다음을 통해 공유

Microsoft Advanced Threat Analytics: How to configure

  • 아티클

Introduction

How can we make sure that your infrastructure is secure, today most of the attacks in organizations go undetected for months.

With the Microsoft Advanced Threat Analytics (ATA) helps identify violations and threats using behavioral analysis and provides a clear, actionable report on a schedule of simple attack.

Microsoft Advanced Threat Analytics is a product of cyber-security in place that detects advanced attacks using user and entity behavior analysis (UEBA). ATA combines machine learning, real-time detection based on the attacker's TTP (tactics, techniques, and procedures) and security issues to help reduce the attack surface.

How Advanced Threat Analytics (ATA) works

https://2.bp.blogspot.com/-ZOqI7U4oI98/Vlm2tWBP3CI/AAAAAAAAWG0/uPuEWDaOsi4/s640/ATA.PNG

Step 1: Analyze

The ATA uses a comprehensive technology package to analyze the entire Active Directory. It can also collect relevant events of SIEM and other resources.

Step 2: Understanding the routine

The ATA starts automatically to learning the behavior of users, devices, and profiling features and creates a map entity interaction.

Step 3: Detecting

The ATA identifies abnormal behaviors and raises red flags when necessary.

Step 4:

The ATA reports on suspicious activities on a timeline of the simple attack, providing information about users and help the recommendations for the next steps.

ATA's topology

The deployment process is simple, quick and simple, but I still think it's important to understand the ATA and ATA Gateway topology and functions of the Centre. In the diagram below, you can see that each Gateway is to analyze the network traffic (DPI) of a different switch through port mirroring, receive events of SIEM via Syslog listener or directly from the domain controllers through the Windows event Forwarding (WEF), then the Gateway sends relevant data to the Centre for detection.

https://2.bp.blogspot.com/-F6KSAQYcX4Q/VlupOyu7PsI/AAAAAAAAWNo/HsWF9RVyWpo/s400/072215_0148_MicrosoftAd2.png

https://4.bp.blogspot.com/-d_SgnmUgdh0/VlupZqrt4MI/AAAAAAAAWNw/fiUI_5SmShA/s400/072215_0148_MicrosoftAd3.png

Reference 

Microsoft ATA.

Configuring the Microsoft ATA Advanced Threat Analytics

Download the software at the Microsoft Advanced Threat Analytics, after downloading run the EXE.

https://4.bp.blogspot.com/-_8K9r1V3xEk/VlvK4Hq6jYI/AAAAAAAAWOQ/_TaC-5xmzKY/s400/1.jpg

Choose the Language of your choice and click Next.

https://1.bp.blogspot.com/-kiuiAraF-UA/VlvLPJTiwII/AAAAAAAAWOY/s_70Cwt-3ls/s400/2.jpg

Accept the license terms and click Next

 

https://2.bp.blogspot.com/--rKlBz--0WM/VlvLvItTKDI/AAAAAAAAWOg/3mCA_0huPUE/s400/3.jpg

Now let's configure some parameters before continuing the installation:

  1. choose the installation location.
  2. Select the IP and port.
  3. Select to automatically configure the certificate.

Then click Next.

https://4.bp.blogspot.com/-NYsHJ08KYgg/VlvNRVuXXwI/AAAAAAAAWOs/00ASFG6mW_Q/s400/4.jpg

 

Wait for the end of the installation.

https://3.bp.blogspot.com/-SxUBm-ipJ48/VlvNx5T1p0I/AAAAAAAAWO8/Z0vx5gUqzA0/s400/5.jpg

 

After installation, click Launch

 

https://2.bp.blogspot.com/-9L_6h5F0JyQ/VlvNqJGnOdI/AAAAAAAAWO4/xDcLqEJEDY8/s400/7.jpg 

As in the configuration to automatically create the certificate, he warns that the certificate is not working properly. Click Continue to this Website

 

https://1.bp.blogspot.com/-1BpjY2LO7UE/VlvUewZQkDI/AAAAAAAAWQ8/WEDDNdLNfEU/s400/20.jpg

 

Ready this ATA Panel, log in with your administrator user to your server.

