Because cyber security threats have changed over the last couple of years, with attackers focusing on compromising user credentials and identity through attacks such as Pass the Hash, a proactive security tool such as Microsoft Advanced Threat Analytics (ATA) is a must-have in any corporate arsenal for detecting this type of attack.
Microsoft Advanced Threat Analytics analyzes data from three sources (the Active Directory database, Active Directory network traffic and SIEM solutions), learns about the entities in your organization and their behavior, and then starts to detect suspicious events.
Microsoft ATA targets three categories of risks:
- Security issues and risks (broken trust, weak protocols and known protocol vulnerabilities)
- Malicious attacks (Pass the Hash, Pass the Ticket, brute force, etc.)
- Abnormal behavior (suspicious activities, password sharing, lateral movement, etc.)
- Capture data from DCs via port mirroring
- Listen to multiple DCs from multiple domains
- Receive events from SIEM
- Retrieve data from entities in the domain
- Perform name resolution of network entities
- Transfer relevant data to the ATA Center
- Manage ATA Gateway configuration settings
- Receive data from the ATA Gateway and store it in the DB
- Detect suspicious activity and abnormal behavior (machine learning)
- Provide a web management interface
- Support multiple Gateways
- Configure port mirroring from the DCs (Domain Controllers) to the ATA Gateway.
- Create a domain user (read-only)
- KB2919355/KB2919442 installed on the Gateway machine or VM
- ATA Center has 2 static IP addresses
- Optional: deploy certificates from your internal PKI. For demo purposes only, you can use self-signed certificates.
- ATA Gateway has 2 NICs (network cards)
- ATA Gateway account: either a local admin account on the ATA Gateway server or a member of the ATA built-in group
You can find part 2 at the following link:
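Before running the ATA installer it is worth confirming the server-side prerequisites from the list above in one pass. The following PowerShell pre-flight check is an added example written for this post; it is not part of the original article or of the ATA product. The KB numbers, the two-NIC requirement for the Gateway and the two static IP addresses for the Center come from the list above; the function name, parameters and the optional service-account lookup (which assumes the ActiveDirectory RSAT module is installed) are this example's own assumptions.

```powershell
# Added example: pre-flight check of the ATA prerequisites listed in this post.
# Run in an elevated PowerShell session on the prospective ATA Gateway or ATA Center.
# Function and parameter names are this example's own; KB numbers and NIC/IP counts
# come from the prerequisite list above.
function Test-AtaPrerequisites {
    [CmdletBinding()]
    param(
        [ValidateSet('Gateway', 'Center')]
        [string]$Role = 'Gateway',

        # Hotfixes the post lists as required on the Gateway machine or VM
        [string[]]$RequiredKBs = @('KB2919355', 'KB2919442'),

        # Optional: sAMAccountName of the read-only domain user created for ATA
        [string]$ServiceAccountSam
    )

    $results = New-Object System.Collections.Generic.List[object]

    # 1. Static IPv4 addressing. PrefixOrigin 'Manual' means the address was set by hand,
    #    not handed out by DHCP; the loopback address is excluded. The Center needs two
    #    static addresses, the Gateway at least one (its management address).
    $staticV4 = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Manual' -and $_.IPAddress -ne '127.0.0.1' })
    $needed = if ($Role -eq 'Center') { 2 } else { 1 }
    $results.Add([pscustomobject]@{
        Check  = "$Role has at least $needed static IPv4 address(es) (found $($staticV4.Count))"
        Passed = ($staticV4.Count -ge $needed)
    })

    if ($Role -eq 'Gateway') {
        # 2. Required updates present on the Gateway
        $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
        foreach ($kb in $RequiredKBs) {
            $results.Add([pscustomobject]@{
                Check  = "Hotfix $kb installed"
                Passed = ($installed -contains $kb)
            })
        }

        # 3. Two physical, connected NICs: one for management, one to receive the
        #    mirrored DC traffic
        $nics = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
        $results.Add([pscustomobject]@{
            Check  = "At least 2 physical NICs up (found $($nics.Count))"
            Passed = ($nics.Count -ge 2)
        })
    }

    # 4. Optional: the read-only domain user exists and is enabled.
    #    Requires the ActiveDirectory module (RSAT); skipped if it is not available.
    if ($ServiceAccountSam) {
        $adAvailable = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
        if ($adAvailable) {
            $user = Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccountSam'" -ErrorAction SilentlyContinue
            $results.Add([pscustomobject]@{
                Check  = "Domain user '$ServiceAccountSam' exists and is enabled"
                Passed = ($null -ne $user -and $user.Enabled)
            })
        } else {
            $results.Add([pscustomobject]@{
                Check  = "Domain user '$ServiceAccountSam' check (ActiveDirectory module not installed)"
                Passed = $false
            })
        }
    }

    return $results
}

# Usage: show each check and a pass/fail flag, then an overall verdict
$checks = Test-AtaPrerequisites -Role Gateway -ServiceAccountSam 'svc-ata'   # 'svc-ata' is a placeholder name
$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) {
    Write-Warning 'One or more ATA prerequisites are not met.'
} else {
    Write-Host 'All checked ATA prerequisites are met.'
}
```

The script only reads system state; it does not change network settings or create the domain user, so it can be run repeatedly while you work through the list. Certificate deployment from the internal PKI is not checked here because the post marks it optional and the choice of certificate depends on your PKI.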
http://itcalls.blogspot.com.eg/2016/04/microsoft-advanced-threat-analytics-ata_19.html
I found this article very helpful and it provides complete information on Advanced Threat Analytics. Thanks for sharing.
Hello,
How do I get the ATA to send the logs to Splunk? Is it via syslog? How to configure?
Thank you.
Syslog (recommended) or Windows Event log forwarding
https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Advanced-Threat-Analytics-Event-Log-Collection/ba-p/249996