ATA frequently asked questions

If you have an active Enterprise Agreement, you can download the software from the Microsoft Volume Licensing Center (VLSC).

If you acquired a license for Enterprise Mobility + Security (EMS) directly via the Microsoft 365 portal or through the Cloud Solution Partner (CSP) licensing model and you do not have access to ATA through the Microsoft Volume Licensing Center (VLSC), contact Microsoft Customer Support to obtain the process to activate Advanced Threat Analytics (ATA).

Look at the most recent error in the current error log (Where ATA is installed under the "Logs" folder).

You can simulate suspicious activities which is an end to end test by doing one of the following:

1. DNS reconnaissance by using Nslookup.exe
2. Remote execution by using psexec.exe

This needs to run remotely against the domain controller being monitored and not from the ATA Gateway.

For version upgrade information, see ATA upgrade path.

For the ATA version upgrade matrix, see ATA upgrade path.

The ATA detection mechanism is enhanced when a new version is installed on the ATA Center. You can upgrade the Center either by using Microsoft Update (MU) or by manually downloading the new version from Download Center or Volume License Site.

You can place the following code into a file and then execute it from a command prompt in the directory: \Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin as follows:

mongo.exe ATA filename

db.getCollectionNames().forEach(function(collection) {
    if (collection.substring(0,10)=="NtlmEvent_") {
        if (db[collection].count() > 0) {
            print ("Found "+db[collection].count()+" NTLM events") 
        }
    }
});

ATA relies on analyzing multiple network protocols, as well as events collected from the SIEM or via Windows Event Forwarding. Detections based on network protocols with encrypted traffic (for example, LDAPS and IPSEC) will not be analyzed.

Enabling Kerberos Armoring, also known as Flexible Authentication Secure Tunneling (FAST), is supported by ATA, with the exception of over-pass the hash detection which will not work.

The number of ATA Gateways depend on your network layout, volume of packets and volume of events captured by ATA. To determine the exact number, see ATA Lightweight Gateway Sizing.

For every one full day with an average of 1000 packets/sec you need 0.3 GB of storage. For more information about ATA Center sizing see, ATA Capacity Planning.

This happens when an account is a member of certain groups which we designate as sensitive (for example: "Domain Admins").

To understand why an account is sensitive you can review its group membership to understand which sensitive groups it belongs to (the group that it belongs to can also be sensitive due to another group, so the same process should be performed until you locate the highest level sensitive group).

In addition, you can manually tag a user, group or computer as sensitive. For more information, see Tag sensitive accounts.

Most virtual domain controllers can be covered by the ATA Lightweight Gateway, to determine whether the ATA Lightweight Gateway is appropriate for your environment, see ATA Capacity Planning.

If a virtual domain controller can't be covered by the ATA Lightweight Gateway, you can have either a virtual or physical ATA Gateway as described in Configure port mirroring.

The easiest way is to have a virtual ATA Gateway on every host where a virtual domain controller exists. If your virtual domain controllers move between hosts, you need to perform one of the following steps:

• When the virtual domain controller moves to another host, preconfigure the ATA Gateway in that host to receive the traffic from the recently moved virtual domain controller.
• Make sure that you affiliate the virtual ATA Gateway with the virtual domain controller so that if it is moved, the ATA Gateway moves with it.
• There are some virtual switches that can send traffic between hosts.

Refer to ATA disaster recovery

ATA detects known malicious attacks and techniques, security issues, and risks. For the full list of ATA detections, see What detections does ATA perform?.

We recommend fast storage (7200-RPM disks are not recommended) with low latency disk access (less than 10 ms). The RAID configuration should support heavy write loads (RAID-5/6 and their derivatives are not recommended).

The ATA Gateway needs a minimum of two network adapters:
1. A NIC to connect to the internal network and the ATA Center
2. A NIC that is used to capture the domain controller network traffic via port mirroring.
* This does not apply to the ATA Lightweight Gateway, which natively uses all of the network adapters that the domain controller uses.

ATA has a bi-directional integration with SIEMs as follows:

1. ATA can be configured to send a Syslog alert, to any SIEM server using the CEF format, when a suspicious activity is detected.
2. ATA can be configured to receive Syslog messages for Windows events from these SIEMs.

Yes, you can use the ATA Lightweight Gateway to monitor domain controllers that are in any IaaS solution.

Microsoft Advanced Threat Analytics is an on-premises product.

This solution is currently a standalone offering—it is not a part of Microsoft Entra ID or on-premises Active Directory.

With Microsoft Advanced Threat Analytics, there is no need to create rules, thresholds, or baselines and then fine-tune. ATA analyzes the behaviors among users, devices, and resources—as well as their relationship to one another—and can detect suspicious activity and known attacks fast. Three weeks after deployment, ATA starts to detect behavioral suspicious activities. On the other hand, ATA will start detecting known malicious attacks and security issues immediately after deployment.

Yes, even when ATA is installed after you have been breached, ATA can still detect suspicious activities of the hacker. ATA is not only looking at the user's behavior but also against the other users in the organization security map. During the initial analysis time, if the attacker's behavior is abnormal, then it is identified as an "outlier" and ATA keeps reporting on the abnormal behavior. Additionally ATA can detect the suspicious activity if the hacker attempts to steal another users credentials, such as Pass-the-Ticket, or attempts to perform a remote execution on one of the domain controllers.

In addition to analyzing Active Directory traffic using deep packet inspection technology, ATA can also collect relevant events from your Security Information and Event Management (SIEM) and create entity profiles based on information from Active Directory Domain Services. ATA can also collect events from the event logs if the organization configures Windows Event Log forwarding.

Also known as SPAN (Switched Port Analyzer), port mirroring is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed.

No. ATA monitors all devices in the network performing authentication and authorization requests against Active Directory, including non-Windows and mobile devices.

Yes. Since computer accounts (as well as any other entities) can be used to perform malicious activities, ATA monitors all computer accounts behavior and all other entities in the environment.

Microsoft Advanced Threat Analytics supports multi-domain environments within the same forest boundary. Multiple forests require an ATA deployment for each forest.

Yes, you can view the overall health of the deployment as well as specific issues related to configuration, connectivity etc., and you are alerted as they occur.

See Also

• ATA prerequisites
• ATA capacity planning
• Configure event collection
• Configuring Windows event forwarding
• Check out the ATA forum!