
Microsoft Advanced Threat Analytics (ATA)


Many customers I visit have no idea what ATA is, even though they already have EMS (Enterprise Mobility + Security) licensing that includes it.

Understanding the ATA

To better understand what ATA is, we need to remember what behavioral security products are (

This type of product does not rely on signatures of malicious code downloaded in a DAT file (the classic virus signature model).

In behavioral security services you analyze trends, normal usage patterns and suspicious deviations from them; for example, a user who has never logged in to a server suddenly holds administrator rights and accesses several machines.
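As an added illustration (not from the original post, and not how ATA itself is implemented), the following Python sketch builds a per-user baseline from constructed logon events and flags exactly the pattern above: first use of admin rights combined with logons to several never-before-seen hosts. The event tuples, user names and the threshold are made-up assumptions.

```python
# Added example, not from the original post: a toy behavioral baseline that
# flags a user with no history of server logons who suddenly authenticates
# as an administrator to several machines. Event tuples are constructed.
from collections import defaultdict

# Constructed sample events: (day, user, host, used_admin_rights)
BASELINE_EVENTS = [
    (1, "alice", "WS01", False), (2, "alice", "WS01", False),
    (1, "bob", "SRV01", True), (2, "bob", "SRV02", True), (3, "bob", "SRV01", True),
    (3, "carol", "WS02", False),
]
NEW_EVENTS = [
    (10, "alice", "SRV01", True), (10, "alice", "SRV02", True), (10, "alice", "SRV03", True),
    (10, "bob", "SRV02", True),
    (10, "carol", "WS02", False),
]

def build_baseline(events):
    """Per-user profile learned from history: hosts seen and whether admin rights were ever used."""
    profile = defaultdict(lambda: {"hosts": set(), "admin": False})
    for _day, user, host, is_admin in events:
        profile[user]["hosts"].add(host)
        profile[user]["admin"] |= is_admin
    return profile

def detect_anomalies(baseline, events, new_host_threshold=2):
    """Flag users who use admin rights for the first time AND reach several unseen hosts."""
    new_hosts = defaultdict(set)
    first_admin = set()
    for _day, user, host, is_admin in events:
        prof = baseline.get(user, {"hosts": set(), "admin": False})
        if host not in prof["hosts"]:
            new_hosts[user].add(host)
        if is_admin and not prof["admin"]:
            first_admin.add(user)
    alerts = []
    for user in sorted(first_admin):
        if len(new_hosts[user]) >= new_host_threshold:
            alerts.append({"user": user, "new_hosts": sorted(new_hosts[user])})
    return alerts

if __name__ == "__main__":
    for a in detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"suspicious: {a['user']} used admin rights for the first time on new hosts {a['new_hosts']}")
```

Only alice is reported: bob already used admin rights on known servers, and carol stays on her usual workstation.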

Installing the ATA

The installation is very simple because communication is performed directly with an Azure URL, where the collected security log data is received and processed with machine learning.

To install, just run the installer, which is simple and intuitive. After installing the server, we install the Gateway on the Domain Controller whose security logs will be collected and analyzed.

Once installed, administration is very simple, and you can refine the settings by providing, for example, the SID of a user account to serve as a decoy for intrusion diagnosis, an IP range of vulnerable machines (in a DMZ, for example) and other options.

Once installed, maintenance is automatic for both the server and the gateways being monitored.

Checking AD Security Issues

After a few days it is already possible to see some alerts in the panel; for example, below is the warning that some computers are using a vulnerable encryption level:





This other example is a case of remote execution of commands and scripts from a remote server. In this case I will of course close the warning, since it is expected behavior: I have the Honolulu project on the same machine, and it runs WMI commands:



Note that in both cases I can see what happened, which user was involved and on which server or desktop the suspicious activity occurred.

In addition, the detection history helps us understand whether this is a genuine incident or just an isolated activity.

Receiving Alerts and Reports

ATA allows you to configure how alerts and reports containing this data are delivered.

I can run standalone reports:


Or schedule them to be received by email every day, along with the alerts:


How to get the ATA

That is the question many people ask, but it is important to remember that, as an online product, it can be purchased by anyone who has Microsoft 365 with Security (the new EMS), the old EMS, or else it can be purchased individually.

Remember that, as a product linked to O365, it is licensed per user, even when purchased standalone.
