ATA data security and privacy

Applies to: Advanced Threat Analytics version 1.9


This article provides steps for how to delete personal data from the device or service and can be used to support your obligations under the GDPR. If you’re looking for general info about GDPR, see the GDPR section of the Service Trust portal.

Searching for and identifying personal data

All data in ATA that relates to entities is derived from Active Directory (AD) and replicated to ATA from there. When searching for personal data, the first place you should consider searching is AD.

From the ATA Center, use the search bar to view the identifiable personal data that is stored in the database. Users can search for a specific user or device. Clicking on the entity will open the user or device profile page. The profile provides you with the comprehensive details about the entity, it's history, and related network activity derived from AD.

Updating personal data

Personal data about users and entities in ATA is derived from the user's object in your organization's AD. Because of this, any changes made to the user profile in AD are reflected in ATA.

Deleting personal data

Although data in ATA is replicated and always updated from AD, when an entity is deleted in AD, the entity’s data in ATA is maintained for purposes of security investigation.

To permanently delete user-related data from the ATA database, follow this procedure:

  1. Download the MongoDB script (gdpr.js).

  2. Copy the script into the ATA folder (located at "C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB and run the following command from the ATA Center machine:

Use the ATA GDPR database script to delete entities and delete entity activity data, as described in the following sections.

Delete entities

This action permanently deletes an entity from the ATA database. To run this command, provide the command name deleteAccount, and the SamName, UpnName or GUID of the computer or username you wish to delete. For example:

"C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin\mongo.exe" ATA --eval "var params='deleteAccount,';" GDPR.js

Running this completely removes the entity with the UPN from the database along with all the activities and security alerts associated with the entity.

Delete entity activity data

This action permanently deletes an entity's activities data from the ATA database. All entities will are unchanged but the activities and security alerts related to them for the specified timeframe are deleted.

To run this command, provide the command name deleteOldData, and the number of days of data you want to keep in the database.

For example:

"C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin\mongo.exe" ATA --eval "var params='deleteOldData,30';" GDPR.js

This script removes all data for all entity activities and security alerts from the database that are older than 30 days. You will retain only the last 30 days of data.

Exporting personal data

Because the data related to entities in ATA is derived from AD, only a subset of that data is stored in the ATA database. For this reason, you should export entity-related data from AD.

ATA enables you to export to Excel all security-related information, which might include personal data.

Opt-out of system-generated logs

ATA collects anonymized system-generated logs about each deployment and transmits this data over HTTPS to Microsoft servers. This data is used by Microsoft to help improve future versions of ATA.

For more information, see Manage system-generated logs.

To disable data collection:

  1. Log in to the ATA Console, click the three dots in the toolbar and select About.
  2. Uncheck the box for Send us usage information to help improve your customer experience in the future.

Additional resources