Port Mirroring for Advanced Threat Analytics
The main data source used by ATA is deep packet inspection of the network traffic to and from your domain controllers. For ATA to see the network traffic, port mirroring needs to be configured. Port mirroring copies the traffic on one port, known as the source port, to another port, known as the destination port. ATA works with most solutions that can mirror traffic - if the traffic can be port mirrored to ATA, it can be used to analyze threats to your system https://technet.microsoft.com/en-us/library/mt429376.aspx.
One of the most common questions for Advanced Threat Analytics is on how to mirror ports.
I will give some references to different sites that will provide information on how to create mirrored ports.
Switches that support mirroring https://www.miarec.com/knowledge/switches-port-mirroring
Most of these links points for other vendors webpages and they are the ones that can give support on their products.
To verify that the port-mirroring is working (https://technet.microsoft.com/en-us/library/dn707710.aspx), remember to use Network monitor on the ATA Gateway.