Welcome back to our second article on the current Microsoft security stack. In the first article we talked about the new Microsoft Security offerings as a whole and we went a little bit deeper into explaining some topics. Just as a reminder, below you can find the overview again on which offerings Microsoft currently has in its security assets.

In our previous article we talked about the assets in the following areas:

  • Data
  • Cloud & Datacenter

This article will focus on the assets in the application stack.

Cloud App Security

Centers around three components:

  • Cloud Discovery: Discover all cloud use in your organization, including Shadow IT reporting and control and risk assessment.
  • Data Protection: Monitor and control your data in the cloud by gaining visibility, enforcing DLP policies, alerting, and investigation.
  • Threat Protection: Detect anomalous use and security incidents. Use behavioral analytics and advanced investigation tools to mitigate risk and set policies and alerts to achieve maximum control over network cloud traffic.

Cloud App security provides:

  • Using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.
  • Sanctioning and un-sanctioning apps in your cloud.
  • Using easy-to-deploy app connectors that take advantage of provider APIs for visibility and governance of apps that you connect to.
  • Using proxy protection to get real-time visibility and control over access and activities performed within your cloud apps.
  • Giving you continuous control by setting and continually fine-tuning policies.

Advanced Threat Protection


  • Detect and identify suspicious user and device activity with learning-based analytics
  • Leverage threat intelligence across the cloud and on-premises environments
  • Protect user identities and credentials stored in Active Directory
  • Provide clear attack information on a simple timeline for fast triaging
  • Monitor multiple entry points through integration with Windows Defender Advanced Threat Protection

Basically what happens is that the anatomy of an attack has been identified. Meaning that allot of the attacks that currently take place in modern IT networks follow the same pattern. It has been depicted in the image below.

Microsoft’s ATP solution provides insight in the steps within the anatomy of this attack pattern. For example it detects abnormal behavior with admin accounts. To do so it leverages an lightweight agent installed on a DC or standalone server that is port mirrored with a dc. These agents and/or stand alone servers communicate with the Azure ATP service, where information is processed using the machine learning and intelligence of the Microsoft Azure Cloud platform.

That will be all for this part 2 of this series of articles on the Microsoft Security Stack. We hope this has been informative for you and if there are any questions or you want to know more, please don’t hesitate to contact us.