Advanced Threat Analytics

Welcome! You can use this site to give feedback directly to our engineering teams that build the security products you rely on. You can suggest features or design changes, and vote on suggestions others have made. If you would like to further engage our engineering teams, please join our Security Community by visiting https://aka.ms/SecurityCommunity.

To learn more about Microsoft Advanced Threat Analytics or try it out, visit the product page.

How can we improve Advanced Threat Analytics?


  1. Timeline and Activities Focus - Allow Configurable Refresh Rate

    Please consider adding a configuration option to allow the customer to determine the refresh rate when viewing the timeline or activities timeline for an entity. The existing version 1.9 Update 1 seems to refresh frequently, and this can be slightly annoying when trying to review the information. Allowing an option to configure this or pause it would be helpful. Thanks.

    5 votes  ·  1 comment  ·  I am a customer
  2. Model Admin account behavior separate from standard users

    Administrative accounts are expected to behave differently than standard users in an organization. I would like to see the ability to 'tag' these accounts and have their behavior modeled separately from the non-tagged users. This would allow ATA to still monitor the accounts for signs of compromise, rather than excluding them to suppress the false positives, providing better coverage for the organization.

    4 votes  ·  1 comment  ·  I am a customer
  3. Notes Field for Closing, Excluding or Deleting Alerts

    Please add a notes field that can be annotated when taking any sort of action on an alert, so that users/admins can keep track of why an alert was closed or add helpful information to an alert.

    9 votes  ·  1 comment  ·  I am a customer
  4. DNS Intelligence

    When malware gets in the door, it typically reaches back to C2 systems on the Web by querying DNS servers. More often than not, DCs also run the function of DNS servers. So why not tap into the rich DNS logs that are already on the DCs for wider visibility of lateral movement/data exfil?

    7 votes  ·  0 comments  ·  I am a customer
  5. Increase detection for other techniques

    Currently, I can perform recon via WMI queries and ATA doesn't bark at me. I'd like to see Microsoft take a look at what some of the other techniques are and develop detection methods for them.

    For example, I can query for members of Domain Admins via WMI and ATA doesn't bark at me.

    Take a look here as a great start:
    http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html

    12 votes  ·  0 comments  ·  I am a customer
  6. Dashboard Capability w/ Hunt Focus

    While ATA is great at posting alerts on the console, it lacks the overall visualization that other security tools provide in their respective consoles.

    Yes, there are a limited number of reports that do that, but it doesn't have the ATA-wide visibility that ATA admins need to get an overall picture of the environment, and the formatting of the spreadsheet feels clunky at times.

    Some example questions (think beyond regular alerts, what is abnormal as judged by ATA, etc.):

    Who are the top 10 users flagged for doing X in the past X days?
    What are the top 10 alerts…

    6 votes  ·  0 comments  ·  I am a customer
  7. Learning Period for ID Theft Alert

    In future releases, could we see an option to change the threshold for the ID theft learning period? A 30-day learning/alerting period is proving to be a little short in our environment.

    Thank you.

    3 votes  ·  0 comments  ·  I am a customer
  8. Report showing the objects with the largest number of suspicious events

    ATA is great at identifying unique events, but it isn't great at allowing us to see systems that are the most suspicious. I want to be able to generate a list of objects being monitored that are seen as outliers to the rest of the environment and how it operates.

    2 votes  ·  0 comments  ·  I am a partner
  9. All SIDs in Account Info Section to be Searchable

    Can't use the Global search to search by SIDs that are listed under the Account Info section.

