Questions about ATA user behavior analysis time (21 days)

  • Question

  • Hi,

    in this video Laura E. Hunter from Microsoft describes behavior analytics: https://youtu.be/hNZdboDvnuU?t=1251

    She says that ATA will analyze the behavior in a domain for 21 days and declare this as normal behavior. After the 21 days ATA will report unusual user behavior based on the 21 days analysis.

    I have two questions about this:

    1. Can we see the progress of the analysis somewhere? I searched through the ATA-center but there is nothing. Is it possible to see it in some kind of logfile or the Mongo-DB?

    2. We have started ATA with one DC. What happens if we add our other DCs later? Will the analysis recognize behavior from those, also when the 21 days are already over?

    I did not find anything about this 21-day analysis period in the documentation. I'm more than happy with a hint if I have overlooked something there.

    Thanks in advance

    Friday, June 26, 2020 12:22 PM

All replies

  • 1. Not in a readable form. 

    2. The learning is mainly per account, so if ATA learns about new accounts now, it will not trigger on them until it has learned them long enough.

    Once 21 days have passed, those accounts will be handled like all the "old" ones.

    Friday, June 26, 2020 10:17 PM
  • Thanks for your reply. Is it possible to reset/restart the scan after we added all of our DCs?
    Tuesday, July 7, 2020 2:40 PM
  • Why would you want to do that?
    Tuesday, July 7, 2020 2:43 PM
  • We have one DC with low traffic in ATA for about two weeks to try ATA.

    It takes about 2-3 weeks for us to add all DCs (extend hardware).

    So ATA will not learn "normal" user behavior in the first 21 days. Therefore I thought to restart the 21 days learning procedure after all DCs are included. 

    Does that make sense?

    Tuesday, July 7, 2020 2:46 PM
  • No, the 21 days are a sliding window. That means it always learns the last 21 days, so as you progress with the deployment the learning will be updated. There is no reason in this case to "force" a clean learning from scratch at the end of the deployment.
    • Marked as answer by Dr.Zoidberg Tuesday, July 7, 2020 3:02 PM
    Tuesday, July 7, 2020 2:57 PM
  • I understand, that helps a lot, thank you!
    Tuesday, July 7, 2020 3:02 PM
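
A simplified model of what the replies above describe (learning per account, over a sliding 21-day window), added here as an illustration. It is not ATA's code or detection logic; the class, account names, resources and event timeline are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=21)  # learning period stated in the thread


class SlidingBaseline:
    """Toy per-account baseline; an illustration, not ATA's detection logic."""

    def __init__(self):
        self.first_seen = {}               # account -> date of first event
        self.history = defaultdict(list)   # account -> [(day, resource)]

    def observe(self, day, account, resource):
        """Record an event; return True if it deviates from the baseline."""
        self.first_seen.setdefault(account, day)
        # Slide the window: forget events that are 21 or more days old.
        recent = [(d, r) for d, r in self.history[account] if day - d < WINDOW]
        learned = day - self.first_seen[account] >= WINDOW
        known = {r for _, r in recent}
        recent.append((day, resource))
        self.history[account] = recent
        # Accounts still inside their first 21 days never trigger.
        return learned and resource not in known


def run_constructed_rollout():
    """Constructed events: DC1 monitored from day 0, DC2 added on day 14."""
    start = date(2020, 6, 1)
    baseline = SlidingBaseline()
    flagged = []
    for n in range(50):
        day = start + timedelta(days=n)
        events = [("alice", "fileserver")]             # visible via DC1
        if n >= 14:
            events.append(("bob", "sqlserver"))        # visible only via DC2
        if n == 20:
            events.append(("bob", "hr-share"))         # bob is still learning
        if n == 42:
            events.append(("bob", "backup-server"))    # bob has 28 days of data
        if n == 45:
            events.append(("alice", "sqlserver"))      # new resource for alice
        for account, resource in events:
            if baseline.observe(day, account, resource):
                flagged.append((n, account, resource))
    return flagged
```

In this model the account that only became visible when the second DC was added is never flagged during its own first 21 days and is treated like any other account afterwards, with no reset of the accounts learned earlier.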