ATA disaster recovery

Applies to: Advanced Threat Analytics version 1.9

This article describes how to quickly recover your ATA Center and restore ATA functionality when the ATA Center is lost but the ATA Gateways are still working.

Note

The process described does not recover previously detected suspicious activities, but it does return the ATA Center to full functionality. Additionally, the learning period needed for some behavioral detections will restart, but most of the detections that ATA offers are operational as soon as the ATA Center is restored.

Back up your ATA Center configuration

  1. The ATA Center configuration is backed up to a file every 4 hours. Locate the latest backup copy of the ATA Center configuration and save it on a separate computer. For a full explanation of how to locate these files, see Export and import the ATA configuration.

  2. Export the ATA Center certificate.

    1. In the certificate manager, navigate to Certificates (Local Computer) -> Personal -> Certificates, and select ATA Center.
    2. Right-click ATA Center and select All Tasks followed by Export.
    3. Follow the instructions to export the certificate, making sure to export the private key as well.
    4. Back up the exported certificate file on a separate computer.

    Note

    If you cannot export the private key, you must create a new certificate and deploy it to ATA, as described in Change the ATA Center certificate, and then export it.
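The backup procedure above can be scripted so that it runs on a schedule instead of by hand. The following PowerShell script is an added example, not part of the Microsoft article: it copies the newest ATA Center configuration backup and exports the ATA Center certificate together with its private key to a separate computer. The backup directory under the Center installation folder, the certificate friendly name "ATA Center", the destination UNC path and the PFX file name are assumptions and placeholders; confirm the real backup location in the Export and import the ATA configuration article. If the private key turns out not to be exportable, the script stops with a message that points to the note above (create and deploy a new certificate, then export it).

```powershell
# Added example: automate "Back up your ATA Center configuration".
# Not code from the ATA product or the Microsoft article.

# ASSUMPTION: folder where ATA writes its 4-hourly configuration backups.
$BackupDir   = 'C:\Program Files\Microsoft Advanced Threat Analytics\Center\Backup'
# PLACEHOLDER: share on a *separate* computer that will hold the DR copies.
$Destination = '\\BACKUPHOST\ATA-DR'
# Password that protects the exported PFX (private key must never travel unprotected).
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'

if (-not (Test-Path $Destination)) { throw "Destination $Destination is not reachable" }

# Step 1: locate the latest configuration backup and copy it off the server.
$latest = Get-ChildItem -Path $BackupDir -Filter '*.json' -File |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if (-not $latest) { throw "No configuration backup found in $BackupDir" }
Copy-Item -Path $latest.FullName -Destination $Destination -Force
Write-Host "Copied configuration backup $($latest.Name) to $Destination"

# Step 2: export the ATA Center certificate from Certificates (Local Computer) -> Personal,
# including the private key. ASSUMPTION: the certificate's friendly name or CN is "ATA Center".
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'ATA Center' -or $_.Subject -like '*CN=ATA Center*' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw 'ATA Center certificate not found in the Personal store' }
if (-not $cert.HasPrivateKey) {
    throw 'The ATA Center certificate has no private key on this machine; create and deploy a new certificate, then export it'
}

$pfxPath = Join-Path -Path $Destination -ChildPath 'ATA-Center.pfx'   # PLACEHOLDER file name
try {
    # Export-PfxCertificate fails if the key was provisioned as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword -ErrorAction Stop | Out-Null
} catch {
    throw "Private key could not be exported ($($_.Exception.Message)); create a new certificate as described in 'Change the ATA Center certificate', deploy it to ATA, and export that one instead"
}
Write-Host "Exported certificate $($cert.Thumbprint) to $pfxPath"
```

Run the script in an elevated PowerShell session on the ATA Center, because reading the private key from the machine store requires local administrator rights. Keep the PFX password in the same place as the other disaster-recovery secrets, since without it the exported certificate is useless during recovery.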

Recover your ATA Center

  1. Create a new Windows Server machine using the same IP address and computer name as the previous ATA Center machine.
  2. Import the certificate you backed up earlier to the new server.
  3. Follow the instructions to Deploy the ATA Center on the newly created Windows Server. There is no need to deploy the ATA Gateways again. When prompted for a certificate, provide the certificate you exported when backing up the ATA Center configuration.
  4. Stop the ATA Center service.
  5. Import the backed-up ATA Center configuration:
    1. Remove the default ATA Center System Profile document from the MongoDB:
      1. Go to C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin.
      2. Run mongo.exe ATA.
      3. Run this command to remove the default system profile: db.SystemProfile.remove({})
      4. Leave the Mongo shell and return to the command prompt by entering: exit
    2. Run the command: mongoimport.exe --db ATA --collection SystemProfile --file "<SystemProfile.json backup file>" --upsert using the backup file from step 1.
      For a full explanation of how to locate and import backup files, see Export and import the ATA configuration.
    3. Start the ATA Center service.
    4. Open the ATA Console. You should see all the ATA Gateways linked under the Configuration/Gateways tab.
    5. Make sure to define a Directory services user and to choose a Domain controller synchronizer.
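Steps 4 and 5 of the recovery (stop the service, clear the default SystemProfile document, import the backed-up one, start the service) can be run as a single script so that the MongoDB commands are executed in the right order and a partial import is noticed immediately. The PowerShell below is an added example, not part of the Microsoft article. The MongoDB bin path and the mongo/mongoimport commands are the ones given in the article; the ATA Center service name and the backup file path are assumptions and placeholders (use Get-Service to confirm the service name before running it).

```powershell
# Added example: automate steps 4-5 of "Recover your ATA Center".
# Not code from the ATA product or the Microsoft article.

# From the article: location of the MongoDB tools shipped with the ATA Center.
$MongoBin    = 'C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin'
# PLACEHOLDER: the SystemProfile.json backup copied off the old ATA Center.
$BackupFile  = 'D:\ATA-DR\SystemProfile.json'
# ASSUMPTION: short name of the ATA Center Windows service; verify with Get-Service *ATA*.
$ServiceName = 'ATACenter'

function Invoke-Tool {
    # Runs one of the MongoDB command-line tools and fails fast on a non-zero exit code.
    param([string]$Exe, [string[]]$ToolArgs)
    $output = & (Join-Path $MongoBin $Exe) @ToolArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed (exit code $LASTEXITCODE): $output" }
    return $output
}

if (-not (Test-Path $BackupFile)) { throw "Backup file not found: $BackupFile" }

# Step 4: stop the ATA Center service and wait until it is really down.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 5.1: remove the default SystemProfile document. --eval replaces the
# interactive "mongo.exe ATA" session followed by "exit" from the article.
Invoke-Tool -Exe 'mongo.exe' -ToolArgs @('ATA', '--quiet', '--eval', 'db.SystemProfile.remove({})') | Out-Null

# Step 5.2: import the backed-up profile with --upsert, exactly as the article's command does.
Invoke-Tool -Exe 'mongoimport.exe' -ToolArgs @('--db', 'ATA', '--collection', 'SystemProfile',
                                               '--file', $BackupFile, '--upsert') | Out-Null

# Sanity check before bringing the service back: exactly one SystemProfile document must exist.
$count = Invoke-Tool -Exe 'mongo.exe' -ToolArgs @('ATA', '--quiet', '--eval', 'db.SystemProfile.count()')
if ([int]$count -ne 1) { throw "Expected 1 SystemProfile document after import, found $count" }

# Step 5.3: start the ATA Center service; the console check in step 5.4 is still manual.
Start-Service -Name $ServiceName
Write-Host 'ATA Center service started; open the ATA Console and verify the Gateways under Configuration/Gateways.'
```

The count check matters because mongoimport reports success even when the file contained no documents; starting the service against an empty SystemProfile collection would recreate the default profile and the Gateways would not reconnect. Steps 5.4 and 5.5 (verifying the Gateways and defining the Directory services user and Domain controller synchronizer) remain manual in the ATA Console.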
