Microsoft Advanced Threat Analytics

30 Conversations

Latest Activity

Custom List Message Item


I wanted to give some feedback to the ATA team, and also see what the community thinks at the same time.


In ATA v 1.6 there was a notes feature for each event. In v 1.7, to our surprise, this function has disappeared.


This was how we were documentin

... Read More
1 Reply

Hi Bill,

the feature is not back in 1.8.  Can you please email me directly ndicola AT microsoft dot com.

Since our upgrade to 1.8 a few weeks back, we've seen an intersting email blast issue.  When certain lightweight gateways become unresponsinve (seen also with Windows updates being applied), ATA sends thousands of health alerts per hour.


Anyone seen anyth

... Read More
2 Replies
Wow! Thankfully, I have not run into that issue just yet. I do get an alert when ATA loses connectivity to a gateway, but just the one.

The General Data Protection Regulation (GDPR) strengthens the right of individuals in the European Union (EU) to control their personal data and requires organizations to bolster their privacy and data protection measures. Enterprise Mobility + Security (

... Read More
0 Reply

I just Ran a small test on our network and this is what came out after 30 minutes.

It seems ATA Lightweight Gateway is out of the question,


Read More
2 Replies


Thats not 100% correct.  Looks like mosts of yours can be LWGW just need a few additional resources.  is it possible to add those recommended CPU and memory to the

... Read More

We are pleased to announce the general availability of Microsoft Advanced Threat Analytics (ATA) v1.8. This is a key release for our customers with several new features and improvements.


Cyberattacks continue to get more sophisticated, and so in turn, w

... Read More
3 Replies

My ATA server is running on server 2016 core, so I can't exactly launch the update gui and force it to check for updates from microsoft.  I'm not seeing this update avail

... Read More

Since we first implemented ATA a few months ago, it's periodically had an alert about one computer or another with a broken trust relationship.  However, when I follow up on that alert I can find no sign of a problem with the computer.  I don't see anythi

... Read More
0 Reply


My name is Michael Dubinsky and I lead the product and security research teams for Microsoft ATA.


I'm super excited to start the TechCommunity for ATA. Working together with each and everyone of our customers, partners and the entire community is wh

... Read More
2 Replies
THis is Zeyad from INC tech - Kuwait After we configure ATA , we get only the below alert "Gateway not receiving network traffic The Gateway INC-ATA is not receiving mirr... Read More

Check out this new video from Yoann Mallet, which will help you choose the right gateway type with Advanced Threat Analytics (ATA). This is the most important decision to be made when deploying ATA. The video contains guidance on how to make that decision

... Read More
0 Reply

I posted this in Yammer as well, and do apologize if you've found it in both places.

Have a bit of a licensing conundrum with Advanced Threat Analytics, and I hope someone can help. I have reviewed the Licensing Datasheet, the setup guide, and did quite a

... Read More
4 Replies

Hi Steven,

For ATA, each human user must have a license.  Service accounts are not considered human.  Just license the people that actually exist in the organization.


... Read More
I asked a similar question a few months ago, you may find this thread helpful https://techcommunity.microsoft.com/t5/Microsoft-Advanced-Threat/Licensing/m-p/44696 Read More
My understanding is that ATA is not a per-user licensed model application. It's the exception to the EMS license. So in other words, when you buy EMS (per user licensed m... Read More

Hello ;


Recently we have configured ATA , i got the below alerts every 2 weeks


Gateway not recieving network traffic


Kindly your advice



1 Reply

Hi Zeyad,

Is this a standalone or lightweight Gateway? 


this monitoring alert (MA) lets you know that a GW has stopped seeing any traffic.  this can occur if port mirro

... Read More

My client is going to be moving their data center to Azure and this is expected take a long period of time. Will they be able to use ATA when they have some DCs on-premises and others in Azure?

2 Replies

Install the Light Weight Gateway on the Domain Controllers in Azure, also you can even deploy the ATA Center on Azure as well make use of Virtual Machine with 2 Nic Adapt

... Read More

Yes.  The client can install the LWGW on DCs in Azure.  ATA Center is supported in Azure as well.

The rise of ransomware and its media presence in recent months has highlighted, perhaps now more than ever, the importance of robust security systems to detect and respond to devious and evolving threats. We know extortion via ransomware is an effective s

... Read More
0 Reply




I am seeing a lot of "Suspicious Activity" in ATA relating to "Reconnaissance using directory services enumeration" from clients and servers.

