Introducing Microsoft Advanced Threat Analytics v1.8!

First published on CloudBlogs on Jul 26, 2017
We are pleased to announce the general availability of Microsoft Advanced Threat Analytics (ATA) v1.8. This is a key release for our customers with several new features and improvements. Cyberattacks continue to get more sophisticated, and so in turn, we must continue to tune our products and detections. As a leading solution in the user and entity behavioral analytics (UEBA) market, targeting identity-based attacks, we continue to innovate to help our customers identify attackers before they cause damage. ATA focuses on detecting and investigating tactics, techniques, and procedures (TTPs) that are commonly used by attackers in their campaigns, and on abnormal behavior of entities (users, devices, resources) that indicates insider threats. Additionally, with each ATA release, we continue to enhance our engine to improve detections for known and unknown attacks, as well as to discover entirely new types of attacks. Finally, we are also making improvements in the product infrastructure, security, and user experience. In v1.8 we are delivering the following:

New & updated detections

Abnormal modification of sensitive groups

As part of the privilege escalation phase of an attack, attackers modify groups with high privileges to gain access to sensitive resources. ATA now detects when there is an abnormal change in a group with elevated privileges (a sensitive group).

Suspicious authentication failures (Behavioral brute force)

Attackers often attempt to use brute force on credentials to compromise accounts. ATA now raises an alert when abnormal failed authentication behavior is detected.

Remote execution attempt – WMI exec

Attackers can attempt to control your network by running code remotely on your domain controller. ATA has added a detection for remote execution leveraging WMI methods to run code remotely.
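
The behavioral brute-force detection above is described only in outline. The following is an added illustration, written for this page and not ATA's own engine or data, of why profiling each source's own failure history catches what a fixed per-account lockout threshold misses: a password spray sends one failure per account across many accounts, so no single account ever trips a lockout counter. The events, host names, account names and thresholds are all constructed for the example.

```python
"""Illustrative behavioral brute-force detection over constructed sample events.

Added example (not ATA code). A per-account lockout threshold misses a password
spray; comparing each source against its own recent failure history catches it.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass, field
from datetime import date, timedelta

OBSERVE_DAY = date(2017, 7, 8)  # the day we evaluate in the constructed sample


@dataclass(frozen=True)
class AuthEvent:
    day: date
    source: str      # workstation that submitted the credentials to the DC
    account: str
    success: bool


@dataclass
class DayStats:
    failures: int = 0
    accounts: set = field(default_factory=set)


def build_sample_events() -> list[AuthEvent]:
    """Constructed sample data: seven quiet days, then a spray from WS02 on day eight."""
    start = date(2017, 7, 1)
    events: list[AuthEvent] = []
    for d in range(7):
        day = start + timedelta(days=d)
        # a couple of fat-fingered logons per workstation per day
        events += [AuthEvent(day, "WS01", "alice", False), AuthEvent(day, "WS01", "alice", True)]
        events += [AuthEvent(day, "WS02", "bob", False)] * 2 + [AuthEvent(day, "WS02", "bob", True)]
    day8 = start + timedelta(days=7)
    events += [AuthEvent(day8, "WS02", f"user{i:02d}", False) for i in range(30)]  # spray
    events.append(AuthEvent(day8, "WS01", "alice", False))                          # normal typo
    events += [AuthEvent(day8, "WS03", "carol", False)] * 4                        # new host, few failures
    return events


def failure_profile(events):
    """source -> day -> DayStats, built from failed authentications only."""
    profile: dict[str, dict[date, DayStats]] = {}
    for e in events:
        if e.success:
            continue
        stats = profile.setdefault(e.source, {}).setdefault(e.day, DayStats())
        stats.failures += 1
        stats.accounts.add(e.account)
    return profile


def per_account_threshold(events, observe_day, threshold=5):
    """Lockout-style check: accounts with >= threshold failures on observe_day."""
    counts: dict[str, int] = {}
    for e in events:
        if e.day == observe_day and not e.success:
            counts[e.account] = counts.get(e.account, 0) + 1
    return {acct for acct, n in counts.items() if n >= threshold}


def detect_abnormal_failures(events, observe_day, baseline_days=7, min_failures=10, sigma=3.0):
    """Flag sources whose failures on observe_day deviate from their own recent history.

    Returns {source: reason}. min_failures is an absolute floor so that a host with no
    history and a handful of failures does not alert on a zero-variance baseline.
    """
    alerts: dict[str, str] = {}
    for source, by_day in failure_profile(events).items():
        today = by_day.get(observe_day)
        if today is None or today.failures < min_failures:
            continue
        history = [by_day.get(observe_day - timedelta(days=i), DayStats())
                   for i in range(1, baseline_days + 1)]
        hist_failures = [h.failures for h in history]
        hist_accounts = [len(h.accounts) for h in history]
        mean = statistics.mean(hist_failures)
        spread = max(statistics.pstdev(hist_failures), 1.0)  # floor avoids sigma * 0
        if today.failures > mean + sigma * spread:
            alerts[source] = f"{today.failures} failures vs baseline mean {mean:.1f}"
        elif len(today.accounts) > 3 * max(hist_accounts, default=0) + 2:
            alerts[source] = (f"{len(today.accounts)} distinct accounts vs baseline max "
                              f"{max(hist_accounts, default=0)}")
    return alerts


if __name__ == "__main__":
    evs = build_sample_events()
    print("per-account threshold hits:", per_account_threshold(evs, OBSERVE_DAY))
    print("behavioral alerts:", detect_abnormal_failures(evs, OBSERVE_DAY))
```

On the sample data the per-account check returns nothing (no account fails more than four times), while the per-source baseline flags WS02 with 30 failures against a history of two per day. The absolute floor is the important tuning knob: without it, a freshly imaged host with three failures and an all-zero baseline would alert, which is exactly the kind of noise the triage features described later in this post exist to suppress.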

Improved triage of suspicious activities

ATA v1.8 will empower sec ops to triage suspicious activities by:
  • Excluding entities from raising future suspicious activities, to prevent ATA from alerting when it detects benign true positives (such as an admin running remote code or using nslookup).
  • Suppressing recurring suspicious activities from alerting.
  • Deleting suspicious activities from the attack time line.

New reports to help you investigate

The summary report was added to enable you to see all the summarized data from ATA, including suspicious activities, health issues and more. You can even define a customized report that is automatically generated on a recurring basis. The sensitive groups report was improved to enable you to see all the changes made in sensitive groups over a certain period.


Center performance enhancements

The ATA Center can now handle more than 1M packets per second.

Local events reading for ATA Lightweight Gateway

The ATA Lightweight Gateway can now read events locally, without the need to configure event forwarding.

Product Security

Single sign-on for ATA management

Silent installation scripts for the ATA Gateway and ATA Lightweight Gateway now use the logged-on user's context, without the need to provide credentials.

Auditing logs

Auditing logs for the ATA Center and Gateways were added, and all actions are now logged in the Event Viewer.

Upgrade today

Upgrade to v1.8 today and take advantage of these new features, detections, and enhancements. The latest ATA update, 1.8.1, is now live through Microsoft Update. Customers who do not use Microsoft Update can manually update to the latest version. You can use Microsoft Update to automatically download ATA v1.8.1 and seamlessly upgrade the ATA Center. After upgrading the ATA Center, you can configure automatic upgrades of all ATA Gateways in your environment. We know how much pain cybersecurity attacks cause you. As a team, our goal is to continue to innovate and help you protect your organization from these advanced attacks. Microsoft Advanced Threat Analytics is an on-premises product and is part of the Enterprise Mobility + Security suite and the Enterprise CAL Suite. Start a trial or deploy it now by downloading a 90-day evaluation version. Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site!