Enterprise Mobility and Security Blog

Intro

ATA analyzes and learns user and entity behavior by aggregating data from various sources, such as deep packet inspection of domain-controller traffic, Windows events, and data provided by SIEM systems. After ATA begins gathering information about Active Directory traffic and correlating it with AD components, it scans for abnormal behavior and suspicious activities. ATA alerts on three categories of detection: security issues and risks, malicious attacks, and abnormal behavior.

While deterministic attacks such as account enumeration and PtT can be surfaced immediately as they occur, the abnormal detection engine has some requirements it must meet before it can build its model. ATA continuously learns from the organization's entity behavior and adjusts itself to reflect changes in the enterprise. Information such as which resources users access, where they access them from, and the date and time of access is analyzed. The anomaly detection engine is based on a combination of association rule mining and decision trees. From this analysis ATA builds an organizational graph and starts detecting security issues, advanced attacks and abnormal entity behavior. A common question raised by customers is how they can confirm that the abnormal detection engine is running and validate that it is working properly.

Requirements

ATA behavioral analytics uses machine learning to detect suspicious activities in the organization. The abnormal detection engine requires a minimum of 21 days of data to build the entity profiles, and it requires a minimum of 50 entity profiles. These can include 50 active "human" user profiles, active computer profiles and service accounts. To create a profile for an entity, ATA needs to see network activity for that entity on 12 of the last 21 days.

Validation

ATA provides a variety of logs that give insight into the different detections it monitors. On the ATA Center server there is a detection log file named Microsoft.Tri.Center-Detection.log, which by default is located in the C:\Program Files\Microsoft Advanced Threat Analytics\Center\Logs folder. This log contains details on detection progress and debug information. For more information about ATA log files, see https://technet.microsoft.com/en-us/library/mt637889.aspx.
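The two checks the post describes, the engine's data requirements from the Requirements section and the model-build entry in the detection log, as an added example that is not Microsoft's or the ATA product's code. The activity data and the log lines are constructed samples; only the marker string "[AbnormalBehaviorDetector]Building a Model" and the 21-day, 50-profile and 12-of-21-days thresholds come from the post.

```python
# Added example (not Microsoft's code): checks the requirements the post lists
# for the abnormal detection engine and scans the detection log for its
# model-build entry. The log lines and entity activity below are constructed.
from datetime import date, timedelta

MODEL_MARKER = "[AbnormalBehaviorDetector]Building a Model"
MIN_DAYS_OF_DATA = 21   # engine needs at least 21 days of data
MIN_PROFILES = 50       # and at least 50 completed entity profiles
MIN_ACTIVE_DAYS = 12    # an entity is profiled if seen on 12 of the last 21 days


def model_build_entries(log_lines):
    """Return the detection-log lines recording that the model is being built."""
    return [line for line in log_lines if MODEL_MARKER in line]


def profiled_entities(activity, today):
    """Entities seen on at least MIN_ACTIVE_DAYS distinct days within the
    MIN_DAYS_OF_DATA-day window ending today.
    `activity` maps entity name -> list of dates on which ATA saw traffic."""
    window_start = today - timedelta(days=MIN_DAYS_OF_DATA - 1)
    return sorted(name for name, days in activity.items()
                  if sum(1 for d in set(days) if window_start <= d <= today)
                  >= MIN_ACTIVE_DAYS)


def engine_ready(activity, first_seen, today):
    """Summarise whether the engine's requirements are met on `today`."""
    days_of_data = (today - first_seen).days + 1
    profiles = profiled_entities(activity, today)
    return {"days_of_data": days_of_data, "profiles": len(profiles),
            "ready": days_of_data >= MIN_DAYS_OF_DATA and len(profiles) >= MIN_PROFILES}


# Constructed sample: collection started 1 March 2016; 52 users are seen every
# weekday (15 of any 21 consecutive days) and 5 service accounts on only 3 days.
FIRST_SEEN, TODAY = date(2016, 3, 1), date(2016, 3, 21)
_WINDOW = [FIRST_SEEN + timedelta(days=i) for i in range(21)]
ACTIVITY = {f"user{n:02d}": [d for d in _WINDOW if d.weekday() < 5] for n in range(1, 53)}
ACTIVITY.update({f"svc{n:02d}": _WINDOW[:3] for n in range(1, 6)})

# Constructed log lines in an illustrative layout; the real file's layout is not shown here.
SAMPLE_LOG = [
    "2016-03-21 08:00:01 Info  Processing network activity batch",
    "2016-03-21 08:00:02 Info  [AbnormalBehaviorDetector]Building a Model",
]

if __name__ == "__main__":
    print(engine_ready(ACTIVITY, FIRST_SEEN, TODAY))
    print(model_build_entries(SAMPLE_LOG))
```

On a real Center, feed `model_build_entries` the lines of Microsoft.Tri.Center-Detection.log and `profiled_entities` the per-entity activity dates you collect from your own telemetry.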

Once the abnormal detection engine requirements outlined above are met, the detection log will show an entry for "[AbnormalBehaviorDetector]Building a Model." ATA also records in this same log the number of users whose behavioral profiles have been completed. Reaching this point can take some time depending on the size of the customer environment and the number of accounts. A portion of the log with this entry is shown below: