Better Together and Integrations Everywhere with Microsoft Security


Microsoft has a broad set of security offerings, including industry-leading threat protection solutions. The biggest differentiator I see between Microsoft in this space and many of the other solutions out there is the intelligence fed to our solutions by the Intelligent Security Graph and the integration between email, endpoint and identity protection.

A few of the integrations we'll be reviewing in this article are between Office 365 Threat Intelligence, Windows Defender Advanced Threat Protection (ATP), Azure ATP, Intune, Azure Active Directory (AD), Cloud App Security, and Azure Security Center.


Threat Intelligence with Defender ATP

Office 365 Threat Intelligence is powered by data from the Microsoft Intelligent Security Graph. The graph acquires the latest threat signal from over 1 billion Windows devices, 450 billion monthly Azure logins, and 400 billion monthly email messages in Office 365. This breadth of signal is what gives admins and security analysts the visibility into a customer tenant that they need for a complete view of the threats impacting their organization.

When the integration between Threat Intelligence and Defender ATP is enabled, information about a user's devices is shown within Threat Explorer, including the current number of open alerts on each device.

The integration between Office 365 Threat Intelligence and Windows Defender ATP provides administrators an easy way to pivot from email directly to the endpoint during an investigation.

Within Threat Explorer, on the upper right-hand side of the screen, select the link for WDATP Settings.

The side panel opens and describes this integration: enabling it provides two-way visibility between the two solutions. From Threat Explorer, admins can see device details and open alerts from the endpoint. From Defender ATP, admins get insights into email data with filtered links back to Threat Explorer.

To enable the integration between Threat Intelligence and Defender ATP, set the Connect to Windows ATP option to On.

From the Defender ATP side, verify that the integration is enabled in the Advanced Settings.

Once the integration is in place, admins get insights into email data with filtered links back to Threat Explorer. For example, if a user saves an attachment from Outlook, the machine timeline in the Defender Security Center offers the option to get "More details on this email in O365".

For more information on the integration between Threat Intelligence and Defender ATP, please visit: Integrate Office 365 Threat Intelligence with Windows Defender Advanced Threat Protection


Defender ATP with Intune and Conditional Access

With Azure Active Directory (Azure AD) conditional access, you can control how authorized users access your cloud apps. In a conditional access policy, you define the response ("do this") to the reason for triggering your policy ("when this happens").

With the integration of Defender ATP, you can extend the native capabilities of conditional access to include the ability to block high-risk machines from accessing corporate applications and data.

Even if the user is logged onto a corporate-managed machine from an internal network, the user can be blocked from accessing corporate email or applications if the machine is identified as high risk.

Within the Intune management console, you will see the setup option for Windows Defender ATP.

The Windows Defender Security Center reports the device as "high risk" and includes a detailed report of the suspicious activity. For example, Defender ATP detects that the device executed abnormal code, experienced a process privilege escalation, injected malicious code, and issued a suspicious remote shell. Using Intune, you create a compliance policy that defines an acceptable level of risk. If a device exceeds that risk level, the device becomes non-compliant. When combined with Azure Active Directory (AD) Conditional Access, the user is blocked from accessing corporate resources.

In the Windows Defender ATP settings, set Require the device to be at or under the machine risk score to your preferred level: Clear, Low, Medium, or High.

You will then need to create a conditional access policy that grants access only when the device is compliant.

From the Defender ATP side, verify that the integration is enabled in the Advanced Settings.
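The chain configured above runs risk score (Defender ATP) to compliance (Intune) to grant/block (Conditional Access). The following is an added example written for this article, not Microsoft code: it builds the two policy objects as Microsoft Graph request bodies (the property names `deviceThreatProtectionEnabled`, `deviceThreatProtectionRequiredSecurityLevel` and the `compliantDevice` grant control are Graph's; the mapping of the UI label "Clear" to the enum value `secured` is my understanding of that enum, so treat the bodies as illustrative rather than a tested deployment) and then evaluates offline, over a constructed fleet, which devices each threshold would block. Treating a device with no score yet as non-compliant is a fail-closed choice made in this example, not something the article states.

```python
"""Model the Defender ATP -> Intune compliance -> Azure AD Conditional Access chain.

Added example for this article, not Microsoft code. It builds the two policy
objects the walkthrough configures in the portal (as Microsoft Graph request
bodies) and evaluates, offline, which constructed devices would be blocked.
"""
from typing import Optional

# Ordered from least to most risky. The Intune UI shows the threshold as
# Clear / Low / Medium / High; the Graph enum for windows10CompliancePolicy
# .deviceThreatProtectionRequiredSecurityLevel spells "Clear" as "secured"
# (assumed mapping, see lead-in).
RISK_ORDER = ["clear", "low", "medium", "high"]
GRAPH_LEVEL = {"clear": "secured", "low": "low", "medium": "medium", "high": "high"}


def compliance_policy(display_name: str, max_risk: str) -> dict:
    """Graph body for an Intune Windows 10 compliance policy that requires the
    device to be at or under `max_risk` as reported by Defender ATP."""
    if max_risk not in RISK_ORDER:
        raise ValueError(f"unknown risk level {max_risk!r}")
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": display_name,
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": GRAPH_LEVEL[max_risk],
    }


def conditional_access_policy(display_name: str, app_ids: list) -> dict:
    """Graph body for a Conditional Access policy that grants access to the
    listed cloud apps only from a device Intune marks compliant."""
    return {
        "displayName": display_name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": app_ids},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def is_compliant(device_risk: Optional[str], max_risk: str) -> bool:
    """Intune's check: the Defender ATP risk score must be at or under the
    policy threshold. A device with no score yet (None) is treated as
    non-compliant here; that fail-closed choice is this example's assumption."""
    if device_risk is None:
        return False
    return RISK_ORDER.index(device_risk) <= RISK_ORDER.index(max_risk)


def access_decision(device_risk: Optional[str], max_risk: str) -> str:
    """Conditional Access outcome when the grant control is compliantDevice."""
    return "grant" if is_compliant(device_risk, max_risk) else "block"


def evaluate_fleet(devices: dict, max_risk: str) -> dict:
    """Map each device name to grant/block for the given threshold."""
    return {name: access_decision(risk, max_risk) for name, risk in devices.items()}


if __name__ == "__main__":
    # Constructed sample: risk scores as Defender ATP would report them to Intune.
    fleet = {"WS-01": "clear", "WS-02": "low", "WS-03": "high", "WS-04": None}
    print(compliance_policy("Block risky endpoints", "medium"))
    print(conditional_access_policy("Require compliant device", ["All"]))
    for threshold in RISK_ORDER:
        print(threshold, evaluate_fleet(fleet, threshold))
```

Running the fleet through every threshold makes the semantics of "at or under" visible: a threshold of High lets any scored device through, so it only blocks devices that have not reported a score at all (under this example's fail-closed rule), while Clear blocks anything with an open detection.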

For more information on the integration between Defender ATP and Conditional Access, please visit: Enable Windows Defender ATP with conditional access in Intune


Defender ATP with Azure ATP

Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP, for an even more complete threat protection solution. While Azure ATP monitors the traffic on your domain controllers, Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment.

After Azure ATP and Windows Defender ATP are fully integrated, in the Azure ATP portal, in the mini-profile pop-up and in the entity profile page, each entity that exists in Windows Defender ATP includes a badge to show that it is integrated with Windows Defender ATP.

Within the details of a computer, the current Defender ATP alerts for that machine are shown within the Azure ATP console.

By integrating Windows Defender ATP into Azure ATP, you can leverage the full power of both services to secure your environment and have full visibility across the cyber kill chain.

To enable the integration between Azure ATP and Defender ATP, there are only two simple settings. From the Azure ATP side, within the Configuration section, turn Integration with Windows Defender ATP to ON.

From the Defender ATP side, verify that the integration is enabled in the Advanced Settings.

For more information on the integration between Defender ATP and Azure ATP, please visit: Integrate Azure ATP with Windows Defender ATP


Cloud App Security with Azure Information Protection

Microsoft Cloud App Security lets you apply Azure Information Protection classification labels automatically, with or without protection, to files as a file policy governance action. You can also investigate files by filtering for the applied classification label within the Cloud App Security portal. Using classifications enables greater visibility and control of your sensitive data in the cloud. Integrating Azure Information Protection with Cloud App Security is as easy as selecting one single checkbox.

As an example of the integration, if an admin opens the options for a file in the file investigation section, they will see the option to Apply classification label.

When selected, the label and protection option will open and present all of the current labels configured for the company within Azure Information Protection. The admin can manually apply any label to the document stored in any cloud service managed by Cloud App Security.

Also, there's the option to automatically apply the classification label based on a query and file policy. If Cloud App Security identifies sensitive data anywhere, the resulting governance actions can automatically apply the correct label and associated protections.

To enable the integration of Azure Information Protection with Cloud App Security, within the Settings section under Azure Information Protection, select the check box to Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.

To ignore classification labels applied outside your organization, in the Cloud App Security portal, select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.

For more information on the integration between Cloud App Security and Azure Information Protection, please visit: Azure Information Protection integration


Azure Security Center with Cloud App Security and Defender ATP

Azure Security Center harnesses the power of Defender ATP to provide improved threat detection for Windows Servers: it identifies and notifies you of attackers' tools and techniques, helps you understand threats, uncovers more information about a breach, and lets you explore the details in the interactive Investigation Path within the Security Center blade.

Azure Security Center also integrates with Microsoft Cloud App Security to bring you alerts based on user and entity behavioral analytics (UEBA) for your Azure resources and users (Azure activity). These alerts detect anomalies in user behavior using UEBA and machine learning (ML), so that you can immediately run advanced threat detection across your subscriptions' activities.

To enable these integrations, edit the security policy and, under Threat detection within Settings, turn on the corresponding options.

For more information on the integration between Azure Security Center and Defender ATP or Cloud App Security, please visit:

Windows Defender Advanced Threat Protection with Azure Security Center

UEBA for Azure resources and users


Note that within the Security solutions section, you can also very easily connect Azure Security Center to both Advanced Threat Analytics and Azure AD Identity Protection.


More articles by Eric Inch