https://1.bp.blogspot.com/-cbR6tXThd-o/VlvPQQ1LfDI/AAAAAAAAWPQ/LdWm1Oy9ld8/s400/9.jpg

After log in ATA, ATA configuration we Center.

https://4.bp.blogspot.com/-CGnPGPXigAs/VlvQF024UKI/AAAAAAAAWPc/FxtZ9pCJRxQ/s400/10.jpg

Now let's add the following information, user/password, and your dominio.com.br, and then click Save

https://4.bp.blogspot.com/-Othyv2gXNlU/VlvQ9JML8eI/AAAAAAAAWPk/W_6vYs2RLh0/s400/11.jpg

Ready your Gateway has been configured, now let's Download the Gateway.

https://2.bp.blogspot.com/-wQuSWMj4tis/VlvRdpZ5oxI/AAAAAAAAWPs/x1Xy_GGxEnw/s400/12.jpg

Extract the Gateway and run.

https://4.bp.blogspot.com/-9fu3tH6t0p4/VlvRuxFV2II/AAAAAAAAWP4/fstCbIwFyXs/s1600/13.jpg

https://2.bp.blogspot.com/-zfDkKN03hf4/VlvRu-9AcbI/AAAAAAAAWP0/M8Y64dMURKQ/s1600/14.jpg

Choose the Language of your choice and click Next.

https://4.bp.blogspot.com/-frAYaKC_rgw/VlvSMa03yaI/AAAAAAAAWQE/Wmz6DniFrkw/s400/15.jpg

Now let's configure some parameters before continuing the installation:

  1. choose the installation location.
  2. Select to automatically configure the certificate.
  3. place the service user.

Then click on Install.

 

https://1.bp.blogspot.com/-GN-27tDgIfs/VlvTTJ_wZVI/AAAAAAAAWQY/qGTCuZMJbh8/s400/16.jpg

 

Wait for the installation.

https://3.bp.blogspot.com/-_4fkmqIwV-c/VlvTfq32PsI/AAAAAAAAWQg/EmMd-N6x3d0/s400/17.jpg

During installation, the synchronization is as pending.

https://4.bp.blogspot.com/-Y2XZnVl9QAE/VlvT9dQk95I/AAAAAAAAWQo/zrKVDg3ZhPI/s400/18.jpg

After installation, click Launch

 

https://3.bp.blogspot.com/-Dr08gJTXbag/VlvULrnbItI/AAAAAAAAWQw/QiwtQ0ZEQbY/s320/19.jpg

As in the configuration to automatically create the certificate, he warns that the certificate is not working properly. Click Continue to this Website

 

https://3.bp.blogspot.com/-1BpjY2LO7UE/VlvUewZQkDI/AAAAAAAAWQ4/6ctX9WBD-wI/s400/20.jpg

 

Log in with the user service.

https://1.bp.blogspot.com/-cbR6tXThd-o/VlvPQQ1LfDI/AAAAAAAAWPU/TbAGN5bIiG0/s400/9.jpg

Now let's configure some parameters before continuing the installation:

  1. Add the description of your server.
  2. Add your Domain Controller.
  3. Select the certificate.
  4. Select the network card.

Then click Save 

https://1.bp.blogspot.com/-aUJVdQj47P4/VlvWODMGelI/AAAAAAAAWRE/LdyHSYVb91A/s400/22.jpg

https://3.bp.blogspot.com/-DfA4dmkpPSM/VlvWOHGLiSI/AAAAAAAAWRI/hJFi8qrkaYQ/s400/23.jpg

Wait until he finishes synchronization.

https://1.bp.blogspot.com/-pjdOtESjZWI/VlvWdfy6MXI/AAAAAAAAWRU/u9T5zBiXZFc/s400/24.jpg

The environment is already configured, I'm going to do some research with my server.

https://2.bp.blogspot.com/-b6o-3dYUr5M/Vlva3SXlEhI/AAAAAAAAWRg/cyU7MJkiTRA/s400/25.jpg

The ATA is already worked in your organization.

Credits

This document was originally published as http://www.micheljatoba.com.br/2015/11/como-configurar-microsoft-advanced.html and has been reproduced here to allow the community to correct any inaccuracies or provide other improvements until you update the original version of this topic.