We’ve helped organizations embrace Microsoft’s Advanced Threat Analytics (ATA) solution to protect their Active Directory environments from attacks.
On January 12th, 2021, mainstream support for this product ends. ATA version 1.9.3, released on September 14th, 2020 is the final update as part of mainstream support.
It’s time to move on to Microsoft Defender for Identity.
About Microsoft Advanced Threat Analytics (ATA)
Microsoft Advanced Threat Analytics (ATA) is a solution to detect suspicious activities and Identity-related attacks to Active Directory environments. ATA monitors all devices in the network performing authentication and authorization requests against Active Directory, including non-Windows and mobile devices.
Three weeks after deployment, ATA starts to detect suspicious behavioral activities, because it first needs to learn the normal behavior of users and devices. Known malicious attacks and security issues, by contrast, are detected immediately after deployment.
In addition to analyzing Active Directory traffic using deep packet inspection technology, ATA can also collect relevant events from your Security Information and Event Management (SIEM) implementation and from the event logs if the organization configures Windows Event Log forwarding.
ATA is licensed as part of the Enterprise Mobility + Security (EMS) E5 license, and is available as a part of Microsoft 365 E5 licensing. In grandfathered licensing schemes, ATA was part of the Enterprise Client Access License (CAL) suite.
About Microsoft Defender for Identity
Azure Advanced Threat Protection (ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Previously labeled Azure Advanced Threat Protection (Azure ATP), Microsoft Defender for Identity is a cloud service with lightweight agents on each of the Domain Controllers in the Active Directory environment.
In contrast to Microsoft Advanced Threat Analytics (ATA), Microsoft Defender for Identity leverages cloud-based Machine Learning (ML) to detect threats. This removes the need for organizations to maintain on-premises analysis infrastructure and to keep detection rules current themselves.
Start migrating today
The end of mainstream support should be your start signal to:
- Stop new deployments
Deployments that start during extended support may not deliver their full benefits within the timeframe allotted to the deployment. This time period is typically 4-5 years and is determined by economic motives. It’s unpopular to say today that new deployments should not be built using Windows Server 2016, but it is already the best thing to do today.
- Migrate off the product to a successor, if such a product or service exists
Microsoft has introduced its lifecycle policies to help organizations determine their right courses of action ahead of time. Despite this information being available without registration and for free, some organizations still end up using unsupported versions and migrating off products after their end of support date.
Steps to migrate
To migrate from Advanced Threat Analytics (ATA) to Microsoft Defender for Identity, follow these steps:
Currently, version 1.9.3 is the latest version of Advanced Threat Analytics (ATA). If you run an older version of ATA, upgrade to the latest version. You can upgrade from 1.8.x versions directly. For older versions, an upgrade path scheme is available.
In terms of licenses, Microsoft Defender for Identity is not part of the Enterprise CAL suite. If your organization intends to use Microsoft Defender for Identity, an upgrade to the Enterprise Mobility + Security (EMS) E5 or Microsoft 365 E5 suite is necessary.
Meet the requirements
Microsoft Advanced Threat Analytics (ATA) and Microsoft Defender for Identity are totally different products from an infrastructure point of view. You will need to meet additional requirements:
- You need an Azure AD tenant
- You need an account with Global administrator privileges to configure Microsoft Defender for Identity
- All Domain Controllers and Read-only Domain Controllers need to run Windows Server 2012 or later. Windows Server 2019-based Domain Controllers need to run at least the February 2019 cumulative update (KB4487044).
- All Domain Controllers and Read-only Domain Controllers need to run .NET Framework version 4.7 or later.
- All Domain Controllers need to be able to send traffic to *.atp.azure.com on TCP port 443. This traffic can be exchanged through a proxy server. Any (privileged access) workstations that will be used to manage Microsoft Defender for Identity require the same network access.
- A new standard user account as the sensor’s service account, or a new group Managed Service Account (gMSA)
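As an added example (not part of the original post or of Microsoft's own tooling), the following PowerShell script checks the prerequisites listed above on a Domain Controller before the sensor is installed. It assumes that `$InstanceHost` is replaced with your own instance's *.atp.azure.com name, that the .NET Framework 4.7 release value in the registry is 460798 or higher, and that KB4487044 corresponds to OS build 17763.316.

```powershell
# Prerequisite check for the Microsoft Defender for Identity sensor.
# Run elevated on each Domain Controller / Read-only Domain Controller.
param(
    # Placeholder: replace with the real <instance>.atp.azure.com endpoint.
    [string]$InstanceHost = 'CONTOSO-PLACEHOLDER.atp.azure.com'
)

$results = [ordered]@{}

# 1. Windows Server 2012 (NT 6.2) or later
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$osVersion = [version]$os.Version
$results['OS version 6.2 (Server 2012) or later'] = $osVersion -ge [version]'6.2'

# 2. Windows Server 2019 (build 17763) must carry KB4487044 (revision 316) or later.
#    Later cumulative updates supersede the KB, so compare the UBR instead of Get-HotFix.
if ($osVersion.Build -eq 17763) {
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    $results['Server 2019 revision 316 (KB4487044) or later'] = $ubr -ge 316
}

# 3. .NET Framework 4.7 or later (Release 460798 = 4.7 on Windows 10 1703, 460805 elsewhere)
$ndp     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
$results['.NET Framework 4.7 or later'] = ($null -ne $release) -and ($release -ge 460798)

# 4. Outbound TCP 443 to the instance endpoint. This is a direct TCP test; if the
#    sensor will use a proxy, test the proxy's address and port here instead.
$tnc = Test-NetConnection -ComputerName $InstanceHost -Port 443 -WarningAction SilentlyContinue
$results["TCP 443 to $InstanceHost"] = $tnc.TcpTestSucceeded

# 5. The ATA Lightweight Gateway must be uninstalled before the new sensor is installed.
#    Assumption: its service display name starts with 'Microsoft Advanced Threat Analytics Gateway'.
$ataGateway = Get-Service -DisplayName 'Microsoft Advanced Threat Analytics Gateway*' -ErrorAction SilentlyContinue
$results['ATA Lightweight Gateway not present'] = ($null -eq $ataGateway)

# Print one PASS/FAIL line per requirement.
foreach ($entry in $results.GetEnumerator()) {
    '{0,-50} {1}' -f $entry.Key, $(if ($entry.Value) { 'PASS' } else { 'FAIL' })
}
```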
Create the Microsoft Defender for Identity instance
To get started with Microsoft Defender for Identity, create your instance in the Azure Portal. After creation, assign any co-administrators the Administrators, Users and/or Viewers role groups.
Switch out the sensors
Uninstall the ATA Lightweight Gateway on all Active Directory Domain Controllers and install the Azure ATP Sensor on all Active Directory Domain Controllers. Next, configure the sensor with the new service account.
Decommission the ATA Center
Microsoft ATA relied on an ATA Center installation on the network. Its security alerts and reports are not migrated over. To reference this information, keep the ATA Center online for a period of time. After decommissioning the ATA Center, its resources can typically be deallocated, especially if the ATA Center is a virtual machine.
Extended support for Advanced Threat Analytics (ATA) continues until January 2026.
ATA is part of the Enterprise Mobility + Security E3 (!) and, as a result of this, also part of EMS E5.
My experience is that organizations who currently (still) use ATA have EMS/Microsoft365 E3 licenses and have activated the separate on-premises ATA product keys through the Volume Licensing Service Center (VLSC).
To utilize Microsoft Defender for Identity, though, the EMS/Microsoft365 E3 license needs to be 'upgraded' to EMS/Microsoft365 E5.