We have talked on this blog before about the importance Microsoft and the other cloud providers have been giving to security features and products over the last couple of years. The well-known security incidents in the industry in 2017 alone cost companies billions in losses, hence the large number of releases from Microsoft to address these incidents and, above all, to reassure their customers about the cloud.

Microsoft Advanced Threat Analytics (ATA) combines several of the latest security enhancements. In this article, we will review how to connect the ATA platform to Azure to guarantee reliable monitoring.

Microsoft Advanced Threat Analytics abnormal behavior prevention

What is Advanced Threat Analytics?

ATA is an on-premises platform that organizations can deploy to detect abnormal behavior in activities related to user authentication and authorization. ATA collects data from the network (port mirroring from Domain Controllers, or a gateway installed on the DCs themselves), parses the logs and events, analyses the data and generates reports about potentially malicious activity in the network.

Microsoft says that 60% of all successful attacks rely on compromised credentials. Therefore, ATA mainly focuses on collecting data from the authentication source in domains: Active Directory Domain Controllers. What sets ATA apart is that it analyses several types of data, connects the dots between activities, logs and/or events, and, using an engine with machine learning capabilities, detects abnormal behavior or suspicious activities.

Microsoft Advanced Threat Analytics sequence

Connecting ATA with Azure

Most organizations have explored, or are currently exploring, the alternatives around the hybrid cloud model, and having some infrastructure components in the cloud is always the initial step. Securing this hybrid scenario is also key, and this is where ATA comes in handy.

This is the step-by-step process to integrate Advanced Threat Analytics with Azure:

  1. Log on to the Advanced Threat Analytics (ATA) portal.
  2. Access the Syslog Server panel in the portal.
     Syslog Server panel
  3. In the Syslog server endpoint field, enter the endpoint, and use any unique port available in your network; 5114 is a good example (similar to the default option Microsoft uses). Click Save.
  4. Click Notifications and make sure all of them are enabled. Click Save.
     Syslog Server panel
  5. Access the Azure Security Center dashboard.
  6. On the left pane, click Security Solutions.
     Security Center - Security solutions
  7. Under Advanced Threat Analytics, click Add.
  8. Follow the steps and click Download agent.
     Install Windows Agent
  9. In the Add new non-Azure computer page, select the workspace.
     Add new non-Azure computer
  10. In the Direct Agent page, download the appropriate Windows agent, and take note of the Workspace ID and Primary Key that the panel provides.
     Download and onboard agent for linux
  11. Install the agent on the Advanced Threat Analytics Center. Select the option “Connect the agent to Azure Log Analytics (OMS)”, and provide the Workspace ID and Primary Key from the previous step.

With that, the integration should be complete and you should be able to see Advanced Threat Analytics as a “Connected solution”.

Connected solutions to Azure Security Center
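Before trusting the "Connected solution" status, it is worth confirming that a syslog message can actually reach the port you chose in step 3 and that it arrives intact. The script below is an added example, not code from the article or from Microsoft: it binds a loopback TCP listener (port 0 picks a free port; pass 5114 to try the article's port), sends a constructed RFC 3164-style syslog line through it, and parses the PRI header back into facility and severity. The message body is a placeholder I constructed and is not the real format ATA emits; `check_port_free` only tells you whether the port is unused on this host, not across the network.

```python
import re
import socket
import threading
from datetime import datetime

# Port suggested in the article as an example; the test uses 0 (any free port).
EXAMPLE_ATA_PORT = 5114

# RFC 3164 shape: <PRI>TIMESTAMP HOST TAG: BODY  (TIMESTAMP is "Mmm dd hh:mm:ss")
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$", re.DOTALL
)


def check_port_free(port, host="127.0.0.1"):
    """Return True if nothing is listening on host:port (local check only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def build_syslog_message(facility, severity, hostname, app, body):
    """Build an RFC 3164-style line; PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    # Fixed timestamp so the output is reproducible (a real sender uses now()).
    ts = datetime(2018, 1, 15, 10, 30, 0).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {body}"


def parse_syslog_message(raw):
    """Split a syslog line into its fields and decode PRI into facility/severity."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164-style syslog line")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "app": m.group(4),
        "body": m.group(5),
    }


def syslog_roundtrip(message, port=0, timeout=5.0):
    """Listen on 127.0.0.1:port, send `message` over TCP, return what arrived."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]  # actual port when port=0 was requested
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):  # syslog over TCP is newline-framed
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        received.append(buf.decode("utf-8").rstrip("\n"))

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    with socket.create_connection(("127.0.0.1", bound_port), timeout=timeout) as cli:
        cli.sendall(message.encode("utf-8") + b"\n")
    t.join(timeout)
    srv.close()
    return received[0] if received else None


if __name__ == "__main__":
    print("port", EXAMPLE_ATA_PORT, "free locally:", check_port_free(EXAMPLE_ATA_PORT))
    # facility 4 = auth, severity 3 = error; body is a constructed placeholder
    msg = build_syslog_message(4, 3, "ata-center", "ATA", "constructed test alert")
    print(parse_syslog_message(syslog_roundtrip(msg)))
```

If the round trip fails on the real port, the listener (the OMS agent) is not bound there or a host firewall is blocking it; if it succeeds but Security Center shows nothing, the problem is upstream in the ATA notification settings or the agent-to-workspace connection rather than the syslog path.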

Augusto Alvarez
Augusto is currently working as a Principal Consultant at Dell EMC; originally from Argentina, he is now based in the US. His role currently is turning customer requirements into specific systems and processes, performing technical briefings, and leading architectural design sessions and proofs of concept. Augusto is also the author of two published App-V books: “Getting Started Microsoft Application Virtualization 4.6” and “Microsoft Application Virtualization Advanced Guide”.