Advanced Threat Analytics

Welcome! You can use this site to give feedback directly to our engineering teams that build the security products you rely on. You can suggest features or design changes, and vote on suggestions others have made. If you would like to further engage our engineering teams, please join our Security Community by visiting https://aka.ms/SecurityCommunity.

To learn more about Microsoft Advanced Threat Analytics or try it out, visit the product page.

How can we improve Advanced Threat Analytics?


  1. Typo found in logs

    We have implemented ATP and it has been used to analyze the events. I found a typo in the logs.

    You may search for the following string > Potential sensiive lateral movement path ... > Please change the string incudes to includes. Just a little typo. I could have sent a screenshot, but there is no such option here.

    1 vote
    0 comments  ·  I am a customer
  2. More Information from Entities Recently Learned

    Currently, when a new entity is learned by ATA, a notification is listed on the right side of the screen. For example:

    "Entities recently learned
    1 computer
    2 hours ago"

    Would it be possible to make that notification user-interactive so the recently learned entities are listed as well? Currently, the notification does not give any additional information.

    3 votes
    0 comments  ·  I am a customer
  3. 2 votes
    0 comments  ·  I am a customer
  4. Timeline and Activities Focus - Allow Configurable Refresh Rate

    Please consider adding configuration to allow the customer to determine the refresh rate when viewing the timeline or activities timeline for an entity. The existing version 1.9 Update 1 seems to refresh frequently and this can be slightly annoying when trying to review the information. Allowing an option to configure this or pause it would be helpful. Thanks.

    7 votes
    1 comment  ·  I am a customer
  5. Model Admin account behavior separate from standard users

    Administrative accounts are expected to behave differently than standard users in an organization. I would like to see the ability to 'tag' these accounts and have their behavior modeled separately from the non-tagged users. This would allow ATA to still monitor the accounts for signs of compromise, rather than excluding them to suppress the false positives - providing better coverage for the organization.

    7 votes
    1 comment  ·  I am a customer
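
The per-cohort modelling the post above asks for, as an added example (this is not ATA code and not how ATA builds its baselines). The account tags, the metric (distinct hosts reached per day) and the daily counts are all constructed; the point is that the same number is scored against the baseline of the account's own cohort, so admins are still monitored instead of excluded:

```python
"""Per-cohort behavioural baseline: tagged admin accounts are modelled
separately from standard users, so an admin's normally wide host footprint
is not flagged, while a standard user showing that footprint is.

Added example, not ATA code. Tags, metric and history are constructed."""
from statistics import mean, pstdev

# Constructed account tags: which accounts are modelled as admins.
ACCOUNT_TAGS = {
    "adm-alice": "admin", "adm-bob": "admin", "adm-carol": "admin",
    "dave": "standard", "erin": "standard", "frank": "standard",
}

# Constructed history: distinct hosts each account reached per day (7 days).
HISTORY = {
    "adm-alice": [38, 41, 45, 40, 39, 44, 42],
    "adm-bob":   [30, 35, 33, 37, 31, 36, 34],
    "adm-carol": [47, 50, 46, 49, 48, 51, 45],
    "dave":      [2, 3, 2, 2, 3, 2, 2],
    "erin":      [1, 2, 1, 1, 2, 1, 1],
    "frank":     [3, 3, 4, 3, 2, 3, 3],
}


def build_baselines(tags, history):
    """Return {cohort: (mean, stddev)} over all accounts carrying that tag."""
    per_cohort = {}
    for account, counts in history.items():
        per_cohort.setdefault(tags.get(account, "standard"), []).extend(counts)
    baselines = {}
    for cohort, samples in per_cohort.items():
        sd = pstdev(samples)
        baselines[cohort] = (mean(samples), sd if sd > 0 else 1.0)  # guard flat data
    return baselines


def score(account, todays_hosts, tags, baselines, threshold=3.0):
    """z-score of today's count against the account's own cohort.

    Returns (cohort, z, is_anomalous)."""
    cohort = tags.get(account, "standard")
    mu, sd = baselines[cohort]
    z = (todays_hosts - mu) / sd
    return cohort, round(z, 2), z > threshold


def score_against_single_baseline(todays_hosts, history, threshold=3.0):
    """What one untagged, mixed baseline would say about the same number."""
    samples = [c for counts in history.values() for c in counts]
    mu, sd = mean(samples), pstdev(samples)
    z = (todays_hosts - mu) / sd
    return round(z, 2), z > threshold


if __name__ == "__main__":
    baselines = build_baselines(ACCOUNT_TAGS, HISTORY)
    for cohort, (mu, sd) in baselines.items():
        print(f"{cohort:9s} mean={mu:.1f} sd={sd:.1f}")
    # 44 hosts for an admin: ordinary for that cohort.
    print("adm-alice 44 ->", score("adm-alice", 44, ACCOUNT_TAGS, baselines))
    # 44 hosts for a standard user: far outside the standard cohort.
    print("dave 44      ->", score("dave", 44, ACCOUNT_TAGS, baselines))
    # The same 44 against one mixed baseline is not flagged at all, because
    # the admins' counts widen the spread enough to hide it.
    print("mixed 44     ->", score_against_single_baseline(44, HISTORY))
```

The last line of the demo is the false-negative side of the trade-off: when admins and standard users share one baseline, the admins' normal activity inflates the variance so much that a standard user suddenly reaching 44 hosts scores around one standard deviation and is never surfaced.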
  6. MongoDB security hardening

    I'd like to have the possibility to enable SSL, encryption, authentication and auditing on the MongoDB instance. Some of these options, like authentication or SSL enablement, crash ATA; others, like auditing and encryption, are reserved for MongoDB Enterprise, while ATA comes with the Community version.

    1 vote
    0 comments  ·  I am a customer
  7. Log DNS requests and answers at client level

    Instead of logging DNS requests and answers at the DNS server level, do it at the client level instead.
    Take the opportunity to do it at the client resolver cache level (local service) to also log which process is making which DNS request.
    For ease of processing, log to Windows event logs as separate events (one for the request, one for the response; use the DNS transaction ID to uniquely identify request/response pairs).

    1 vote
    0 comments  ·  I am a customer
  8. Possibility to create custom query and (then) alerts

    The data is already in the database, so it would be nice to make it possible to query data like:

    - "show me all user objects which had password changes and were not used to log on in the last 14 days."

    - "show me all computer objects which are not a member of this group or that group"

    After we get the data back from the query, it would be nice to save the query for future use and to create alerts when the data returned by the query gets new entries or changes, like:

    - "send me an e-mail if…

    2 votes
    0 comments  ·  I am a partner
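
The two example questions from the post above, plus the "save the query and alert on change" part, as an added example. It is not ATA's query language or API (ATA exposes none for this); the entity records, their field names and the saved-query store are all constructed here:

```python
"""Saved queries over ATA-style entity data, with an alert raised only when a
re-run returns something new or something that disappeared.

Added example, not ATA code. Records, field names and timestamps are constructed."""
from datetime import datetime, timedelta

NOW = datetime(2018, 3, 1, 9, 0, 0)  # constructed "current time"

# Constructed user objects: when the password was last set, when last logged on.
USERS = [
    {"name": "alice", "pwd_last_set": NOW - timedelta(days=3),  "last_logon": NOW - timedelta(days=1)},
    {"name": "bob",   "pwd_last_set": NOW - timedelta(days=5),  "last_logon": NOW - timedelta(days=20)},
    {"name": "carol", "pwd_last_set": NOW - timedelta(days=40), "last_logon": NOW - timedelta(days=30)},
    {"name": "svc-backup", "pwd_last_set": NOW - timedelta(days=2), "last_logon": None},
]

# Constructed computer objects with their group memberships.
COMPUTERS = [
    {"name": "WS01", "member_of": {"Workstations", "PatchRing1"}},
    {"name": "WS02", "member_of": {"Workstations"}},
    {"name": "SRV01", "member_of": {"Servers"}},
    {"name": "LAB01", "member_of": set()},
]


def users_pwd_changed_but_unused(users, now, days=14):
    """Users whose password changed within `days` but who did not log on in that window.

    A never-logged-on account (last_logon is None) counts as unused."""
    cutoff = now - timedelta(days=days)
    return sorted(
        u["name"] for u in users
        if u["pwd_last_set"] >= cutoff
        and (u["last_logon"] is None or u["last_logon"] < cutoff)
    )


def computers_not_in_any(computers, groups):
    """Computers that are a member of none of the given groups."""
    wanted = set(groups)
    return sorted(c["name"] for c in computers if not (c["member_of"] & wanted))


class SavedQuery:
    """A named query plus the result set of its last run, so a re-run can report
    what is new or gone and raise an alert only on change."""

    def __init__(self, name, func, **params):
        self.name, self.func, self.params = name, func, params
        self.last_result = None

    def run(self, *data):
        current = set(self.func(*data, **self.params))
        previous, self.last_result = self.last_result, current
        if previous is None:  # first run: nothing to compare against
            return {"new": sorted(current), "gone": [], "alert": False}
        new, gone = current - previous, previous - current
        return {"new": sorted(new), "gone": sorted(gone), "alert": bool(new or gone)}


if __name__ == "__main__":
    print(users_pwd_changed_but_unused(USERS, NOW))
    print(computers_not_in_any(COMPUTERS, ["Workstations", "Servers"]))
    q = SavedQuery("stale-password-change", users_pwd_changed_but_unused, days=14)
    print(q.run(USERS, NOW))  # baseline run, no alert
    later = USERS + [{"name": "dave", "pwd_last_set": NOW - timedelta(days=1),
                      "last_logon": NOW - timedelta(days=30)}]
    print(q.run(later, NOW))  # dave is new -> alert
```

The alert fires on the difference between runs rather than on a non-empty result, which is what makes a saved query useful as a standing watch: a long-known stale account does not page anyone every time the query runs, a newly appearing one does.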
  9. 1 vote
    0 comments  ·  I am a customer
  10. Public API documentation for ATA Center console

    ATA is a nice product, but maintenance of exclusions through the Console is a bit of a nightmare.

    Would it be possible to see the JSON spec for the /systemprofile/ api endpoint somewhere?

    Someone already wrapped calls for the timeline and a few config options in this PowerShell module: https://www.powershellgallery.com/packages/Advanced-Threat-Analytics/0.0.12

    But it would be great to be able to manage exclusions directly through the API as well.

    9 votes
    0 comments  ·  I am a customer
  11. Digitally Sign Emailed Reports

    The ability to digitally sign / encrypt reports is critical in a secured environment where reports cannot be sent without a digital signature / encryption.

    1 vote
    0 comments  ·  I am a customer
  12. Notes Field for Closing, Excluding or Deleting Alerts

    Please add a notes field that can be annotated when taking any sort of action on an alert so that users/admins can keep track of why an alert was closed or add helpful information to an alert.

    16 votes
    1 comment  ·  I am a customer
  13. ATA - Authorized Usage Banner

    We need a way to create an authorized usage banner acknowledgement upon initial login to the ATA Center web interface.

    Similar to that which is described in this NIST guidance?

    NIST Special Publication 800-53 (Rev. 4)
    https://nvd.nist.gov/800-53/Rev4/control/AC-8

    1 vote
    0 comments  ·  I am a customer
  14. DNS Intelligence

    When malware gets in the door, it typically reaches back to C2 systems on the Web by querying DNS servers. More often than not, DCs also run the function of DNS servers. Then why not tap into the rich DNS logs that are already on the DCs for wider visibility of lateral movement/data exfil?

    12 votes
    0 comments  ·  I am a customer
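
What the DNS visibility asked for in this post and in "Log DNS requests and answers at client level" (idea 7) would give a defender, as one added example serving both: request and response events logged separately and joined on the DNS transaction ID, with the requesting process attached, then summarised per process. This is not ATA code; the event records, their field names (`txid`, `pid`, `qname`, `rcode`) and the thresholds are all constructed here:

```python
"""Join client-side DNS request/response events on transaction ID and summarise
them per (client, process), surfacing the patterns a defender wants to see:
high NXDOMAIN ratios, many distinct labels under one domain, unanswered queries.

Added example, not ATA code. Events, field names and thresholds are constructed."""
from collections import defaultdict

# Constructed events. In the proposed design each is a separate Windows event,
# kind="request" or kind="response", sharing the 16-bit DNS transaction ID.
EVENTS = [
    {"kind": "request",  "txid": 0x1a2b, "client": "WS01", "pid": 4120, "process": "outlook.exe", "qname": "mail.example.com"},
    {"kind": "response", "txid": 0x1a2b, "client": "WS01", "rcode": "NOERROR", "answers": ["203.0.113.10"]},
    {"kind": "request",  "txid": 0x1a2c, "client": "WS01", "pid": 4120, "process": "outlook.exe", "qname": "autodiscover.example.com"},
    {"kind": "response", "txid": 0x1a2c, "client": "WS01", "rcode": "NOERROR", "answers": ["203.0.113.11"]},
    # One process resolving many distinct machine-looking labels under a single
    # domain, most of them non-existent: the pattern worth surfacing.
    {"kind": "request",  "txid": 0x2001, "client": "WS01", "pid": 9912, "process": "updater.exe", "qname": "a8f3c2.evil-example.net"},
    {"kind": "response", "txid": 0x2001, "client": "WS01", "rcode": "NXDOMAIN", "answers": []},
    {"kind": "request",  "txid": 0x2002, "client": "WS01", "pid": 9912, "process": "updater.exe", "qname": "b91d0e.evil-example.net"},
    {"kind": "response", "txid": 0x2002, "client": "WS01", "rcode": "NXDOMAIN", "answers": []},
    {"kind": "request",  "txid": 0x2003, "client": "WS01", "pid": 9912, "process": "updater.exe", "qname": "c77a41.evil-example.net"},
    {"kind": "response", "txid": 0x2003, "client": "WS01", "rcode": "NOERROR", "answers": ["198.51.100.7"]},
    {"kind": "request",  "txid": 0x2004, "client": "WS01", "pid": 9912, "process": "updater.exe", "qname": "d0e5f9.evil-example.net"},
    # no response logged for 0x2004: it is reported as unanswered
]


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registered domain."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def pair_events(events):
    """Join requests to responses on (client, txid).

    Returns (pairs, unanswered): each pair is the request dict plus the
    response's rcode/answers; unanswered lists requests with no response."""
    responses = {(e["client"], e["txid"]): e for e in events if e["kind"] == "response"}
    pairs, unanswered = [], []
    for e in events:
        if e["kind"] != "request":
            continue
        r = responses.get((e["client"], e["txid"]))
        if r is None:
            unanswered.append(e)
        else:
            pairs.append({**e, "rcode": r["rcode"], "answers": r["answers"]})
    return pairs, unanswered


def summarise_by_process(pairs, unanswered):
    """Per (client, process): query count, NXDOMAIN ratio, unanswered count and
    the largest number of distinct names seen under any one registered domain."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "unanswered": 0,
                                 "labels": defaultdict(set)})
    for p in pairs:
        s = stats[(p["client"], p["process"])]
        s["queries"] += 1
        s["nxdomain"] += int(p["rcode"] == "NXDOMAIN")
        s["labels"][registered_domain(p["qname"])].add(p["qname"])
    for u in unanswered:
        s = stats[(u["client"], u["process"])]
        s["queries"] += 1
        s["unanswered"] += 1
        s["labels"][registered_domain(u["qname"])].add(u["qname"])
    return {
        key: {
            "queries": s["queries"],
            "nxdomain_ratio": round(s["nxdomain"] / s["queries"], 2),
            "unanswered": s["unanswered"],
            "max_labels_per_domain": max(len(v) for v in s["labels"].values()),
        }
        for key, s in stats.items()
    }


def flag_suspicious(summary, min_queries=3, nx_ratio=0.5, max_labels=3):
    """(client, process) keys whose DNS behaviour crosses the constructed thresholds."""
    return sorted(
        key for key, s in summary.items()
        if s["queries"] >= min_queries
        and (s["nxdomain_ratio"] >= nx_ratio or s["max_labels_per_domain"] >= max_labels)
    )


if __name__ == "__main__":
    pairs, unanswered = pair_events(EVENTS)
    summary = summarise_by_process(pairs, unanswered)
    for key, s in summary.items():
        print(key, s)
    print("flagged:", flag_suspicious(summary))
```

Joining on (client, txid) rather than txid alone matters once the events come from many hosts, since the 16-bit transaction ID is only unique per resolver; the process attribution is what server-side DNS logs on the DC cannot provide, which is the gap idea 7 points at.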
  15. 1 vote
    0 comments  ·  Other
  16. Dashboard Capability w/ Hunt Focus

    While ATA is great at posting alerts on the console, it lacks the overall visualization that other security tools provide in their respective consoles.

    Yes, there are a limited number of reports that do that, but they don't give the ATA-wide visibility that ATA admins need to get an overall picture of the environment, and the formatting of the spreadsheet feels clunky at times.

    Some of the example questions (think beyond regular alerts, what is abnormal judged by ATA, etc.):

    Who are the top 10 users flagged for doing X in the past X days?
    What are the top 10 alerts…

    8 votes
    0 comments  ·  I am a customer
  17. Increase detection for other techniques

    Currently, I can perform recon via WMI queries and ATA doesn't bark at me. I'd like to see Microsoft take a look at what some of the other techniques are and develop detection methods for them.

    For example, I can query for members of Domain Admins via WMI and ATA doesn't bark at me.

    Take a look here as a great start:
    http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html

    15 votes
    0 comments  ·  I am a customer
  18. MFA

    Enable the use of MFA using a product such as Duo when logging into the Portal

    7 votes
    0 comments  ·  I am a customer
  19. Learning Period for ID Theft Alert

    In the future releases, could we see an option to change the threshold for ID theft learning period? A 30 day learning/alerting period is proving to be a little short in our environment.

    Thank you.

    3 votes
    0 comments  ·  I am a customer
  20. Account password has changed

    Help understanding why one of my endpoint PCs shows "Account Password has changed"? No name next to it, or which account?

    1 vote
    1 comment  ·  I am a customer