Advanced Threat Analytics(ATA) deployment Steps. Part-I

[bing_translator]Hello our solution enthusiasts. In this Post, we will go through Advanced threat analytics step by step installation, setup and looking around its capabilities. We will refer this as ATA.

ATA is an on-prem product of Microsoft and helps protect your enterprise in various ways. that could be any anonymous cyber attacks, threats using multiple techniques around your network. Internet is extremely vulnerable to attacks and its our responsibility to keep it secured and get aware of any abnormal and suspicious activities quickly to act. You can read about it here

As you go through and understand what it is, i will walk you through the installation steps along with Pre and post installation steps.

Don't forget go through Part2 of this blog to understand capabilities of ATA

In this setup, i am using four machines


Computer name Description
DC First Domain controller Server 2012 R2 in
DC2 Second DC in same forest running Windows server 2012 R2
ATACenter Windows Server 2012 R2 and is member of
ATAGateway Windows Server 2012 R2 and is member of
Client1 Windows 7 client and is member of domain


I am using hyper-V to host these machines. Lets start with Activity 1.

Step1: Configure port mirror on DC

  • In Hyper-V manager, go to settings for DC -->Advanced features -->Port mirroring.
  • Change the mirroring mode to Source from drop down menu.




  • Connect to ATAGateway and note down MacAddress. (Remember to have 2 network adaptor for ATA gateway server and i am checking Mac address of 2nd adaptor named capture)

On powershell, Type "Get-netAdapter -Name Capture"



And that's my second adaptor



  • Scroll down for this adaptor and enable mirroring mode to set it as destination.



  • To verify your port mirroring is success and correctly configured, you can use network monitor tool.

Step 2: Validate  Service account of ATA

Note: ATAGateway server should be able to query DC via LDAP using the account credentials that ATA is going to use. this is necessary to retrieve the users, computers and other objects. This is a requirement. I will use LDAP connection from ATAGateway to DC using account contoso\ATAService. This account will need read permission to access all object that will be monitored.

  • On ATAGateway VM, run LDP.exe
  • On connection, client connect on top left corner and enter your DC name. in my case its -->OK

(This confirms, name resolution is working)

  • Again click on connection and select Bind -->Bind with credential--> Enter. Input credential (Contoso\ATAservice) and click OK, notice the output as you will be expecting when all is good



Note: If you click on view and expand Tree, you should see objects of domain.

Step 3: Assign Permission to ATAService

Note: ATAService account needs to have read permission on deleted object container in domain.

  • On elevated cmd prompt, type the command 'dsacls "CN=Deleted Objects,DC=Contoso,DC=Com" /takeownership'  -->ENTER. this will take ownership on deleted object container.



  • Again on elevated cmd prompt type: dsacls "CN=Deleted objects,DC=Contoso,DC=com" /G CONTOSO\ATAService:LCRP  -->ENTER to grant permission to view objects


Note: Upto this point, we have completed our pre installation steps of ATA. Next we will go with installation. Lets start with Step4

Step4: ATA center Installation:-

  • Run the downloaded setup file.



  • As you move forward accepting the EULA with default steps and you reach to below page, Enter details.



  1. ATA center service IP address is used by ATA Gateway to communicate with ATA Center. ATA console IP is used to connect to ATA console. As you install Gateway, ATA Gateway will register with ATA center using ATA Console IP on port 443

  2. In case you have one IP address, you can modify the port number used by ATA center service. ATA console will always use 443

  3. In production, we recommend you to use PKI cert instead of self signed certificate.

  • Launch the page by hitting on launch after completion message. Click Continue to this website(not recommended) hyperlink to continue.



  • Enter credential in directory services page




Step 5: Configure HoneyToken user (User that have no activity)

  • On PS prompt, type: Get-AdUser Admin -->ENTER to get SID




  • Copy the SID and paste under detection settings -->Save  (Don't forget to hit on + next to ID before saving)



Note: We are done with configuration. Next we will install ATA Gateway

Step 6: ATA Gateway Installation steps.

  • On ATAGateway server, go to URL (Console IP address)
  • Click on "Download Gateway setup and install the first Gateway" --> save the file
  • Extract the file and run the setup.



Note:-. Net framework 4.6.1 has to be preinstalled. if preinstalled, it will avoid reboot while installation of ATA Gateway.

  • Select the available option as below after you pass welcome window.



  • In the next page, we will create a self signed certificate. and enter user name and password -->Install



Note:- The user account is set for gateway and is domain admin here.

  • Launch once install is completed.

Step 7: Configure ATA gateway

  • Once you hit Launch in previous step, the page opens. and you see the status of gateway below. Click on Not Configured


  • Enter the information as below. And select Capture check box (Remember 2 network adapter of ATA gateway from above and we are selecting second adapter) -->Save



  • Verify "Microsoft Advanced Threat Analytics gateway" service is running, this may take long time before it reaches to running from starting.

2017-04-26_0-05-47 2017-04-26_0-07-18


  • Once service is started, verify if user and computer are synced in ATA console.



Note: Once we have ATA gateway installed, we will setup our lightweight Gateway.

Step 8:- Install Lightweight gateway.

  • On DC2, browse to console IP and download gateway setup and save it.
  • Run Microsoft ATA Gateway setup.exe. (Remember to extract it and not run from zip file)
  • Setup automatically identifies already installed ATAgateway and asks you to install lightweight gateway.



  • Enter credential as you did for ATAGateway.
  • Once done, service will turn into running.



Note:- First time the service starts will take approx. 15-20 min until it turns from starting to running.

This concludes our Advanced Threat Analytics server setup.

In next blog, we will discuss on how to track suspicious activities across the network. Please check Blog 2.