Introducing Microsoft Advanced Threat Analytics v1.8!
First published on CloudBlogs on Jul 26, 2017
We are pleased to announce the general availability of Microsoft Advanced Threat Analytics (ATA) v1.8. This is a key release for our customers with several new features and improvements.
Cyberattacks continue to get more sophisticated, and so in turn, we must continue to tune our products and detections. As a leading solution in the user and entity behavioral analytics (UEBA) market, targeting identity-based attacks, we continue to innovate to help our customers identify attackers before they cause damage.
ATA focuses on detecting and investigating tactics, techniques, and procedures (TTPs) that are commonly used by attackers in their campaigns, and on abnormal behavior of entities (users, devices, resources) that indicates insider threats. Additionally, with each ATA release, we continue to enhance our engine to improve detections for known and unknown attacks, as well as to discover net new types of attacks. Finally, we are also making improvements in the product infrastructure, security, and user experience. In v1.8 we are delivering the following:
New & updated detections
Abnormal modification of sensitive groups
As part of the privilege escalation phase of an attack, attackers modify groups with high privileges to gain access to sensitive resources. ATA now detects when there’s an abnormal change in a group with elevated privileges (i.e. a sensitive group).
Suspicious authentication failures (Behavioral brute force)
Attackers often attempt to use brute force on credentials to compromise accounts. ATA now raises an alert when abnormal failed authentication behavior is detected.
Remote execution attempt – WMI exec
Attackers can attempt to control your network by running code remotely on your domain controller. ATA has added a detection for remote execution leveraging WMI methods to run code remotely.
Improved triage of suspicious activities
ATA v1.8 will empower security operations (SecOps) teams to triage suspicious activities by:
entities from raising future suspicious activities, to prevent ATA from alerting when it detects benign true positives (such as an admin running remote code or using nslookup).
recurring suspicious activities from alerting.
suspicious activities from the attack time line.
New reports to help you investigate
was added to enable you to see all the summarized data from ATA, including suspicious activities, health issues and more. You can even define a customized report that is automatically generated on a recurring basis.
sensitive groups report was improved to enable you to see all the changes made in sensitive groups over a certain period.
Center performance enhancements
The ATA Center can now handle more than 1M packets per second.
Local events reading for ATA Lightweight Gateway
The ATA Lightweight Gateway can now read events locally, without the need to configure event forwarding.
Single sign-on for ATA management
Silent installation scripts for the ATA Gateway and ATA Lightweight Gateway now use the logged-on user’s context, without the need to provide credentials.
Auditing logs for the ATA Center and Gateways were added and all actions are now logged in the event viewer.
Upgrade to v1.8 today and take advantage of these new features, detections, and enhancements. The latest ATA update 1.8.1 is now live through Microsoft Update. Non-Microsoft Update customers can manually update to the latest version. You can use Microsoft Update to automatically download ATA v1.8.1 and seamlessly upgrade the ATA Center. After upgrading the ATA Center, you can configure the automatic upgrades of all ATA Gateways in your environment.
We know how much pain cybersecurity attacks cause you. As a team, our goal is to continue to innovate and help you protect your organization from these advanced attacks.
Microsoft Advanced Threat Analytics is an on-premises product and is part of the Enterprise Mobility + Security suite and the Enterprise CAL Suite. Start a trial or deploy it now by downloading a 90-day evaluation version.
Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site.