learning-based analytics

• Protect user identities and credentials stored in Active Directory

• Identify and investigate suspicious user activities and advanced attacks throughout the kill chain

• Provide clear incident information on a simple timeline for fast triage

Azure ATP Architecture

Azure ATP consists of the following components:

• Azure ATP portal - used to create the Azure ATP instance and to view what the sensors see in the network; it can also be connected to a CASB (Microsoft Cloud App Security) and to OMS (Log Analytics).

The Azure ATP portal allows creation of your Azure ATP instance, displays the data received from Azure ATP sensors, and enables you to monitor, manage, and investigate threats in your network environment

• Azure ATP sensor - installed as an agent on the organization's domain controllers; it monitors the DC's own traffic, with no dependency on a dedicated local server.

Azure ATP sensors are installed directly on your domain controllers. The sensor directly monitors domain controller traffic, without the need for a dedicated server, or configuration of port mirroring.

• Azure ATP cloud service - the backend service, hosted in Azure; the regions it runs in are listed below.

Azure ATP cloud service runs on Azure infrastructure and is currently deployed in the US, Europe, and Asia. Azure’s ATP cloud service is connected to Microsoft's intelligent security graph.


Azure ATP Prerequisites

Azure ATP requires a license per user. It is included in the following licenses:

Enterprise Mobility + Security E5 (EMS E5)

Microsoft 365 E5 (M365 E5)

Sensor installation requirements

Azure ATP sensor requirements

This section lists the requirements for the Azure ATP sensor.

General

Note

Make sure KB4487044 is installed when using Server 2019. Azure ATP Sensors already installed on 2019 servers without this update will be automatically stopped.

The Azure ATP sensor supports installation on a domain controller running Windows Server 2008 R2 SP1 (not including Server Core), Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 (including Windows Server Core but not Windows Nano Server) and Windows Server 2019 (including Windows Server Core but not Windows Nano Server).

The domain controller can be a read-only domain controller (RODC).

For your domain controllers to communicate with the cloud service, you must open port 443 in your firewalls and proxies to *.atp.azure.com.

During installation, .NET Framework 4.7 is installed and might require a reboot of the domain controller if a restart is already pending.

Note

A minimum of 5 GB of disk space is required and 10 GB is recommended. This includes space needed for the Azure ATP binaries, Azure ATP logs, and performance logs.

Server specifications

The Azure ATP sensor requires a minimum of 2 cores and 6 GB of RAM on the domain controller. For optimal performance, set the Power Option of the domain controller hosting the Azure ATP sensor to High Performance. Azure ATP sensors can be deployed on domain controllers of various loads and sizes, depending on the amount of network traffic to and from the domain controllers and on the resources installed.

Note

When running as a virtual machine, dynamic memory or any other memory ballooning feature is not supported.

For more information about the Azure ATP sensor hardware requirements, see the capacity planning section below.

Time synchronization

The servers and domain controllers onto which the sensor is installed must have time synchronized to within five minutes of each other.

Network adapters

The Azure ATP sensor monitors the local traffic on all of the domain controller's network adapters.

After deployment, use the Azure ATP portal to modify which network adapters are monitored.

The sensor is not supported on domain controllers running Windows 2008 R2 with Broadcom Network Adapter Teaming enabled.

Ports

Microsoft's documentation lists the minimum ports that the Azure ATP sensor requires; at a minimum, outbound TCP 443 to *.atp.azure.com (above) must be open. See the documentation for the full table.
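The requirements above are easy to verify by hand on one DC and easy to get wrong on twenty. The following pre-flight check is an added example, not code from the original post or from Microsoft. It runs in an elevated PowerShell session on the domain controller that will host the sensor and reports each requirement next to the measured value. Assumptions (marked in comments): the sensor installs on C:; KB4487044 is taken to be Windows Server 2019 build 17763.316; the sensor API host name is a placeholder, the real one has the form <your-instance-name>sensorapi.atp.azure.com; and the Active Directory PowerShell module is present (it is on every DC).

```powershell
# Added example (not from the original post or Microsoft): pre-flight check of the
# Azure ATP sensor prerequisites. Run elevated on the DC that will host the sensor.
function Test-AtpSensorPrereq {
    param(
        # Placeholder (assumption): replace with <your-instance-name>sensorapi.atp.azure.com
        [string]$SensorApiHost = 'contoso-corpsensorapi.atp.azure.com',
        [string]$InstallDrive  = 'C:'   # assumption: sensor binaries and logs live on C:
    )
    $r = [ordered]@{}

    # Operating system; on Server 2019 require the build that carries KB4487044
    # (assumption: KB4487044 == build 17763.316; later cumulative updates supersede it,
    # so Get-HotFix would miss it and the build number is the reliable check)
    $os = Get-CimInstance Win32_OperatingSystem
    $r['OS'] = $os.Caption
    if ($os.Caption -match 'Server 2019') {
        $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
        $r['KB4487044 present (build >= 17763.316)'] = ([int]$os.BuildNumber -ge 17763 -and $ubr -ge 316)
    }

    # .NET Framework 4.7 or later: Release DWORD 460798 or higher
    $rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
            -ErrorAction SilentlyContinue).Release
    $r['.NET Framework >= 4.7 already installed'] = ($rel -ge 460798)

    # Disk: 5 GB minimum, 10 GB recommended, for binaries, ATP logs and performance logs
    $disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$InstallDrive'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    $r["Free space on $InstallDrive in GB (min 5, recommended 10)"] = $freeGB
    $r['Disk OK'] = ($freeGB -ge 5)

    # CPU and RAM: 2 cores and 6 GB minimum (5.9 allows for firmware-reserved memory)
    $cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    $cs    = Get-CimInstance Win32_ComputerSystem
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $r['Cores (min 2)'] = $cores
    $r['RAM GB (min 6)'] = $ramGB
    $r['CPU/RAM OK'] = ($cores -ge 2 -and $ramGB -ge 5.9)

    # Power plan: High Performance has the well-known GUID below
    $r['Power plan is High Performance'] =
        [bool]((powercfg /getactivescheme) -match '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c')

    # Dynamic memory cannot be seen from inside the guest; flag VMs so the host is checked
    $r['Virtual machine (verify dynamic memory/ballooning is off on the host)'] = ($cs.Model -match 'Virtual')

    # Time: offset against the PDC emulator must stay well under the 5 minute limit
    $pdc     = (Get-ADDomain).PDCEmulator
    $lines   = w32tm /stripchart /computer:$pdc /samples:3 /dataonly
    $offsets = $lines | ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } }
    $r["Max clock offset vs $pdc in seconds (max 300)"] = ($offsets | Measure-Object -Maximum).Maximum

    # Outbound TCP 443 to the cloud service (*.atp.azure.com). Test-NetConnection does not
    # use a proxy, so a DC that egresses through a proxy must be checked against the proxy instead.
    $r["TCP 443 reachable: $SensorApiHost"] =
        (Test-NetConnection -ComputerName $SensorApiHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    [pscustomobject]$r
}

Test-AtpSensorPrereq | Format-List
```

The Broadcom teaming restriction on 2008 R2 and the choice of monitored adapters are not checked here; the first is read from the NIC driver and the second is set in the portal after deployment. Run the check on every DC before scheduling the install, not only on the one you tested the download on, because the 443 egress rule and the power plan are the two items that most often differ between sites.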

Before deploying Azure ATP, run the Azure ATP Sizing Tool, which analyzes the environment and produces recommendations for the deployment (the tool is downloaded from Microsoft).

Plan capacity for Azure ATP

1. Run the Azure ATP Sizing Tool, TriSizingTool.exe, from the zip file you downloaded.

2. When the tool finishes running, open the Excel file with the results.

3. In the Excel file, locate and click on the Azure ATP Summary sheet. The other sheet isn't needed, since it is for Advanced Threat Analytics (ATA) planning.

4. Locate the Busy Packets/sec field in the Azure ATP sensor table in the results Excel file and make a note of it.

5. Choose your sensor type. Use the information in the "Choosing the right sensor type" section of Microsoft's capacity planning article to determine which sensor or sensors you would like to use. Keep your Busy Packets/sec in mind when choosing the sensor type.

6. Match your Busy Packets/sec field to the PACKETS PER SECOND field in the Azure ATP sensor table of Microsoft's capacity planning article. Use those fields to determine the memory and CPU that the sensor will use.
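The sizing tool's Busy Packets/sec figure is simply the peak of the Packets/sec counter summed over the DC's network adapters. The script below is an added example, not code from the original post or from Microsoft's tool; it samples the same counter so that a DC added after the initial sizing run, or one the tool could not reach, can still be matched against the PACKETS PER SECOND column. Assumptions: it is run from a host with RPC access to the DCs (or locally on each DC), and the sampling window is deliberately short for illustration; the real tool samples across a full business day, so use a duration that covers your peak logon period.

```powershell
# Added example (not from the original post or Microsoft's sizing tool): sample the
# Packets/sec counter on each DC and report the average and the busiest interval.
function Measure-DcPacketsPerSecond {
    param(
        [string[]]$ComputerName  = $env:COMPUTERNAME,   # assumption: RPC/perf counter access
        [int]$DurationSeconds    = 60,                  # short for illustration; cover the real peak
        [int]$IntervalSeconds    = 5
    )
    $samples = [int]($DurationSeconds / $IntervalSeconds)

    foreach ($dc in $ComputerName) {
        # One Get-Counter call returns $samples snapshots of every adapter instance
        $data = Get-Counter -ComputerName $dc -Counter '\Network Interface(*)\Packets/sec' `
                            -SampleInterval $IntervalSeconds -MaxSamples $samples

        # The sensor watches all adapters, so sum the instances per snapshot;
        # drop the tunnel pseudo-adapters that carry no real DC traffic
        $perSample = $data | ForEach-Object {
            ($_.CounterSamples |
                Where-Object { $_.InstanceName -notmatch 'isatap|teredo|loopback' } |
                Measure-Object -Property CookedValue -Sum).Sum
        }

        $stats = $perSample | Measure-Object -Average -Maximum
        [pscustomobject]@{
            DomainController  = $dc
            Samples           = $samples
            AvgPacketsPerSec  = [math]::Round($stats.Average)
            BusyPacketsPerSec = [math]::Round($stats.Maximum)   # the value to match in the sensor table
        }
    }
}

# Example invocation with placeholder DC names (assumption)
Measure-DcPacketsPerSecond -ComputerName 'DC1', 'DC2' -DurationSeconds 300 | Format-Table -AutoSize
```

Because the sensor sizing is driven by the busiest interval and not the average, a DC that is quiet most of the day but absorbs the morning logon storm still needs the larger sensor tier; compare BusyPacketsPerSec, not AvgPacketsPerSec, against the table.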

Microsoft's documentation also describes how to configure the domain controller traffic that the sensor needs.

• Windows Event Forwarding can also be configured so that the Windows events Azure ATP relies on are forwarded to the sensor (this matters mainly for a standalone sensor; a sensor installed on the DC reads the local event log directly).

• Azure ATP relies on specific Windows Security event IDs; the list is in Microsoft's documentation.

• Azure ATP integrates with Azure Sentinel and with other Microsoft cloud security services such as Security Center, Azure AD and Azure Information Protection.

By: Idan Naftali | Consultant and architect for IT infrastructure, cloud solutions and information/cyber security | U-BTech Solutions
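A sensor that is installed and healthy but sitting on a DC whose audit policy never writes the events it needs produces a quiet, misleading console. The script below is an added example, not code from the original post; it checks the three audit subcategories and counts, per event ID, how many of the relevant events the DC wrote in the last 24 hours. The event IDs are the ones Microsoft's Azure ATP documentation lists for the sensor: 4776 (NTLM credential validation), 4728/4729/4732/4733/4756/4757 (security group membership changes), 7045 (new service installed) and 8004 (NTLM authentication, which only appears when NTLM auditing is enabled by policy). It assumes English audit subcategory names and is run elevated on the DC.

```powershell
# Added example (not from the original post): verify the DC audit policy and count the
# Windows events Azure ATP consumes. Run elevated on the domain controller.
function Test-AtpAuditEvents {
    param([int]$Hours = 24)

    # Audit subcategories that produce the events below (assumption: English names)
    $subcategories = 'Credential Validation', 'Security Group Management', 'Security System Extension'
    foreach ($sub in $subcategories) {
        # auditpol /r emits CSV; the 'Inclusion Setting' column holds Success/Failure/No Auditing
        $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
        [pscustomobject]@{ Check = "Audit policy: $sub"; Value = $row.'Inclusion Setting' }
    }

    # Event IDs from the Azure ATP documentation and the logs they live in
    $since   = (Get-Date).AddHours(-$Hours)
    $queries = @(
        @{ LogName = 'Security'; Id = 4776, 4728, 4729, 4732, 4733, 4756, 4757; StartTime = $since },
        @{ LogName = 'System';   Id = 7045; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since }
    )
    $counts = @{}
    foreach ($q in $queries) {
        # SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches
        Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
            Group-Object -Property Id |
            ForEach-Object { $counts[[int]$_.Name] = $_.Count }
    }
    foreach ($id in 4776, 4728, 4729, 4732, 4733, 4756, 4757, 7045, 8004) {
        [pscustomobject]@{ Check = "Event $id written in last $Hours h"; Value = [int]$counts[$id] }
    }
}

Test-AtpAuditEvents | Format-Table -AutoSize
```

A zero for 4776 on a busy DC almost always means Credential Validation auditing is off; a zero for 8004 is expected until the "Restrict NTLM: Audit NTLM authentication in this domain" policy is set, and a zero for the group-management IDs on a quiet day is normal. Read the counts together with the audit-policy lines rather than in isolation.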