    3 votes  ·  0 comments  ·  I am a customer
  10. Add the date/time for all incidents of a specific endpoint/user

    Currently, when you select a specific user/endpoint and it shows a timeline of all the events that user/endpoint has been involved in, it doesn't display the specific date and time of the incident until it reaches "Three Weeks Ago". So it resembles something like:

    Today 7:15am (event)
    Wednesday 8:15am (event)
    Tuesday 7:45am (event)
    Monday 7:15pm (event)
    Sunday (Time) (event)
    Saturday (Time) (event)
    Friday (Time) (event)
    Thursday (Time) (event)

    ...continues up until "Three Weeks Ago", then it starts adding the specific date instead of just the day of the week:

    7:15am Apr 21, 2018 (event)
    7:30am Apr 20, 2018 (event)
    7:55am Apr…

    4 votes  ·  0 comments  ·  I am a customer
  11. Allow Updating of Unresolved Objects

    Currently there's no way to update objects that appear as Unresolved in ATA. It would be useful if there was a way to do so.

    Example: an unresolved IP address appears in a suspicious activity alert, but nslookup/dig returns an A record and nmap reports open ports that are consistent with a MacOS device.

    If unresolved objects could be modified, the hostname and port information could be added to the IP address from the above example.

    3 votes  ·  0 comments  ·  I am a customer
  12. Field to add notes when excluding Alerts

    A lot of times when excluding an alert, I would like to document it with some notes. Please add a field/option/space for documentation that is accessible to all ATA users.
    Thanks!

    6 votes  ·  1 comment  ·  I am a customer
  13. Add functionality to create custom reports

    In addition to the two reports added in version 1.8, add the option to create custom reports. For instance, be able to generate a report based on suspicious activities.

    7 votes  ·  0 comments  ·  I am a customer
  14. Remote Vendor Access Monitoring (Unauthorized Lateral Movement)

    We have numerous IT projects going on all the time, and they remote in through our privileged access management system. Although it is helpful in controlling access and providing visibility, we want to firmly leverage ATA for detecting unauthorized lateral movement by explicitly telling ATA the scope of access (what AD account to what systems), so that it is ready to detect anomalies starting Day 1 vs. waiting for ATA to finish its learning period.

    5 votes  ·  0 comments  ·  I am a customer
  15. Far better integration with SIEMs

    Currently alerts sent to SIEMs lack all the context of the alert. They just have basic details and a link to the portal. A SOC needs to be able to validate an alert without having to log into the portal, thus the alerts need all the context of the alert, and the SIEM needs to be able to display that alert.

    This is especially important if you are using an MSP to provide your SOC, as it's unrealistic for them to be logging into multiple different ATA portals to understand multiple alerts on multiple customers.

    8 votes  ·  0 comments  ·  I am a customer
  16. Show correlated incidents by system or user

    Right now, the console just displays a long list of alerts. It would be good to be able to group them by system name or user ID to more easily detect when a system or user has multiple alerts tied to it over a short period of time.

    4 votes  ·  0 comments  ·  I am a customer
  17. VPN Support for Palo Alto Global Protect

    VPN Support for Palo Alto Global Protect

    1 vote  ·  0 comments  ·  I am a customer
  18. Account password has changed

    Help understanding why one of my endpoint PCs has "Account Password has changed"? There is no name next to it, or what account?

    1 vote  ·  0 comments  ·  I am a customer
  19. Step 9. Configure SAM-R required permissions - ???

    Please note that I was sent here after posting about this issue on GitHub 49 days ago.

    Following Step 9 resulted in hundreds of my users being unable to access resources via Citrix or RDP on Server 2012 R2 or earlier. Once the GPO change is made there is no way to back out of the change after the GPO is applied. Your options are to edit the registry of every affected server (200+ in our environment) or give "authenticated users" remote access to SAM in the GPO. We opted for the second in order to recover from some might…

    1 vote  ·  0 comments  ·  I am a customer
  20. Public API documentation for ATA Center console

    ATA is a nice product, but maintenance of exclusions through the Console is a bit of a nightmare.

    Would it be possible to see the JSON spec for the /systemprofile/ API endpoint somewhere?

    Someone already wrapped calls for the timeline and a few config options in this PowerShell module: https://www.powershellgallery.com/packages/Advanced-Threat-Analytics/0.0.12

    But it would be great to be able to manage exclusions directly via the API as well.

    5 votes  ·  0 comments  ·  I am a customer