Microsoft Advanced Threat Analytics Setup – Part 2

In the last post we looked at setting up the ATA Center and preparing the ATA Gateway. Now before anything else can happen a few other things need to be done. The first one is to make sure that KB2919355 has been installed on the server that will act as the gateway. After this has been competed then the configuration requires some core network changes to make it work. To understand this let me explain what we are actually going to do.

Microsoft Advanced Threat Analytic’s components use a non-intrusive port mirroring configuration which copies all Active Directory-related traffic to the Microsoft ATA system, while remaining invisible to attackers. Microsoft Advanced Threat Analytics then analyzes all Active Directory related traffic and receive relevant events from a corporate System Information and Event Management (SIEM) solution to enrich the analytics. Once it has created a bench mark for each user, then it continues to learn and monitor looking for suspicious activities and events. What we end up with is single or multiple gateways that mirror the ports as needed.

If you are using something other than Hyper-V then you will need to read the documentation for that platform or configure your networking equipment to clone the port traffic for the Domain Controller and send it to the Gateway Server. For Hyper-V we can simply edit the settings for the Domain Controller and then the Gateway Server and modify these settings.

Domain Controller – Set as Source

ATA Gateway – Set to Destination

To test that the mirroring is working, we can use “Microsoft Network Monitor” version 3.4. Do not install this on the Domain Controller or the ATA Gateway Server. This needs to be on a different machine. Once we have it installed, we need to start a new “Capture“, by selecting the network adapter you have configured for mirroring above and then choosing “Create capture tab“.

In the “Display Filter” section type “KerberosV5 OR LDAP“, then click the “Start” option to begin monitoring.

As long as the port mirroring is working you should see Domain Controller traffic being forwarded to the ATA Gateway Server.

Once the port mirroring had been tested and shows as working, we can now extract the zip file we copied to the gateway server, and run the “Microsoft ATA Gateway Setup“.

Now we can follow the core wizard for the installation.

We are using the same certificate created for the ATA Center, and then the same account which has been added as a local administrator on the ATA Gateway server. In Production you would probably use different accounts.

If you have changed the IIS Bindings for the ATA Center then you may hit this error when installing.

To get passed this simple add none host headed bindings back to the ATA Center IIS web site.

If you then get the following error, you need to ensure the selected account is a member of the local Administrators or “Microsoft Advanced Threat Analytics” Administrator group on the ATA Center Server.

The wizard should continue as normal, possibly requiring a reboot.

After a reboot the installation should continue and complete successfully.

Launching the ATA Center either on the ATA Center Server or the ATA Gateway will ask us to login again and then present us with the new configuration. ON the ATA Gateway screen we should see the “Configuration required” option.

If the above message does not go away then you could have issues relating to the SSL certificate being used on the server. To resolve this you can simply uninstall the ATA Gateway and the ATA Center, then reconfigure the ATA Center installation to create self-signed certificates. Once these issues are resolved you should then see the configuration screen.

I have configured my lab environment with the following details.

Initially is should say “Not Synced” but once it catches up it should show the following message.

Now that we have both the ATA Center and ATA Gateway running we now need to leave them to run so it can create a profile of the users within Active Directory. In the next post we will look at some basic behaviors and triggers that will trigger alerts as well as understand more in detail how to navigate through the console.

Liam Cleary

I work as an Associate Director for Protiviti in Virginia. My main focus is to ensure that SharePoint can either natively or with minimal customization meet the business requirement securely. I am currently a SharePoint MVP focused on Architecture but also cross the boundary into Development and Security. I am often found at user groups, conferences speaking, offering advice, spending time in the community, teaching my kids how to code, raspberry PI programming, hacking the planet and sometimes building Lego robots.

You may also like...