ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 3

In my previous posts we discussed the per-requisites and the installation of ATA in this post we will discuss the configuration.

Logon to your console navigate to ATA Gateways.

You should then see the gateway recently installed. You will then have a section for port mirrored domain controllers of which you will need to add one at a time all the DC’s that make up the organization. Then select the 2nd NIC which should be your port mirrored NIC to capture the traffic.

Once the initial sync has run which depending on the network can be quite quick you can then go and configure some further settings under the detection tab.


Explanations of these settings are below:

  • Short-term lease subnets are subnets in which the IP address assignment changes very rapidly – within seconds or minutes. For example, IP addresses used for your VPNs and Wi-Fi IP addresses. They must be entered with the slash notation format eg
  • Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes. Honeytokens can exist in almost any form, from a dead, fake account to a database entry that would only be selected by malicious queries, making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious. In general, they don’t necessarily prevent any tampering with the data, but instead give the administrator a further measure of confidence in the data integrity.
  • The last two areas DNS Reconnaissance and Pass-The-Ticket exclusions are for IP’s that you want to exclude from ATA monitoring which may flag up any issues.

Click save and wait for the settings to replicate.

Next if you want ATA to send out mail alerts go to the Alerts tab and config the settings as required. ATA also fully works with Office 365 as long as you have a licensed account.

Finally you may want to ensure the product is licensed pop down to licensing and enter your product key.

Then wait for 30 days for ATA to get a good over view of your environment and look out for alerts! Now just to be clear this doesn’t mean ATA will wait 30 days before it finds anything suspicious it will alert instantly if anything is discovered.

ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 2

In my previous blog post I discussed the requirements for ATA in this post I will discuss how to install ATA.

First of all we must start with the ATA Center before we install the collectors the wizard is quite straight forward and will get you to the configuration page very quickly as shown below:

ata config

For most parts you can accept the default settings. For the certificates you have two options which are:

  • Self Signed certificate – If so tick the box and away you go
  • Internal certificate from a CA – Now this can be changed later to a public certificate or a certificate with multiple SANS. But by default the wizard will only create the certificate with a single name which is the servers hostname by default.

Click install and the installation should complete. Then click Launch to launch the console you will notice certificate errors as by default ATA uses the console IP address to create the shortcut on the desktop.

At this stage if you want to change the certificate this is the best time to do so.

Create your certificate with the additional names required (it must contain the server name as one of them) the SAN could be something like (also ensure you create an internal DNS A record that will resolve to the correct IP address).

Insert the certificate into the store locally on the server, then in bindings on IIS to change the certificate to your new one. Note that if the certificate does NOT have its private key IIS will throw up and error so ensure this is imported at the same time.

Restart IIS fire up the console with your name e.g. and you should be able to log in with your admin account without any warnings.

If you wish at this stage to create extra admins these can either be members of the local administrators group or the Microsoft Advanced Threat Analytics Administrators Group. Now because these are local groups you might want to create an AD group and nest this within the ATA Admins group to make it easier to manage.

mata console

If you have any problems getting to the console first of all ensure the service is up and running or consult the error logs at %programfiles%\Microsoft Advanced Threat Analytics\Center\Logs\Microsoft.Tri.Center-Errors.log

The next step is to configure and install the collector(s) or the ATA Gateway role. Once logged into the console navigate to Configuration and enter your service account that you created in the readiness steps as shown below. Then click Save

sA account mata

Now we need to download the ATA gateway setup from the console, but first of all logon to the server that will be the Gateway server and open up the ATA console. Navigate to Configuration again and click “Download ATA Gateway Setup”

Before you extract the files and run the installer ensure you have the following hotfix installed KB2919355 which you can check via PowerShell whilst running the following command:

get-hotfix -id kb2919355

Run the wizard until you get to the following page:


Select your installation path, as before you have two options for the certificate self signed or from an internal CA. Then the username and password of the service account we created in Part 1

This completes the installation. In the next part we will discuss the configuration of ATA in part 3.

ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 1

As some of you may be aware Microsoft Advanced Threat Analytic’s has just been released so I took the time to go through the RTM version and below is a step by step guide to getting the platform in place.

Before we start there are some pre-requisites that should be observed and understood. There are technically three roles within ATA which are:

  • ATA Center – The brain behind ATA
  • ATA Console – The admin front end portal
  • ATA Gateway – The collector of information

It should be noted at this time it is only supported to install this on premise and NOT within Azure. This is simply because it currently has not been tested by Microsoft. The servers can be either domain or work group joined depending on the environment.

The main challenge is the networking elements for port mirroring so depending on your environment the following are the main considerations which are supported port mirroring options:

ATA Gateway Domain Controller Considerations
Virtual Virtual on same host The virtual switch needs to support port mirroring.
Moving one of the virtual machines to another host by itself may break the port mirroring.
Virtual Virtual on different hosts Make sure your virtual switch supports this scenario.
Virtual Physical Requires a dedicated network adapter otherwise ATA will see all of the traffic coming in and out of the host, even the traffic it sends to the ATA Center.
Physical Virtual Make sure your virtual switch supports this scenario – and port mirroring configuration on your physical switches based on the scenario:
If the virtual host is on the same physical switch, you will need to configure a switch level span.
If the virtual host is on a different switch, you will need to configure RSPAN or ERSPAN*.
Physical Physical on the same switch Physical switch must support SPAN/Port Mirroring.
Physical Physical on a different switch Requires physical switches to support RSPAN or ERSPAN*.

*ERSPAN is only supported when decapsulation is performed before the traffic is analyzed by ATA.

I will come back to the importance of port mirroring shortly.

For the ATA Center Sizing below is the guidance provided by Microsoft. Note the ATA Center includes both the Center and the Console roles of which cannot be split and this is local storage as the Database cannot be on another server.

Packets per second* CPU (cores**) Memory (GB) OS Storage (GB) Database storage per day (GB) Database storage per month (GB)
1,000 4 48 200 1.5 45
10,000 4 48 200 15 450
40,000 8 64 200 60 1,800
100,000 12 96 200 150 4,500
200,000 16 128 200 300 9,000

This server should also have a single NIC with two IP addresses, it is possible to configure the service with one IP address although this is not recommended.

The ATA Gateway has the following hardware. For this server it should be noted that two NIC’s are required and the second NIC should be attached to the same switch as the domain controllers that it is monitoring, following the guidance regarding port mirroring above.

Packets-per-second* CPU (cores**) Memory OS Storage (GB)
10,000 4 12 80
20,000 8 24 100
40,000 16 64 200

*Total daily average number of packets per-second from all domain controllers being monitored

**This includes physical cores, not hyper-threaded cores.

Once you have all of this you will also need to create a service account as a standard user as this will be used by the ATA center to gather information on AD users.

The final note is that both ATA servers cannot be out of time sync by more than 5 minutes of each other.

In part 2 I will go through the installation in more detail.