For small entities: Would it be recommended to tweak the ATA settings to better support such a "low-activity environment"?

  • Question

  • Dear support team,

    I'm operating MS ATA 1.7 in a small entity (<50 users, 2 DCs). Would you recommend tweaking the ATA settings to better support such a "low-activity environment"?

    I stumbled across the recommendation to feed Mongo ATA with:

    db.SystemProfiles.update( {_t: "CenterSystemProfile"} , {$set:{"Configuration.EntityProfilerConfiguration.UniqueEntityProfileCacheMaxSize" : "4"}})

    in another thread.

    Best regards,

    G


    • Edited by G47HJKL Monday, March 20, 2017 8:44 AM
    Monday, March 20, 2017 8:43 AM

Answers

  • Hello,

    ATA supports three different categories of detection: security issues and risks, malicious attacks and abnormal behavior.

    Security issues and risks and malicious attacks are deterministic attacks, and can be surfaced immediately as they occur. It's not relevant to the number of entities, or the network activities for these entities.

    However, abnormal behavior uses machine learning to detect suspicious activities. It requires a minimum of 21 days to build the entity profiles and requires a minimum of 50 entity profiles. This can include 50 active human user profiles, active computer profiles and service accounts. To create a profile for an entity, ATA needs to see network activity for the entity on 12 out of the last 21 days.

    To validate the abnormal behavior is working fine, you can follow the steps outlined in the article below.

    https://blogs.technet.microsoft.com/enterprisemobility/2016/06/30/ata-behavior-analysis-monitoring/

    Finally, it's not recommended to modify the settings for abnormal behavior. First of all, you'd better verify that abnormal behavior is working, since even if the number of users is less than 50, there are still computers and service accounts.


    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by G47HJKL Tuesday, March 21, 2017 1:56 PM
    Tuesday, March 21, 2017 6:33 AM
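As an added illustration (not Microsoft code and not part of this thread), the following Python check applies the two thresholds Andy states to a constructed set of activity records: an entity qualifies for a profile only if it was seen on at least 12 of the last 21 days, and abnormal-behavior detection needs at least 50 such profiles, counting computers and service accounts alongside users. Entity names, the reference date and the activity pattern are all constructed; in practice the (entity, day) pairs would come from your own DC logon audit data.

```python
"""Added example: estimate whether a small environment can reach the ATA
profiling thresholds stated above. Not Microsoft code; the activity data
below is constructed for illustration."""
from collections import defaultdict
from datetime import date, timedelta

WINDOW_DAYS = 21       # learning window stated in the answer
MIN_ACTIVE_DAYS = 12   # days with activity needed before ATA builds a profile
MIN_PROFILES = 50      # profiles needed for abnormal-behavior detection
TODAY = date(2017, 3, 20)  # constructed reference date (a Monday)


def active_days(events, today=TODAY):
    """Map entity -> set of distinct days with activity inside the window.
    `events` is an iterable of (entity_name, date) pairs, e.g. built from
    DC logon audit logs (constructed here)."""
    start = today - timedelta(days=WINDOW_DAYS - 1)
    days = defaultdict(set)
    for entity, day in events:
        if start <= day <= today:
            days[entity].add(day)
    return days


def profiled_entities(events, today=TODAY):
    """Entities ATA would profile: active on >= MIN_ACTIVE_DAYS distinct days."""
    return sorted(e for e, d in active_days(events, today).items()
                  if len(d) >= MIN_ACTIVE_DAYS)


def readiness(events, today=TODAY):
    """Return (profile_count, shortfall); shortfall 0 means the 50-profile bar is met."""
    count = len(profiled_entities(events, today))
    return count, max(0, MIN_PROFILES - count)


def constructed_events(today=TODAY):
    """Constructed sample: 30 users seen on weekdays only, 2 DCs, 12 workstations
    and 3 service accounts seen every day, plus one account seen a single time."""
    events = []
    for offset in range(WINDOW_DAYS):
        day = today - timedelta(days=offset)
        if day.weekday() < 5:  # interactive users: weekday activity only
            events += [(f"user{i:02d}", day) for i in range(30)]
        events += [(f"dc{i}$", day) for i in range(1, 3)]
        events += [(f"ws{i:02d}$", day) for i in range(12)]
        events += [(f"svc_{n}", day) for n in ("sql", "backup", "scan")]
    events.append(("svc_legacy", today))  # one sighting: below the 12-day bar
    return events


if __name__ == "__main__":
    n, short = readiness(constructed_events())
    print(f"{n} profiled entities; {short} more needed for abnormal-behavior detection")
```

With the constructed data the 30 users alone fall short, but computers and service accounts bring the count to 47, leaving a shortfall of 3; the once-seen account does not qualify.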

All replies

  • >Dear support team, 

    This is a public forum. While sometimes Microsoft staff participate, if you actually need to speak to the support team, you will need to open a support case.

    >Would you recommend tweaking the ATA settings to better support such a "low-activity environment"?

    >I stumbled across the recommendation to feed Mongo ATA with:

    I see where you found that recommendation from the Microsoft ATA team. I don't know of any formal recommendations/documentation from the product team about general settings for small environments. My understanding is that most of the algorithms should auto-scale based on the amount of data they are working with. However, keep in mind that any tool that analyzes large datasets will be less effective the smaller the data set is.

    If you have a support agreement with Microsoft, it might be worth engaging them directly to deal with your specific scenario.

    I hope that helps,


    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    If you found a bug or want the product to work differently, share your feedback.
    <-- If this post was helpful, please click the up arrow or propose as answer.

    Monday, March 20, 2017 4:49 PM
  • Thanks for your explanation and the link, Andy! I hope that after the 21 days we can validate that abnormal behavior is working fine ...

    Best regards,

    G

    Tuesday, March 21, 2017 2:04 PM
  • You are welcome!

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 24, 2017 8:49 AM