ATA frequently asked questions

Applies to: Advanced Threat Analytics version 1.9

This article provides a list of frequently asked questions about ATA and provides insight and answers.

Where can I get a license for Advanced Threat Analytics (ATA)?

If you have an active Enterprise Agreement, you can download the software from the Microsoft Volume Licensing Center (VLSC).

If you acquired a license for Enterprise Mobility + Security (EMS) directly via the Microsoft 365 portal or through the Cloud Solution Partner (CSP) licensing model and you do not have access to ATA through the Microsoft Volume Licensing Center (VLSC), contact Microsoft Customer Support to obtain the process to activate Advanced Threat Analytics (ATA).

What should I do if the ATA Gateway won't start?

Look at the most recent error in the current error log (Where ATA is installed under the "Logs" folder).

How can I test ATA?

You can simulate suspicious activities which is an end to end test by doing one of the following:

  1. DNS reconnaissance by using Nslookup.exe
  2. Remote execution by using psexec.exe

This needs to run remotely against the domain controller being monitored and not from the ATA Gateway.

Which ATA build corresponds to each version?

For version upgrade information, see ATA upgrade path.

What version should I use to upgrade my current ATA deployment to the latest version?

For the ATA version upgrade matrix, see ATA upgrade path.

How does the ATA Center update its latest signatures?

The ATA detection mechanism is enhanced when a new version is installed on the ATA Center. You can upgrade the Center either by using Microsoft Update (MU) or by manually downloading the new version from Download Center or Volume License Site.

How do I verify Windows Event Forwarding?

You can place the following code into a file and then execute it from a command prompt in the directory: \Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin as follows:

mongo.exe ATA filename

db.getCollectionNames().forEach(function(collection) {
    if (collection.substring(0,10)=="NtlmEvent_") {
        if (db[collection].count() > 0) {
            print ("Found "+db[collection].count()+" NTLM events") 
        }
    }
});

Does ATA work with encrypted traffic?

ATA relies on analyzing multiple network protocols, as well as events collected from the SIEM or via Windows Event Forwarding. Detections based on network protocols with encrypted traffic (for example, LDAPS and IPSEC) will not be analyzed.

Does ATA work with Kerberos Armoring?

Enabling Kerberos Armoring, also known as Flexible Authentication Secure Tunneling (FAST), is supported by ATA, with the exception of over-pass the hash detection which will not work.

How many ATA Gateways do I need?

The number of ATA Gateways depend on your network layout, volume of packets and volume of events captured by ATA. To determine the exact number, see ATA Lightweight Gateway Sizing.

How much storage do I need for ATA?

For every one full day with an average of 1000 packets/sec you need 0.3 GB of storage. For more information about ATA Center sizing see, ATA Capacity Planning.

Why are certain accounts considered sensitive?

This happens when an account is a member of certain groups which we designate as sensitive (for example: "Domain Admins").

To understand why an account is sensitive you can review its group membership to understand which sensitive groups it belongs to (the group that it belongs to can also be sensitive due to another group, so the same process should be performed until you locate the highest level sensitive group).

In addition, you can manually tag a user, group or computer as sensitive. For more information, see Tag sensitive accounts.

How do I monitor a virtual domain controller using ATA?

Most virtual domain controllers can be covered by the ATA Lightweight Gateway, to determine whether the ATA Lightweight Gateway is appropriate for your environment, see ATA Capacity Planning.

If a virtual domain controller can't be covered by the ATA Lightweight Gateway, you can have either a virtual or physical ATA Gateway as described in Configure port mirroring.

The easiest way is to have a virtual ATA Gateway on every host where a virtual domain controller exists. If your virtual domain controllers move between hosts, you need to perform one of the following steps:

  • When the virtual domain controller moves to another host, preconfigure the ATA Gateway in that host to receive the traffic from the recently moved virtual domain controller.
  • Make sure that you affiliate the virtual ATA Gateway with the virtual domain controller so that if it is moved, the ATA Gateway moves with it.
  • There are some virtual switches that can send traffic between hosts.

How do I back up ATA?

What can ATA detect?

ATA detects known malicious attacks and techniques, security issues, and risks. For the full list of ATA detections, see What detections does ATA perform?.

What kind of storage do I need for ATA?

We recommend fast storage (7200-RPM disks are not recommended) with low latency disk access (less than 10 ms). The RAID configuration should support heavy write loads (RAID-5/6 and their derivatives are not recommended).

How many NICs does the ATA Gateway require?

The ATA Gateway needs a minimum of two network adapters:
1. A NIC to connect to the internal network and the ATA Center
2. A NIC that is used to capture the domain controller network traffic via port mirroring.
* This does not apply to the ATA Lightweight Gateway, which natively uses all of the network adapters that the domain controller uses.

What kind of integration does ATA have with SIEMs?

ATA has a bi-directional integration with SIEMs as follows:

  1. ATA can be configured to send a Syslog alert, to any SIEM server using the CEF format, when a suspicious activity is detected.
  2. ATA can be configured to receive Syslog messages for Windows events from these SIEMs.

Can ATA monitor domain controllers virtualized on your IaaS solution?

Yes, you can use the ATA Lightweight Gateway to monitor domain controllers that are in any IaaS solution.

Is this an on-premises or in-cloud offering?

Microsoft Advanced Threat Analytics is an on-premises product.

Is this going to be a part of Microsoft Entra ID or on-premises Active Directory?

This solution is currently a standalone offering—it is not a part of Microsoft Entra ID or on-premises Active Directory.

Do you have to write your own rules and create a threshold/baseline?

With Microsoft Advanced Threat Analytics, there is no need to create rules, thresholds, or baselines and then fine-tune. ATA analyzes the behaviors among users, devices, and resources—as well as their relationship to one another—and can detect suspicious activity and known attacks fast. Three weeks after deployment, ATA starts to detect behavioral suspicious activities. On the other hand, ATA will start detecting known malicious attacks and security issues immediately after deployment.

If you are already breached, can Microsoft Advanced Threat Analytics identify abnormal behavior?

Yes, even when ATA is installed after you have been breached, ATA can still detect suspicious activities of the hacker. ATA is not only looking at the user's behavior but also against the other users in the organization security map. During the initial analysis time, if the attacker's behavior is abnormal, then it is identified as an "outlier" and ATA keeps reporting on the abnormal behavior. Additionally ATA can detect the suspicious activity if the hacker attempts to steal another users credentials, such as Pass-the-Ticket, or attempts to perform a remote execution on one of the domain controllers.

Does this only leverage traffic from Active Directory?

In addition to analyzing Active Directory traffic using deep packet inspection technology, ATA can also collect relevant events from your Security Information and Event Management (SIEM) and create entity profiles based on information from Active Directory Domain Services. ATA can also collect events from the event logs if the organization configures Windows Event Log forwarding.

What is port mirroring?

Also known as SPAN (Switched Port Analyzer), port mirroring is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed.

Does ATA monitor only domain-joined devices?

No. ATA monitors all devices in the network performing authentication and authorization requests against Active Directory, including non-Windows and mobile devices.

Does ATA monitor computer accounts as well as user accounts?

Yes. Since computer accounts (as well as any other entities) can be used to perform malicious activities, ATA monitors all computer accounts behavior and all other entities in the environment.

Can ATA support multi-domain and multi-forest?

Microsoft Advanced Threat Analytics supports multi-domain environments within the same forest boundary. Multiple forests require an ATA deployment for each forest.

Can you see the overall health of the deployment?

Yes, you can view the overall health of the deployment as well as specific issues related to configuration, connectivity etc., and you are alerted as they occur.