
Microsoft Advanced Threat Analytics (ATA)

02/26/2018

Many customers I visit have no idea what ATA is, even though they already have EMS (Enterprise Mobility + Security) licensing: https://www.microsoft.com/en-us/cloud-platform/advanced-threat-analytics

Understanding the ATA

To better understand what ATA is, we need to recall what behavioral security products are (https://msincic.wordpress.com/2016/07/24/windows-defender-atp-the-new-security-product/).

This type of product does not rely on descriptions of known malicious code downloaded in a DAT file and matched against what is executed (virus signatures).

Behavioral security services instead analyze trends, common usage patterns and suspicious activities; for example, a user who has never logged on to a server is suddenly an administrator and accesses several machines.

Installing the ATA

The installation is very simple because the product communicates online directly with an Azure URL that receives the security log data and processes it with machine learning.

To install, just run the installer, which is simple and intuitive. After installing the server, we install the Gateway on the Domain Controller to be analyzed, which collects its security logs.

Once installed, administration is very simple, and it is possible to go further in the settings by entering, for example, the SID of a user account that will serve as a decoy for diagnosing an intrusion, an IP range of vulnerable machines (in a DMZ, for example) and other resources.

Once installed, maintenance is automatic for both the server and the monitored gateways.
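To make the two ideas above concrete (the behavioral baseline from "Understanding the ATA", and the decoy user SID entered in the settings), here is a small added example in Python. It is not ATA code and does not use any ATA API; the logon events, SIDs and host names are constructed for illustration, and the window and threshold values are assumptions. It learns which hosts each user normally logs on to, then flags a user reaching several never-seen hosts in a short window, and flags any logon at all by the decoy account.

```python
"""Toy behavioral detector over constructed Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, user SID, target host).
# All SIDs and host names are made up for this example.
BASELINE_EVENTS = [
    ("2018-02-01T08:01:00", "alice", "S-1-5-21-1-1-1-1101", "WS-ALICE"),
    ("2018-02-02T08:05:00", "alice", "S-1-5-21-1-1-1-1101", "WS-ALICE"),
    ("2018-02-03T09:10:00", "alice", "S-1-5-21-1-1-1-1101", "FS01"),
    ("2018-02-01T07:55:00", "bob", "S-1-5-21-1-1-1-1102", "WS-BOB"),
    ("2018-02-02T07:58:00", "bob", "S-1-5-21-1-1-1-1102", "WS-BOB"),
]

NEW_EVENTS = [
    ("2018-02-26T14:00:00", "alice", "S-1-5-21-1-1-1-1101", "WS-ALICE"),
    ("2018-02-26T14:02:00", "bob", "S-1-5-21-1-1-1-1102", "DC01"),
    ("2018-02-26T14:03:00", "bob", "S-1-5-21-1-1-1-1102", "FS01"),
    ("2018-02-26T14:04:00", "bob", "S-1-5-21-1-1-1-1102", "SQL01"),
    ("2018-02-26T14:10:00", "svc-decoy", "S-1-5-21-1-1-1-1500", "WS-BOB"),
]

# Constructed decoy (honeytoken) account: nobody should ever log on with it,
# so any logon by this SID is itself the alert.
HONEYTOKEN_SIDS = {"S-1-5-21-1-1-1-1500"}


def build_baseline(events):
    """Map each user to the set of hosts seen during the learning period."""
    baseline = defaultdict(set)
    for _, user, _, host in events:
        baseline[user].add(host)
    return baseline


def detect(events, baseline, honeytoken_sids,
           window=timedelta(minutes=10), min_new_hosts=3):
    """Return alerts as (kind, user, detail) tuples in event order.

    "honeytoken": any logon by a decoy SID (reported per event).
    "lateral-movement": a user logging on to at least `min_new_hosts`
    distinct hosts absent from their baseline within `window`
    (reported once per user).
    """
    alerts = []
    unseen_hits = defaultdict(list)   # user -> [(ts, host)] for never-seen hosts
    flagged_users = set()
    for ts_str, user, sid, host in sorted(events):   # ISO strings sort by time
        ts = datetime.fromisoformat(ts_str)
        if sid in honeytoken_sids:
            alerts.append(("honeytoken", user, host))
            continue
        if host in baseline.get(user, set()):
            continue                      # normal for this user, nothing to do
        unseen_hits[user].append((ts, host))
        recent = {h for t, h in unseen_hits[user] if ts - t <= window}
        if len(recent) >= min_new_hosts and user not in flagged_users:
            flagged_users.add(user)
            alerts.append(("lateral-movement", user, sorted(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS), HONEYTOKEN_SIDS):
        print(alert)
```

Run as written, the baseline learns that alice normally uses WS-ALICE and FS01 and bob only WS-BOB, so alice's logon is ignored, bob's three new servers within ten minutes produce one lateral-movement alert, and the decoy account's logon produces a honeytoken alert. A real product keeps the history behind each alert, which is what lets you tell a genuine incident from a one-off administrative task.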

Checking AD Security Issues

After a few days it is already possible to see some alerts in the dashboard; below, for example, is the warning that some computers are using a weak encryption level:

[Screenshots: ATA dashboard alerts about computers using a weak encryption level]

This other example is a case of remote execution of commands and scripts from a remote server. Of course, in this case I will close the alert, since it is expected behavior: I have the Honolulu project on the same machine, and it runs WMI commands:

[Screenshots: ATA alert for remote execution of commands and scripts via WMI]

Note that in both cases I can see what happened, which user was involved and on which server or desktop the suspicious activity occurred.

In addition, the detection history helps us understand whether this is a real incident or just a one-off activity.

Receiving Alerts and Reports

ATA allows you to configure the delivery of alerts and reports containing the collected data.

I can run standalone reports:

[Screenshot: running a standalone ATA report]

Or schedule them to be sent by email every day, as well as the alerts:

[Screenshot: scheduling daily email delivery of reports and alerts]

How to get the ATA

That is the question many ask, but it is important to remember that, as an online product, it can be purchased by anyone who has Microsoft 365 with Security (the new EMS) or the old EMS, or else it can be purchased individually.

Remember that, as it is a product linked to Office 365, the acquisition is per user, even when purchased standalone.
