Microsoft Advanced Threat Analytics

Manage suspicious activities, monitoring alerts and entities on Microsoft ATA.

This integration was integrated and tested with version 1.9.7478.57683 of Microsoft Advanced Threat Analytics.

Configure Microsoft Advanced Threat Analytics on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Microsoft Advanced Threat Analytics.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
urlATA Center URL (e.g. https://atacenter.contoso.com\)True
credentialsUsernameTrue
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse
max_fetchMaximum number of incidents per fetchFalse
activity_statusFetch suspicious activity with statusFalse
activity_typeFetch suspicious activity with type (leave empty to fetch all)False
min_severityMinimum severity of suspicious activity to fetchTrue
first_fetchFirst fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes)False
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
  1. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ms-ata-suspicious-activities-list


Retrieves suspicious activities.

Base Command

ms-ata-suspicious-activities-list

Input

Argument NameDescriptionRequired
idIdentifier of suspicious activity to retrieve (if provided, all other arguments will be ignored).Optional
statusRetrieve suspicious activities with the specified status (comma-seperated values suuported).Optional
severityRetrieve suspicious activities with the specified severity (comma-seperated values suuported).Optional
typeRetrieve suspicious activities of the specified type (comma-seperated values suuported).Optional
limitThe maximum number of suspicious activities to retrieve.Optional
start_timeRetrieve suspicious activities which occurred after the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours).
Optional
end_timeRetrieve suspicious activities which occurred before the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours).Optional

Context Output

PathTypeDescription
MicrosoftATA.SuspiciousActivity.DescriptionDetailFormatKeysStringList of detailed description of the suspicious acitivity format keys.
MicrosoftATA.SuspiciousActivity.DescriptionFormatKeyStringSuspicious activity format key description.
MicrosoftATA.SuspiciousActivity.DestinationComputerIdsStringList of identifiers of the destination computers.
MicrosoftATA.SuspiciousActivity.EndTimeDateEnd time of the suspicious activity.
MicrosoftATA.SuspiciousActivity.ExclusionUniqueEntityIdStringExclusion entity identifier of the suspicious activity.
MicrosoftATA.SuspiciousActivity.HasDetailsBooleanWhether the suspicious activity has further details to retrieve.
MicrosoftATA.SuspiciousActivity.HasUnknownLdapResourcesBooleanWhether the suspicious activity has unknown LDAP resources.
MicrosoftATA.SuspiciousActivity.HasUnknownNtlmResourcesBooleanWhether the suspicious activity has unknown NTLM resources.
MicrosoftATA.SuspiciousActivity.HoneytokenAccountIdStringAccount identifier of the Honeytoken suspicious activity.
MicrosoftATA.SuspiciousActivity.IdStringIdentifier of the suspicious activity.
MicrosoftATA.SuspiciousActivity.IsAdditionalDataAvailableBooleanWhether the suspicious activity has additional data available.
MicrosoftATA.SuspiciousActivity.NtlmDestinationComputerIdsStringList of identifiers of the NTLM destination computers.
MicrosoftATA.SuspiciousActivity.NtlmSourceComputerIdsStringList of identifiers of the NTLM source computers.
MicrosoftATA.SuspiciousActivity.ReasonKeyStringThe suspicious activity reason key.
MicrosoftATA.SuspiciousActivity.RelatedActivityCountBooleanCount of related suspicious activities.
MicrosoftATA.SuspiciousActivity.RelatedUniqueEntityIdsStringExclusion entity identifier of related suspicious activities.
MicrosoftATA.SuspiciousActivity.SeverityStringSeverity of the suspicious activity.
MicrosoftATA.SuspiciousActivity.SourceComputerIdsStringList of identifiers of the source computers.
MicrosoftATA.SuspiciousActivity.StartTimeDateStart time of the suspicious activity.
MicrosoftATA.SuspiciousActivity.StatusStringStatus of the suspicious activity.
MicrosoftATA.SuspiciousActivity.StatusUpdateTimeDateTime in which the suspicious activity status was updated in.
MicrosoftATA.SuspiciousActivity.SystemCreationTimeDateTime in which the suspicious activity was created in.
MicrosoftATA.SuspiciousActivity.SystemUpdateTimeDateTime in which the suspicious activity was updated in.
MicrosoftATA.SuspiciousActivity.TitleKeyStringThe suspicious activity title key.
MicrosoftATA.SuspiciousActivity.TypeStringType of the suspicious activity.
MicrosoftATA.SuspiciousActivity.WindowsEventIdBooleanIdentifier of the suspicious activity windows event.
MicrosoftATA.SuspiciousActivity.DetailsRecords.IsLoginBooleanWhether the suspicious activity indicates a login.
MicrosoftATA.SuspiciousActivity.DetailsRecords.IsSuccessBooleanWhether the suspicious activity was successful.
MicrosoftATA.SuspiciousActivity.DetailsRecords.IsTrafficBooleanWhether the suspicious activity indicates a traffic.
MicrosoftATA.SuspiciousActivity.DetailsRecords.ProtocolNameStringProtocol of the suspicious activity.
MicrosoftATA.SuspiciousActivity.DetailsRecords.ResourceIdentifierStringIdentifier of the suspicious activity source.
MicrosoftATA.SuspiciousActivity.DetailsRecords.SourceComputerIdStringIdentifier of the suspicious activity source computer.

