ThirdSpace ThirdSpace
Close 0 Reset Search Run Search What are you looking for? Type at least three characters to search. Filter Search Results
  • All Content
  • Blog
  • Case Studies
  • Event
  • Resources
  • News
  • Careers
  • Access Centre
  • Technologies
  • Workshops
  • Solutions
  • People
Load more
26 August 2020

Identify, analyse and remediate: What is Microsoft Threat Protection (MTP)?

  • Cyber security
  • Azure Sentinel
Mathew Richards

A ‘one-stop-shop’ for security incident management and remediation, here are the ins and outs of Microsoft Threat Protection.

Ever found yourself frustrated by the plethora of consoles required to manage Microsoft’s security technologies in the Cloud?

Well, I have some good news – Microsoft has listened!

There are many projects currently underway to significantly improve this challenge. If we look at the progress Microsoft has made with the security and compliance portals, we can start to see the fruits of their labour.

Add the Microsoft Threat Protection (MTP) portal to this and we really start to see things stepping up a gear.

To be clear, MTP is not just another portal that consolidates your security view. Whilst that is one of its functions, MTP is so much more than just another console.


Microsoft Threat Protection explained

MTP consolidates your view of security incidents across several technologies but also adds a whole host of deep correlation and automation capabilities.

This makes the life of a security analyst much more efficient and effective. Microsoft has been building the underlying foundations for MTP for quite some time now, bringing all of its security telemetry together in one place.

This foundation enables you to query a data set spanning multiple technologies.

I like to think of MTP as a collection of depth or specialist security tools – technologies that have a clearly defined focus within your environment.

MTP will help you run queries that can identify any or all of the following:

  • Machines infected with a specific payload.
  • Modified mailboxes.
  • Malicious activity and the identities involved.
  • Vulnerabilities caused by an exposed CVE.

How does MTP work?

MTP combines the telemetry and insights drawn from the following products:

  • Office 365 Advanced Threat Protection (Office 365 ATP)
  • Azure Advanced Threat Protection (Azure ATP)
  • Microsoft Defender Advanced Threat Protection (MDATP)
  • Microsoft Cloud App Security (MCAS)
  • Azure Identity Protection (AIdP)

MTP brings all these technologies together in one security operations console. Within the console, you can see how MTP correlates and provides insights from these technologies and apply relevant automated activities to address them.

Being able to mark an identity as compromised or perform actions against your endpoints allows you to apply a kind of ‘self-healing’ capability to affected entities.

These activities can then drive different behaviours when the user authenticates, be that blocking the user, enforcing MFA or directing the connection through a reverse proxy, for example.

MTP will continuously monitor activities across a wide range of entities, correlating signals to surface incidents that highlight suspicious activities.

Aligned closely to the MITRE ATT&CK framework, MTP clearly shows you where in the attack chain the activities contributing to the incident have occurred. These activities could highlight persistence, defence evasion or lateral movement.

As you can see below, a security incident raised by MTP shows you these tactics across the complete kill chain and provides supporting evidence.

With this visibility, you can quickly establish the magnitude of the issue and get a handle on it. You can see all the affected entities such as mailboxes, identities and devices with a view of their investigation priority.

You can also clearly see any investigations that have been triggered automatically through the automated incident response (AIR) engine. AIR can execute automated investigative activities to further understand the details and potentially mitigate the risk.

These can be fully automated or based on an approval workflow.

The insights provided by MTP will then flow into your overarching security incident and event management (SIEM) solution. Your SIEM can then perform further analysis and correlation across all the data consumed.

Webinar: Azure Sentinel Demo - See Microsoft’s security tool in action

See how Sentinel can help you identify and stop threats before they have the opportunity to cause damage. You'll learn:

  • What Sentinel does, how it works – and how you can harness the power of AI
  • How its unique features can help you revolutionise your security operations
Watch now

MTP and Azure Sentinel

As you would expect, MTP will have native integration with Azure Sentinel (Microsoft’s SIEM and SOAR offering) – easily enabled by a simple tick box!

No need to develop any custom data connectors here, you’ll be glad to hear. Using the insights of these depth/specialist tools within Sentinel provides valuable insights to identify the end-to-end attack chain.

This helps you see what’s affected and where to focus your attention to mitigate the risk. It’s all about visibility.

Without accurate, near-real-time visibility of activities across your entire environment, you are at risk of harbouring bad actors who will be waiting for the perfect moment to strike.

Future-proof security management

MTP delivers a far more efficient and effective way of managing threat incidents within your organisation and serves to enable your analysts to be able to quickly identify and remediate the threats discovered.

Driven by the native integration of multiple technologies and backed with sophisticated machine learning models, MTP should form an essential part of your overall security strategy.

Microsoft’s goal with MTP is to make it the ‘one-stop-shop’ for managing threat protection. Whilst there has been a significant amount of work already completed to make this a reality, there is still more for Microsoft to do.

Today, you can see and interact with the incidents that have been raised and get visibility into all the areas already discussed. On occasion, you will still need to enter the respective technology’s portal to gain a deeper understanding.

This is made easy for you from within MTP, but the eventual goal is to deliver everything you need from within the MTP portal itself.

Microsoft is engaged in an aggressive roadmap so expect to see many new capabilities being delivered across all the threat protection technologies over the coming months.

MTP licensing

MTP isn’t something that you need to install, it’s automatically enabled if you have one or more of the technologies that comprise MTP. You can access MTP if you have any of the following licenses or products:

  • Microsoft 365 E5 or A5
  • Microsoft 365 E5 Security or A5 Security
  • Windows 10 Enterprise E5 or A5
  • Enterprise Mobility + Security E5 or A5
  • Office 365 E5 or A5
  • Microsoft Defender ATP
  • Azure ATP
  • Microsoft Cloud App Security
  • Office 365 ATP

So, if you have any of the above, then you’re good to go. The MTP portal can be accessed here.



Now that you hopefully have a better understanding of what MTP and its constituent parts, you can appreciate how MTP might benefit your security team. Attacks are becoming far more sophisticated and there is a real need to stay one step ahead.

The investment and commitment that Microsoft has made to security is impressive and, if anything, they’re gathering pace and continue to innovate on the technologies they offer.

So, MTP is a worthwhile investment for managing your security as the threat landscape continues to evolve.

Key takeaways

  • MTP will become your ‘one-stop-shop’ for managing threat protection.
  • It draws on all of Microsoft’s security technologies and telemetry.
  • Security incidents are clearly surfaced and highlight affected areas.
  • MTP allows for quick and effective threat response and mitigation.
  • It’s designed to integrate seamlessly with Azure Sentinel for additional detail and control.

Next steps

You may also like...


Never trust, always verify: What is the Microsoft Zero Trust security model?


How and why to move to Azure Information Protection (AIP) unified labeling


The top 5 features of Office 365 Advanced Threat Protection (ATP)

Recent Blog Articles

View All
Mathew Richards
Head of Mobility & Security
Learn More

Need advice? Our experts are waiting...

Simply request a free Vision Call. We can help you with solution ideas, technology education, best practice advice and more.

Request Vision Call
Award-winning solutions Award-winning solutions

Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.

ThirdSpace Please upgrade your browser

You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:

Windows Mac

Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.