Forum Discussion
What is going on with ATA?
Hi ATA team,
Don't get me wrong, I still see the value in ATA, but the value I see in it is diminishing day by day.
There are a number of things which are really starting to concern me with this product.
- No updates for almost a year, possibly longer (I can't find the date 1.9 was released, and 1.9.1 I don't think added any new features)
- Completely failed during a red team exercise (missed both enumeration and lateral movement); despite feeding back the problems, nothing came from it. So at the point it should deliver value, it provided zero. Which makes me question why do we pay for it?
- Large known gaps in detections, like zero detection for any enumeration via LDAP. Given tools like BloodHound do all their work over LDAP, this is not good.
- The integration with 3rd party SIEMs is basic at best. Alerts via feeds to SIEMs are not stand-alone (i.e. contain all the information you need), forcing you back to the portal; this simply does not work when your SOC is provided by an MSP with lots of clients. If I can't integrate it with our SOC well, I don't get the value from the product I should.
- I have had support tickets open for over a year, for agents not starting. To the point we have just given up trying to get the agent to run on some of our domain controllers.
I have tried reaching out to the product team multiple times with issues, but nothing ever seems to get resolved. It appears to me that all resource goes towards Azure ATP, leaving us ATA customers getting the short end of the stick.
So what is going on with ATA?
Regards
James
7 Replies
- Astrid McClean (Former Employee)
Hi James,
Thanks for the feedback, and I appreciate the ongoing offline discussion regarding your concerns. ATA V1.9 was released in April 2018 and contained a significant number of new features and performance improvements. ATA continues to be a fully supported product - ATA V1.9.1 was released in July 2018, and we are currently working on ATA V1.9.2.
Any customers experiencing problems with ATA are encouraged to reach out to our support organization where they can assist in the most timely manner. For other concerns customers are welcome to contact the ATA Product Group directly through our feedback email aatpfeedback@microsoft.com
Regards,
Astrid
- lucashunold (Brass Contributor)
.
- Astrid McClean (Former Employee)
Hi Lucas,
ATA is not dead -- it is still a fully supported product. Azure ATP does have additional functionality and I'd be happy to talk to you about which product would best meet your needs.
Regards,
Astrid
- lucashunold (Brass Contributor)
.
- RichardAdams (Copper Contributor)
For me it's endless false positives for pass-the-hash when Citrix is being used that really devalues the product for my Company. It's still not been addressed more than two years after dumps were provided to the team! Recently raised it again as a Premier call, so will see what transpires.
- RichardAdams (Copper Contributor)
Unfortunately the answer was nothing! If you are thinking of using ATA but also have a large Citrix capability you may want to reconsider, alternatively be ready for a great deal of false positives for pass-the-hash! Response to my Premier call below. 'Risk of missing genuine alerts' is ironic - it's for that reason I raised the issue in the first place, as we are highly likely to miss genuine PTH amongst all the false positives. Very unimpressed.
I have discussed this with the ATA Product Group, and unfortunately this will not be included in the next version of ATA.
There were several reasons which went into the decision: technical challenges; risk of missing genuine alerts; but primarily this feature had very few requests for immediate implementation. User feedback is one of the main ways that we prioritise new feature requests. Your feedback has been added to the list, and this is something we may see in future versions, but as of now this is not going to make it into at least the next release.
Sorry it is not more positive news.