ATA readiness roadmap

Applies to: Advanced Threat Analytics version 1.9

This article provides a readiness roadmap to help you get started with Advanced Threat Analytics.

Understanding ATA

Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyberattacks and insider threats. Use the following resources to learn more about ATA:

Deployment decisions

ATA is composed of the ATA Center, which you install on a server, and ATA Gateways, which you can either install on separate computers or deploy as the Lightweight Gateway directly on your domain controllers. Before you get up and running, it's important to make the following deployment decisions:

Configuration          Decision
Hardware type          Physical, virtual, Azure VM
Workgroup or Domain    Workgroup, domain
Gateway sizing         Full Gateway, Lightweight Gateway
Certificates           PKI, self-signed

If you are using physical servers, you should plan capacity. You can get help from the sizing tool to allocate space for ATA:

ATA sizing tool - The sizing tool automates the collection of the amount of traffic ATA needs. It automatically provides supportability and resource recommendations for both the ATA Center and ATA Lightweight Gateways.

ATA capacity planning

Deploy ATA

These resources will help you download and install the ATA Center, connect to Active Directory, download the ATA Gateway package, set up event collection, and optionally integrate with your VPN and set up honeytoken accounts and exclusions.

Download ATA

ATA POC playbook - Guide to all the steps necessary to do a successful POC deployment of ATA.

ATA settings

The basic settings ATA needs are configured as part of the installation wizard. However, there are a number of other settings, such as SIEM integration and audit settings, that you can configure to fine-tune ATA and make detections more accurate for your environment.

Audit settings – Audit your domain controller health before and after an ATA deployment.

ATA general documentation

Work with ATA

After ATA is up and running, you can view suspicious activities that are detected in the Attack timeline. This is the default landing page you are taken to when you log in to the ATA Console. By default, all open suspicious activities are shown on the Attack timeline. You can also see the severity assigned to each activity. Investigate each suspicious activity by drilling down into the entities (computers, devices, users) to open their profile pages, which provide more information. These resources will help you work with ATA's suspicious activities:

ATA suspicious activity playbook - This article walks you through credential theft attack techniques using readily available research tools on the internet. At each point of the attack, you can see how ATA helps you gain visibility into these threats.

ATA suspicious activity guide

Security best practices

ATA best practices - Best practices for securing ATA.

ATA frequently asked questions - This article lists frequently asked questions about ATA and provides insight and answers.

Community resources

ATA blog

ATA community