Enhancing Security in the Hybrid Cloud: Step-by-Step to Connect Advanced Threat Analytics to Azure Security Center

Posted by Augusto Alvarez on November 15, 2017

We have discussed on this blog before the importance that Microsoft and the other cloud providers have placed on security features and products over the last couple of years. The well-publicized security incidents of 2017 alone cost companies billions, hence the large number of releases from Microsoft to address these incidents and, above all, reassure their customers about the cloud.

Microsoft Advanced Threat Analytics (ATA) combines several of these recent security enhancements. In this article, we review how to connect the ATA platform to Azure Security Center so that its alerts are monitored reliably from the cloud.

Microsoft Advanced Threat Analytics abnormal behavior prevention

What is Advanced Threat Analytics?

ATA is an on-premises platform that organizations deploy to detect abnormal behavior in activities related to user authentication and authorization. ATA collects data from the network (through port mirroring of Domain Controller traffic to an ATA Gateway, or with the Lightweight Gateway installed directly on the DCs), parses the logs and events, analyses the data and generates reports about potentially malicious activity in the network.

Microsoft states that 60% of all successful attacks rely on compromised credentials. Therefore, ATA focuses mainly on collecting data from the authentication source in a domain: the Active Directory Domain Controllers. What sets ATA apart is that it analyses several types of data, connects the dots between activities, logs and events, and uses its engine, with machine learning capabilities, to detect abnormal behavior or suspicious activities.

Microsoft Advanced Threat Analytics sequence

Connecting ATA with Azure

Most organizations have explored, or are currently exploring, the hybrid cloud model; moving some infrastructure components to the cloud is usually the first step. Securing this hybrid scenario is just as important, and ATA comes in handy for that requirement.

This is the step-by-step process to integrate Advanced Threat Analytics with Azure Security Center:

  1. Log on to the Advanced Threat Analytics (ATA) portal.
  2. Open the Syslog Server panel in the portal.
  3. In the Syslog server endpoint field, type 127.0.0.7, and type any port that is free on the ATA Center; 5114 is a good example, and it is the port Microsoft uses in its own documentation. Click Save. Note that the endpoint is a loopback address: plain syslog carries no encryption, so the alerts are handed to the agent on the same host rather than sent across the network.
  4. Click Notifications and make sure all of them are enabled; the syslog forwarder only sends the notification types that are switched on, so anything left disabled never reaches Security Center. Click Save.
  5. Open the Azure Security Center dashboard.
  6. On the left pane, click Security Solutions.
  7. Under Advanced Threat Analytics, click Add.
  8. Follow the steps and click Download agent.
  9. In the Add new non-Azure computer page, select the workspace.
  10. In the Direct Agent page, download the appropriate Windows agent, and take note of the Workspace ID and Primary Key that the panel shows. Treat the Primary Key as a credential: anyone holding it can onboard agents to, and push data into, that workspace.
  11. Install the agent on the Advanced Threat Analytics Center. Select the option "Connect the agent to Azure Log Analytics (OMS)", and provide the Workspace ID and Primary Key from the previous step.
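Once the eleven steps above are done, the hand-off from ATA to Security Center depends on three things being true on the ATA Center host: the syslog endpoint is a loopback address, something is actually bound to the chosen port, and the Log Analytics agent is connected to the workspace selected in step 9. The following PowerShell script is an added example that checks all three; it is not part of the original post or of Microsoft's tooling. It assumes the endpoint and port configured in step 3 (127.0.0.7 and 5114), that the agent was installed on the same host in step 11, and that the Workspace ID noted in step 10 is passed in as `$ExpectedWorkspaceId` (the default value is a placeholder). Run it in an elevated PowerShell session on the ATA Center.

```powershell
# Added example: verify the ATA -> Security Center syslog/agent hand-off.
# Assumptions: syslog endpoint from step 3, agent installed in step 11,
# Workspace ID from step 10 passed as -ExpectedWorkspaceId (default is a placeholder).
param(
    [string]$SyslogHost = '127.0.0.7',
    [int]$SyslogPort = 5114,
    [string]$ExpectedWorkspaceId = '00000000-0000-0000-0000-000000000000'  # placeholder, replace
)

$ok = $true

# 1. The syslog endpoint must be loopback. Plain syslog has no encryption, so any
#    non-loopback address would push ATA alerts across the network in clear text.
if ($SyslogHost -notmatch '^127\.') {
    Write-Warning "Syslog endpoint $SyslogHost is not a loopback address; alerts would leave the host unencrypted."
    $ok = $false
}

# 2. Something must be bound to the port, otherwise ATA's messages are dropped
#    silently. ATA can use UDP or TCP transport, so check both.
$udp = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue
$tcp = Get-NetTCPConnection -LocalPort $SyslogPort -State Listen -ErrorAction SilentlyContinue
if (-not $udp -and -not $tcp) {
    Write-Warning "Nothing is listening on port $SyslogPort; re-check the agent installation (step 11)."
    $ok = $false
} else {
    @($udp) + @($tcp) | Where-Object { $_ } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "Port $SyslogPort is bound by PID $($_.OwningProcess) ($($proc.ProcessName))"
    }
}

# 3. The Microsoft Monitoring Agent service (HealthService) must be running and
#    connected to the expected workspace. AgentConfigManager.MgmtSvcCfg is the
#    agent's own COM configuration interface; ConnectionStatus 0 means "Connected".
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'HealthService (Microsoft Monitoring Agent) is not installed or not running.'
    $ok = $false
} else {
    $cfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
    $workspaces = @($cfg.GetCloudWorkspaces())
    $match = $workspaces | Where-Object { $_.workspaceId -eq $ExpectedWorkspaceId }
    if (-not $match) {
        Write-Warning "Agent is not configured for workspace $ExpectedWorkspaceId (configured: $($workspaces.workspaceId -join ', '))."
        $ok = $false
    } elseif ($match.ConnectionStatus -ne 0) {
        Write-Warning "Workspace $ExpectedWorkspaceId is not connected: $($match.ConnectionStatusText)"
        $ok = $false
    } else {
        "Agent is connected to workspace $ExpectedWorkspaceId"
    }
}

if ($ok) {
    'ATA -> Security Center integration checks passed.'
} else {
    'One or more checks failed; see the warnings above.'
}
```

If check 2 fails while the agent service is running, the port typed in step 3 and the port the agent was told to collect from do not match; fix one side rather than opening the port on the host firewall, since the traffic is meant to stay on loopback.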

With that, the integration should be complete and you should be able to see Advanced Threat Analytics as a “Connected solution”.

Connected solutions to Azure Security Center




Augusto Alvarez
Augusto is currently working as a Principal Consultant at Dell EMC; originally from Argentina, he is now based in the US. His role involves translating customer requirements into specific systems and processes, delivering technical briefings, and leading architectural design sessions and proofs of concept. Augusto is also the author of two published App-V books: "Getting Started Microsoft Application Virtualization 4.6" and "Microsoft Application Virtualization Advanced Guide".