Continuing in our Super Security Showdown series, in the last article we reviewed the new Windows Defender Advanced Threat Protection. Let’s continue with Microsoft Advanced Threat Analytics.


Microsoft Advanced Threat Analytics (ATA)

Overview of Microsoft Advanced Threat Analytics (ATA)

The Advanced Threat Analytics (ATA) product is an on-premises solution that analyzes and identifies behaviour in your environment. It leverages machine learning, and deep packet inspection to analyze Active Directory network traffic.

The ATA Center supports installation on a server running Windows Server 2012 R2, and it also does support being installed in a Virtual Machine (VM).

The product requires that your Domain Controllers be running on Windows Server 2008 or later, which presumably means that your Forest Functional Level and Domain Functional Level will need to be at Windows Server 2008 or higher. It also supports being installed on a non-domain (aka Workgroup) server.

Microsoft Advanced Threat Analytics (ATA) Diagram
Microsoft Advanced Threat Analytics (ATA) Diagram

Now comes the caveats.

The ATA Center requires a minimum of 21 days of data for user behavioral analytics. So it will take some time before you can leverage the full functionality of the product.

Depending on estimated load (Packets per second), your hardware requirements can become quite high; up to 16 CPU cores, 128 GB of RAM, and even potentially 9 TB/month of storage! Also of note is that:

If your free space reaches a minimum of either 20% or 100 GB, the oldest 24 hours of data will be deleted. This will continue to occur until either only two days of data or either 5% or 50 GB of free space remains at which point data collection will stop working.

So if you are considering this product, you will definitely want to review the Capacity Planning documentation, which also includes a section on Domain Controller traffic estimation.


Microsoft Advanced Threat Analytics (ATA) Requirements

That’s enough of an overview, what are the requirements?

Requirements: Up to 16 CPU cores, 128 GB of RAM, and 9 TB/month of storage

Pro’s: ATA monitors all devices in the network performing authentication and authorization requests against Active Directory, including non-Windows and mobile devices. It will also support multi-domain with the same forest boundary

Con’s: It takes 3 weeks after deployment before ATA starts to detect behavioral suspicious activities.

ATA requires port mirroring with the domain controllers to be able to perform deep packet inspection on the traffic to and from the domain controllers looking for known attacks.


Microsoft Advanced Threat Analytics (ATA) Reference Material:


So that’s the Microsoft Advanced Threat Analytics. In the next article we will explore Azure Security Center.