Microsoft announced yesterday that its new Advanced Threat Analytics (ATA), which will be part of the Enterprise Mobility (EMS) suite, will be launched in August. ATA was previously Aorato, which Microsoft purchased late last year. ATA provides the following simplified architecture and has 2 major components:


ATA Center

  • Manages ATA Gateway configuration settings
  • Receives data from ATA Gateways
  • Detects suspicious activities and abnormal behavior using its machine learning engines
  • Supports multiple ATA Gateways
  • Runs the ATA Management console
  • Optional: The ATA Center can be configured to send emails or send events to your Security Information and Event Management (SIEM) system when a suspicious activity is detected.

ATA Gateway

  • Captures and inspects domain controller network traffic via port mirroring
  • Receives events from a SIEM or Syslog server
  • Retrieves data about users and computers from the domain
  • Performs resolution of network entities (users and computers)
  • Transfers relevant data to the ATA Center
  • Monitors multiple domain controllers from a single ATA Gateway


The roles should typically be deployed on 2 different machines; however, for this preview, we’ll install both on the same machine.

  • Each ATA deployment can monitor 1 domain and up to 10 DCs.
  • If you try to monitor other domains, you can corrupt the database!


NOTE: Port mirroring only works across devices sharing the same physical or virtual switch. Therefore, you will need a Gateway server on every Hyper-V/VMware host where a DC that you want to monitor will reside.

The Preview is limited today and won’t show Pass the Hash (PtH) attacks and many others, however with the General Availability, there will be some additional functionality released:

  • Support for Windows Event Forwarding (WEF) to get events directly from servers/workstations to the ATA gateway
  • Pass-The-Hash detection enhancements against corporate resources by combining DPI and logs analysis
  • Enhancements for the support of non-domain joined devices (and non-Windows) for detection and visibility
  • Performance improvements to support more traffic and events with ATA Gateway
  • Performance improvements to support more ATA Gateways per Center
  • Automatic name resolution process to match between computer names and IP’s – this unique capability will save precious time in the investigation process and provide a strong evidence for the security analyst
  • Improving our inputs from the user to automatically adjust the detection process
  • Automatic detection for NAT devices
  • Automatic failover in case the Domain Controller is not reachable
  • System health monitoring and notifications providing the overall health state of the deployment as well as specific issues related to configuration, connectivity
  • Visibility into sites and locations where entities operate
  • Multi-domain support
  • Support for Single Label Domains (SLD)



  • DCs must run Server 2008 and later
  • A user account and password with read-only access to the domain that will be monitored
  • Configure port mirroring within Hyper-V/VMware environment



ATA Center

  • To monitor 2 lightly loaded domain controllers:
    • 8 Cores
    • 32 GB of RAM
    • 100 GB of free space for the ATA Center program
    • 1 TB of free disk space for the ATA database
  • To monitor up to 10 domain controllers with varying loads
    • 16 Cores
    • 72 GB of RAM
    • 100 GB of free space for the ATA Center program
    • 10 TB of free disk space
  • Database
    • Lightly loaded domain controller: 500 GB
    • Average loaded domain controller: 1,000 GB
    • Heavily loaded domain controller: 5,000 GB

ATA Gateway

  • To monitor 2 lightly loaded domain controllers:
    • 8 Cores
    • 16 GB of RAM
    • 100 GB of free disk space
  • To monitor 1 heavily loaded and 2 lightly loaded domain controllers or 2 heavily loaded domain controllers:
    • 16 Cores
    • 32 GB of RAM
    • 100 GB of free disk space



In addition to collecting and analyzing network traffic to and from the domain controllers, ATA can receive data from your SIEM. Events forwarded from your SIEM provide ATA with additional information that is not available via the domain controller network traffic. For ATA to be able to consume data from a Syslog server, you need to configure the following:

  • Configure one of your ATA Gateway servers to listen to and accept events forwarded from the SIEM/Syslog server.
  • Configure your SIEM/Syslog server to forward specific events to the ATA Gateway.

The preview version of ATA is able to collect and analyze Windows Event ID 4776. Windows Event ID 4776 provides data regarding NTLM authentications.


NOTE: Do not forward all Syslog data to the ATA Gateway. The Preview version only supports UDP traffic from the SIEM/Syslog server.


The following SIEMS/Syslog servers are supported:

  • HP Arcsight
  • Splunk
  • RSA Security Analytics
  • Snare
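Before pointing the SIEM at the gateway, it is worth confirming that the DC is actually producing Event 4776 and seeing which fields ATA will get from the forwarded feed. The following is an added example, not code from the original post; it assumes it is run on the DC (or with -ComputerName added to Get-WinEvent) by an account that can read the Security log.

```powershell
# Added example (not from the original post): pull recent 4776 events from a DC and
# summarise the NTLM authentication fields that ATA consumes.
# Assumes the caller can read the Security log on the DC.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # 4776 carries its data as EventData/Data elements; read them by Name rather
    # than by position so the script does not break if the order ever changes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $data['Workstation']
        # Status 0x0 = success, 0xC000006A = bad password, 0xC0000064 = unknown user
        Status      = $data['Status']
    }
}

"{0} NTLM authentication attempts in the last hour" -f $rows.Count

# Failed attempts grouped by source workstation and status code: the same kind of
# view ATA builds from the forwarded 4776 feed, useful for validating the SIEM rule.
$rows | Where-Object Status -ne '0x0' |
    Group-Object Workstation, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

If this returns nothing, the DC is not generating 4776 (check the audit policy for credential validation) and forwarding it from the SIEM will give ATA nothing to work with.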


First, let’s grab the latest version of the Preview here

NOTE: The Preview license is only good through 7/29/15

Make sure that KB2919355 has been installed on your ATA server!


First, let’s configure port mirroring in our Hyper-V environment for our DC and for our ATA Gateway

We first need to enable the NDIS capture extension on the Hyper-V virtual switch so we can capture the traffic


Let’s go to the advanced properties of the NIC on the DC and enable mirroring mode and set it to Source


Then, let’s add a secondary NIC to our ATA Gateway and set it to Destination

NOTE: Make sure you set the VLAN ID the same as the VLAN tag on the DC NIC you’re capturing from otherwise you won’t get any tagged traffic.
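The same mirroring setup from the Hyper-V host, done in PowerShell instead of the GUI. This is an added example, not part of the original post; the switch name LabSwitch, the VM names DC01 and ATA01, and the adapter name "ATA Capture" are assumptions for the lab.

```powershell
# Added example (not from the original post): Hyper-V host-side port mirroring for ATA.
# Assumed names: virtual switch 'LabSwitch', DC VM 'DC01', ATA Gateway VM 'ATA01'.
$Switch = 'LabSwitch'
$DcVm   = 'DC01'
$AtaVm  = 'ATA01'
$CapNic = 'ATA Capture'   # the second NIC we add to the gateway for mirrored traffic

# 1. Enable the NDIS capture extension on the virtual switch; without it the
#    mirrored frames are never delivered to the destination port.
Enable-VMSwitchExtension -VMSwitchName $Switch -Name 'Microsoft NDIS Capture'

# 2. Mark the DC's adapter as the mirror source (the DC has a single adapter here).
Set-VMNetworkAdapter -VMName $DcVm -PortMirroring Source

# 3. Add a dedicated capture adapter to the gateway and make it the mirror destination.
Add-VMNetworkAdapter -VMName $AtaVm -Name $CapNic -SwitchName $Switch
Set-VMNetworkAdapter -VMName $AtaVm -Name $CapNic -PortMirroring Destination

# 4. Copy the DC's VLAN tag onto the capture adapter. If the tags differ the
#    gateway sees no tagged traffic at all (the troubleshooting point above).
$dcVlan = Get-VMNetworkAdapterVlan -VMName $DcVm
if ($dcVlan.OperationMode -eq 'Access') {
    Set-VMNetworkAdapterVlan -VMName $AtaVm -VMNetworkAdapterName $CapNic `
                             -Access -VlanId $dcVlan.AccessVlanId
}

# 5. Verify from the host: mirroring modes on both adapters and matching VLAN IDs.
Get-VMNetworkAdapter -VMName $DcVm, $AtaVm |
    Select-Object VMName, Name, SwitchName, PortMirroringMode
Get-VMNetworkAdapterVlan -VMName $DcVm, $AtaVm |
    Select-Object @{ n = 'Adapter'; e = { $_.ParentAdapter.VMName + '/' + $_.ParentAdapter.Name } },
                  OperationMode, AccessVlanId
```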


Big thanks to Tom Lilly for the troubleshooting help here!


Let’s confirm we’re pulling traffic in on the NIC


Now, let’s head over to our ATA server and start the install




If you’re deploying the ATA Center and Gateway on the same server, make sure to change the port from 443 to 444.

In this case, for our lab, we’re also using self-signed certificates.


Based on the sizing chart above, set your database size accordingly; we went conservative in our lab.





Once the installation is done, let’s launch the console



Log in with an account that has local administrator permissions


Let’s first add in our domain account, which will need read-only access to the domain that will be monitored


Optional: The user should have read-only permissions on the Deleted Objects container. This will allow ATA to detect bulk deletion of objects in the domain. For information about configuring read-only permissions on the Deleted Objects container, see the "Changing permissions on a deleted object container" section in the "View or Set Permissions on a Directory Object" topic.



Once the credentials are validated, you can then download the ATA Gateway installer


Let’s install that on our ATA Gateway server (in this case the same server)





Once the setup is complete, let’s add the FQDN for the DCs that we’re monitoring as well as the network adapter (Ethernet 2) that we’re mirroring the port traffic to.




Let’s confirm that the account permissions are correct by searching for any network user or computer objects




NOTE: The ATA Center requires a minimum of 21 days of data for user behavioral analytics


However, there are some default rules which we can trigger to make sure that it works as it should. For instance, we can use a DNS reconnaissance attack.


Let’s log in to another computer and try a DNS zone transfer





Once e-mail alerting is set up, we’ll also get e-mail notifications

We can also set up a Honeytoken user. This user account should have no network activity, so ATA will alert on any access request, which is exactly what happens if an attacker tries to use this account


To configure the HoneyToken user you will need the SID of the user account, not the user name, which you can get with:

get-aduser <username> | select SID

Let’s add the SID


And you’ll see information flow in when that user account starts to log in to servers or access resources



Let’s check back in 21 days after we’ve gathered a baseline of behavioral data!
