Advanced Threat Analytics (ATA) to Azure Advanced Threat Protection (Azure ATP)
Use this guide to move from an existing ATA installation to the Azure Advanced Threat Protection (Azure ATP) service. The guide explains Azure ATP prerequisites and requirements, and details how to plan and then complete your move. Validation steps and tips to take advantage of the latest threat protection and security solutions with Azure ATP after installation are also included.
To learn more about the differences between ATA and Azure ATP, see the [Azure ATP frequently asked questions](https://docs.microsoft.com/azure-advanced-threat-protection/atp-technical-faq#what-is-azure-atp).
In this guide you will:
- Review and confirm Azure ATP service prerequisites
- Document your existing ATA configuration
- Plan your move
- Set up and configure your Azure ATP service
- Perform post move checks and verification
- Decommission ATA after completing the move
Moving to Azure ATP from ATA is possible from any ATA version. However, as data cannot be moved from ATA to Azure ATP, it is recommended to retain your ATA Center data and alerts required for ongoing investigations until all ATA alerts are closed or remediated.
An Azure Active Directory tenant with at least one global or security administrator is required to create an Azure ATP instance. Each Azure ATP instance supports multiple Active Directory forests with a Forest Functional Level (FFL) of Windows 2003 and above.
Azure ATP requires .NET Framework 4.7 and may require a domain controller restart if .NET Framework 4.7 is not already installed.
Validate that all domain controllers you plan to use have sufficient internet access to the Azure ATP service. Check and confirm your domain controllers meet the Azure ATP proxy configuration requirements.
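The following PowerShell function is an added example, not part of the original guide, for pre-checking the two prerequisites above on each domain controller: the .NET Framework 4.7 requirement and HTTPS reachability of the Azure ATP service. It assumes Windows Server 2012 or later (for Test-NetConnection), that the instance name is the prefix of your `<name>.atp.azure.com` portal address, and that the sensor endpoint follows the `<name>sensorapi.atp.azure.com` pattern; `contoso` is a placeholder.

```powershell
# Added example (not from the original guide): pre-check Azure ATP sensor prerequisites on a DC.
function Test-AzureAtpPrerequisites {
    param(
        # Placeholder: your Azure ATP instance name (the <name> in <name>.atp.azure.com)
        [Parameter(Mandatory = $true)][string]$InstanceName
    )

    # .NET Framework 4.x records its version as a "Release" DWORD in the registry;
    # 460798 is the lowest Release value that corresponds to .NET Framework 4.7.
    $ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
    $netResult = 'FAIL: install .NET Framework 4.7 (a DC restart may be required)'
    if ($null -ne $release -and $release -ge 460798) { $netResult = 'PASS' }
    [pscustomobject]@{ Check = '.NET Framework 4.7 or later'; Result = $netResult; Detail = "Release=$release" }

    # The sensor reaches the service over TCP 443. The second host name is the
    # assumed <instance>sensorapi.atp.azure.com pattern used by Azure ATP sensors.
    $serviceHosts = @("$InstanceName.atp.azure.com", "${InstanceName}sensorapi.atp.azure.com")
    foreach ($h in $serviceHosts) {
        # Direct TCP test: tells you whether the DC can reach the service without a proxy.
        $tnc = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        $tcpResult = 'FAIL: check firewall rules or proxy configuration'
        if ($tnc.TcpTestSucceeded) { $tcpResult = 'PASS' }
        [pscustomobject]@{ Check = "Direct TCP 443 to $h"; Result = $tcpResult; Detail = "RemoteAddress=$($tnc.RemoteAddress)" }

        # A direct TCP test fails on DCs that only reach the internet through a proxy,
        # so also send an HTTPS request, which honours the system (WinINET) proxy.
        # Any HTTP status code, even 4xx, proves the service endpoint was reached.
        try {
            $resp   = Invoke-WebRequest -Uri "https://$h/" -UseBasicParsing -TimeoutSec 15
            $status = [int]$resp.StatusCode
        } catch {
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            else { $status = $_.Exception.Message }
        }
        $httpResult = 'FAIL: check the Azure ATP proxy configuration requirements'
        if ($status -is [int]) { $httpResult = 'PASS' }
        [pscustomobject]@{ Check = "HTTPS (via proxy if set) to $h"; Result = $httpResult; Detail = "Status=$status" }
    }
}

# Usage on each domain controller:
Test-AzureAtpPrerequisites -InstanceName 'contoso' | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on every domain controller you plan to install a sensor on, and resolve every FAIL row before starting Step 1.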
This migration guide is designed for Azure ATP sensors only. For more information, see choosing the right sensor for your deployment.
Make sure to gather the following information before starting your move:
- Account details for your Directory Services account.
- Syslog notification settings.
- Email notification details.
- ATA roles group membership.
- VPN integration.
- Alert exclusions.
  - Exclusions are not transferable from ATA to Azure ATP, so details of each exclusion are required to replicate the exclusions in Azure ATP.
- Account details for HoneyToken accounts.
  - If you don't already have dedicated HoneyToken accounts, learn more about HoneyTokens in Azure ATP and create new accounts to use for this purpose.
- Complete list of all entities (computers, groups, users) you wish to manually tag as Sensitive entities.
  - Learn more about the importance of Sensitive entities in Azure ATP.
- Report scheduling details (list of reports and scheduled timing).
- Identification and details of each ATA Lightweight Gateway that is an Azure ATP Domain Synchronizer candidate.
  - Learn more about the importance of Domain Synchronizer candidates in Azure ATP.
Do not uninstall the ATA Center until all ATA Gateways are removed. Uninstalling the ATA Center with ATA Gateways still running leaves your organization exposed with no threat protection.
Complete your move to Azure ATP in two easy steps:
Step 1: Create and install Azure ATP instance and sensors
Uninstall the ATA Lightweight Gateway on all domain controllers.
Install the Azure ATP Sensor on all domain controllers:
Step 2: Configure and validate Azure ATP instance
Certain tasks in the following list, such as selecting entities for manual Sensitive tagging, cannot be completed until the Azure ATP sensors are installed and an initial sync has completed. Allow up to 2 hours for the initial sync to complete.
Sign in to the Azure ATP portal and complete the following configuration tasks.
| Step | Task | Done |
|---|---|---|
| 1 | Set delayed updates on a selection of domain controllers | [ ] |
| 2 | Directory Services account details | [ ] |
| 3 | Configure Domain Synchronizer candidates | [ ] |
| 4 | Configure Syslog notifications | [ ] |
| 5 | Integrate VPN information | [ ] |
| 6 | Configure WDATP integration | [ ] |
| 7 | Set HoneyTokens accounts | [ ] |
| 8 | Tag Sensitive entities | [ ] |
| 9 | Create Security alert exclusions | [ ] |
| 10 | Email notification toggles | [ ] |
| 11 | Schedule report settings (list of reports and scheduled timing) | [ ] |
| 12 | Configure Role based permissions | [ ] |
| 13 | SIEM notification configuration (IP address) | [ ] |
Within the Azure ATP portal:
- Review any health alerts for signs of service issues.
- Review Azure ATP Sensor error logs for any unusual errors.
After the move
This section of the guide explains the actions that can be performed after completing your move.
Importing existing security alerts from ATA into Azure ATP is not supported. Make sure to record or remediate all existing ATA alerts before decommissioning the ATA Center.
Decommission the ATA Center
- To be able to reference the ATA Center data after the move, we recommend keeping the center data online for a period of time. After decommissioning the ATA Center, the resources allocated to it can typically be reduced, especially if it runs on a virtual machine.
Back up MongoDB
- If you wish to keep the ATA data indefinitely, back up MongoDB.
Congratulations! Your move from ATA to Azure ATP is complete.
Join the Community
Do you have more questions, or an interest in discussing Azure ATP and related security with others? Join the Azure ATP Community today!