Skip to content

Windows Defender ATP — The New Security Product


Part of the new features of Windows 10 is the ability to drill down on security and integration with features of Microsoft DCU (Digital Crime Unit), which is the Microsoft unit that works with the Defense Department to generate and identify attacks around the world (

Types of protection Available

In general the virus are based on what are DAT files with virus signatures and can identify programs that have activities or part of these codes considered dangerous. In this category are all current antivirus, which includes Windows Defender.

Already advanced protection systems rely on internal and external behavioral analysis, that is, they identify potential threats by behaviors like some products from Symantec and McAfee, which identifies machines by sending packets to other machines, with brute force logins, etc.

Already the behavioral protection systems with external analysis are very different products. They analyze behavior of machines in the environment and external communications. With this it is possible to identify:

  • A group of machines getting packages from a particular machine with suspicious content
  • Packages from countries where the phishing attack and the like are common
  • Packages from machines already identified as "zombie"

That is, based on the analysis of the own environment and behavior of hackers, it is possible to identify certain hacker is trying to break into a company to analyze that this hacker is sending packets to the target company’s network.

What is the ATA and the ATP

Microsoft products this product is the ATA (Advanced Thread Analysis) that works in Active Directory and user logins, and ATP (Advanced Thread Protection) that works with Machine Learning (data analysis) on the logs of the individual machines.

In practice the Windows Defender ATP works with the same log that Windows Defender, but online and on the basis of the analyses and data of the DCU. With this it is possible to identify threats that are not found in traditional DAT or based only on a single machine, which is how the traditional antivirus work.

The ATA is part of the EMS (Enterprise Mobility Suite), but can be purchased part:

The ATP is still in preview with on-demand access:

Overview of ATP

As I already have access to the ATP, let’s see how it works. To request such access, enter the page above and complete with your data. You can include machines for your environment, but the system generates some machines with viruses and problems to test automatically. Note on the screens below the user used is generated by Microsoft for testing.

To get access, the first step is to indicate retention time and company profile to produce threads by thread type:


In the sequel we generate the package or the script for distribution of the settings. Note that you can create the packages for distribution by GPO, SCCM, Intune or site which is what I use in my tests:


The next step is to download the package, in my case the Script Location:


The script contains a file CMD to be executed manually in machines that wish to Defend logging is sent to the ATP. This script creates a key in the registry to indicate my tenant and activate the ATP:


From now on its machines will send data to the ATP.

In the case of my test, I can use the data of the machine that Microsoft generates tests and view alerts and dashboard. The first screen is the Dashboard indicating the General behavior in the monitored environment:


In this case I have no alerts generated in the last 30 days, but I have the tenant creation to demonstrate how to use the alert management:


Each alert can be ignored, marked as resolved or deleted in any tenant or just for this particular machine:



This type of data analysis is essential for the security of the Corporation. Soon available as a service on Azure, the ATP is a new way to analyze and ensure your environment.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: