Advanced Threat Analytics (ATA) to Microsoft Defender for Identity

Note

The final release of ATA is generally available. ATA will end Mainstream Support on January 12, 2021. Extended Support will continue until January 2026. For more information, read our blog.

Use this guide to move from an existing ATA installation to the Microsoft Defender for Identity service. The guide explains Defender for Identity prerequisites and requirements, and details how to plan and then complete your move. Validation steps and tips for taking advantage of the latest threat protection and security solutions with Defender for Identity after installation are also included.

To learn more about the differences between ATA and Defender for Identity, see the Defender for Identity frequently asked questions.

In this guide you will:

  • Review and confirm Defender for Identity service prerequisites
  • Document your existing ATA configuration
  • Plan your move
  • Set up and configure your Defender for Identity service
  • Perform post-move checks and verification
  • Decommission ATA after completing the move

Note

Moving to Defender for Identity from ATA is possible from any ATA version. However, as data cannot be moved from ATA to Defender for Identity, it is recommended to retain your ATA Center data and alerts required for ongoing investigations until all ATA alerts are closed or remediated.

Prerequisites

  • An Azure Active Directory tenant with at least one global/security administrator is required to create a Defender for Identity instance. Each Defender for Identity instance supports multiple Active Directory forests and a Forest Functional Level (FFL) of Windows 2003 and above.

  • Defender for Identity requires .NET Framework 4.7 or later and may require a domain controller restart if your current .NET Framework version is not 4.7 or later.

  • Make sure your domain controllers meet all the Defender for Identity sensor requirements and your environment meets all Defender for Identity requirements.

  • Validate that all domain controllers you plan to use have sufficient internet access to the Defender for Identity service. Check and confirm your domain controllers meet the Defender for Identity proxy configuration requirements.

Note

This migration guide is designed for Defender for Identity sensors only.

Plan

Make sure to gather the following information before starting your move:

  1. Account details for your Directory Services account.
  2. Syslog notification settings.
  3. Email notification details.
  4. ATA roles group membership.
  5. VPN integration.
  6. Alert exclusions.
  7. Account details for HoneyToken accounts.
  8. Complete list of all entities (computers, groups, users) you wish to manually tag as Sensitive entities.
  9. Report scheduling details (list of reports and scheduled timing).

Note

Do not uninstall the ATA Center until all ATA Gateways are removed. Uninstalling the ATA Center with ATA Gateways still running leaves your organization exposed with no threat protection.

Move

Complete your move to Defender for Identity in two easy steps:

Step 1: Create and install Defender for Identity instance and sensors

  1. Create your new Defender for Identity instance.

  2. Uninstall the ATA Lightweight Gateway on all domain controllers.

  3. Install the Defender for Identity Sensor on all domain controllers.
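The prerequisites above (.NET Framework 4.7 or later, possible restart) and Step 1 (gateway removed, sensor installed) can be verified across all domain controllers in one pass. The following PowerShell is an added example, not part of the original guide or Microsoft's tooling; it assumes the RSAT Active Directory module is available, that .NET Framework 4.7 corresponds to the documented registry Release value 460798, and that the service names 'ATAGateway' (ATA Lightweight Gateway) and 'AATPSensor' (Defender for Identity sensor) match your installation.

```powershell
# Added example: post-Step-1 readiness check for every domain controller.
# Assumed service names: 'ATAGateway' (ATA Lightweight Gateway) and 'AATPSensor'
# (Defender for Identity sensor). Confirm both against your own installation.
$DomainControllers = (Get-ADDomainController -Filter *).HostName   # needs RSAT AD module

$Check = {
    # .NET Framework 4.x build is recorded as the 'Release' DWORD; 460798 = 4.7
    $ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = [int](Get-ItemProperty $ndp -ErrorAction SilentlyContinue).Release

    $ata    = Get-Service -Name 'ATAGateway' -ErrorAction SilentlyContinue
    $sensor = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue

    # CBS flag set when an update (for example a .NET upgrade) still needs a restart
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        DotNetRelease     = $release
        DotNet47OrLater   = ($release -ge 460798)
        AtaGatewayRemoved = ($null -eq $ata)
        SensorRunning     = [bool]($sensor -and $sensor.Status -eq 'Running')
        RebootPending     = (Test-Path $cbs)
    }
}

$results = Invoke-Command -ComputerName $DomainControllers -ScriptBlock $Check

$results | Sort-Object Computer |
    Format-Table Computer, DotNetRelease, DotNet47OrLater, AtaGatewayRemoved, SensorRunning, RebootPending -AutoSize

# Anything listed here still needs work before moving on to Step 2
$results | Where-Object { -not $_.DotNet47OrLater -or -not $_.AtaGatewayRemoved -or -not $_.SensorRunning } |
    ForEach-Object { Write-Warning "$($_.Computer): not ready for Defender for Identity (see table above)" }
```

Run it from a host with WinRM access to the domain controllers; a domain controller that reports RebootPending should be restarted before its sensor state is trusted.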

Step 2: Configure and validate Defender for Identity instance

Note

Certain tasks in the following list cannot be completed before installing Defender for Identity sensors and then completing an initial sync, such as selecting entities for manual Sensitive tagging. Allow up to 2 hours for the initial sync to be completed.

Configuration

Sign in to the Defender for Identity portal and complete the following configuration tasks.

| Step | Action | Status |
| --- | --- | --- |
| 1 | Set delayed updates on a selection of domain controllers | [ ] |
| 2 | Directory Services account details | [ ] |
| 3 | Configure Syslog notifications | [ ] |
| 4 | Integrate VPN information | [ ] |
| 5 | Configure WDATP integration | [ ] |
| 6 | Set HoneyToken accounts | [ ] |
| 7 | Tag Sensitive entities | [ ] |
| 8 | Create security alert exclusions | [ ] |
| 9 | Email notification toggles | [ ] |
| 10 | Schedule report settings (list of reports and scheduled timing) | [ ] |
| 11 | Configure role-based permissions | [ ] |
| 12 | SIEM notification configuration (IP address) | [ ] |

Validation

Within the Defender for Identity portal:

After the move

This section of the guide explains the actions that can be performed after completing your move.

Note

Importing existing security alerts from ATA into Defender for Identity is not supported. Make sure to record or remediate all existing ATA alerts before decommissioning the ATA Center.

  • Decommission the ATA Center

    • To be able to reference the ATA Center data after the move, we recommend keeping the center data online for a period of time. After the ATA Center is decommissioned, the resources allocated to it can typically be reduced, especially if it runs as a virtual machine.
  • Back up MongoDB

Mission accomplished

Congratulations! Your move from ATA to Defender for Identity is complete.

Next steps

Learn more about Defender for Identity features, functionality, and security alerts.

Join the Community

Do you have more questions, or an interest in discussing Defender for Identity and related security with others? Join the Defender for Identity Community today!