
Microsoft ATA-Recovery and Migration

10/24/2018

We have already talked about Microsoft ATA (Advanced Threat Analytics) at https://msincic.wordpress.com/2018/02/26/microsoft-advanced-thread-analytics-ata/

Version 1.9 was a major upgrade that made ATA lighter in its requirements and improved how the reports are displayed.

During the migration, however, the connection to MongoDB can be lost, in which case a backup and restore of the ATA Center becomes necessary.

The same process may be required when switching ATA servers.

Important: the Windows Security Log data collected by the gateways is analyzed by ATA to generate the incidents and alerts, but all of it is stored locally in the ATA Center's MongoDB database. Nothing is kept in the cloud, so if you lose the server you also lose the reports and incidents already registered.

Performing ATA Backup

To back up the ATA configuration, use the SystemProfile_yyyymmddhhmm.json file that ATA writes periodically to the Backup subdirectory of the ATA Center installation folder; the last 300 copies are kept there. Copy the most recent one to a location off the server.

This SystemProfile file is an export of the configuration collection of the MongoDB database in JSON format, so there is no need to use Atlas or another MongoDB-specific administration tool to back up the configuration. This is very good, since MongoDB administration is not a common skill.

For the file to be usable, you must also have a copy of the certificate that encrypts the sensitive data inside the JSON. This is the ATA Center certificate, generated (self-signed) during installation unless you supplied your own.

The certificate copy only needs to be made once: open an MMC console with the Certificates snap-in for the Local Computer, find the ATA Center certificate under Personal > Certificates, and export it with its private key (PFX). Without the private key the restored server cannot decrypt the configuration.

With these steps we have a backup of the server configuration: the JSON file and the certificate. But what about the ATA data?

To back up the ATA data itself (alerts and incidents), you do need the MongoDB tools, as already mentioned, and you should think about whether you really need that history, since incidents that have already been resolved may not be worth carrying over.

If you need to keep alerts and incidents, follow the document at https://docs.mongodb.com/manual/core/backups/ on how to back up the database.
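The backup procedure above as one PowerShell script. This is an added example, not code from the original post or from Microsoft; it assumes the default ATA Center installation folder, that the mongodump.exe shipped with the ATA Center lives in a MongoDB\bin folder under it, that the ATA Center certificate can be recognized by its subject name, and that a file share exists for the backup to land on. Adjust the parameters to your environment.

```powershell
# Added example (not from the original post or Microsoft's documentation).
# Assumptions, adjust to your environment:
#   $AtaRoot            - ATA Center installation folder; its Backup subfolder holds the SystemProfile_*.json copies.
#   $MongoBin           - folder containing mongodump.exe (assumed to be MongoDB\bin under the install folder).
#   $Dest               - a location OFF the ATA Center server (file share) where the backup is written.
#   $CertSubjectPattern - wildcard matched against the certificate Subject; change it if your ATA Center
#                         certificate was issued by a CA with a different subject.
param(
    [string]$AtaRoot  = 'C:\Program Files\Microsoft Advanced Threat Analytics\Center',
    [string]$MongoBin = 'C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin',
    [string]$Dest     = '\\backupsrv\ata-backup',
    [string]$CertSubjectPattern = '*ATA*Center*',
    [switch]$DumpAlerts   # also run mongodump so alerts and incidents can be restored later
)
$ErrorActionPreference = 'Stop'

$stamp  = Get-Date -Format 'yyyyMMddHHmm'
$target = Join-Path $Dest $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Configuration: take the newest SystemProfile_*.json from the Backup folder.
$latest = Get-ChildItem -Path (Join-Path $AtaRoot 'Backup') -Filter 'SystemProfile_*.json' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No SystemProfile_*.json found under $AtaRoot\Backup" }
Copy-Item -Path $latest.FullName -Destination $target
Write-Host "Copied configuration: $($latest.Name)"

# 2. Certificate: the ATA Center certificate from Local Computer \ Personal, exported WITH its private key.
#    The JSON contains secrets encrypted with this certificate; without the key the restore is useless.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $CertSubjectPattern -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matched '$CertSubjectPattern' in Cert:\LocalMachine\My" }

$pfxPassword = Read-Host -Prompt 'Password to protect the exported PFX' -AsSecureString
$pfxPath = Join-Path $target "ATACenter_$($cert.Thumbprint).pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported certificate $($cert.Thumbprint) to $pfxPath"

# 3. Optional: dump the whole ATA database (alerts, incidents, profiles) with the MongoDB tools.
#    mongodump --out creates <target>\dump\ATA\*.bson, which mongorestore can read back.
if ($DumpAlerts) {
    & (Join-Path $MongoBin 'mongodump.exe') --db ATA --out (Join-Path $target 'dump')
    if ($LASTEXITCODE -ne 0) { throw 'mongodump failed' }
}

# 4. Record SHA-256 hashes of everything written, so a truncated or tampered copy is caught at restore time.
Get-ChildItem -Path $target -File -Recurse | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ $_.Path.Substring($target.Length + 1) }}, Hash |
    Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
Write-Host "Backup written to $target"
```

Run it as an administrator on the ATA Center (the private key export requires it). The PFX protects the key that decrypts your whole ATA configuration, including the directory-service account credentials, so treat the backup share with the same care as the server itself.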

Performing ATA Restore

Restoring ATA to a new server, or into a new version, is a bit more involved than the backup, which is quite simple.

First, import the certificate exported earlier (with its private key) into the same store it came from: Local Computer > Personal.

Then reinstall the ATA Center on the new server with the same name and the previous IP address. When setup asks for the certificate, clear the Create self-signed certificate option and choose the original certificate you just imported.

Next, stop the ATA Center service so that we can open MongoDB and import the JSON file with the following commands:

  • mongo.exe ATA
  • db.SystemProfile.remove({})
  • mongoimport.exe --db ATA --collection SystemProfile --file "<JSON File>" --upsert

Note: the first command opens the mongo shell on the ATA database, the second (typed inside that shell) removes the configuration documents created by the fresh installation, and the third, run from a command prompt after exiting the shell, imports the backed-up configuration. The options take two leading hyphens; a single en dash pasted from a web page will not be recognized.

It is not necessary to re-create the Gateways: because the Center keeps the same name, IP address and certificate, they are mapped automatically when the settings are restored.

If you also backed up the MongoDB database, restore it (for example with mongorestore) before starting the ATA Center service again.
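The restore procedure above as one PowerShell script, to be run on the new ATA Center after it has been reinstalled with the original certificate. This is an added example, not code from the original post or from Microsoft; it assumes the Windows service name of the ATA Center is ATACenter (check with Get-Service *ATA* before relying on it), that mongo.exe, mongoimport.exe and mongorestore.exe are in a MongoDB\bin folder under the installation folder, and that the backup folder has the layout produced by the backup example earlier (a SystemProfile JSON, a PFX named after the certificate thumbprint, an optional dump folder and a manifest.csv). Adjust the parameters to your environment.

```powershell
# Added example (not from the original post or Microsoft's documentation).
# Assumptions, adjust to your environment:
#   $ServiceName - Windows service name of the ATA Center (assumed 'ATACenter'; verify with Get-Service *ATA*).
#   $MongoBin    - folder containing mongo.exe, mongoimport.exe and mongorestore.exe.
#   $BackupDir   - folder with SystemProfile_*.json, ATACenter_<thumbprint>.pfx, optional dump\ATA and manifest.csv.
param(
    [string]$ServiceName = 'ATACenter',
    [string]$MongoBin    = 'C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin',
    [string]$BackupDir   = '\\backupsrv\ata-backup\201810241200',
    [switch]$RestoreAlerts   # also restore alerts/incidents from dump\ATA under $BackupDir
)
$ErrorActionPreference = 'Stop'

# 0. If a manifest exists, verify nothing changed since the backup was taken.
$manifestPath = Join-Path $BackupDir 'manifest.csv'
if (Test-Path $manifestPath) {
    foreach ($row in Import-Csv $manifestPath) {
        $actual = (Get-FileHash -Path (Join-Path $BackupDir $row.File) -Algorithm SHA256).Hash
        if ($actual -ne $row.Hash) { throw "Hash mismatch for $($row.File): backup is corrupt or was tampered with" }
    }
}

# 1. Certificate: make sure the original ATA Center certificate (with private key) is in Local Computer \ Personal.
#    Normally this was done before reinstalling ATA, so that setup could select it; this only fills the gap.
$pfx = Get-ChildItem -Path $BackupDir -Filter 'ATACenter_*.pfx' | Select-Object -First 1
if (-not $pfx) { throw "No ATACenter_<thumbprint>.pfx found in $BackupDir" }
$thumb = $pfx.BaseName.Split('_')[-1]          # thumbprint encoded in the file name by the backup script
if (-not (Test-Path "Cert:\LocalMachine\My\$thumb")) {
    $pw = Read-Host -Prompt "Password for $($pfx.Name)" -AsSecureString
    Import-PfxCertificate -FilePath $pfx.FullName -CertStoreLocation Cert:\LocalMachine\My -Password $pw -Exportable | Out-Null
    Write-Warning "Certificate $thumb was imported now; re-run ATA setup and select it if setup created a self-signed one."
}

# 2. Stop the Center so nothing writes to MongoDB while the configuration is swapped.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 3. Optional: bring back the alerts and incidents first. --drop replaces the collections created by the
#    fresh installation with the ones from the dump, so there are no duplicate-key conflicts.
if ($RestoreAlerts) {
    & (Join-Path $MongoBin 'mongorestore.exe') --drop --db ATA (Join-Path $BackupDir 'dump\ATA')
    if ($LASTEXITCODE -ne 0) { throw 'mongorestore failed' }
}

# 4. Configuration last, so the chosen SystemProfile JSON is what the Center starts with:
#    clear the collection, then import the backed-up documents with --upsert.
$json = Get-ChildItem -Path $BackupDir -Filter 'SystemProfile_*.json' | Select-Object -First 1
if (-not $json) { throw "No SystemProfile_*.json found in $BackupDir" }
& (Join-Path $MongoBin 'mongo.exe') ATA --quiet --eval 'db.SystemProfile.remove({})'
if ($LASTEXITCODE -ne 0) { throw 'Failed to clear the SystemProfile collection' }
& (Join-Path $MongoBin 'mongoimport.exe') --db ATA --collection SystemProfile --file $json.FullName --upsert
if ($LASTEXITCODE -ne 0) { throw 'mongoimport failed' }

# 5. Start the Center again. The gateways reconnect on their own because name, IP and certificate are unchanged.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Write-Host 'ATA Center restored; check the console and confirm every gateway reports as connected.'
```

The order matters: the database dump is restored before the SystemProfile import so that the JSON copy you deliberately chose wins over whatever configuration was inside the dump, and the service is only started once both are in place.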

Reference: https://docs.microsoft.com/en-us/advanced-threat-analytics/disaster-recovery
