Difference Between Microsoft ATA and Microsoft ATP

Edited by Diffzy | Updated on: April 30, 2023




What does one think of when they hear the word Microsoft? People might think of technology or computers. Technology, in turn, involves a number of cyber-attacks and violence which might threaten one's personal information. Microsoft is an essential digital application that is used by nearly every company, student, etc. However, with people's increasing digital involvement, security comes into question. There have been numerous cases of security breaches that have harmed the activities of companies. Hence, in response to such problems, Microsoft ATA and ATP focus on the detection of cybercrimes.

Microsoft ATA vs. Microsoft ATP

To novices, ATP and ATA may sound similar; however, they are considerably different. ATA provides cyber-attack and network solutions based on actual claims, whereas ATP provides a combination of solutions that are not only on-premises. Microsoft ATA defends the company or organization from attacks by leveraging on-premises entry, records, experience, and machine behavior. Abnormal behavior, such as suspect logins, can be detected by ATA in network traffic. The ATA remainder is information regarding suspicious activity. Azure ATP is another name for Microsoft ATP. It covers similar types of attacks with comparable facts and statistics. ATP Cloud receives all tested test information and definitions. ATP provides the same functionality as ATA but needs fewer statement-based concerns. The table below illustrates the differences between Microsoft ATA and ATP.

Difference Between Microsoft ATA vs ATP in Tabular Form

| Basis | Microsoft ATA | Microsoft ATP |
|---|---|---|
| Objective | Microsoft ATA performs evidence detection, observation, and inquiry. | Microsoft ATP performs on-premise warning diagnostic in conjunction with cloud investigation and announcement. |
| Denotation | It provides remedies to safeguard businesses based on-premise establishments. | It is an updated type of ATA that is answerable to the Azure cloud and does not require any on-premise servers. |
| Spot | Microsoft ATA has an on-premises installation. | Microsoft ATP may be installed in a hybrid model. |
| Authority | ATA authority is constantly shifting under Microsoft. | ATP authorization is granted to enterprise and suite E5 by Microsoft. |


What is Microsoft ATA?

Azure ATP is the cloud-based version of Advanced Threat Analytics (ATA). ATA is a product that is installed on the customer's premises. Installing an ATA server in your environment is the first step in implementing ATA. Azure ATP is a cloud-based service that does not require any additional on-premises servers. You can start using Azure ATP right away if you have Enterprise Mobility + Security E5 licenses or sign up for a trial. Microsoft ATA collects data from several sources in order to detect anomalies in business networks and construct a secure network. It also looks through journals, logs, and registers and is based on previous device experience. It also employs audit procedures to detect suspicious logins, malicious attacks, and other strange activities.

The Microsoft Advanced Threat Analytics architecture is divided into two parts. The ATA Gateway analyses user activity data on the network and sends it to the ATA Centre using deep packet inspection technologies. The ATA Centre receives activity data from the ATA Gateway through a secure connection and creates an "Organizational Security Graph." This data effectively includes activity profiles for every user, and ATA leverages these to alert on anomalous user behavior. The ATA Gateway parses network activity, including DNS servers, and creates a user activity profile for each user in Active Directory, which includes the machines the user regularly logs onto and the resources the user uses. Using this activity profile, ATA can determine when a user's activity deviates from the benchmark. ATA is specifically interested in user authentication traffic to the Domain Controllers, which includes the initial logon to the system as well as requests to access resources that are sent to the DCs. ATA also requires a standard user account in Active Directory to enumerate users, groups, and computers.

It doesn't matter if a user has the right to access a resource. When the user requests access, ATA logs that the user is attempting to access it. If this is not part of the normal activity profile for the user, it is flagged as suspicious. There are three levels of criticality in ATA: Low, Medium, and High, based on the potential impact of the identified activity. The ATA Centre is installed first, and then the ATA Gateway installation files are created, tying the ATA Gateway install to the ATA Centre. This guarantees that ATA Gateways know how to connect safely with the ATA Centre. The ATA Centre has an online portal where you may see activity streams and suspicious actions. The diagram below depicts a user accessing computers and resources that are not part of that person's "normal" activities. The system learns where users log in and how they generally access resources over time; no rules or policies are necessary, and no agents are required. No part of the system is integrated into Active Directory, and it is effectively imperceptible since it can't be seen on any system or the network. Only a standard user account is required for ATA to gather information about the Active Directory environment.
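The profile-and-deviation idea described above can be sketched in a few lines. This is an added example, not ATA's actual algorithm or code from Microsoft: the event tuples are constructed sample data, and the seven-day learning window and the mapping of deviations to Low, Medium, and High are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (day, user, source machine, resource requested).
# In ATA these would come from authentication traffic to the domain controllers.
EVENTS = [
    (1, "alice", "WKS-01", "FILESRV"),
    (2, "alice", "WKS-01", "MAIL"),
    (3, "bob", "WKS-07", "MAIL"),
    (4, "bob", "WKS-07", "HR-APP"),
    (9, "alice", "WKS-01", "MAIL"),     # matches alice's profile
    (9, "alice", "WKS-01", "HR-APP"),   # known machine, new resource
    (10, "bob", "SRV-DB", "MAIL"),      # new machine, known resource
    (10, "bob", "SRV-DB", "DC01"),      # new machine and new resource
]
LEARNING_DAYS = 7  # assumption: events up to this day form the baseline


def build_profiles(events, learning_days=LEARNING_DAYS):
    """Record the machines and resources each user touches while learning."""
    profiles = defaultdict(lambda: {"machines": set(), "resources": set()})
    for day, user, machine, resource in events:
        if day <= learning_days:
            profiles[user]["machines"].add(machine)
            profiles[user]["resources"].add(resource)
    return profiles


def severity(profile, machine, resource):
    """Assumed mapping of deviation to the Low/Medium/High levels."""
    new_machine = machine not in profile["machines"]
    new_resource = resource not in profile["resources"]
    if new_machine and new_resource:
        return "High"
    if new_machine:
        return "Medium"
    return "Low" if new_resource else None


def detect(events, learning_days=LEARNING_DAYS):
    """Flag post-baseline requests that fall outside the user's profile.

    Permissions are never consulted: an allowed request is still flagged
    if it is not part of the user's normal activity.
    """
    profiles = build_profiles(events, learning_days)
    alerts = []
    for day, user, machine, resource in events:
        if day > learning_days:
            level = severity(profiles[user], machine, resource)
            if level:
                alerts.append((day, user, machine, resource, level))
    return alerts
```

Calling `detect(EVENTS)` returns three alerts, one per deviation type; a user with no baseline at all has an empty profile and is therefore flagged at the highest level.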

What is Microsoft ATP?

Microsoft ATP assists in locating and analyzing contemporary attacks and insider warnings on-premise. It operates in several regions with hybrid solutions, not only on-premise, and prevents intruders from gaining access to your system. It creates an image of the users of the business after learning about them via various events and behaviors. When some abnormal conduct is detected, the workplace portal informs you whether it is an attack or not. It assists you in detecting any hostile acts in your environment. ATP protects you from attacks that might cause harm to your business, whether they are known or unknown to you.

ATP is divided into three parts:

Azure ATP, Windows Defender ATP, and Office 365 ATP

  1. Microsoft Defender for Office 365 protects your emails, files, and programs against unexpected attacks, links, and suspicious attachments. It allows you to predict who will be the next target in the organization and what sort of malicious attack you will face.

  2. Microsoft Security Essentials Advanced Threat Protection (ATP) is a Microsoft security software program that is designed to assist business-class organizations in detecting and responding to security threats. ATP is a background detection system that provides a proactive and effective investigative reaction.

  3. Microsoft Windows Defender (version 1) ATP has been renamed Microsoft Defender for Endpoint and now works in tandem with Azure ATP to detect and defend unique content. Its major focus, however, is on the endpoints, or resources that are spent.

  4. ATP is a warning and response function that has been upgraded in Windows Defender. Many anti-malware solutions have ATP functionality.

Capabilities and responsibilities

  1. Threat and Vulnerability Management - a real-time software inventory is taken on endpoints. This data is used to discover, prioritize, and mitigate security flaws caused by installed apps and missing updates.

  2. Next-Generation Protection - ATP continuously scans for and blocks dangers. To detect new and emerging risks, machine learning and the Security Graph are utilized.

  3. Automated Investigation and Remediation - Network endpoints can create an astonishing quantity of security alarms if left unchecked. Windows Defender ATP examines the alarms and eliminates the "noise" signals using an Automated Investigations function. This permits security personnel to concentrate on more important alarms.

  4. Secure Score - to assess the existing security setup, ATP employs a security score. Prescriptive advice is provided to assist security professionals in improving their security scores.

  5. Microsoft Threat Experts - Microsoft Threat Experts is a managed hunting service that uses artificial intelligence to identify and prioritize assaults.

  6. Reducing the Attack Surface - By separating computer hardware and application administration, the system's whole attack surface is decreased. Applications are no longer automatically trusted, and only trusted applications are permitted to run.

  7. Endpoint Detection and Response - ATP categorizes assaults as incidents. This form of integration facilitates security experts' ability to prioritize, investigate, and respond to risks.

The role ATP plays:

  1. The first step is reconnaissance. This is the stage at which an attacker gathers data about your environment. Azure ATP identifies abnormal network activity and attacks on your domain controllers. Attempts to transfer domains from your DNS servers or to list the members of groups are instances of questionable activities that attackers may engage in.

  2. The third phase is the persistence phase, also known as "domain domination" by Microsoft. This is the point at which an attacker has amassed adequate data to take control of your environment. They can secure access to your network for future attacks, for example, by creating administrator accounts or installing remote access tools on the server. Each of those phases, as per Microsoft, is comparable and predictable. Intelligent attackers can infiltrate a workstation or a server while going fully undetected by typical antivirus software. However, owing to their reconnaissance, lateral movement, and persistence activity, they can be discovered.

  3. The lateral movement phase comes next. This is the stage at which an attacker attempts to propagate via the network, obtaining access to other hosts or other sets of login credentials.

  4. By eliminating misunderstandings, a comprehensive logbook of events may help you foresee future mistakes or actions concerning other events and make it more likely that you will be able to get some rest.

  5. ATA monitors domain controller network traffic via port mirroring and delivers a copy of the traffic to the ATA Gateway for analysis. A discreet ATA installation on the local domain controllers can be used instead of setting up full port mirroring. ATA can detect anomalies in real time, allowing you to focus on alerts that signal a possible problem.

  6. ATA can predict long-term warnings, malicious actions, and so forth. Because it has an in-depth understanding of how devices, systems, and networks function and interact with one another, it can locate the fault in the system if any changes occur between the system and networks.

Main Differences Between Microsoft ATA and ATP in Points

  1. The primary goal of Microsoft ATA is to detect mistakes or odd behavior on-premise through announcement and analysis, whereas the primary goal of Microsoft ATP is to detect faults on-premise through cloud research and announcement.

  2. Microsoft ATA is installed on-premises, whereas Microsoft ATP is installed in a hybrid environment.

  3. Microsoft ATA safeguards organizations from potentially harmful activity on corporate networks or servers, whereas Microsoft ATP is a revamped version of Microsoft ATA that reacts to the Azure cloud.

  4. Authority varies in the case of Microsoft ATA, but authority in the case of Microsoft ATP concentrates on business and E5 suite.

  5. The full form of ATA is "Advanced Threat Analytics," whereas the full form of ATP is "Advanced Threat Protection."

  6. Under Microsoft, ATA authority keeps on fluctuating, whereas, under Microsoft, ATP authority is given to enterprise and suite E5.

  7. Microsoft ATA performs evidence detection, observation, and investigation, but Microsoft ATP performs on-premise warning diagnosis with cloud investigation and announcement.

  8. Microsoft ATA offers remedies to safeguard firms based on on-premise establishments, but Microsoft ATP is the revised type of ATA, accountable to the Azure cloud and having no more servers on-premise.


Finally, we can say that we understand the core functions of both programs, which helps to clarify the differences between them. Microsoft ATA and ATP defend digital firms and organizations against malicious attacks and damage that might jeopardize the company's brand and status. ATP sensors can be put on a wide range of ATA servers. Following an examination of both ATA and ATP, it is possible to conclude that Microsoft ATP currently has more functions. ATA and ATP help us create new defenses and can arrange for any necessary treatment. Because ATP gives access to historical data for at least six months, it is simple to look it up. The Azure cloud's power provides you with modern, connected defense against attacks. When tools are constantly monitored, errors may be recognized and eliminated much more quickly. Overall, Microsoft ATP and ATA are vast areas that require a substantial amount of knowledge; this article gives a clear explanation of both while describing the differences between the two.


Cite this article

Use the citation below to add this article to your bibliography:



MLA Style Citation

"Difference Between Microsoft ATA and Microsoft ATP." Diffzy.com, 2024. Sun. 19 May. 2024. <https://www.diffzy.com/article/difference-between-microsoft-ata-and-microsoft-atp-39>.
