Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
End of mainstream support for Advanced Threat Analytics January 2021
Published Jul 22 2020 12:57 PM 94.1K Views

A single compromised user or malicious insider can compromise an entire organization – which is why we’re always looking for the best way to protect identity environments.

Since its release in 2015, Microsoft Advanced Threat Analytics (ATA) has protected organizations from identity-based attacks in on-premises environments, receiving multiple updates that introduced new functionality and improvements to existing features.

As the nature and requirements of security changed, so did the frequency and severity of cyber-attacks. We saw a dramatic increase in the sophistication and velocity of attacks and realized that the current IT security tools provided were limited in the protection they could offer to on-premises environments.

To help customers combat these attacks, in March 2018 we introduced Azure Advanced Threat Protection (Azure ATP), which shifted to a lightweight sensor connected to cloud service model. This allows us to rapidly update detections and provide customers with an easier deployment path.

We are now reaching the end of mainstream support for ATA and are guiding our customers to shift to Azure ATP as their on-premises identity threat protection solution.

Our commitment to security means we will continue to provide critical security updates affecting ATA, with Extended Support continuing until January 2026. Mainstream support ends on January 12, 2021. The final update in mainstream support will be ATA v1.9.3. We will communicate further details about this release in the coming weeks.

To help you get started, we have compiled some information and resources:

Preventing threats – Assess your security posture through full visibility into on-premises Active Directory configuration, users, and service accounts that could become compromised due to security misconfigurations or failure to follow best practices. Identity Security Posture assessments powered by Azure ATP alert you to known bad practices within your environment, like dormant accounts within sensitive groups or risky lateral movement paths. This proactivity ensures you are remediating potentially harmful configurations before they become an additional attack vector.

Detecting threats – Detect on-premises, advanced attacks in real time, leveraging unique approaches to Network Traffic Analytics & User and Entity Behavior Analytics, as well as entity enrichments such as device name resolution, event log inspection, and Event Tracing for Windows events. Azure ATP detections can identify attackers’ activities through the kill chain — starting with network and user mapping (reconnaissance) and continuing with attempts to compromise identities and move laterally inside the organization to gain domain dominance. Potential threats are grouped together using cloud-powered analytics.

Investigating threats – Review alerts and user activities to understand the attack methods and potential damage. Additionally, you can hunt through user activities and define custom alerts based on user events. And, with Azure ATP’s Investigation Priority Score, you can pinpoint the riskiest users to investigate, based on their alerts and suspicious activities.

Remediating threats – Azure ATP’s integration with other products in Microsoft’s security portfolio helps you mitigate the impact of compromised users by raising a user’s AAD User Risk level and enforcing organizational risk policies such as blocking access—or allowing access, but requiring a password change using Azure AD self-service password reset.

We also know that the real test of any security solution is real-world results. Recently we submitted Azure ATP for MITRE ATT&CK APT 29 evaluation. MITRE evaluates cybersecurity products using an open methodology based on the ATT&CK knowledge base. The latest evaluation centered around a nation-state threat actor Advanced Persistent Threat (APT) 29. Azure ATP detected account compromise at the domain level, lateral movement, and the more sophisticated pass-the-ticket (Golden Ticket) attack. Check out this blog for more details on how Azure ATP performed in the evaluation.

Acknowledgement from independent experts like MITRE is a great milestone for Azure ATP, but we also have large customers who rely on it to help protect their environments. Ansell, a global personal protective equipment leader, made the move from ATA to Azure ATP and is pleased with their new, enhanced capabilities:


George Michalitsianos, Senior Director of IT Security and Infrastructure at Ansell, states “We valued Advanced Threat Analytics for the ability to recognize and even help proactively stop an attack, and now that we have the same capability in Azure ATP, we’re in an even better position. We can use new features and capabilities as soon as they’re delivered.”

Find out more about Ansell’s cloud security journey here.

So what do we recommend you do right now? The best way to experience all that Azure ATP has to offer is to try it for yourself. Resources to assist in migrating can be found here. And, for personalized help with the transition, contact us at

Version history
Last update:
‎May 11 2021 03:14 PM
Updated by: