Microsoft Advanced Threat Analytics (ATA) is a new threat analytics product from Microsoft that runs mostly in the background: it automatically analyzes network activity, learns what normal behavior looks like, and alerts you to possible security issues such as:
- Unusual user behavior: ATA uses behavioral analysis and self-learning to detect suspicious activity and behavioral anomalies such as anomalous logons, access to unusual resources, activity at unusual working hours, unknown threats, password sharing and lateral movement.
- Malicious attacks: ATA detects known attack techniques, including Pass-the-Ticket, ticket forgery, reconnaissance, remote execution and so on.
- Known security issues and risks: ATA identifies known security issues, such as broken trusts, weak protocols, and known protocol vulnerabilities.
Microsoft Advanced Threat Analytics (ATA) is an on-premises product that automates the analysis and learning of the normal and abnormal behavior of entities (users, devices, and resources) using Active Directory and data from security information and event management (SIEM) systems. It helps IT security professionals protect their organizations from targeted, advanced attacks. ATA also identifies known malicious attacks, security issues, and risks, drawing on the work of security researchers around the world. When suspicious activity is detected, it presents clear information about the threat in a simple, convenient feed.
Microsoft's ATA architecture is very simple, with two main components: the ATA Center and the ATA Gateway.
ATA Center:
- Manages the configuration settings of the ATA Gateways
- Receives data from the ATA Gateways
- Detects suspicious activity and behavior
- Supports multiple ATA Gateways
- Runs the ATA Management Console
- Optional: the ATA Center can be configured to send e-mail when suspicious activity is detected, and to forward events to your security information and event management (SIEM) system.
ATA Gateway:
- Captures and inspects domain controller network traffic through port mirroring
- Receives events from a SIEM or syslog server
- Retrieves user and computer data from the domain
- Resolves network entities (users and computers)
- Transfers the relevant data to the ATA Center
- Monitors multiple domain controllers from a single ATA Gateway
The deployment architecture for ATA is also very simple: there is no need to change the existing environment or install agents. You only need to mirror the domain controllers' traffic to the ATA Gateway, and the ATA Gateway forwards the data to the ATA Center for analysis and processing. No elevated permissions are needed either: an ordinary read-only domain user account is enough for ATA to perform its advanced security analysis of identity access.
This architecture is ideal for deploying ATA Gateways at several branch offices and having a single ATA Center at headquarters analyze and alert on identity threats for all of them, which is very cool.
ATA is primarily aimed at identity threat analysis, so it focuses on the enterprise AD environment: learning behavior, analyzing it, and raising alert notifications on threatening behavior. For example:
Find out which accounts in my environment have been hit by brute-force attacks:
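As an added illustration (example code written for this page, not ATA's own detection logic, which Microsoft does not publish), here is a small Python detector of the kind the SIEM/syslog path into the ATA Gateway makes possible: it parses constructed NTLM credential validation events (Windows event ID 4776) in a made-up syslog-style layout, flags a source workstation that produces many failed validations within a short window, lists the accounts it targeted (the "impacted accounts" of the question above), and notes which of those accounts subsequently authenticated successfully from the same source. The host names, user names, timestamps, line layout and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (made-up hosts, users and times): NTLM credential
# validation events (Windows event ID 4776) in a syslog-style layout such as
# a SIEM might forward. Status 0x0 is success; 0xC000006A is a wrong
# password and 0xC0000064 an unknown user name.
SAMPLE_EVENTS = """\
2016-02-18T09:00:01 DC01 EventID=4776 Account=alice Workstation=WS-ALICE Status=0x0
2016-02-18T09:00:05 DC01 EventID=4776 Account=bob Workstation=LAB-PC07 Status=0xC000006A
2016-02-18T09:00:06 DC01 EventID=4776 Account=carol Workstation=LAB-PC07 Status=0xC000006A
2016-02-18T09:00:07 DC01 EventID=4776 Account=dave Workstation=LAB-PC07 Status=0xC000006A
2016-02-18T09:00:08 DC01 EventID=4776 Account=erin Workstation=LAB-PC07 Status=0xC0000064
2016-02-18T09:00:09 DC01 EventID=4776 Account=frank Workstation=LAB-PC07 Status=0xC000006A
2016-02-18T09:00:10 DC01 EventID=4776 Account=grace Workstation=LAB-PC07 Status=0xC000006A
2016-02-18T09:00:11 DC01 EventID=4776 Account=grace Workstation=LAB-PC07 Status=0x0
2016-02-18T09:03:00 DC01 EventID=4776 Account=bob Workstation=WS-BOB Status=0xC000006A
2016-02-18T09:45:00 DC01 EventID=4776 Account=bob Workstation=WS-BOB Status=0x0
"""

# Layout of the constructed lines above (an assumption, not a real SIEM format).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dc>\S+) EventID=(?P<id>\d+) Account=(?P<acct>\S+) "
    r"Workstation=(?P<ws>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)

# NTSTATUS codes that count as a failed credential validation.
FAILURE_CODES = {0xC000006A, 0xC0000064}


def parse_events(text):
    """Parse the syslog-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "dc": m.group("dc"),
            "id": int(m.group("id")),
            "account": m.group("acct"),
            "source": m.group("ws"),
            "status": int(m.group("status"), 16),
        })
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return one finding per source workstation that produced at least
    `threshold` failed 4776 validations inside some span of length `window`.

    A finding carries the failure count of the densest window, the accounts
    it targeted, and which of those accounts later succeeded from the same
    source (the sign that a password was guessed, not merely attempted).
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["id"] == 4776:
            by_source[ev["source"]].append(ev)

    findings = []
    for source, evs in sorted(by_source.items()):
        evs.sort(key=lambda ev: ev["ts"])
        failures = [ev for ev in evs if ev["status"] in FAILURE_CODES]
        best = (0, 0, -1)  # (count, first index, last index) of the densest window
        lo = 0
        for hi in range(len(failures)):
            # Slide the window start forward until it fits inside `window`.
            while failures[hi]["ts"] - failures[lo]["ts"] > window:
                lo += 1
            count = hi - lo + 1
            if count > best[0]:
                best = (count, lo, hi)
        count, first, last = best
        if count < threshold:
            continue
        burst = failures[first:last + 1]
        targeted = sorted({f["account"] for f in burst})
        since = burst[0]["ts"]
        later_success = sorted({
            ev["account"] for ev in evs
            if ev["status"] == 0 and ev["account"] in targeted and ev["ts"] > since
        })
        findings.append({
            "source": source,
            "failures": count,
            "accounts": targeted,
            "later_success": later_success,
        })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{f['source']}: {f['failures']} failures against "
              f"{', '.join(f['accounts'])}; later success: {f['later_success'] or 'none'}")
```

On the constructed input the only finding is LAB-PC07, which failed against six accounts in a few seconds and then logged in as grace, so grace is the account to reset first. The window and threshold are deliberately crude; a real deployment tunes them per source type, and ATA, per the architecture above, can draw the same signal from mirrored domain controller traffic rather than from forwarded events.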
Analyze a user's or computer's behavior and activity status, including the computer resources it last accessed and the domain computers the user last logged on to:
At the same time, you can discover that a computer or user in the enterprise has had its password leaked, or is being used as a compromised (zombie) host or account to launch attacks, and alert on all of its actions:
The only drawback of this excellent product is that it is not offered in our country and has no Chinese-language version, which is most regrettable. Still, for technical enthusiasts, sharing the product and the results of a trial is very meaningful.
Many thanks to Mr. Wang (http://wzde2012.blog.51cto.com/) for the introduction and guidance, which gave me great interest in this product and led me to test it.
Thank you.
This article is from the "Zjunsen Microsoft Virtualization" blog; please keep this source when sharing: http://rdsrv.blog.51cto.com/2996778/1719522
Advanced Threat Analytics 2016