ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 3

In my previous posts we discussed the per-requisites and the installation of ATA in this post we will discuss the configuration.

Logon to your console navigate to ATA Gateways.

You should then see the gateway recently installed. You will then have a section for port mirrored domain controllers of which you will need to add one at a time all the DC’s that make up the organization. Then select the 2nd NIC which should be your port mirrored NIC to capture the traffic.

Once the initial sync has run which depending on the network can be quite quick you can then go and configure some further settings under the detection tab.


Explanations of these settings are below:

  • Short-term lease subnets are subnets in which the IP address assignment changes very rapidly – within seconds or minutes. For example, IP addresses used for your VPNs and Wi-Fi IP addresses. They must be entered with the slash notation format eg
  • Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes. Honeytokens can exist in almost any form, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious. In general, they don’t necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity.
  • The last two areas DNS Reconnaissance and Pass-The-Ticket exclusions are for IP’s that you want to exclude from ATA monitoring which may flag up any issues.

Click save and wait for the settings to replicate.

Next if you want ATA to send out mail alerts go to the Alerts tab and config the settings as required. ATA also fully works with Office 365 as long as you have a licensed account.

Finally you may want to ensure the product is licensed pop down to licensing and enter your product key.

Then wait for 30 days for ATA to get a good over view of your environment and look out for alerts! Now just to be clear this doesn’t mean ATA will wait 30 days before it finds anything suspicious it will alert instantly if anything is discovered.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.