What Is Microsoft Advanced Threat Analytics?


In today’s Ask the Admin, I’ll explain what Microsoft’s Advanced Threat Analytics (ATA) is and how it can help keep your systems secure.

Microsoft has been putting a lot of effort into security over the past few years, making it the cornerstone of its cloud platforms, particularly Azure and Office 365. As the reach of IT systems extends ever further, Microsoft understands that businesses won’t adopt its services and on-site server products unless they’re proven to be secure and dependable solutions, in a world where cyberattacks are becoming the norm rather than an exception – for all types and sizes of business.

Identity-driven security is at the center of Microsoft’s security solutions, helped along by Active Directory (AD), and Azure Active Directory (AAD), a cloud-based directory services platform. But despite the improved security that’s baked into Microsoft’s products, best practices are routinely ignored. And even when adopted, there’s no such thing as 100 percent secure.

So, any additional layers of defense are welcome, and that’s where Microsoft ATA comes in. Microsoft identified that 60 percent of all successful attacks rely on using compromised credentials and that there are several phases of a cyberattack that are common to all types of attack, regardless of the aim or size of business.

The first phase is reconnaissance, where an attacker gathers information about systems so that they can plan for the next stage. Lateral movement involves using credentials to move from one system to another, increasing the number of compromised devices to which the attacker has access. Once an attacker has sufficient coverage, the domain dominance phase is used to collect information so that access can be regained should the attacker be discovered.

Traditional security defenses, such as endpoint firewalls and antivirus, are not usually well placed to detect the kind of activity I described above. But ATA uses behavioral analytics and machine learning to detect unusual activity, such as anonymous logins and lateral movement. In addition, more static issues can also be detected, such as insecure protocols or broken trusts.

What Are the Benefits of Using Microsoft ATA?

Microsoft ATA can identify advanced persistent threats, as well as other malicious activity, better than traditional defenses because it is continuously learning about how users, devices, and network resources interact and it is able to detect when these patterns change.

Rather than constantly reporting and providing endless reams of information, ATA can identify anomalies quickly, helping you to focus on alerts that could indicate a problem. A timeline of events helps visualize any unusual activity in relation to other events and makes it more likely that you will identify a breach by reducing false positives.
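To make the baseline-then-deviate idea behind the behavioral detection described above concrete, here is a small added Python illustration. It is not ATA’s code and does not claim to reproduce its algorithms: it learns which hosts each account normally logs on to from constructed logon records (shaped like the account and target-host fields of a Windows Security logon event) and flags an account that reaches several unfamiliar hosts within a short window, the lateral-movement pattern the article mentions. All accounts, hostnames and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records (not real ATA telemetry):
# (timestamp, account, target host), loosely modelled on event 4624 fields.
LEARNING_PERIOD = [
    ("2024-05-01 09:00", "alice", "WS-ALICE"),
    ("2024-05-01 09:05", "alice", "FILESRV01"),
    ("2024-05-02 09:02", "alice", "WS-ALICE"),
    ("2024-05-02 10:30", "alice", "FILESRV01"),
    ("2024-05-01 08:55", "bob", "WS-BOB"),
    ("2024-05-02 08:57", "bob", "WS-BOB"),
]
OBSERVED = [
    ("2024-05-03 09:01", "alice", "WS-ALICE"),
    ("2024-05-03 09:04", "alice", "FILESRV01"),
    ("2024-05-03 02:10", "bob", "WS-BOB"),
    ("2024-05-03 02:12", "bob", "WS-ALICE"),   # bob has never logged on
    ("2024-05-03 02:15", "bob", "WS-CAROL"),   # to these three hosts
    ("2024-05-03 02:19", "bob", "SQL01"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def learn_baseline(events):
    """Per-account set of hosts the account normally logs on to."""
    baseline = defaultdict(set)
    for _, account, host in events:
        baseline[account].add(host)
    return baseline

def detect_lateral_movement(baseline, events, window=timedelta(minutes=30), min_new_hosts=3):
    """Alert when an account reaches at least min_new_hosts hosts outside its
    baseline inside one sliding window. Returns [(account, first_time, hosts)]."""
    new_by_account = defaultdict(list)
    for t, account, host in sorted(events, key=lambda e: _ts(e[0])):
        if host not in baseline.get(account, set()):
            new_by_account[account].append((_ts(t), host))
    alerts = []
    for account, hits in new_by_account.items():
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_new_hosts:
                alerts.append((account, start, sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts

if __name__ == "__main__":
    for account, when, hosts in detect_lateral_movement(learn_baseline(LEARNING_PERIOD), OBSERVED):
        print(f"{when:%Y-%m-%d %H:%M} {account} reached unfamiliar hosts: {', '.join(hosts)}")
```

A signature rule would see nothing wrong with bob’s logons individually; only the learned per-account baseline makes the burst of unfamiliar hosts stand out, which is the point the article makes about ATA’s approach.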

How Does Microsoft ATA Work?

ATA collects information from different sources to build a picture of what’s happening on your network. The Windows event log is used as a source, but ATA also has a proprietary network parsing engine that captures network traffic and analyzes information from protocols such as Kerberos, DNS, RPC, NTLM, and more. ATA monitors domain controllers using port mirroring, where a copy of all domain controller network packets is sent to an ATA Gateway, from where they can be analyzed. It’s also possible to install an ATA Lightweight Gateway directly on domain controllers as an alternative to port mirroring.

An ATA Center monitors one AD forest and collects information from ATA Lightweight Gateways or ATA Gateways. The ATA Center is responsible for managing gateway configuration settings, running behavioral machine learning algorithms to detect suspicious activity, and can be used to send email alerts.

In this article, I explained what ATA is and how it can help secure your systems. In a future post on Petri, I’ll walk you through setting up Microsoft ATA.