Advanced Threat Analytics (ATA) to Azure Advanced Threat Protection (Azure ATP)

Use this guide to move from an existing ATA installation to the Azure Advanced Threat Protection (Azure ATP) service. The guide explains Azure ATP prerequisites and requirements, and details how to plan and then complete your move. Validation steps and tips to take advantage of the latest threat protection and security solutions with Azure ATP after installation are also included.

In this guide you will:

  • Review and confirm Azure ATP service prerequisites
  • Document your existing ATA configuration
  • Plan your move
  • Set up and configure your Azure ATP service
  • Perform post move checks and verification
  • Decommission ATA after completing the move

Note

Moving to Azure ATP from ATA is possible from any ATA version. However, as data cannot be moved from ATA to Azure ATP, it is recommended to retain your ATA Center data and alerts required for ongoing investigations until all ATA alerts are closed or remediated.

Prerequisites

  • An Azure Active Directory tenant with at least one global/security administrator is required to create an Azure ATP instance. Each Azure ATP instance supports a boundary spanning multiple Active Directory forests and a Forest Functional Level (FFL) of Windows 2003 and above.

  • Azure ATP requires .NET Framework 4.7 and may require a domain controller restart if your current .NET Framework version is not 4.7.

  • Make sure your domain controllers meet all the Azure ATP sensor requirements and your environment meets all Azure ATP requirements.

  • Validate that all domain controllers you plan to use have sufficient internet access to the Azure ATP service. Check and confirm your domain controllers meet the Azure ATP proxy configuration requirements.
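The following PowerShell script is an added example, not part of the original guide, that runs the .NET Framework and outbound-connectivity checks above against every domain controller in the forest. It assumes the ActiveDirectory module, admin rights on the DCs, and that $ServiceHost (a placeholder here) is the service endpoint your tenant's sensors must reach; Test-NetConnection does not use a proxy, so a DC that relies on one will report the port as closed and needs the proxy settings confirmed separately.

```powershell
# Added example (not from the original guide): check Azure ATP sensor prerequisites
# on every domain controller in the forest.
# Assumptions: ActiveDirectory module present, admin rights on the DCs, and
# $ServiceHost is the endpoint your sensors must reach (placeholder; take the
# real value from your Azure ATP portal).
$ServiceHost = 'PLACEHOLDER-workspace.atp.azure.com'

# .NET Framework 4.7 registers a "Release" value of 460798 or higher under NDP\v4\Full.
$Net47Release = 460798

$dcs = Get-ADForest | Select-Object -ExpandProperty Domains |
       ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $Net47Release, $ServiceHost -ScriptBlock {
        param($minRelease, $svcHost)

        $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                    -ErrorAction SilentlyContinue).Release

        # The sensor runs as a service, so the machine-wide WinHTTP proxy is the one that matters.
        $proxy = (netsh winhttp show proxy | Out-String).Trim()

        # Direct TCP/443 reachability; a proxy-only DC fails this and must be checked via the proxy.
        $tcp = Test-NetConnection -ComputerName $svcHost -Port 443 -WarningAction SilentlyContinue

        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            NetRelease       = $release
            Net47OrLater     = ($release -ge $minRelease)
            Https443Direct   = $tcp.TcpTestSucceeded
            WinHttpProxy     = $proxy
        }
    }
}

$results | Format-Table -AutoSize
# DCs that still need work before a sensor can be installed
$results | Where-Object { -not $_.Net47OrLater -or -not $_.Https443Direct }
```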

Note

This migration guide is designed for Azure ATP sensors only. For more information, see choosing the right sensor for your deployment.

Plan

Make sure to gather the following information before starting your move:

  1. Account details for your Directory Services account.
  2. Syslog notification settings.
  3. Email notification details.
  4. ATA roles group membership.
  5. VPN integration.
  6. Alert exclusions.
  7. Account details for HoneyToken accounts.
    • If you don't already have dedicated HoneyToken accounts, learn more about HoneyTokens in Azure ATP and create new accounts to use for this purpose.
  8. Complete list of all entities (computers, groups, users) you wish to manually tag as Sensitive entities.
  9. Report scheduling details (list of reports and scheduled timing).
  10. Identification and details of each ATA Lightweight Gateway that is an Azure ATP Domain Synchronizer candidate.

Note

Do not uninstall the ATA Center until all ATA Gateways are removed. Uninstalling the ATA Center with ATA Gateways still running leaves your organization exposed with no threat protection.

Move

Complete your move to Azure ATP in two easy steps:

Step 1: Create and install Azure ATP instance and sensors

  1. Create your new Azure ATP instance.

  2. Uninstall the ATA Lightweight Gateway on all domain controllers.

  3. Install the Azure ATP Sensor on all domain controllers.
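As an added example (not part of the original guide), this PowerShell script checks every domain controller after step 3 so that no DC is left with the old gateway still installed or without a running sensor, which is the protection gap the note in the Plan section warns about. It assumes the service names 'ATAGateway' for the ATA Lightweight Gateway and 'AATPSensor' / 'AATPSensorUpdater' for the Azure ATP sensor; confirm them in services.msc on one host before relying on the output.

```powershell
# Added example (not from the original guide): after installing the sensors, confirm on
# every domain controller that the ATA Lightweight Gateway is gone and the Azure ATP
# sensor services are running.
# Assumed service names (verify on one host first): 'ATAGateway' for the ATA
# Lightweight Gateway, 'AATPSensor' and 'AATPSensorUpdater' for the Azure ATP sensor.
$gatewayService = 'ATAGateway'
$sensorServices = 'AATPSensor', 'AATPSensorUpdater'

$dcs = Get-ADForest | Select-Object -ExpandProperty Domains |
       ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$report = foreach ($dc in $dcs) {
    $svcs = Get-Service -ComputerName $dc.HostName -ErrorAction SilentlyContinue
    $gw   = $svcs | Where-Object Name -eq $gatewayService
    $sens = @($svcs | Where-Object { $_.Name -in $sensorServices })
    $notRunning = @($sens | Where-Object Status -ne 'Running')

    [pscustomobject]@{
        DomainController  = $dc.HostName
        Site              = $dc.Site
        AtaGatewayPresent = [bool]$gw
        SensorInstalled   = ($sens.Count -eq $sensorServices.Count)
        SensorRunning     = ($sens.Count -eq $sensorServices.Count) -and ($notRunning.Count -eq 0)
    }
}

$report | Format-Table -AutoSize
# Any DC listed here is either still running the old gateway or is unmonitored
$report | Where-Object { $_.AtaGatewayPresent -or -not $_.SensorRunning }
```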

Step 2: Configure and validate Azure ATP instance

Note

Certain tasks in the following list cannot be completed before installing Azure ATP sensors and then completing an initial sync, such as selecting entities for manual Sensitive tagging. Allow up to 2 hours for the initial sync to be completed.

Configuration

Sign in to the Azure ATP portal and complete the following configuration tasks.

Step   Action                                                               Status
1      Set delayed updates on a selection of domain controllers             [ ]
2      Directory Services account details                                   [ ]
3      Configure Domain Synchronizer candidates                             [ ]
4      Configure Syslog notifications                                       [ ]
5      Integrate VPN information                                            [ ]
6      Configure WDATP integration                                          [ ]
7      Set HoneyTokens accounts                                             [ ]
8      Tag Sensitive entities                                               [ ]
9      Create Security alert exclusions                                     [ ]
10     Email notification toggles                                           [ ]
11     Schedule report settings (list of reports and scheduled timing)      [ ]
12     Configure Role based permissions                                     [ ]
13     SIEM notification configuration (IP address)                         [ ]

Validation

Within the Azure ATP portal:

After the move

This section of the guide explains the actions that can be performed after completing your move.

Note

Importing existing security alerts from ATA to Azure ATP is not supported. Make sure to record or remediate all existing ATA alerts before decommissioning the ATA Center.

  • Decommission the ATA Center

    • To reference the ATA Center data after the move, we recommend keeping the center data online for a period of time. After decommissioning the ATA Center, the resources allocated to it can typically be reduced, especially if the ATA Center runs on a virtual machine.
  • Back up MongoDB

Mission accomplished

Congratulations! Your move from ATA to Azure ATP is complete.

Next steps

Learn more about Azure ATP features, functionality, and security alerts.

Join the Community

Do you have more questions, or an interest in discussing Azure ATP and related security with others? Join the Azure ATP Community today!