I believe this was addressed in an earlier build of 1.7, am i safe to assume that these incidences are worthy

... Read More
6 Replies


As you mentioned this is a known issue with ATA 1.7.
In some cases this suspicious activity can be caused by legitimate security solutions running on endpoints and ser

... Read More
Best Response

How is everyone receiving release update notifications? The only thing I've heard from support is to subscribe to the blog or the Twitter feed. Would be nice to receive an email notification with release notes attached. 

3 Replies
Thanks, I have the mail notification setting, 'Notify When New software update is available,' turned on. Is that all there is to it?

Hi Michael,

The ATA console will alert you where there is an update.  you can also have ATA email you when it detects that update.

I am pleased to announce the 1st version of the ATA 1.7 SCOM Management Pack (v1.7.1.1). This 1st version covers ATA 1.7 and monitors the health of ATA. It is available in English today and we are working on localized versions to be released soon.


The M

... Read More
1 Reply

When can we expect this to be updated for ATA 1.8?

We have purchased EM+S E3 licenses for our users. We have setup a trial of Microsoft Advanced Threat Analytics that has just expired. Where do I go to retrieve the 25-character product key to license Microsoft ATA?

2 Replies

This is what I could find from Install Advanced Threat Analytics page


"If you acquired a license for Enterprise Mobility + Security (EMS) directly via the Office 365 port

... Read More
Best Response

■Verification environment






Windows Server 2016



I recieved the error "The LDAP server is unavaliable."


■Try and error

I checked the following web site.


Troubleshooting the ATA error log


... Read More
1 Reply
I solved this issue. I misconfigured the network of ATAGW.

There's a good article in Dark Reading today by Michael A. Davis:


"We've all seen them — you might even have one open right now: an Excel spreadsheet with red, greens, and yellows that tell you where your risk is. You probably follow the simple conventi

... Read More
1 Reply
In general, we need to understand the threat model within a domain. For example, in a company when we are assess threats for finance department, protecting Excel and fina... Read More

A bank in Poland previously discovered unknown malware running on several of its computers, exposing a wave of attacks that affected organizations from at least 31 countries.


What’s unique about this attack, is the usage of a piece of sophisticated mali

... Read More
1 Reply
If they are running entirely on memory, then after restart they will be wiped out. But for many devices , they normally won't restart regularly unless if there is update ... Read More

Hi there,

I have a quick question about Microsoft Advanced Threat Analytics (ATA), How we can integrate ATA with Cisco ASA( Adaptive Security Appliance) Firewall Logs? and if it's possible what will be the implementation requirements for any organization?


... Read More
1 Reply


ATA does not integrate with FW logs from any vendor. Today it only collects windows event logs from the DCs which can be captured using a supported SIEM or Windows Ev

... Read More

We're currently running ATA version 1.7.5757.57477 and as I was following along with the ATA Playbook, I performed three commands to see if I could generate the alerts in ATA:


  1. nslookup ls -d <domain> (this failed)
  2. net user /domain (this failed)
  3. net group /d
... Read More
16 Replies

Are you running the runbook on a Server or on a client OS ?

I ran through the playbook today but I had a few issues. 
Step 9: Powersploit appears to have a bug with Powershell 5.0 that mean the Get-NetLocalGroup cmdlet doesn't work (obviously not the ATA playbook authors fault, just putting it out there)
Step 1

... Read More
1 Reply

We`re glad you liked the Playbook, and thanks for shouting out, Robert. I`m sure @Ophir Polotsky@Hadi Inja, @Michael Dubinsky@Benny Lakunishok, and @Ryan Heffernan wi

... Read More

I have several clients who have purchased thousands of EM+S licenses, but they did not purchase a license for everyon of their employees i.e., they did not purchase licenses for employees that seldom use a computer.


What is the appropriate way to use and

... Read More
7 Replies

Hi Dean,


As mentioned by Peter, the ATA product does not have flexability with regards to number of licensed seats. The licensing requirment is to have a valid license

... Read More

for all other user that have no EM+S you can purchase a

Standalone license - Open L&SA


Read More

@Hadi Inja may help with the licensing inquiry.

EMS+ is all about identity Security and NOT pc/computer centric. One licens pr user. 

Dean Gross wrote:

I have several clients who have purchased thousands of EM+S licenses

... Read More

ATA Attack Simulation playbook is now available to download here.



3 Replies

Great Playbook indeed, thanks for sharing @Ophir Polotsky! According to the ATA team they`ve written this playbook so it contains:


  1. A step-by-step guide to simulating d
... Read More
Thanks for share! :)
Thanks for sharing!