First published on CloudBlogs on Nov 04, 2016
Advanced Threat Analytics (ATA) detects a variety of suspicious activities (SAs) in different phases of the attack kill chain. The information appears in the ATA console in a clear and efficient social network-style timeline that helps the security admin filter out noise and identify actual suspicious activities. ATA only raises an alert once it has aggregated suspicious activities by comparing an entity's behavior to its own past behavior, as well as to the profiles of other entities in its interaction path. For a complete list of detections and their descriptions, see ATA Detections. ATA provides rich information on the entities involved in a suspicious activity, as well as remediation steps for investigating the alert. We will explore both of these topics in this blog.

SA Alert Components

The admin can share the details of each alert by email for further investigation, export them to Excel, or add organization-specific notes. Alerts are classified as high, medium, or low depending on the impact they can have in the enterprise. For each entity involved in an alert, ATA also shows details such as:
- OS details
- Recent network activity
- SPNs
- Group memberships
- Date of last password change
1. How can I interact with ATA alerts programmatically?
There are multiple ways to address this. ATA logs all alerts to the Windows event log. To get a list of all suspicious activities generated in the past seven days, we can use the PowerShell command below (set StartTime to (Get-Date).Date to restrict the list to today):
Get-WinEvent -FilterHashtable @{LogName='Microsoft ATA'; StartTime=(Get-Date).Date.AddDays(-7); EndTime=(Get-Date)} |
    Where-Object { $_.ProviderName -eq 'Suspicious Activity' } |
    Format-List
We can also pull a list of suspicious activities from the MongoDB database by starting the mongo shell from the mongoDB\bin folder on the ATA Center server and running the commands below. StartTime is stored as a date, so match on a range (everything since midnight today) rather than on an exact value:
mongo ATA
var since = new Date(); since.setHours(0, 0, 0, 0);   // midnight today, local time
db.SuspiciousActivity.find({ StartTime: { $gte: since } }, { StartTime: 1, TitleKey: 1, Status: 1 })
2. How can we get a list of suspicious activities by user?
The script below looks up the ID of a user (replace UserAlias with the account's SAM account name) and then finds all suspicious activities in which that user is the source account:
mongo ATA
var usr = db.UniqueEntity.findOne({ SamName: "UserAlias" }, { DisplayName: 1, _id: 1 });
db.SuspiciousActivity.find({ SourceAccountId: usr._id }, { StartTime: 1, TitleKey: 1, Status: 1 })
3. How can I bulk resolve some alerts?
The script below finds all Pass-the-Ticket alerts and sets their status to Resolved. Save it to a file and run mongo.exe ATA <file name> from the mongoDB\bin directory. Because this edits the database directly, bypassing the console, take a backup of the ATA database before running it, and narrow the query (for example, add Status: "Open") if you do not want Dismissed alerts to be changed as well.
var SAType = "PassTheTicketSuspiciousActivity";   // _t is the alert type discriminator
var SAs = db.SuspiciousActivity.find({ _t: SAType });
SAs.forEach(function (o) {
    print("Resolving SA with ID: " + o._id + " ...");
    db.SuspiciousActivity.update({ _id: o._id }, { $set: { "Status": "Resolved" } });   // Status can be "Resolved", "Dismissed" or "Open"
});
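The two scripts above (by-user lookup and bulk resolve) can be combined into one mongo shell script that only touches Open alerts, optionally restricts them to a source account and a start date, and supports a dry run that reports what would change before anything is updated. This is an added example, not code from the original post or from the ATA product. It uses only the field names the page's own scripts use (_t, Status, SourceAccountId, StartTime) and assumes nothing else about the schema. It runs unchanged in the ATA Center's mongo shell, where `db` exists; anywhere else it falls back to a small constructed in-memory collection with made-up documents so the selection logic can be exercised offline. The alert type "SomeOtherSuspiciousActivity" in the sample data is a placeholder, not a real ATA type.

```javascript
// Added example: filtered, dry-run-capable bulk resolution of ATA suspicious activities.
// Runs in the mongo shell (mongo.exe ATA thisfile.js) against db.SuspiciousActivity, or
// stand-alone against a constructed in-memory collection when `db` is not defined.
// ES5 syntax is used deliberately so the older mongo shell shipped with ATA accepts it.

function buildFilter(opts) {
  // opts.types:           array of _t discriminators, e.g. ["PassTheTicketSuspiciousActivity"]
  // opts.sourceAccountId: optional UniqueEntity _id of the source account (from db.UniqueEntity.findOne)
  // opts.since:           optional Date; only alerts that started on or after it
  // Only Open alerts are selected so that Dismissed alerts are never silently changed to Resolved.
  var filter = { Status: "Open" };
  if (opts.types && opts.types.length) filter._t = { $in: opts.types };
  if (opts.sourceAccountId) filter.SourceAccountId = opts.sourceAccountId;
  if (opts.since) filter.StartTime = { $gte: opts.since };
  return filter;
}

function resolveMatching(collection, opts, dryRun) {
  var filter = buildFilter(opts);
  var ids = [];
  collection.find(filter).forEach(function (o) { ids.push(o._id); });
  if (!dryRun) {
    ids.forEach(function (id) {
      collection.update({ _id: id }, { $set: { Status: "Resolved" } });
    });
  }
  return { filter: filter, matched: ids.length, resolved: dryRun ? 0 : ids.length, ids: ids };
}

// ---- constructed stand-in for db.SuspiciousActivity (used only outside the mongo shell) ----
// Supports just the operators buildFilter emits: equality, $in and $gte.
function matchesValue(docValue, cond) {
  if (cond !== null && typeof cond === "object" && !(cond instanceof Date)) {
    if ("$in" in cond) return cond.$in.indexOf(docValue) !== -1;
    if ("$gte" in cond) return docValue >= cond.$gte;
  }
  return docValue === cond;
}
function FakeCollection(docs) { this.docs = docs; }
FakeCollection.prototype.find = function (filter) {
  return this.docs.filter(function (d) {
    return Object.keys(filter).every(function (k) { return matchesValue(d[k], filter[k]); });
  });
};
FakeCollection.prototype.update = function (query, change) {
  this.docs.forEach(function (d) {
    if (d._id === query._id) {
      Object.keys(change.$set).forEach(function (k) { d[k] = change.$set[k]; });
    }
  });
};
function sampleCollection() {
  // Constructed sample documents, not real ATA data; "u1"/"u2" stand in for UniqueEntity _ids.
  return new FakeCollection([
    { _id: "sa1", _t: "PassTheTicketSuspiciousActivity", Status: "Open",      SourceAccountId: "u1", StartTime: new Date("2016-11-01T08:00:00Z") },
    { _id: "sa2", _t: "PassTheTicketSuspiciousActivity", Status: "Dismissed", SourceAccountId: "u1", StartTime: new Date("2016-11-02T08:00:00Z") },
    { _id: "sa3", _t: "PassTheTicketSuspiciousActivity", Status: "Open",      SourceAccountId: "u2", StartTime: new Date("2016-11-03T08:00:00Z") },
    { _id: "sa4", _t: "SomeOtherSuspiciousActivity",     Status: "Open",      SourceAccountId: "u1", StartTime: new Date("2016-11-03T08:00:00Z") }
  ]);
}

// Pick the real collection in the mongo shell, the constructed one elsewhere.
var collection = (typeof db !== "undefined") ? db.SuspiciousActivity : sampleCollection();
var log = (typeof print === "function") ? print : console.log;

// Dry run first: report what would be resolved, change nothing. Set dryRun to false to apply.
var plan = resolveMatching(collection, { types: ["PassTheTicketSuspiciousActivity"], sourceAccountId: "u1" }, true);
log("Dry run: " + plan.matched + " open alert(s) would be resolved: " + plan.ids.join(", "));
```

In the mongo shell, obtain the sourceAccountId value with db.UniqueEntity.findOne({ SamName: "UserAlias" })._id and pass it in place of "u1"; flip the last argument to false only after the dry-run count looks right.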
For questions or feedback contact me directly: Shalini Pasupneti (shpasupn@microsoft.com), Senior Program Manager, C+E Security CxP Team.
Published Sep 08, 2018 (Version 1.0) by the Advanced Threat Analytics Team.