Microsoft ATA

Release Details

 

Package Details

The application consists of the following components:

1. Alert Packages

• LP_Microsoft ATA_Pass the ticket
• LP_Microsoft ATA_Suspicious replication of directory services
• LP_Microsoft ATA_Database used by a Center is Down
• LP_Microsoft ATA_Identity theft using Pass-the-Ticket attack
• LP_Microsoft ATA_Malicious Data Protection Private Information Request
• LP_Microsoft ATA_Pass-the-hash

2. Dashboard Package

• LP_Microsoft ATA
  

3. Compiled Normalizer

• MicrosoftATANormalizer

General Description

The Microsoft ATA application enables you to monitor and identify threats in your organization using data from Microsoft ATA. You can further analyze the data using alerts and pre-set dashboard views. 

Installation 

Follow these steps to install the Microsoft ATA v5.1.0 application:

1. Download the Microsoft ATA package from the Download section above.
2. Add Microsoft ATA as the required device in LogPoint.
3. Create a collection policy with the Syslog collector and an appropriate processing policy. 
4. Assign the policy to the device.
5. Add the dashboard.

Screenshots

Supported Device

The device supported by the Microsoft ATA with LogPoint in this configuration is:

• Microsoft ATA v1.x

Log Format

Microsoft ATA v1.x

Expected Log Format

CEF

Log Sample

CEF:0|Microsoft|ATA|1.9.0.0|AbnormalSensitiveGroupMembershipChangeSuspiciousActivity|Abnormal modification of sensitive groups|5|start=2020-1-12T18:52:58.0000000Z app=GroupMembershipChangeEvent suser=abc msg=abc has uncharacteristically modified sensitive group memberships. externalId=1234 cs1Label=url cs1=https://1.1.1.1/suspiciousActivity/xxxxxxxxxxxxx

To export data to LogPoint, use the Syslog collector on port 514 of the LogPoint server.

Support

If you have any queries or require assistance, please feel free to contact our support team:

Email:             servicedesk@logpoint.com

Phone:           +45 7060 6100

Best regards,