Command Example

!ms-ata-suspicious-activities-list

Context Example

{
"MicrosoftATA": {
"SuspiciousActivity": {
"DescriptionDetailFormatKeys": [
"HoneytokenActivitySuspiciousActivityDescriptionDetailNtlmUnknownResourcesSuccess"
],
"DescriptionFormatKey": "HoneytokenActivitySuspiciousActivityDescription",
"DestinationComputerIds": [
"6b0e48f5-6c63-449c-8b6f-c749e18e28b3"
],
"EndTime": "2020-07-28T08:51:09.7050476Z",
"EvidenceKeys": [],
"ExclusionUniqueEntityId": null,
"HasDetails": true,
"HasUnknownLdapResources": false,
"HasUnknownNtlmResources": true,
"HoneytokenAccountId": "7a58c171-fa19-44f9-bf1e-81b544b318ad",
"Id": "5f1fe6b383eaed101ce19b58",
"IsAdditionalDataAvailable": false,
"KerberosLoginDestinationComputerIds": [],
"KerberosLoginSourceComputerIds": [],
"KerberosResourceAccessDestinationComputerIds": [],
"KerberosResourceAccessResourceIdentifiers": [],
"KerberosResourceAccessSourceComputerIds": [],
"LdapDestinationComputerIds": [],
"LdapResourceIdentifiers": [],
"LdapSourceComputerIds": [],
"NtlmDestinationComputerIds": [
"6b0e48f5-6c63-449c-8b6f-c749e18e28b3"
],
"NtlmResourceIdentifiers": [],
"NtlmSourceComputerIds": [
"computer ec2-63-35-159-19.eu-west-1.compute.amazonaws.com"
],
"ReasonKey": "HoneytokenActivitySuspiciousActivityReason",
"RelatedActivityCount": 3,
"RelatedUniqueEntityIds": [
"7a58c171-fa19-44f9-bf1e-81b544b318ad",
"computer ec2-63-35-159-19.eu-west-1.compute.amazonaws.com"
],
"Severity": "Medium",
"SourceComputerIds": [
"computer ec2-63-35-159-19.eu-west-1.compute.amazonaws.com"
],
"SourceIpAddresses": [],
"StartTime": "2020-07-28T08:49:54.1366697Z",
"Status": "Open",
"StatusUpdateTime": "2020-08-08T09:01:09.3438227Z",
"SystemCreationTime": "2020-07-28T08:49:55.3139871Z",
"SystemUpdateTime": "2020-08-08T09:01:09.3438227Z",
"TitleKey": "HoneytokenActivitySuspiciousActivityTitle",
"Type": "HoneytokenActivitySuspiciousActivity",
"WindowsEventId": 2014
}
}
}

Human Readable Output

Microsoft Advanced Threat Analytics Suspicious Activity

IdTypeStatusSeverityStartTimeEndTime
5f1fe6b383eaed101ce19b58HoneytokenActivitySuspiciousActivityOpenMedium2020-07-28T08:49:54.1366697Z2020-07-28T08:51:09.7050476Z

ms-ata-suspicious-activity-status-set


Sets suspicious activity status.

Base Command

ms-ata-suspicious-activity-status-set

Input

Argument NameDescriptionRequired
idIdentifier of suspicious activity to update status of.Required
statusStatus to update toRequired

Context Output

There is no context output for this command.

Command Example

!ms-ata-suspicious-activity-status-set id="5f1fe6b383eaed101ce19b58" status="Closed"

Human Readable Output

Suspicious activity 5f1fe6b383eaed101ce19b58 status was updated to Closed successfully.

ms-ata-monitoring-alerts-list


Retrieves health alerts.

