Advanced Threat Analytics (ATA) to Microsoft Defender for Identity
This article describes how to migrate from an existing ATA installation to a Microsoft Defender for Identity sensor, and includes the following steps:
- Review and confirm Defender for Identity service prerequisites
- Document your existing ATA configuration
- Plan your migration
- Set up and configure your Defender for Identity service
- Perform post-migration checks and verifications
- Decommission ATA
This migration guide is designed for Defender for Identity sensors only, and not standalone sensors.
While you can migrate to Defender for Identity from any ATA version, your ATA data isn't migrated. Therefore, we recommend that you plan to retain your ATA Data Center and any alerts required for ongoing investigations until all ATA alerts are closed or remediated.
To migrate from ATA to Defender for Identity, you must have an environment and domain controllers that meet Defender for Identity sensor requirements. For more information, see Microsoft Defender for Identity prerequisites.
Make sure that all the domain controllers you plan to use have sufficient internet access to the Defender for Identity service. For more information, see Configure endpoint proxy and internet connectivity settings.
Plan your migration
Before starting the migration, gather all of the following information:
- Account details for your Directory Services account.
- Syslog notification settings.
- Email notification details.
- Alert exclusions. Exclusions are not transferable from ATA to Defender for Identity, so you need the details of each exclusion to re-create it in Defender for Identity in Microsoft 365 Defender.
- Account details for entity tags. If you don't already have dedicated entity tags, create new ones for use with Defender for Identity. For more information, see Defender for Identity entity tags in Microsoft 365 Defender.
- A complete list of all entities, such as computers, groups, or users, that you want to manually tag as Sensitive entities. For more information, see Defender for Identity entity tags in Microsoft 365 Defender.
- Report scheduling details, including a list of all reports and scheduled timing.
Do not uninstall the ATA Center until all ATA Gateways are removed. Uninstalling the ATA Center with ATA Gateways still running leaves your organization exposed with no threat protection.
Move to Defender for Identity
Use the following steps to migrate to Defender for Identity:
- Uninstall the ATA Lightweight Gateway on all domain controllers.
- Install the Defender for Identity Sensor on all domain controllers:
  - Download the Defender for Identity sensor files and retrieve the access key.
After the migration is complete, allow two hours for the initial sync to be completed before moving on with validation tasks.
Validate your migration
In Microsoft 365 Defender, check the following areas to validate your migration:
- Review any health issues for signs of service issues.
- Review Defender for Identity sensor error logs for any unusual errors.
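The following PowerShell check is an added example, not part of the original article or Microsoft's tooling. It complements the portal review by reporting, for each domain controller, whether an ATA Lightweight Gateway is still installed and whether the Defender for Identity sensor is running, which also confirms that every gateway is gone before the ATA Center is uninstalled. The function name `Get-DfiMigrationState` is hypothetical, and the service names `ATAGateway` and `AATPSensor` are assumed defaults that you should confirm in your environment.

```powershell
# Added example, not from the original article. The service names below are
# assumptions; confirm them on one domain controller before trusting the report.
function Get-DfiMigrationState {            # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,
        [string]$AtaGatewayService = 'ATAGateway',  # assumed ATA Lightweight Gateway service
        [string]$SensorService     = 'AATPSensor'   # assumed Defender for Identity sensor service
    )
    $filter = "Name='$AtaGatewayService' OR Name='$SensorService'"
    foreach ($dc in $ComputerName) {
        try {
            $svcs = @(Get-CimInstance -ClassName Win32_Service -ComputerName $dc `
                        -Filter $filter -ErrorAction Stop)
        } catch {
            # An unreachable DC is reported, never silently counted as migrated.
            [pscustomobject]@{
                DomainController = $dc; AtaGateway = 'Unknown'; Sensor = 'Unknown'
                Status = "Unreachable: $($_.Exception.Message)"
            }
            continue
        }
        $ata    = $svcs | Where-Object Name -eq $AtaGatewayService
        $sensor = $svcs | Where-Object Name -eq $SensorService
        $status = if ($ata)                            { 'ATA Gateway still installed' }
                  elseif (-not $sensor)                { 'No sensor installed' }
                  elseif ($sensor.State -ne 'Running') { 'Sensor not running' }
                  else                                 { 'Migrated' }
        [pscustomobject]@{
            DomainController = $dc
            AtaGateway       = if ($ata)    { $ata.State }    else { 'Absent' }
            Sensor           = if ($sensor) { $sensor.State } else { 'Absent' }
            Status           = $status
        }
    }
}

# Discover domain controllers (requires the ActiveDirectory module) and report.
$dcs     = (Get-ADDomainController -Filter *).HostName
$report  = @(Get-DfiMigrationState -ComputerName $dcs)
$pending = @($report | Where-Object Status -ne 'Migrated')
$report | Format-Table -AutoSize
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) domain controller(s) not fully migrated; resolve before decommissioning ATA."
}
```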
After completing your migration to Defender for Identity, do the following to clean up your legacy ATA resources:
Make sure that you've recorded or remediated all existing ATA alerts. Existing ATA security alerts aren't imported to Defender for Identity with the migration.
Do one or both of the following:
- Decommission the ATA Center. We recommend keeping ATA data online for a period of time.
- Back up MongoDB if you want to keep the ATA data indefinitely. For more information, see Backing up the ATA database.
After migrating to Defender for Identity, learn more about investigating alerts in Microsoft 365 Defender. For more information, see: