Advanced Threat Analytics (ATA) to Microsoft Defender for Identity
Use this guide to move from an existing ATA installation to the (Microsoft Defender for Identity) service. The guide explains Defender for Identity prerequisites and requirements, and details how to plan and then complete your move. Validation steps and tips to take advantage of the latest threat protection and security solutions with Defender for Identity after installation are also included.
To learn more about the differences between ATA and Defender for Identity, see the Defender for Identity frequently asked questions.
In this guide you will:
- Review and confirm Defender for Identity service prerequisites
- Document your existing ATA configuration
- Plan your move
- Set up and configure your Defender for Identity service
- Perform post move checks and verification
- Decommission ATA after completing the move
Moving to Defender for Identity from ATA is possible from any ATA version. However, as data cannot be moved from ATA to Defender for Identity, it is recommended to retain your ATA Center data and alerts required for ongoing investigations until all ATA alerts are closed or remediated.
An Azure Active Directory tenant with at least one global/security administrator is required to create a Defender for Identity instance. Each Defender for Identity instance supports a multiple Active Directory forest boundary and Forest Functional Level (FFL) of Windows 2003 and above.
Defender for Identity requires .Net Framework 4.7 or later and may require a domain controller (restart) if your current .Net Framework version is not 4.7 or later.
Validate that all domain controllers you plan to use have sufficient internet access to the Defender for Identity service. Check and confirm your domain controllers meet the Defender for Identity proxy configuration requirements.
This migration guide is designed for Defender for Identity sensors only.
Make sure to gather the following information before starting your move:
- Account details for your Directory Services account.
- Syslog notification settings.
- Email notification details.
- ATA roles group membership
- VPN integration
- Alert exclusions
- Exclusions are not transferable from ATA to Defender for Identity, so details of each exclusion are required to replicate the exclusions in Defender for Identity.
- Account details for HoneyToken accounts.
- If you don't already have dedicated HoneyToken accounts, learn more about HoneyTokens in Defender for Identity and create new accounts to use for this purpose.
- Complete list of all entities (computers, groups, users) you wish to manually tag as Sensitive entities.
- Learn more about the importance of Sensitive entities in Defender for Identity.
- Report scheduling details (list of reports and scheduled timing).
Do not uninstall the ATA Center until all ATA Gateways are removed. Uninstalling the ATA Center with ATA Gateways still running leaves your organization exposed with no threat protection.
Complete your move to Defender for Identity in two easy steps:
Step 1: Create and install Defender for Identity instance and sensors
Uninstall the ATA Lightweight Gateway on all domain controllers.
Install the Defender for Identity Sensor on all domain controllers:
Step 2: Configure and validate Defender for Identity instance
Certain tasks in the following list cannot be completed before installing Defender for Identity sensors and then completing an initial sync, such as selecting entities for manual Sensitive tagging. Allow up to 2 hours for the initial sync to be completed.
Sign in to the Defender for Identity portal and complete the following configuration tasks.
|1||Set delayed updates on a selection of domain controllers||- [ ]|
|2||Directory Services account details||- [ ]|
|3||Configure Syslog notifications||- [ ]|
|4||Integrate VPN information||- [ ]|
|5||Configure WDATP integration||- [ ]|
|6||Set HoneyTokens accounts||- [ ]|
|7||Tag Sensitive entities||- [ ]|
|8||Create Security alert exclusions||- [ ]|
|9||Email notification toggles||- [ ]|
|10||Schedule report settings (list of reports and scheduled timing)||- [ ]|
|11||Configure Role based permissions||- [ ]|
|12||SIEM notification configuration (IP address)||- [ ]|
Within the Defender for Identity portal:
- Review any health alerts for signs of service issues.
- Review Defender for Identity Sensor error logs for any unusual errors.
After the move
This section of the guide explains the actions that can be performed after completing your move.
Import of existing security alerts from ATA to Defender for Identity are not supported. Make sure to record or remediate all existing ATA alerts before decommissioning the ATA Center.
Decommission the ATA Center
- To reference the ATA Center data after the move, we recommend keeping the center data online for a period of time. After decommissioning the ATA Center, the number of resources can typically be reduced, especially if the resources are a Virtual Machine.
Back up Mongo DB
- If you wish to keep the ATA data indefinitely, back up Mongo DB.
Congratulations! Your move from ATA to Defender for Identity is complete.
Join the Community
Do you have more questions, or an interest in discussing Defender for Identity and related security with others? Join the Defender for Identity Community today!