Base Command

ms-ata-monitoring-alerts-list

Input

Argument NameDescriptionRequired
statusRetrieve monitoring alerts with the specified status (comma-seperated values suuported).Optional
severityRetrieve monitoring alerts with the specified severity (comma-seperated values suuported).Optional
typeRetrieve monitoring alerts of the specified type (comma-seperated values suuported).Optional
limitThe maximum number of monitoring alerts to retrieve.Optional
start_timeRetrieve monitoring alerts which occurred after the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours).
Optional
end_timeRetrieve monitoring alerts which occurred before the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours).Optional

Context Output

PathTypeDescription
MicrosoftATA.MonitoringAlert.DescriptionFormatKeyStringMonitoring alert format key description.
MicrosoftATA.MonitoringAlert.DomainSynchronizerNotAssignedDomainDnsNamesStringMonitoring alert domain synchronizer not assigned domain DNS names.
MicrosoftATA.MonitoringAlert.EndTimeDateEnd time of the monitoring alert.
MicrosoftATA.MonitoringAlert.IdStringIdentifier of the monitoring alert.
MicrosoftATA.MonitoringAlert.NotificationTimeDateNotification time of the monitoring alert.
MicrosoftATA.MonitoringAlert.SeverityStringSeverity of the monitoring alert.
MicrosoftATA.MonitoringAlert.StartTimeDateStart time of the monitoring alert.
MicrosoftATA.MonitoringAlert.StatusStringStatus of the monitoring alert.
MicrosoftATA.MonitoringAlert.StatusUpdateTimeDateStatus update time of the monitoring alert.
MicrosoftATA.MonitoringAlert.TitleKeyStringThe monitoring alert title key.
MicrosoftATA.MonitoringAlert.TypeStringType of the monitoring alert.
MicrosoftATA.MonitoringAlert.WindowsEventIdBooleanIdentifier of the monitoring alert windows event.
MicrosoftATA.MonitoringAlert.AccountDomainNameStringMonitoring alert account domain name.
MicrosoftATA.MonitoringAlert.AccountNameStringMonitoring alert account name.
MicrosoftATA.MonitoringAlert.IsPasswordExpiredBooleanWhether the monitoring alert indicates that password has expired.
MicrosoftATA.MonitoringAlert.PasswordExpiryTimeDatePassword expiry time.

Command Example

!ms-ata-monitoring-alerts-list

Context Example

{
"MicrosoftATA": {
"MonitoringAlert": [
{
"DescriptionDetailFormatKeys": [],
"DescriptionFormatKey": "GatewayDomainSynchronizerNotAssignedMonitoringAlertDescription",
"DomainSynchronizerNotAssignedDomainDnsNames": [
"demisto.local"
],
"EndTime": "2020-07-28T11:17:28.6742502Z",
"Id": "5f159bbd83eaed101cd5c4e5",
"NotificationTime": "2020-07-20T13:27:25.8510125Z",
"Severity": "Low",
"StartTime": "2020-07-20T13:27:25.7800034Z",
"Status": "Closed",
"StatusUpdateTime": "2020-07-28T11:17:28.6742502Z",
"TitleKey": "GatewayDomainSynchronizerNotAssignedMonitoringAlertTitle",
"Type": "GatewayDomainSynchronizerNotAssignedMonitoringAlert",
"WindowsEventId": 1007
},
{
"AccountDomainName": "demisto",
"AccountName": "Administrator",
"DescriptionDetailFormatKeys": [],
"DescriptionFormatKey": "GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlertDescriptionNearExpiry",
"EndTime": "2020-07-28T12:06:30.9408859Z",
"Id": "5f159e9283eaed101cd5c837",
"IsPasswordExpired": false,
"NotificationTime": "2020-07-20T13:39:30.5978881Z",
"PasswordExpiryTime": "2020-08-17T13:01:15.1609716Z",
"Severity": "Medium",
"StartTime": "2020-07-20T13:39:30.5559003Z",
"Status": "Closed",
"StatusUpdateTime": "2020-07-28T12:06:30.9408859Z",
"TitleKey": "GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlertTitleNearExpiry",
"Type": "GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlert",
"WindowsEventId": 1006
}
]
}
}

Human Readable Output

Microsoft Advanced Threat Analytics Monitoring Alert

IdTypeStatusSeverityStartTimeEndTime
5f159bbd83eaed101cd5c4e5GatewayDomainSynchronizerNotAssignedMonitoringAlertClosedLow2020-07-20T13:27:25.7800034Z2020-07-28T11:17:28.6742502Z
5f159e9283eaed101cd5c837GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlertClosedMedium2020-07-20T13:39:30.5559003Z2020-07-28T12:06:30.9408859Z

ms-ata-entity-get


Retrieves information of distinct entity, such as computers and users.

