Microsoft Advanced Threat Analytics v1.8 update is now available. ATA focuses on detecting and investigating tactics, techniques, and procedures (TTPs) that are commonly used by attackers in their campaigns, and on abnormal behavior of entities (users, devices, resources) that indicate insider threats. Additionally, with each ATA release, we continue to enhance our engine to improve detections for known and unknown attacks, as well as discovering net new types of attacks. Finally, we are also making improvements in the product infrastructure, security, and user experience. In v1.8 we are delivering the following:

New & updated detections

Abnormal modification of sensitive groups

As part of the privilege escalation phase of an attack, attackers modify groups with high privileges to gain access to sensitive resources. ATA now detects when there’s an abnormal change in a group with elevated privileges (i.e. a sensitive group).

Suspicious authentication failures (Behavioral brute force)

Attackers often attempt to use brute force on credentials to compromise accounts. ATA now raises an alert when abnormal failed authentication behavior is detected.

Remote execution attempt – WMI exec

Attackers can attempt to control your network by running code remotely on your domain controller. ATA has added a detection for remote execution leveraging WMI methods to run code remotely.

Improved triage of suspicious activities

ATA v1.8 will empower sec ops to triage suspicious activities by:

  • Excluding entities from raising future suspicious activities, to prevent ATA from alerting when it detects benign true positives (such as an admin running remote code or using nslookup).
  • Suppressing recurring suspicious activities from alerting.
  • Deleting suspicious activities from the attack time line.

New reports to help you investigate

The summary report was added to enable you to see all the summarized data from ATA, including suspicious activities, health issues and more. You can even define a customized report that is automatically generated on a recurring basis.

The sensitive groups report was improved to enable you to see all the changes made in sensitive groups over a certain period.

Infrastructure

Center performance enhancements

The ATA Center can now handle more than 1M packets per second.

Local events reading for ATA Lightweight Gateway

The ATA Lightweight Gateway can now read events locally, without the need to configure event forwarding.

Product Security

Single sign-on for ATA management

Silent installation scripts for the ATA Gateway and ATA Lightweight Gateway now use the logged-on user’s context, without the need to provide credentials.

Auditing Logs

Auditing logs for the ATA Center and Gateways were added and all actions are now logged in the event viewer.