Microsoft Advanced Threat Analytics (ATA) - Part 3

Posted by Ahmed Nabil | 1 comments»
In part 1 of this series Microsoft ATA was introduced in details with different roles and installation checklist. In Part 2 Microsoft ATA center and Gateway components were installed and configured in details. For more information please check below links.

ATA Part 1 http://itcalls.blogspot.com.eg/2016/04/microsoft-advanced-threat-analytics-ata.html

ATA Part 2 http://itcalls.blogspot.com.eg/2016/04/microsoft-advanced-threat-analytics-ata_19.html


In this final Part, I will simulate a malicious activity and how ATA will detect it. I will conclude my blog series with couple of Frequently asked questions on the ATA Product.

Now its time for some action, I will simulate a simple DNS reconnaissance and DNS zone transfer using NSLOOKUP tool from a another machine in my lab which is not even a domain joined machine. Normally a proper secure environment would deny such zone transfer however we will see how the ATA detected this threat in details.

DNS Reconnaissance/Zone Transfer Simulation


  1. Launch Nslookup on another Lab machine (Not ATA Center or Gateway or even the DC)                         
  2. Run Nslookup -ls as per below screen shot.                                                                                                                                                                                                                                                            
                                                                                                                                                                    
  3. The query is refused however we will check whether ATA detected this attempt or not.                                           
  4. Open the ATA Center and in the threats you will find the attack detected with all details as per below screen shot                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        
  5. ATA detected the malicious DNS activity coming from which machine and targeting Domain controller in details.

That is the main purpose of ATA and how it fits as a Proactive solution monitoring your network for any suspicious activity. ATA can be configured to send emails to the administrator whenever a threat is detected.

Microsoft ATA Frequently asked Questions:

  1. What DB is used with ATA? MonjoDB is used and not SQL DB                                                                    
  2. Can I have Multiple Gateways? Yes you can have Multiple gateways, Some clients are installing two gateways in the same site as a kind of high availability. The Gateway Installation package will be installed on all gateways (Same Package)                                                                                            
  3. Do ATA need always to be on 2 box machine setup? No you can install both Center and Gateway on one machine however this is not recommended.                                                                                      
  4. What is the current Integration status with SIEM? ATA currently can get only event 4776 from SIEM however its limited to few SIEM solutions as Splunk, RSA and ArcSight. Product group promised that more will be added in the next version

Hopefully you will find this 3 part blog posts beneficial and i would encourage everyone to start playing and testing ATA in their environment.