ATA analyzes and learns user and entity behavior by aggregating data from various sources, such as deep packet inspection of domain-controller traffic, Windows events, and data provided by SIEM systems. After ATA begins gathering information about Active Directory traffic and correlating it with AD components, it scans for abnormal behavior and suspicious activities. ATA alerts on three categories of detection: security issues and risks, malicious attacks, and abnormal behavior.
While the deterministic attacks such as account enumeration and PtT can be surfaced immediately as they occur, the abnormal detection engine has some requirements to build the model. ATA continuously learns from the organizational entity behavior and adjusts itself to reflect the changes in the enterprise.
Information such as which resources users access, where they are accessed from, and the date and time of access is analyzed. The anomaly detection engine is based on a combination of association rule mining and decision trees. Based on this analysis ATA builds an organizational graph and starts detecting security issues, advanced attacks and abnormal entity behavior. A common question from customers is how to confirm that the abnormal detection engine is running and validate that it is working properly.
What Are The Requirements
ATA behavioral analytics uses machine learning to detect suspicious activities in the organization. The abnormal detection engine requires a minimum of 21 days to build the entity profiles and requires a minimum of 50 entity profiles. These can include 50 active “human” user profiles, active computer profiles and service accounts. To create a profile for an entity, ATA needs to see network activity for that entity on 12 out of the last 21 days.
Validation and Insights
ATA provides a variety of logs that give insight into the different detections it monitors. On the ATA Center server there is a detection log file named Microsoft.Tri.Center-Detection.log, which by default is located in the C:\Program Files\Microsoft Advanced Threat Analytics\Center\Logs folder. This log contains details on detection progress and debug information. For more information about ATA log files see https://technet.microsoft.com/en-us/library/mt637889.aspx.
Once ATA has validated the abnormal detection engine requirements outlined above, the detection log will show an entry for “[AbnormalBehaviorDetector]Building a Model.” ATA records the number of users whose behavioral profiles have been completed in this same log. This can take some time depending on the size of the customer environment and the number of accounts.
1. How can we validate that a single user is included in the behavior analysis model?
The ATA behavior analysis model includes users who have consistent network activity (4 days a week during the last 3 weeks). To confirm that a user is part of the model, retrieve the associated userID and validate that a profile exists for that user with the following steps:
- From a command prompt on the ATA Center, go to C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin
- Output the list of entities to a file to retrieve the userID in question
- mongo ATA --eval "printjson(db.UniqueEntities.find().toArray())" >> ATAentities.json
- Open the ATAentities.json file from the .\bin folder in Notepad
- Use the Notepad Find feature to search for the string: "Name" : "<UserName>"
- Copy the value of the “_id” field to your clipboard
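As an added example (not from the original article or the ATA product), a small Python script that performs the Notepad search from the steps above against the exported ATAentities.json: it drops the banner lines the mongo shell prints before the array, converts printjson's ObjectId()/ISODate()/NumberLong() wrappers into strict JSON, and returns every _id whose Name matches. The sample export, its ids and its field values are constructed placeholders, not data from a real ATA Center.

```python
import json
import re

# Constructed sample of the file written by
#   mongo ATA --eval "printjson(db.UniqueEntities.find().toArray())" >> ATAentities.json
# Ids, names and extra fields are placeholders, not values from a real ATA deployment.
SAMPLE_EXPORT = '''MongoDB shell version: x.y.z
connecting to: ATA
[
    {
        "_id" : "00000000-0000-4000-8000-000000000001",
        "Name" : "jdoe",
        "CreationTime" : ISODate("2016-05-01T08:00:00Z")
    },
    {
        "_id" : ObjectId("5f3c2a1b4e5d6c7b8a9f0e1d"),
        "Name" : "WS01",
        "Flags" : NumberLong(3)
    }
]
'''

# printjson emits shell helpers that are not valid JSON; unwrap the common single-argument ones.
_STRING_WRAPPERS = re.compile(r'\b(?:ObjectId|ISODate|UUID)\(\s*("(?:[^"\\]|\\.)*")\s*\)')
_NUMBER_WRAPPERS = re.compile(r'\b(?:NumberLong|NumberInt)\(\s*"?(-?\d+)"?\s*\)')


def normalize_printjson(text):
    """Return the JSON array inside a mongo-shell export, with shell wrappers removed."""
    start, end = text.find('['), text.rfind(']')
    if start < 0 or end < start:
        raise ValueError("no JSON array found in export")
    body = text[start:end + 1]          # skips the shell banner lines
    body = _STRING_WRAPPERS.sub(r'\1', body)
    body = _NUMBER_WRAPPERS.sub(r'\1', body)
    return body


def load_entities(text):
    """Parse the export into a list of entity dicts."""
    return json.loads(normalize_printjson(text))


def find_entity_ids(text, name):
    """All _id values whose Name equals `name` (case-insensitive, as AD names are)."""
    wanted = name.casefold()
    return [e["_id"] for e in load_entities(text)
            if str(e.get("Name", "")).casefold() == wanted]


if __name__ == "__main__":
    print(find_entity_ids(SAMPLE_EXPORT, "jdoe"))
```

A list is returned rather than a single value because Name is not guaranteed unique across entity types, so every match should be reviewed before its _id is used.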