The Advanced Threat Analytics Feature in Microsoft Defender for Endpoints

William Suryajaya
2 min read · Jun 16, 2022


Microsoft Advanced Threat Analytics

Advanced Threat Analytics (ATA) is an on-premises platform that helps protect an organization against several types of advanced targeted cyber attacks and insider threats. It is a different product from the cloud-delivered Threat analytics dashboard in the Microsoft 365 Defender / Defender for Endpoint portal described next: ATA inspects on-premises Active Directory traffic and events, while Threat analytics publishes threat-intelligence reports.

Threat Analytics Dashboard access from Navigation Bar > Threat Analytics

Threat analytics in the Microsoft Defender portal provides threat-intelligence reports that help security teams prepare for and respond to emerging threats, for example:

  • Active threat actors and their campaigns
  • Popular and new attack techniques
  • Critical vulnerabilities
  • Common attack surfaces
  • Prevalent malware

Advanced Threat Analytics uses a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC and NTLM) for authentication, authorization and information gathering. In addition to network traffic, ATA can receive events and logs from:

  • SIEM Integration
  • Windows Event Forwarding (WEF)
  • Directly from the Windows Event Collector (for the Lightweight Gateway)

Advanced Threat Analytics Architecture

Advanced Threat Analytics detects suspicious activity in the following phases of an attack:

  • Reconnaissance, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist. Typically, this is where attackers build plans for their next phases of attack.
  • Lateral movement cycle, during which an attacker invests time and effort in spreading their attack surface inside your network.
  • Domain dominance (persistence), during which an attacker captures the information that allows them to resume their campaign using various sets of entry points, credentials, and techniques.

Highlighted Kill-Chain Advanced Threat Analytics Detections

Advanced Threat Analytics provides detections across the kill chain, grouped as:

reconnaissance, credential compromise, lateral movement, privilege escalation and domain dominance.
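To make the reconnaissance and lateral-movement phases above concrete, here is an added Python example (not ATA's own detection logic and not code from this post) that runs two simplified heuristics over constructed Windows Security events. The first flags account-enumeration reconnaissance: one source failing NTLM credential validation (event 4776) for many distinct accounts that do not exist (NTSTATUS 0xC0000064). The second flags lateral movement: one account logging on over the network (event 4624, logon type 3) to many distinct hosts within a short window. The event IDs and status codes are real Windows values; the thresholds, window sizes, hostnames and the sample events themselves are assumptions made for the illustration.

```python
"""Simplified detections for two ATA kill-chain phases, run over constructed
Windows Security events. Added illustration only: these heuristics are not
ATA's detection logic, and the events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes reported in event 4776 when validation fails.
STATUS_NO_SUCH_USER = "0xC0000064"
STATUS_WRONG_PASSWORD = "0xC000006A"

# Constructed sample events (not real telemetry), shaped after Security
# event 4776 (NTLM credential validation) and 4624 (successful logon).
EVENTS = [
    # Reconnaissance: WS01 probes five usernames that do not exist.
    {"id": 4776, "time": "2022-06-16T09:00:01", "src": "WS01", "user": "admin", "status": STATUS_NO_SUCH_USER},
    {"id": 4776, "time": "2022-06-16T09:00:02", "src": "WS01", "user": "backup", "status": STATUS_NO_SUCH_USER},
    {"id": 4776, "time": "2022-06-16T09:00:03", "src": "WS01", "user": "svc_sql", "status": STATUS_NO_SUCH_USER},
    {"id": 4776, "time": "2022-06-16T09:00:04", "src": "WS01", "user": "helpdesk", "status": STATUS_NO_SUCH_USER},
    {"id": 4776, "time": "2022-06-16T09:00:05", "src": "WS01", "user": "test", "status": STATUS_NO_SUCH_USER},
    # Benign noise: a user mistyping a password once and a username once.
    {"id": 4776, "time": "2022-06-16T09:01:00", "src": "WS02", "user": "jdoe", "status": STATUS_WRONG_PASSWORD},
    {"id": 4776, "time": "2022-06-16T09:01:10", "src": "WS02", "user": "jdo", "status": STATUS_NO_SUCH_USER},
    # Lateral movement: svc_backup fans out across three hosts within minutes.
    {"id": 4624, "time": "2022-06-16T09:10:00", "user": "svc_backup", "dst": "SRV01", "logon_type": 3},
    {"id": 4624, "time": "2022-06-16T09:12:30", "user": "svc_backup", "dst": "SRV02", "logon_type": 3},
    {"id": 4624, "time": "2022-06-16T09:15:00", "user": "svc_backup", "dst": "DC01", "logon_type": 3},
    # Benign: jdoe reuses one file server, logs on interactively, then a host hours later.
    {"id": 4624, "time": "2022-06-16T09:00:00", "user": "jdoe", "dst": "FS01", "logon_type": 3},
    {"id": 4624, "time": "2022-06-16T09:05:00", "user": "jdoe", "dst": "FS01", "logon_type": 3},
    {"id": 4624, "time": "2022-06-16T09:06:00", "user": "jdoe", "dst": "WS02", "logon_type": 2},
    {"id": 4624, "time": "2022-06-16T11:00:00", "user": "jdoe", "dst": "WS05", "logon_type": 3},
]


def _burst(entries, window, min_distinct):
    """Slide a `window`-long span over sorted (time, value) pairs and return the
    sorted distinct values of the first span holding >= min_distinct, else None."""
    entries = sorted(entries)
    for i, (t0, _) in enumerate(entries):
        seen = {v for t, v in entries[i:] if t - t0 <= window}
        if len(seen) >= min_distinct:
            return sorted(seen)
    return None


def detect_account_enumeration(events, window=timedelta(minutes=5), min_accounts=5):
    """Reconnaissance heuristic: one source failing NTLM validation for many
    distinct nonexistent accounts in a short window. Returns {source: accounts}."""
    by_source = defaultdict(list)
    for e in events:
        if e["id"] == 4776 and e["status"] == STATUS_NO_SUCH_USER:
            by_source[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    alerts = {}
    for src, attempts in by_source.items():
        hit = _burst(attempts, window, min_accounts)
        if hit:
            alerts[src] = hit
    return alerts


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Lateral-movement heuristic: one account with successful network logons
    (4624, logon type 3) to many distinct hosts in a short window. Returns {user: hosts}."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["dst"]))
    alerts = {}
    for user, logons in by_user.items():
        hit = _burst(logons, window, min_hosts)
        if hit:
            alerts[user] = hit
    return alerts


if __name__ == "__main__":
    print("account enumeration:", detect_account_enumeration(EVENTS))
    print("lateral movement:", detect_lateral_movement(EVENTS))
```

Both heuristics key on the same shape of signal ATA looks for in these phases, many distinct targets from one actor in a short time, which is why a single sliding-window helper serves both. Real deployments tune the thresholds per environment; a single wrong password or a repeated logon to the same file server, as in the benign events above, should not fire.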
