Just yesterday, Microsoft announced the release of Advanced Threat Analytics (ATA) 1.5 here. Prior to this, the previously Microsoft-branded release was version 1.4.
With this release comes some new and improved capabilities, such as:
- Faster detection times.
- Improved support for small lab and PoC environments.
- Enhanced automatic algorithm for NAT (network address translation) devices.
- Enhanced name resolution process for non-domain joined devices.
- Added support for data and product migration
- Added ATA Gateway update status in the configuration page.
- Better UI responsiveness for suspicious activities with thousands of entities involved.
- Improved auto-resolution of monitoring alerts.
- Additional performance counters for enhanced troubleshooting.
- Fix for “Sometimes gateway service stuck on shutdown”.
- Fix for “Exception when parsing forwarded event messages from Splunk”.
Fix for “Center service fail to start”.
Some of these were much needed, especially some of the service issues.
Naturally as someone who demos out of this almost daily, I couldn’t resist upgrading 🙂
Let’s first grab the update files from here
First lets update the ATA Center, but we’ll want to backup the database first. We’re running a virtual ATA Center server, so we have already shut it down and checkpoint-ed the VM. If your ATA server is physical, then follow the procedure here.
Now let’s run the update from the ISO
In the Welcome page, select your language and click Next.
Read the End User License Agreement and if you accept the terms, click the checkbox and click Next.
Select whether you want to run the full (default) or partial migration.
In a production scenario, you will want to retain this data, of course.
NOTE: ATA will now go offline for the upgrade, very important in production, to schedule this during a maintenance window
Looks like we’re all set! The upgrade took about 10 minutes or so for our lab environment.
When I login, the first thing that comes up is the Gateway page and errors to update the agents
Let’s grab the ATA Gateway package and install it on each of the Gateway servers
We’ll complete this upgrade process on all Gateway servers
You should see the configuration sync status change
Your ATA upgrade is now complete! Don’t forget to delete your checkpoint to avoid ballooning if the upgrade was successful
I will say that the console seems much snappier and one of the few new noticeable settings is the New alert frequency settings
I can also tell that detection to notification speed has improved a great amount, especially for some of the larger scale attacks we regularly test with.