Base Command

ms-ata-entity-get

Input

Argument NameDescriptionRequired
idIdentifier of distinct entity to retrieve (Can be retrieved by running the command ms-ata-suspicious-activities-list from the output RelatedUniqueEntityIds).Required

Context Output

PathTypeDescription
MicrosoftATA.Entity.BadPasswordTimeDateTime in which bad password was entered.
MicrosoftATA.Entity.CanonicalNameStringEntity canonical name.
MicrosoftATA.Entity.CreationTimeDateTime in which the entity was created in.
MicrosoftATA.Entity.DescriptionStringEntity description.
MicrosoftATA.Entity.DistinguishedNameStringEntity distinguished name.
MicrosoftATA.Entity.DnsNameStringEntity DNS name.
MicrosoftATA.Entity.DomainController.IsGlobalCatalogBooleanWhether the entity is in the global catalog.
MicrosoftATA.Entity.DomainController.IsPrimaryBooleanWhether the entity is primary.
MicrosoftATA.Entity.DomainController.IsReadOnlyBooleanWhether the entity is read only.
MicrosoftATA.Entity.DomainIdStringIdentifier of the entity domain.
MicrosoftATA.Entity.ExpiryTimeDateExpiration time of the entity.
MicrosoftATA.Entity.IdStringIdentifer of the entity.
MicrosoftATA.Entity.IpAddressStringEntity IP address.
MicrosoftATA.Entity.IsDelegationEnabledBooleanWhether the entity is delegation enabled.
MicrosoftATA.Entity.IsDeletedBooleanWhether the entity is deleted.
MicrosoftATA.Entity.IsDesEncryptionOnlyBooleanWhether the entity is Data Encryption Standard only.
MicrosoftATA.Entity.IsDisabledBooleanWhether the entity is disabled.
MicrosoftATA.Entity.IsDomainControllerBooleanWhether the entity is domain controller.
MicrosoftATA.Entity.IsExpiredBooleanWhether the entity is expired.
MicrosoftATA.Entity.IsHoneytokenBooleanWhether the entity is related to Honeytoken activity.
MicrosoftATA.Entity.IsLockedBooleanWhether the entity is locked.
MicrosoftATA.Entity.IsNewBooleanWhether the entity is new.
MicrosoftATA.Entity.IsNotDelegatableBooleanWhether the entity is non-delegatable.
MicrosoftATA.Entity.IsPartialBooleanWhether the entity is partial.
MicrosoftATA.Entity.IsPasswordExpiredBooleanWhether the entity password is expired.
MicrosoftATA.Entity.IsSensitiveBooleanWhether the entity is sensitive.
MicrosoftATA.Entity.IsServerBooleanWhether the entity is a server.
MicrosoftATA.Entity.IsSmartcardRequiredBooleanWhether a smart card is required for the entity.
MicrosoftATA.Entity.OperatingSystemDisplayNameStringThe entity OS name,
MicrosoftATA.Entity.SamNameStringEntitiy Security Account Manager name.
MicrosoftATA.Entity.SidStringEntity security identifier.
MicrosoftATA.Entity.SpnsStringEntity Search Service Principal Names.
MicrosoftATA.Entity.SystemCreationTimeDateSystem creation time of the entity.
MicrosoftATA.Entity.SystemDisplayNameStringSystem display name of the entity.
MicrosoftATA.Entity.TypeStringType of the entity.
MicrosoftATA.Entity.UpnNameStringEntity User Principal Name.
MicrosoftATA.Entity.Profile.IsBehaviorChangedBooleanWhether the entity profile behavior changed.
MicrosoftATA.Entity.Profile.OpenSuspiciousActivityCountBooleanNumber of entity profile suspicious activities.
MicrosoftATA.Entity.Profile.SuspiciousActivitySeverityToCountMapping.HighNumberNumber of entity profile suspicious activities with High severity.
MicrosoftATA.Entity.Profile.SuspiciousActivitySeverityToCountMapping.LowNumberNumber of entity profile suspicious activities with Low severity.
MicrosoftATA.Entity.Profile.SuspiciousActivitySeverityToCountMapping.MediumNumberNumber of entity profile suspicious activities with Medium severity.
MicrosoftATA.Entity.Profile.TypeStringType of the entity profile.
MicrosoftATA.Entity.Profile.UpdateTimeDateUpdate time of the entity profile.

