Advanced Threat Analytics

Welcome! You can use this site to give feedback directly to our engineering teams that build the security products you rely on. You can suggest features or design changes, and vote on suggestions others have made. If you would like to further engage our engineering teams, please join our Security Community by visiting https://aka.ms/SecurityCommunity.

To learn more about Microsoft Advanced Threat Analytics or try it out, visit the product page.

  1. Provide more frequent releases

    ATA doesn't seem to get updates very often. Initially it did. Updates mean there is active development. Please keep it fresh and current!

    3 votes
    1 comment  ·  I am a customer
  2. track changes on specific attributes

    Currently, only hardcoded AD attributes are tracked for Directory Service Changes.

    It would be extremely useful (and I suppose trivial to implement) to be able to track changes on some custom attributes that might be of high importance to each organization - e.g. EmployeeID. Basically, give the client the option to pick additional attributes for tracking.

    Thanks

    2 votes
    0 comments  ·  I am a customer
  3. 5 votes
    0 comments  ·  I am a partner
  4. Internal Azure Processes Trigger Alerts For Advanced Threat Analytics

    When internal Azure processes change configuration, for example IP address, this can trigger Advanced Threat Analytics (ATA) alerts. In our example, automatic SQL database backups to Azure Storage, controlled in the Azure Portal configuration of the Azure VM running SQL, changed. We do not control the IP of that process, and so ATA kicked in and promptly told us something unexpected accessed our storage. Based upon what was shown and what we deduced, it looked to be the auto backup process for a SQL VM. We turned it off and indeed we got another ATA alert. To prevent such worries…

    1 vote
    0 comments  ·  I am an employee of Microsoft
  5. ADD AIO

    MULTI AI

    1 vote
    0 comments  ·  I am a customer
  6. Renewing an existing certificate / automatically

    The process of renewing an existing certificate is not supported. The only way to renew a certificate is by creating a new certificate and configuring ATA to use the new certificate.

    Also, the only way to upload a certificate is via the UI / please at least allow PowerShell or some API way to do that.

    1 vote
    0 comments  ·  I am a customer
  7. Configuration changes using cmdlets

    Currently, exclusion settings are set in the GUI one by one, but cannot be set at once.
    We would like to use cmdlet settings and some batch processing.

    1 vote
    0 comments  ·  I am an employee of Microsoft
  8. Move ATA Sizing tool to Microsoft Download Center

    Can you move the sizing tool to a more reputable source like the MS Download Center? Or heck, even GitHub? And can you provide a single compressed exe with no dependencies on dll files?

    1 vote
    0 comments  ·  I am a customer
  9. Migrate from MongoDB to SQL Express

    Can we get a version of this product that uses SQL Express instead of Mongo? I watched a video from one of your conferences where the speaker (I don't recall her name) stated that they would rather focus on providing better detection instead of using a different database technology. Well, it's now been a year and a half since the last product update. So that to me means this product is pretty close to maturity, so why not provide this using SQL Express?

    1 vote
    0 comments  ·  I am a customer
  10. email notifications

    ATA per-alert email notifications

    I would like to send specific alerts from the email notifications to specific departments. For example, I would like to send to our infra team automatically, for the first step of investigation, a specific alert such as Suspicion of identity theft based on abnormal behavior, because in this case it is usually our engineer who logged in to some laptop or server for legitimate tasks.

    1 vote
    0 comments  ·  I am a customer
  11. Add role to view software inventory of "my" machines

    Currently, the software inventory is an "all or nothing" thing - I have access to data of all machines or no machines. But we have a lot of users that are allowed to install additional software (like VLC player), but need to manage updates of this software by themselves.

    It would be great if each member of an AAD can see the software inventory data of all machines where she/he is in the group of local administrators (or the "Enrolled by User" shown in Intune or the "assigned user" in Windows Autopilot - whatever is faster to implement).

    1 vote
    0 comments  ·  I am a partner
  12. Typo found in logs

    We have implemented ATP and it has been to analyze the events. I found a typo in the logs.

    You may search for the following string > Potential sensiive lateral movement path ... > Please change the string incudes to includes. Just a little typo. I could have sent a screenshot, but there is no such option here.

    1 vote
    0 comments  ·  I am a customer
  13. More Information from Entities Recently Learned

    Currently, when a new entity is learned by ATA, a notification is listed on the right side of the screen. For example:

    "Entities recently learned
    1 computer
    2 hours ago"

    Would it be possible to make that notification user-interactive so the recently learned entities are listed as well? Currently, the notification does not give any additional information.

    3 votes
    0 comments  ·  I am a customer
  14. 2 votes
    0 comments  ·  I am a customer
  15. Timeline and Activities Focus - Allow Configurable Refresh Rate

    Please consider adding configuration to allow the customer to determine the refresh rate when viewing the timeline or activities timeline for an entity. The existing version 1.9 Update 1 seems to refresh frequently and this can be slightly annoying when trying to review the information. Allowing an option to configure this or pause it would be helpful. Thanks.

    7 votes
    1 comment  ·  I am a customer
  16. Model Admin account behavior separate from standard users

    Administrative accounts are expected to behave differently than standard users in an organization. I would like to see the ability to 'tag' these accounts and have their behavior modeled separately from the non-tagged users. This would allow ATA to still monitor the accounts for signs of compromise, rather than excluding them to suppress the false positives - providing better coverage for the organization.

    7 votes
    1 comment  ·  I am a customer
  17. MongoDB security hardening

    I'd like to have the possibility to enable SSL, encryption, authentication, and auditing on the MongoDB instance. Some of these options, like authentication or SSL enablement, are crashing ATA; others, like auditing and encryption, are reserved to MongoDB Enterprise, while ATA comes with the Community version.

    1 vote
    0 comments  ·  I am a customer
  18. Log DNS requests and answers at client level

    Instead of logging DNS requests and answers at DNS server level, do it at the client level instead.
    Take the opportunity to do it at the client resolver cache level (local service) to also log which process is doing which DNS request.
    For ease of processing, log to Windows event logs in separate events (1 for request, 1 for response, use DNS transaction ID to uniquely identify request/response pairs).

    1 vote
    0 comments  ·  I am a customer
  19. Possibility to create custom query and (then) alerts

    The data is already in the database, so it would be nice to make it possible to query data like:

    • "show me all userobjects which had password changes and were not used to logon in the last 14 days."

    • "show me all computerobjects which are not members of this group or that group"

    After we get the data back from the query, it would be nice to save the query for future use and to create alerts when the data which is given back by the query has news or changes, like:

    • "send me an e-mail if there's an account…
    2 votes
    0 comments  ·  I am a partner
  20. Learning Period for ID Theft Alert

    In future releases, could we see an option to change the threshold for the ID theft learning period? A 30 day learning/alerting period is proving to be a little short in our environment.

    Thank you.

    9 votes
    3 comments  ·  I am a customer