I have a love/hate relationship with Microsoft Threat Protection (MTP). I absolutely love the concept, the platform and the pieces that make up MTP. It gives you a single-pane view of everything from the users’ systems all the way to Azure cloud assets. Microsoft Threat Protection consists of Microsoft Defender Advanced Threat Protection (ATP), Microsoft Office 365 ATP, Microsoft Cloud App Security and Azure ATP.
What I hate about MTP are the licensing requirements. Each component has its own minimum license requirement, so you may need to scope the reports to gather information only from those users who are licensed for the features. Review the Microsoft 365 licensing guidance before proceeding. For example, to license the workstations for what used to be called Windows ATP, now called Microsoft Defender ATP, you need a Windows 10 Enterprise E5, Windows 10 Education A5, Microsoft 365 E5 (M365 E5, which includes Windows 10 Enterprise E5), or Microsoft 365 A5 (M365 A5) license.
Microsoft Defender ATP
Licensing Microsoft Defender ATP opens up several features that provide additional information and guidance when a security incident occurs. Once you onboard machines into the console, you can go back in time and review what happened on a system. This is helpful for capturing log files and other evidence when a system has been hit by ransomware and that data now sits on an encrypted hard drive held hostage by the attacker. Microsoft Defender ATP can now be used to protect Macintosh computers as well.