Advanced Threat Analytics (ATA) to Microsoft Defender for Identity

Note

The final release of ATA is generally available. ATA ended Mainstream Support on January 12, 2021. Extended Support will continue until January 2026. For more information, read our blog.

Use this guide to move from an existing ATA installation to the (Microsoft Defender for Identity) service. The guide explains Defender for Identity prerequisites and requirements, and details how to plan and then complete your move. Validation steps and tips to take advantage of the latest threat protection and security solutions with Defender for Identity after installation are also included.

To learn more about the differences between ATA and Defender for Identity, see the Defender for Identity frequently asked questions.

In this guide you will:

• Review and confirm Defender for Identity service prerequisites
• Document your existing ATA configuration
• Plan your move
• Set up and configure your Defender for Identity service
• Perform post move checks and verification
• Decommission ATA after completing the move

Note

Moving to Defender for Identity from ATA is possible from any ATA version. However, as data cannot be moved from ATA to Defender for Identity, it is recommended to retain your ATA Center data and alerts required for ongoing investigations until all ATA alerts are closed or remediated.

Prerequisites

• An Azure Active Directory tenant with at least one global/security administrator is required to create a Defender for Identity instance. Each Defender for Identity instance supports a multiple Active Directory forest boundary and Forest Functional Level (FFL) of Windows 2003 and above.

• Defender for Identity requires .Net Framework 4.7 or later and may require a domain controller restart if your current .Net Framework version is not 4.7 or later.

• Make sure your domain controllers meet all the Defender for Identity sensor requirements and your environment meets all Defender for Identity requirements.

• Validate that all domain controllers you plan to use have sufficient internet access to the Defender for Identity service. Check and confirm your domain controllers meet the Defender for Identity proxy configuration requirements.

Note

This migration guide is designed for Defender for Identity sensors only.

Plan

Make sure to gather the following information before starting your move:

1. Account details for your Directory Services account.
2. Syslog notification settings.
3. Email notification details.
4. ATA roles group membership
5. VPN integration
6. Alert exclusions
   • Exclusions are not transferable from ATA to Defender for Identity, so details of each exclusion are required to replicate the exclusions in Defender for Identity.
7. Account details for honeytoken accounts.
   • If you don't already have dedicated honeytoken accounts, learn more about honeytokens in Defender for Identity and create new accounts to use for this purpose.
8. Complete list of all entities (computers, groups, users) you wish to manually tag as Sensitive entities.
   • Learn more about the importance of Sensitive entities in Defender for Identity.
9. Report scheduling details (list of reports and scheduled timing).

Note

Do not uninstall the ATA Center until all ATA Gateways are removed. Uninstalling the ATA Center with ATA Gateways still running leaves your organization exposed with no threat protection.

Move

Complete your move to Defender for Identity in two easy steps:

Step 1: Create and install Defender for Identity instance and sensors

1. Create your new Defender for Identity instance

2. Uninstall the ATA Lightweight Gateway on all domain controllers.

3. Install the Defender for Identity Sensor on all domain controllers:

   • Download the Defender for Identity sensor files and retrieve the access key.
   • Install Defender for Identity sensors on your domain controllers.

Step 2: Configure and validate Defender for Identity instance

• Configure the Sensor

Note

Certain tasks in the following list cannot be completed before installing Defender for Identity sensors and then completing an initial sync, such as selecting entities for manual Sensitive tagging. Allow up to 2 hours for the initial sync to be completed.

Validation

In the Microsoft 365 Defender portal:

• Review any health alerts for signs of service issues.
• Review Defender for Identity Sensor error logs for any unusual errors.

After the move

This section of the guide explains the actions that can be performed after completing your move.

Note

Import of existing security alerts from ATA to Defender for Identity are not supported. Make sure to record or remediate all existing ATA alerts before decommissioning the ATA Center.

• Decommission the ATA Center

  • To reference the ATA Center data after the move, we recommend keeping the center data online for a period of time. After decommissioning the ATA Center, the number of resources can typically be reduced, especially if the resources are a Virtual Machine.

• Back up Mongo DB

  • If you wish to keep the ATA data indefinitely, back up Mongo DB.

Mission accomplished

Congratulations! Your move from ATA to Defender for Identity is complete.

Next steps

Learn more about Defender for Identity features, functionality, and security alerts.

Join the Community

Do you have more questions, or an interest in discussing Defender for Identity and related security with others? Join the Defender for Identity Community today!