
Microsoft Configuration

Product Versions

"Microsoft Threat Protection" suite with the following integration:

| Protection scope | Product/Server | Configuration |
|---|---|---|
| Endpoint | Microsoft Defender ATP for Windows 10 1903 (build 18362) | Enabled |
| Server | Microsoft Defender ATP for Server 2019 (build 17763) | Enabled |
| Identity | Microsoft Azure ATP (sensor version 2.97.7243) | Enabled |
| Cloud Applications | Microsoft Cloud App Security | Enabled |
| Email | Microsoft Office 365 ATP | Not Enabled |
| Managed Detection and Response | Microsoft Threat Experts | Enabled |


Microsoft Threat Protection (MTP) is a unified pre- and post-breach enterprise defense suite that natively integrates endpoint, identity and email products to stop sophisticated attacks. Microsoft Threat Protection combines the signals of Microsoft Defender ATP (endpoint), Azure ATP (identity), Office 365 ATP (email and collaboration) and Microsoft Cloud App Security (applications) to accurately detect and automatically respond to threats with behavioral analytics, and reveals the root cause to speed up investigations. Tight integration across the products, augmented with new cross-product logic unique to Microsoft Threat Protection, ensures that attacks can be quickly detected, that affected assets are automatically remediated and that security operations teams are empowered to investigate and take remediation actions in time, before the damage is done.

Stopping advanced, sophisticated attacks requires the combined efforts of a proactive prevention stack, wide behavior-based detection capabilities, comprehensive automatic self-healing capabilities for affected assets and superb visibility with a wide array of remediation actions for security teams to provide the oversight and intervention required to stop attacks quickly. Siloed expert systems like endpoint detection and response (EDR) or email protection systems are great for providing perimeter-specific defenses, but they also leave the job of connecting the dots and coordinating defenses to human analysts, who are forced to pivot from console to console to verify and respond to threats separately for each perimeter.

Microsoft Threat Protection defines a new category for enterprise-wide protection, detection and response solutions that run a fully integrated single defensive stack across endpoint, identity, email and cloud data to:

  • Protect at the source and coordinate the defense stack by sharing signals and actions
  • Narrate the story of the attack across product alerts, behaviors and context with Incidents
  • Automate response to compromise by self-healing assets through automated Remediation
  • Enable effective threat hunting across the endpoint, Office and identity

Microsoft Threat Protection provides security teams with a single portal view of the aggregated data of the Microsoft enterprise security suite, helping them gain superior visibility and alerting, speed up incident triage and incident response, and reduce the effect of attacks by automatically remediating affected assets: endpoints, user identities and mailboxes. Microsoft Threat Protection is built on top of a full suite of cloud-native products and a built-in agentless endpoint architecture, which eliminates the cost and complexity of deploying, maintaining and updating on-premises infrastructure and can seamlessly scale to millions of users and endpoints.

Product Configuration

Additional OS and individual product configurations

| Component | Reason | Configuration |
|---|---|---|
| MDATP: Next-generation protection | Configured in audit mode to allow Redteam binaries/tools to execute (without blocking) | Audit-only (no block) |
| MDATP: Attack Surface Reduction | Configured in audit mode to allow Redteam binaries/tools to execute (without blocking) | Audit-only (no block) |
| MDATP: Exploit protection | Disabled upon request | Disabled |
| Windows Defender Credential Guard | Disabled upon request | Disabled |
| Windows Defender Application Guard | Disabled upon request | Disabled |
| Application control | Disabled upon request | Disabled |