Command Example

!ms-ata-entity-get id="7a58c171-fa19-44f9-bf1e-81b544b318ad"

Context Example

{
"MicrosoftATA": {
"Entity": {
"BadPasswordTime": null,
"CanonicalName": "demisto.local/Users/Test ATA",
"ConstrainedDelegationSpns": [],
"CreationTime": "2020-07-21T13:58:11Z",
"Department": null,
"Description": null,
"DistinguishedName": "CN=Test ATA,CN=Users,DC=demisto,DC=local",
"DomainId": "3ae90e0d-eb20-4a4c-a922-0606ab7ae307",
"ExpiryTime": null,
"HasPhoto": false,
"Id": "7a58c171-fa19-44f9-bf1e-81b544b318ad",
"IsDelegationEnabled": false,
"IsDeleted": false,
"IsDesEncryptionOnly": false,
"IsDisabled": false,
"IsExpired": false,
"IsHoneytoken": true,
"IsLocked": false,
"IsNew": true,
"IsNotDelegatable": false,
"IsPartial": false,
"IsPasswordExpired": false,
"IsPasswordFarExpiry": false,
"IsPasswordNeverExpires": true,
"IsPasswordNotRequired": false,
"IsPlaintextPasswordAllowed": false,
"IsPreauthenticationNotRequired": false,
"IsSensitive": false,
"IsSmartcardRequired": false,
"IsTaggedAsSensitive": false,
"Mail": null,
"MobileNumber": null,
"Office": null,
"PasswordExpiryTime": null,
"PasswordUpdateTime": "2020-07-21T13:58:11.4101455Z",
"PhoneNumber": null,
"Profile": {
"AccessedResourceAccountIdToTimeMapping": {},
"DateToPrivilegeEscalationPathsMapping": {},
"DateToSourceComputerIdToProtocolToCertaintyMapping": {
"2020-07-21T00:00:00Z": {
"6b0e48f5-6c63-449c-8b6f-c749e18e28b3": {
"NtlmEvent": "High"
}
},
"2020-07-22T00:00:00Z": {
"6b0e48f5-6c63-449c-8b6f-c749e18e28b3": {
"NtlmEvent": "High"
},
"computer ec2-63-35-159-19.eu-west-1.compute.amazonaws.com": {
"NtlmEvent": "High"
}
},
"2020-07-28T00:00:00Z": {
"computer ec2-63-35-159-19.eu-west-1.compute.amazonaws.com": {
"NtlmEvent": "High"
}
}
},
"GeolocationIdToTimeMapping": {},
"Id": "7a58c171-fa19-44f9-bf1e-81b544b318ad",
"IsBehaviorChanged": true,
"LogonComputerIdToTimeMapping": {},
"OpenSuspiciousActivityCount": 0,
"SuspiciousActivitySeverityToCountMapping": {
"High": 0,
"Low": 0,
"Medium": 0
},
"Type": "UserProfile",
"UpdateTime": "2020-07-28T09:00:13.8696377Z"
},
"SamName": "testata",
"SensitiveRootParentGroupIds": [],
"SensitivityReasonFormatKeys": [],
"Sid": "S-1-5-21-1234499873-1172443441-1549941920-1115",
"Spns": [],
"SystemCreationTime": "2020-07-21T14:00:07.5795659Z",
"SystemDisplayName": "Test ATA",
"SystemSubDisplayName": null,
"Title": null,
"Type": "User",
"UpnName": "testata@demisto.local"
}
}
}

Human Readable Output

Microsoft Advanced Threat Analytics Entity 7a58c171-fa19-44f9-bf1e-81b544b318ad

IdSystemDisplayNameDistinguishedNameUpnNameTypeCreationTime
7a58c171-fa19-44f9-bf1e-81b544b318adTest ATACN=Test ATA,CN=Users,DC=demisto,DC=localtestata@demisto.localUser2020-07-21T13:58:11Z

Entity Profile

TypeSuspiciousActivitySeverityToCountMappingUpdateTimeIsBehaviorChanged
UserProfileLow: 0
Medium: 0
High: 0
2020-07-28T09:00:13.8696377Ztrue