In part 1 of this blog series we discussed the new Microsoft Advanced Threat Analytics Tool (ATA) and how it can fit in your security platform with its different components.
For more information, please check Part 1 from this series
In part 2 I will move on with installing and configuring the ATA including the Center and Gateway installation.
MY Lab environment is mainly 4 VMs on Hyper-V Host
- Domain Controller
- Client machine
- ATA Center (1 Network Card with 2 IPs) – Workgroup machine not domain joined
- ATA Gateway (2 Network Cards, one connected to the network and another one for capturing data) – Workgroup machine not domain joined
Port Mirroring Configuration
Port mirroring configuration on Hyper-V is quite simple. On the domain controller NIC options – Advanced features – Port Mirroring
Change the mode to be Source as shown below (this indicates that this NIC will be the source of the traffic – DC traffic)
The Same to be done on the ATA Gateway on the Capture NIC (this is the second NIC on the Gateway that is on our network however its not configured / No IP address) but this time the Mirroring mode is Destination.
ATA Center Installation
The first component to start with is the ATA center, you can get a trial version for the ATA software from Microsoft TechNet Evaluation Center https://www.microsoft.com/en-us/evalcenter/evaluate-microsoft-advanced-threat-analytics
Microsoft ATA is available for all Enterprise Volume license customers (ECAL) as well as customers with Enterprise Mobility and Cloud suite, for more information please check the following link
The installation is straight forward, after launching the software and picking your language, click Next and approve the User License Agreement
On the next window you will get couple of options as where to install your files and database (Of course in Production environment its recommended to have your DB on separate Disk), the 2 Center IPs and whether you will use certificates from your internal PKI environment or use Self Signed Certificates.
The Center communication IP is the listening IP on the Center Server responsible for getting the data from the ATA Gateway. The Management IP is the IP used by Users/Admins to open and administer the ATA Web IIS Interface.
You may use the same IP for both the Communication and Management on the Center however in this case you will need to change the port on the communication IP address because the management interface is using 443 by default. I will Pick the default settings using self signed certificates for the sake of the demo.
Click Next for the installation progress and then Finish when done then Launch the Web interface (Management IP). You can log on the center either by using Local admin accounts on the ATA center or accounts member in the Microsoft ATA Administrator group created on the ATA Center.
After Logging with my ATA center Local admin account (administrator), Open the Gateway TAB (as shown below). You will need to enter a domain user credentials (Check Part 1 in the pre-requisites for a Read only Domain User Account), this user doesn’t need any admin rights, its a normal user that can read the objects in AD.
Download the ATA Gateway installation from the bottom. This Gateway installation can be used on any gateway whether you are using one gateway or several gateway machines.
ATA Gateway Installation
After downloading the Gateway Installation, copy it to the Gateway machine and install the software. You will receive the below message if you didn’t install the two KBs mentioned earlier in Part 1.
Click Install to install some pre-requisites
Then product / Gateway files get installed.
Finally we are done and you can launch to continue configuring the ATA Gateway. This will open the ATA web/Management on the Center (reminder all configuration and changes are done on the center)
When you open the Gateway settings it will mention that configuration is required. We will need to pick the domain controller (Mirrored to our Gateway) which in our case is one Domain controller.
The second configuration is to choose which NIC with port Mirroring configured on it where the traffic is sent to this NIC (I named it capture for simplicity which is the recommended naming)
That’s all what need to be done for the ATA installation for both the Center and Gateway.
In the next part of this series I will start simulating couple of different attacks and how they are detected by Microsoft ATA as well as some common FAQ.
Hope this post was beneficial and see you on the final post in this series.