Public content repo for ATA documentation in OPS
License: Creative Commons Attribution 4.0 International
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
You've found one of the GitHub repositories that houses the source for Microsoft technical content.
![prmerger-automator[bot] avatar](https://avatars.githubusercontent.com/u/22479449?v=4 "prmerger-automator[bot]")
If your using Azure AD Connect, make sure you add the MSOL_XXXYYY account to this policy else you will not be able to do password reset or self service password resets. Also just be very very wary of this, once we turned it on, a lot of poorly developed apps broke, which required the service account being added to this policy.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
What user accounts specifically need to be licensed for this feature? Admins? Users? Both?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Suggest to update this article mentioning that the yammer group is now closed and moved to Tech Community
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Could clarity be added in the 'Domain synchronizer candidate' section to understand if Azure ATP sensors should be enable as synchronizer candidates in an exclusively ATP sensor environment (i.e. no ATP Standalone sensors)
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Since release of 1.9.2, Windows Server 2019 should be supported on ATA Center and Gateways. This is not mentioned in the prerequisites page.
Multiple workspaces are blocked by default: customer can only create one workspace.
Workspaces are moving to support multi-forest deployment
Need to remove this guidance :
In Azure ATP, you have the ability to manage and monitor multiple workspaces. This is especially helpful if you want to create a demo workspace and a test workspace in which you can POC Azure ATP before rolling it out to your whole organization. This is also needed to support deployments with multiple forests. A single workspace can only monitor multiple domains from a single forest.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
@mbrogies commented on Mon Oct 08 2018
The offline install source of .net4.7 is wrong.
It's referencing to .net4.6.1
⚠ Bearbeiten Sie diesen Abschnitt nicht. Er ist für die Verknüpfung von docs.microsoft.com zum GitHub-Artikel erforderlich.
please be specific
and please fix the doc:
"Port 135" should be changed to "TCP port 135"
"Port 137" should be changed to "UDP port 137"
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Please can you add Command Line/PowerShell commands for resolving the VMWare issue?
Set the following settings to 0 or Disabled in the virtual machine's NIC configuration: TsoEnable, LargeSendOffload, TSO Offload, Giant TSO Offload.
I need to do the TSO Offload (as per the note) on Windows Server Core in particular
Thank you
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
It's great that ATA backs up it's config every 4 hours, but let's say I've just made a change and want to manually backup the config. How can I do that?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
"report is always available is LMPs were discovered"
should be
"report is always available if LMPs were discovered"
In other words: is -> if
The text states that the screen shot should show a standalone install, but the screen shot shows the installation on a domain controller. Please make the text and image consistent
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The top bullet point "Acquire a license for Enterprise Mobility + Security 5 (EMS E5) directly via the Microsoft 365 portal or through the Cloud Solution Partner (CSP) licensing model." is not factually correct.
Azure ATP may be procured as a standalone product by a customer. EM+S E5 is not required. However, if a customer owns EM+S E5, then yes, they will also own Azure ATP as well. Same thing as Microsoft 365 E5 -- if you own that license, then you also already own Azure ATP (because M365 E5 includes the EM+S E5 suite).
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
I have a ATA 1.9.7312.32791. When ever i go to reports and try to download, it would not download with a error. please help. I am very sure it is not the browser issue and i have reinstall ATA a few times, and even create a new OS from start and reinstall it. Seems like it does not work.
Make sure you have defined credentials for the forest under Directory Services in Settings. (I forgot to enter a Service account, and the install package includes all the service accounts for all forests).
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The images are missing, and there is broken formatting in Step 2, section 1c.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The syntax for the install of the azure atp sensor has an inconsistency on the AccessKey param. In the syntax box is shows as prefaced with a slash but in the installation params section it doesn't. The install fails with an error "Option /AccessKey is unknown" if you include the slash.
This was mentioned in issue 98 but wasn't corrected completely.
After KB4487044 Windows Server 2019 should be supported. isn't it?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
One thing my might be helpful would be to give some options on how to verify connectivity to the ATP Cloud service.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
I just wonder, for these, i notice it says it is changed, but it did not say who change it. Is this something can be done in Azure ATP?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The step to start ATA Center service should be after the system profile import
Step 5, a, iii - Start the ATA Center service
** should be moved to before Step 5, c
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
link is incorrect (404) in this section:
If you cannot export the private key, you must create a new certificate and deploy it to ATA, as described in Change the ATA Center certificate, and then export it.
should link to same guidance here: https://docs.microsoft.com/en-us/advanced-threat-analytics/modifying-ata-center-configuration#the-ata-center-certificate
Hi,
The path/prerequisites don't seem to explain how a customer that has implemented pure Azure AD, with Azure AD joined systems could possibly implement Azure ATP. It seems like the pre-requisites should mention that this only applies for on-premise (or traditional) Windows domains. I know that one can conclude that after reading all content carefully but why lead us down a path that is in the end invalid.
