Microsoft Advanced Threat Analytics (ATA) Overview


There are several methods for identifying unusual or anomalous user activity. Traditionally these methods have required that certain events be logged to the Windows event logs on workstations, servers, and Domain Controllers (DCs) and that these events be forwarded to a central collection system. The drawbacks of this approach are numerous: the data logged may not capture certain “known bad” behavior, the number of events that must be logged is large, and the log data requires large amounts of storage for processing and recall.

Microsoft announced a new product at the Microsoft Ignite conference in May 2015. Microsoft Advanced Threat Analytics (ATA) provides real-time analysis of user activity and identifies and flags any activity considered anomalous.

Microsoft Advanced Threat Analytics (ATA) is now generally available.
If your organization has Software Assurance with Enterprise CALs, ATA may be included. Contact your Microsoft rep for details.


Microsoft Advanced Threat Analytics (ATA)

In 2014, Microsoft purchased a company called Aorato, and the technology acquired in this purchase is now a new product, Microsoft Advanced Threat Analytics (ATA), which is currently in beta. Microsoft Advanced Threat Analytics is unique among most security products in that it is placed on the network, with a feed of traffic destined for Domain Controllers forwarded to ATA Gateways (sensors). The ATA Gateway parses the network traffic involving the Domain Controllers and from this builds a user activity profile for every user in Active Directory, including the computers the user typically logs onto and the resources the user accesses. From this activity profile, ATA can identify when user activity falls outside of the baseline.


How ATA Works

The Microsoft Advanced Threat Analytics architecture consists of two components. The ATA Gateway uses deep packet inspection technology to review user activity data from the network and forwards relevant data to the ATA Center (about 3% of all network data reviewed). The ATA Center receives the activity data from the ATA Gateway over a secure connection and builds an “Organizational Security Graph”, which is a map of entity (users, computers, resources, etc.) interactions and represents the context of the related activities. This data effectively includes activity profiles for every user, and ATA leverages these profiles to alert on anomalous user behavior. Note that only “known bad” activity is alerted on and only suspicious activity (outliers from normal) is flagged.

In order for ATA to be able to see all user authentication traffic to the Domain Controllers, an ATA Gateway has to be connected to a network device through which all traffic to the local Domain Controllers traverses, and that device must be configured so the ATA Gateway also receives that traffic. ATA is specifically interested in user authentication traffic to the Domain Controllers, which includes the initial logon to the system as well as the requests to access resources that are also sent to the DCs (NTLM or Kerberos authentication). ATA also requires a standard user account in Active Directory in order to enumerate users, groups, and computers. Note that it doesn’t matter whether a user actually has rights to access a resource: when the user requests access, ATA logs that the user is attempting to access it, and if this is not part of the normal activity profile for the user it is flagged as suspicious. There are three levels of criticality in ATA: Low, Medium, and High, based on the potential impact of the identified activity.

The ATA Center is installed first and after installation completes, the ATA Gateway installation files are generated which ties the ATA Gateway install to the ATA Center. This ensures that ATA Gateways know how to communicate with the ATA Center securely.

The ATA Center hosts a web console for viewing activity feeds and anomalous activities. The following graphic provides an example of a user accessing computers and resources that are not part of “normal” activity for that user.


ATA Key Points

  • The system learns over time where users logon and how they typically access resources – there is no need to create rules/policies and no agents are required.
  • No part of the system is joined to Active Directory and is effectively invisible since it can’t be seen on any system or on the network. Only a standard user account is required for ATA to gather information about the Active Directory environment.
  • Known bad and suspicious activity is alerted on immediately based on what the system has identified as normal behavior for each user.
  • In 3 weeks, ATA builds user profiles to understand typical user behavior and continues to gain understanding of what “normal” activity is per user.
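The profiling idea described above (learn each user's usual source computers and resources during a learning window, then flag attempts outside that baseline regardless of whether access was granted) can be illustrated with a small constructed model. This is an added example written for this page, not ATA's own code or data model; the event sample, the 21-day learning window and the field layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC authentication events (not real ATA data).
# Fields: ISO timestamp, user, source computer, requested resource, result.
SAMPLE_EVENTS = [
    ("2015-06-01T08:02:00", "alice", "WS-ALICE", "FS01/finance", "granted"),
    ("2015-06-02T08:05:00", "alice", "WS-ALICE", "FS01/finance", "granted"),
    ("2015-06-03T08:10:00", "alice", "WS-ALICE", "MAIL01", "granted"),
    ("2015-06-15T09:00:00", "alice", "WS-ALICE", "FS01/finance", "granted"),
    ("2015-06-23T22:41:00", "alice", "WS-ADMIN07", "FS02/hr", "denied"),
    ("2015-06-24T03:12:00", "alice", "WS-ADMIN07", "SRV03/backups", "granted"),
]

LEARNING_DAYS = 21  # the page says ATA builds profiles over about 3 weeks (assumed here)


def build_profiles(events, learning_days=LEARNING_DAYS):
    """Learn, per user, the source computers and resources seen during the
    learning window (the first learning_days after the earliest event)."""
    start = min(datetime.fromisoformat(e[0]) for e in events)
    cutoff = start + timedelta(days=learning_days)
    profiles = defaultdict(lambda: {"computers": set(), "resources": set()})
    for ts, user, computer, resource, _result in events:
        if datetime.fromisoformat(ts) < cutoff:
            profiles[user]["computers"].add(computer)
            profiles[user]["resources"].add(resource)
    return profiles, cutoff


def flag_anomalies(events, profiles, cutoff):
    """After the learning window, flag every event whose source computer or
    resource is outside the user's learned profile. The granted/denied result
    is deliberately ignored: the access attempt itself is the signal."""
    findings = []
    for ts, user, computer, resource, _result in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue
        profile = profiles[user]
        reasons = []
        if computer not in profile["computers"]:
            reasons.append(f"new source computer {computer}")
        if resource not in profile["resources"]:
            reasons.append(f"new resource {resource}")
        if reasons:
            findings.append((ts, user, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    learned, window_end = build_profiles(SAMPLE_EVENTS)
    for finding in flag_anomalies(SAMPLE_EVENTS, learned, window_end):
        print(*finding)
```

Both post-window events are flagged on two counts each (unfamiliar source computer and unfamiliar resource), while the earlier accesses form the baseline and produce nothing.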


Notable Detection

ATA has detection rules for the following:

  • Credential theft & use: Pass the hash, Pass the ticket, Over-Pass the hash, etc
  • MS14-068 exploits
  • Golden Ticket usage
  • DNS Reconnaissance
  • Password brute forcing


Microsoft Advanced Threat Analytics is an ideal solution for identifying abnormal user activity since it identifies and profiles “normal” user behavior for each and every user account in Active Directory. ATA can identify and flag when a user or an administrator steps outside of their “lane” and is attempting to access, or actually accessing, resources they haven’t accessed before. This behavior anomaly detection is similar to how credit card fraud detection works. Furthermore, since ATA watches network traffic and doesn’t parse event logs to gain insight into user activity, it can also alert when a user account is performing reconnaissance-type activity – much of which would never be logged or discovered. ATA can also receive specific events from a SIEM tool in order to enhance its capability to detect anomalous behavior, and can send ATA data on suspicious activity to a SIEM tool.

From Microsoft:

ATA Overview

Microsoft Advanced Threat Analytics (ATA) is an on-premises product to help IT security professionals protect their enterprise from advanced targeted attacks by automatically analyzing, learning, and identifying normal and abnormal entity (user, devices, and resources) behavior. ATA also helps to identify known malicious attacks, security issues, and risks using world-class security researchers’ work regionally and globally. Leveraging behavioral analytics, this innovative technology is designed to help enterprises focus on what is important and to identify security breaches before they cause damage.


Microsoft Advanced Threat Analytics uses Machine Learning for analyzing entity behavior. Using deep packet inspection technology, ATA analyzes all Active Directory-related traffic. It can also collect relevant events from a Security Information and Event Management system and other resources. After analysis, ATA builds an Organizational Security Graph, a living, continuously-updated view of all the people, devices, and resources within an organization, and understands what normal behavior is. ATA can then look for any abnormalities in the entities’ behavior and raise red flags – but not before those abnormal activities have been contextually aggregated and verified.

One of the common complaints in IT security is the flood of security reports and false positives. With this in mind, Microsoft Advanced Threat Analytics is designed to help IT focus on what is important in a simple and fast way. After detection of suspicious activities, ATA provides clear and relevant threat information on a simple attack timeline with recommendations for investigation and remediation.

How it works:

Microsoft Advanced Threat Analytics (ATA) provides a simple and fast way to understand what is happening within your network by identifying suspicious user and device activity with built-in intelligence and providing clear and relevant threat information on a simple attack timeline.

Microsoft Advanced Threat Analytics detects:

  • Abnormal behavior:
    • Behavioral Analytics leverages Machine Learning to uncover questionable activities and abnormal behavior.
  • Malicious attacks:
    • Diagnostic engine detects known attacks almost as instantly as they occur.
  • Security issues and risks:
    • Leveraging world-class security researchers’ work, ATA identifies known security issues and risks.

How it works

ATA leverages deep packet inspection technology, as well as information from additional data-sources (SIEM and Active Directory), to build an organizational security graph and detect advanced attacks in near real time.

The diagnostic engine continuously learns the behavior of organizational entities (users, devices, and resources) and adjusts itself to reflect the changes in your rapidly-evolving enterprise. As the attacker tactics get more sophisticated, Microsoft Advanced Threat Analytics helps you to keep up with continuously-learning behavioral analytics.

After detection, Microsoft Advanced Threat Analytics provides clear and relevant information on a simple attack timeline, so you can reduce the noise and focus on what is important fast. The attack timeline not only gives you the power of perspective on the “who, what, when, and how” of your enterprise, but also recommendations for investigation and remediation.

For more information about Microsoft Advanced Threat Analytics, see the Microsoft Advanced Threat Analytics page.


    • Brad on June 26, 2015 at 11:55 am

    I’m not sure how familiar you are with this, but do you know how they are detecting golden ticket usage? Is it as simple as looking for TGS requests without a matching TGT request?