Advanced Threat Analytics

Welcome! You can use this site to give feedback directly to our engineering teams that build the security products you rely on. You can suggest features or design changes, and vote on suggestions others have made. If you would like to further engage our engineering teams, please join our Security Community by visiting https://aka.ms/SecurityCommunity.

To learn more about Microsoft Advanced Threat Analytics or try it out, visit the product page.

How can we improve Advanced Threat Analytics?


1. Public API documentation for ATA Center console

   ATA is a nice product, but maintenance of exclusions through the Console is a bit of a nightmare.

   Would it be possible to see the JSON spec for the /systemprofile/ API endpoint somewhere?

   Someone already wrapped calls for the timeline and a few config options in this PowerShell module: https://www.powershellgallery.com/packages/Advanced-Threat-Analytics/0.0.12

   But it would be great to be able to manage exclusions directly through the API as well.

   5 votes · 0 comments · I am a customer

2. Learning Period for ID Theft Alert

   In future releases, could we see an option to change the threshold for the ID theft learning period? A 30 day learning/alerting period is proving to be a little short in our environment.

   Thank you.

   1 vote · 0 comments · I am a customer

3. Report showing the objects with the largest number of suspicious events

   ATA is great at identifying unique events but it isn't great at allowing us to see systems that are the most suspicious. I want to be able to generate a list of objects being monitored that are seen as outliers to the rest of the environment and how it operates.

   1 vote · 0 comments · I am a partner

4. Additional workitem status for large teams working ATA Identified Issues

   Customer is asking that there be additional status messages that can be set for active alerts. They have a large team and find team members working the same alerts without realizing it. Something in the console to flag that someone is already working the alerted item.

   1 vote · 0 comments · I am an employee of Microsoft

5. Notification Report Email of VPN Logs

   When a user connects to the company network via VPN, ATA has VPN accounting logs for that user, but you have to manually go search for the user on ATA to see the logs. A notification report email would help keep track of all the VPN connections on one report that's sent daily like other reports ATA sends out.

   1 vote · 0 comments · I am a customer

6. Trial Support ATA

   I have been using ATA for about a month and a half. Where can I get support or ask a question about ATA?

   1 vote · 0 comments · I am a customer

7. Dashboard Capability w/ Hunt Focus

   While ATA is great at posting alerts on the console, it lacks the overall visualization that other security tools provide in their respective consoles.

   Yes, there are a limited number of reports that do that, but it doesn't have the ATA-wide visibility that ATA admins need to get an overall picture of the environment, and the formatting of the spreadsheet feels clunky at times.

   Some of the example questions (think beyond regular alerts, what is abnormal judged by ATA, etc.):

   Who are the top 10 users flagged for doing X in the past X days?
   What are the top 10 alerts…

   4 votes · 0 comments · I am a customer

8. DNS Intelligence

   When malware gets in the door, it typically reaches back to C2 systems on the Web by querying DNS servers. More often than not, DCs also run the function of DNS servers. Then why not tap into the rich DNS logs that are already on the DCs for wider visibility of lateral movement/data exfil?

   4 votes · 0 comments · I am a customer

9. All SIDs in Account Info Section to be Searchable

   Can't use the Global search to search by SIDs that are listed under the Account Info section.

   2 votes · 0 comments · I am a customer

10. WUDO Causing "Suspicion of identity theft based on abnormal behavior" alert to trigger several times per hour

    False positive started on ATA version 1.9, triggered by Windows 10 machines.
    Each alert is triggered by gifs connections to around 30 hosts.

    1 vote · 0 comments · I am a customer

11. MFA

    Enable the use of MFA using a product such as Duo when logging into the Portal.

    2 votes · 0 comments · I am a customer

12. Notes Field for Closing, Excluding or Deleting Alerts

    Please add a notes field that can be annotated when taking any sort of action on an alert so that users/admins can keep track of why an alert was closed or add helpful information to an alert.

    5 votes · 1 comment · I am a customer

13. Add the date/time for all incidents of a specific endpoint/user

    Currently, when you select a specific user/endpoint and it shows a timeline of all the events that user/endpoint has been involved in, it doesn't display the specific date and time of the incident until it reaches "Three Weeks Ago". So it resembles something like:

    Today 7:15am (event)
    Wednesday 8:15am (event)
    Tuesday 7:45am (event)
    Monday 7:15pm (event)
    Sunday (Time) (event)
    Saturday (Time) (event)
    Friday (Time) (event)
    Thursday (Time) (event)

    ...continues up until "Three Weeks Ago", then it starts adding the specific date instead of just the day of the week:

    7:15am Apr 21, 2018 (event)
    7:30am Apr 20, 2018 (event)
    7:55am Apr…

    2 votes · 0 comments · I am a customer

14. Allow for some UI customization

    Two use cases:
    - Customer runs multiple ATA Centers for multiple forests: allow some UI customization (changed logos or colors) to keep them visually separate.
    - Customer keeps vital user data in more than just the "title" AD attribute: allow for other AD attributes to be displayed in the UI "profile" tile and in the Account Info tile.

    3 votes · 0 comments · I am a customer

15. Allow Updating of Unresolved Objects

    Currently there's no way to update objects that appear as Unresolved in ATA. It would be useful if there was a way to do so.

    Example: an unresolved IP address appears in a suspicious activity alert, but nslookup/dig returns an A record and nmap reports ports open that are concurrent with a MacOS device.

    If unresolved objects could be modified, the hostname and port information could be added to the IP address from the above example.

    2 votes · 0 comments · I am a customer

16. VPN integration support for Juniper VPN devices

    Please provide support for VPN integration with Juniper VPN devices.

    3 votes · 0 comments · I am a customer

17. Increase detection for other techniques

    Currently, I can perform recon via WMI queries and ATA doesn't bark at me. I'd like to see Microsoft take a look at what some of the other techniques are and develop detection methods for them.

    For example, I can query for members of Domain Admins via WMI and ATA doesn't bark at me.

    Take a look here as a great start:
    http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html

    9 votes · 0 comments · I am a customer

18. Add detection for DNS Sinkhole

    Add the ability to add DNS sinkhole IPs to ATA, and alert when one is returned.

    4 votes · 0 comments · I am a customer

19. Add the ability to tag specific groups as "Sensitive"

    ATA automatically tags some AD groups as "sensitive groups" (e.g. the "Domain Admins" group) and can monitor/report when users are added to or removed from these groups.

    It would be great to be able to mark some specific custom groups as "Sensitive" so that they are included in the attack detection and group monitoring processes.

    11 votes · 1 comment · I am a customer

20. Visualisation of number of events per DC + agent/gateway stats

    Currently it's very hard to tell how the system as a whole is performing. Questions like these:

    Are we now pushing more events than the centre can handle?
    Have we breached the threshold of traffic the agent can handle, and should we now use a gateway?
    Has there been a significant drop (but not zero) in events recorded on a domain controller?

    are very hard to answer without either running the capacity planning tool again or doing very detailed and time-consuming investigation work.

    It would be great to have this covered in the portal.

    5 votes · 0 comments · I am a customer