Also: What if we have a radius server that is connected to Azure AD, what document do we need to consult? How can we possible set up Azure ATP. Did Microsoft built ATP sensors into Azure AD?
Bart
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Hi,
We are a pure Azure Active Directory shop and when I went through the motions to set this up, one of the first steps was indeed to download the sensor to one of our Domain controllers, which we don't have since we don't have Domain Controllers.
Please add some clarification that this is not for Azure Active Directory. And maybe you can then also point users of Azure Active Directory to ATP for those setups, if they exist?
Thank you
Bart
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
https://docs.microsoft.com/en-us/advanced-threat-analytics/opbuildpdf/TOC.pdf?branch=live
...has a Download PDF option, that doesn't open.
[Enter feedback here]
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Under Step 1, there are a number of endpoints listed, however the following article shows even more endpoints. I would suggest to align both articles so they have the same endpoints listed.
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
I assume there was supposed to be a graphic embedded in the page?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
You need to enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" in Group Policy. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Should registry value DefaultConnectionSetting be DefaultConnectionSettings ? Like HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSetting\Connections\DefaultConnectionSettings
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The Sample is "1.1.1.1/32", but this ip has been used by CloudFlare. it have sensor and it's DNS server.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The daily reports are always sent shortly after midnight, UTC - that's not great for our timezone (which changes based on daylight savings). Can this be configurable?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Requiring a username/password and service account that isn't a GMSA is very old school.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Is should say "on-premises", not "on-premesis".
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Can you update this document to include instructions for Server Core? Subscriptions is not accessible from Event Viewer connected to a remote computer, and Event Viewer is not available on Server Core.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
In environments with many, many DC's, it's very useful to be able to install via automation / unattended. Please add support for DSC or Powershell based automation...
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
In the paragraph:
Optional: When deploying the standalone sensor, it is necessary to forward Windows events 4776, 4732, 4733, 4728, 4729, 4756, 4757, and 7045 to zure ATP to further enhance Azure ATP Pass-the-Hash, Brute Force, Modification to sensitive groups, Honey Tokens detections, and malicious service creation. Azure ATP sensor receives these events automatically. In Azure ATP standalone sensor, these events can be received from your SIEM or by setting Windows Event Forwarding from your domain controller. Events collected provide Azure ATP with additional information that is not available via the domain controller network traffic.
After 7045 you're missing the A in Azure.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
The syntax listed for silently installing the sensor has accesskey listed as an option, not a parameter, which causes the install to fail with "Option '/accesskey' is unknown".
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
"nslookup -" > enter > "ls -d" isn't a real sequence of commands. Please correct, thanks.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Within minutes of enabling this policy all RDP and Citrix logins to pre-Server 2016 systems were blocked. I backed out of the policy, but the registry change on the servers wasn't reversed. Rather than manually edit the registry on several hundred servers I re-enabled the policy, but added Authenticated Users to the ACL to recover. Did anyone at Microsoft ever consider that Server 2008 and Server 2012 are still in use and should be included in testing?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
I run into some issues using silent installation for ATA Center. I wrote a post here https://www.stefanroth.net/2018/01/15/advanced-threat-analytics-silent-installation-adventure/
Could you please fix the documentation?
Please give recommendations for for the HT user. The documenation is lacking information about this.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
document update needed to show 1.9 update 1 release
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
I couldn't get the event log forwarding to function when following this article. Would give me a "Access Denied". When you add the computer object of your ATA Gateway machine to the domain group "Event Log Readers", The subscriptions starts to work.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Hi Team, two things I noticed. There's a "bout" word that should be "about." Also "network recourses" should be "network resources." Hope this helps.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
I was looking at some articles to see how we're doing with prev and next buttons in docs and noticed that we have some double lines in the beginning of some articles such as this one:
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1
fix issues please
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
According to https://nmap.org/npcap/guide/npcap-users-guide.html#npcap-installation-options the installer options should be
/loopback_support=no /winpcap_mode=no
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Network Name Resolution (NNR) mechanism was improved significantly - Is this done by program logic? or Is there any better Windows API?
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
Item 6. Go to Account Logon , double click on Audit Security Group Management and select Configure the following audit events for both success and failure events.
Should be:
Go to Account Management , double click on Audit Security Group Management and select Configure the following audit events for both success and failure events.
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
How does ATA know where to send this notification email to? Is this a configurable field?
Thanks!
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
