Advanced Threat Analytics

Welcome! You can use this site to give feedback directly to our engineering teams that build the security products you rely on. You can suggest features or design changes, and vote on suggestions others have made. If you would like to further engage our engineering teams, please join our Security Community by visiting https://aka.ms/SecurityCommunity.

To learn more about Microsoft Advanced Threat Analytics or try it out, visit the product page.

How can we improve Advanced Threat Analytics?



• Model Admin account behavior separate from standard users

  Administrative accounts are expected to behave differently than standard users in an organization. I would like to see the ability to 'tag' these accounts and have their behavior modeled separately from the non-tagged users. This would allow ATA to still monitor the accounts for signs of compromise, rather than excluding them to suppress the false positives - providing better coverage for the organization.

  2 votes · 0 comments · I am a customer
• VPN Support for Palo Alto Global Protect

  VPN Support for Palo Alto Global Protect

  1 vote · 0 comments · I am a customer
• Account password has changed

  Help understanding why one of my endpoint PCs has "Account Password has changed"? There is no name next to it, nor which account.

  1 vote · 0 comments · I am a customer
• Step 9. Configure SAM-R required permissions - ???

  Please note that I was sent here after posting about this issue on GitHub 49 days ago.

  Following Step 9 resulted in hundreds of my users being unable to access resources via Citrix or RDP on Server 2012 R2 or earlier. Once the GPO change is made there is no way to back out of the change after the GPO is applied. Your options are to edit the registry of every affected server (200+ in our environment) or give "authenticated users" remote access to SAM in the GPO. We opted for the second in order to recover from some might…

  1 vote · 0 comments · I am a customer
• Public API documentation for ATA Center console

  ATA is a nice product, but maintenance of exclusions through the Console is a bit of a nightmare.

  Would it be possible to see the JSON spec for the /systemprofile/ API endpoint somewhere?

  Someone already wrapped calls for the timeline and a few config options in this PowerShell module: https://www.powershellgallery.com/packages/Advanced-Threat-Analytics/0.0.12

  But it would be great to be able to manage exclusions directly through the API as well.

  5 votes · 0 comments · I am a customer
• Learning Period for ID Theft Alert

  In future releases, could we see an option to change the threshold for the ID theft learning period? A 30 day learning/alerting period is proving to be a little short in our environment.

  Thank you.

  2 votes · 0 comments · I am a customer
• Additional workitem status for large teams working ATA Identified Issues

  Customer is asking that there be additional status messages that can be set for active alerts. They have a large team and find team members working the same alerts without realizing it. Something in the console to flag that someone is already working the alerted item.

  2 votes · 0 comments · I am an employee of Microsoft
• Report showing the objects with the largest number of suspicious events

  ATA is great at identifying unique events but it isn't great at allowing us to see systems that are the most suspicious. I want to be able to generate a list of objects being monitored that are seen as outliers to the rest of the environment and how it operates.

  1 vote · 0 comments · I am a partner
• Notification Report Email of VPN Logs

  When a user connects to the company network via VPN, ATA has VPN accounting logs for that user, but you have to manually go search for the user on ATA to see the logs. A notification report email would help keep track of all the VPN connections in one report that's sent daily like other reports ATA sends out.

  1 vote · 0 comments · I am a customer
• Trial Support ATA

  I have been using ATA for about a month and a half. Where can I get support or ask a question about ATA?

  1 vote · 0 comments · I am a customer
• WUDO Causing Suspicion of identity theft based on abnormal behavior alert to trigger several times per hour

  False positive started on ATA version 1.9, triggered by Windows 10 machines.
  Each alert is triggered by gifs connections to around 30 hosts.

  2 votes · 0 comments · I am a customer
• Dashboard Capability w/ Hunt Focus

  While ATA is great at posting alerts on the console, it lacks the overall visualization that other security tools provide in their respective consoles.

  Yes, there are a limited number of reports that do that, but it doesn't have the ATA-wide visibility that ATA admins need to get an overall picture of the environment, and the formatting of the spreadsheet feels clunky at times.

  Some of the example questions (think beyond regular alerts, what is abnormal judged by ATA, etc.):

  Who are the top 10 users flagged for doing X in the past X days?
  What are the top 10 alerts…

  5 votes · 0 comments · I am a customer
• DNS Intelligence

  When malware gets in the door, it typically reaches back to C2 systems on the Web by querying DNS servers. More often than not, DCs also run the function of DNS servers. Then why not tap into the rich DNS logs that are already on the DCs for wider visibility of lateral movement/data exfil?

  5 votes · 0 comments · I am a customer
• MFA

  Enable the use of MFA using a product such as Duo when logging into the Portal.

  3 votes · 0 comments · I am a customer
• All SIDs in Account Info Section to be Searchable

  Can't use the Global search to search by SIDs that are listed under the Account Info section.

  2 votes · 0 comments · I am a customer
• Notes Field for Closing, Excluding or Deleting Alerts

  Please add a notes field that can be annotated when taking any sort of action on an alert so that users/admins can keep track of why an alert was closed or add helpful information to an alert.

  8 votes · 1 comment · I am a customer
• Add the date/time for all incidents of a specific endpoint/user

  Currently, when you select a specific user/endpoint and it shows a timeline of all the events that user/endpoint has been involved in, it doesn't display the specific date and time of the incident until it reaches "Three Weeks Ago". So it resembles something like:

  Today 7:15am (event)
  Wednesday 8:15am (event)
  Tuesday 7:45am (event)
  Monday 7:15pm (event)
  Sunday (Time) (event)
  Saturday (Time) (event)
  Friday (Time) (event)
  Thursday (Time) (event)

  ...continues up until "Three Weeks Ago", then it starts adding the specific date instead of just the day of the week:

  7:15am Apr 21, 2018 (event)
  7:30am Apr 20, 2018 (event)
  7:55am Apr…

  3 votes · 0 comments · I am a customer
• Allow for some UI customization

  Two use cases:
  - Customer runs multiple ATA Centers for multiple forests: allow some UI customization (changed logos or colors) to keep them visually separate.
  - Customer keeps vital user data in more than just the "title" AD attribute: allow for other AD attributes to be displayed in the UI "profile" tile and in the Account Info tile.

  3 votes · 0 comments · I am a customer
• VPN integration support for Juniper VPN devices

  Please provide support for VPN integration with Juniper VPN devices.

  4 votes · 0 comments · I am a customer
• Allow Updating of Unresolved Objects

  Currently there's no way to update objects that appear as Unresolved in ATA. It would be useful if there was a way to do so.

  Example: an unresolved IP address appears in a suspicious activity alert, but nslookup/dig returns an A record and nmap reports open ports that are concurrent with a MacOS device.

  If unresolved objects could be modified, the hostname and port information could be added to the IP address from the above example.

  2 votes · 0 comments · I am a customer