Deploy Microsoft Advanced Threat Analytics

Q. How do I deploy Microsoft Advanced Threat Analytics?

A. The deployment is very simple and can be performed in about 15 minutes. Typically it runs as a virtual machine and it will need to be placed on the same Hyper-V host as a domain controller (if using Hyper-V) to allow the port mirroring from the DC(s) to the ATA instance. This enables the ATA instance to see all the DC traffic and perform the deep packet inspection without adding any overhead to the actual DC. Two certificates are used. One is used for the actual ATA center communications and it can be a self-signed certificate. The other is used to enable the SSL connection to the ATA management website and can also be self-signed but you will more than likely want this certificate to be from your enterprise CA so it is trusted from machines in your network.

ATA requires Windows Server 2012 R2 and the OS can be a member of a domain or workgroup. Full detail on requirements can be found at https://technet.microsoft.com/en-US/library/dn707709.aspx?f=255&MSPPError=-2147217396 which also outlines sizing for the database and hardware based on number of domain controllers and authentication load.

There are two components to ATA:

Both can run on the same OS instance in a test environment (but should be avoided in production) which is why the Center Communication IP Address is set to 127.0.0.2 (which is loopback along with any address from 127.0.0.0/8, its not just 127.0.0.1). In a normal deployment you would have at least 2 IP addresses for ATA which would enable additional gateways to connect to a single Center instance but for testing or single deployments the loopback is OK but if you use a single IP you need to change the port for the Center Communication from 443 to something else, for example 444. Also in a production environment the database disk should be separate from the installation path to ensure sufficient IO. There is only one configuration screen which enables sizing for the database to be selected and the IP/certificates to be chosen. The install will then complete with no other user input.

Once the installation is complete a web browser will open to the configuration portal, e.g. https://savdalata01.savilltech.net/configuration. If you get a certificate error it is because that by default it uses the IP address. To resolve, just change the URL to use the server name that matches your certificate for the management website. You now need to complete the configuration. The user who installed ATA will be able to access the management portal as will members of the local administrators group and the Microsoft Advanced Threat Analytics Administrators local group on the ATA Center server.

The first configuration is to configure the account that the gateway instances (which there are none of yet) will use to communicate with the Active Directory to gather information. You should create a dedicated account for use by ATA and it only needs to be a Domain User, no other rights are required.

Once the domain credential is saved, the Download Gateway Setup button will be available for you to click to download the Gateway software. Note that the configuration of the ATA Center is basically done now. The Gateway can be installed on the Center instance OS or on a different OS instance and the downloaded Gateway software can be used on multiple gateway servers. Once the Gateway software is downloaded, open the zip file and copy the content to a location that is available to all the OS instances that will be gateway servers. Launch the Gateway setup executable and walk through the basic installation and once again a self-signed certificate can be used along with specifying a user account that must have local administrator rights. The certificate is used for mutual authentication between the ATA Center and the ATA Gateway. Gateways should also have 2 NICs, one for capturing data and one for management although this is not a mandatory requirement. It is a good idea to rename the NICs in the OS to match the purpose.

Once the gateway is installed complete the configuration for the gateway must be completed which consists of adding the domain controllers that the gateway will monitor and the network adapter that will receive the mirrored data from the domain controllers. Click Save once the data is entered.

You now need to setup the port mirroring so the gateway gets the traffic needed. In Hyper-V, for the source VM (the DC) under the settings of the network adapter open, Advanced Features and in the Port mirroring set the Mirroring mode to Source. For the ATA VM set the Mirroring mode to Destination.

After a few minutes data should start to flow which will be viewable by clicking the Bell icon (notifications) in the top right corner of the web console.

Clicking the timeline icon (the second icon from the left in the picture above) will show the timeline view which will shown any suspicious activity. Take some time to look around the various configuration options which enables additional configurations including email alerting.

For more information on deployment see https://technet.microsoft.com/en-US/library/dn707704.aspx.