Description of Update 1 for Microsoft Advanced Threat Analytics v1.7

View products that this article applies to.

This article describes an update for Microsoft Advanced Threat Analytics (ATA) v1.7.

DO NOT run the command in this article on the versions that are later than v1.7, as this damages the system. Also, do not try to change this command and run it without direct instruction from Microsoft Support Services or the Product Group.

Issues that are fixed in this update

Issue 1

Migration from ATA v1.6 (1.6.4103) or ATA v1.6 Update 1 (1.6.4317) to ATA v1.7 (1.7.5402) fails with a 0x80070643 error code.

Issue 2

After you migrate to or install ATA v1.7 (1.7.5402), ATA still generates notifications (email, syslog, or event logs) for suspicious activities whose status has been changed to "dismissed."

Issue 3

ATA generates a large number of "Reconnaissance using directory services enumeration" suspicious activates after you migrate to or install ATA v1.7 (1.7.5402).

↑ Back to the top

Resolution

To fix these issues, download and run the update that's described in the "How to get this update" section. The update upgrades ATA to ATA 1.7 build 1.7.5647.

For Issue 3: After you install this update, you can use the following procedure to disable "Reconnaissance using directory services enumeration" suspicious activity detection and to remove the old suspicious activities after you upgrade to ATA v1.7 build 1.7.5647. To do this, follow these steps:

From an elevated command prompt, navigate to the following location:
C:\Program Files\Microsoft Advanced ThreatAnalytics\Center\MongoDB\bin
Type – Mongo.exe ATA. (Note "ATA" must be uppercase.)
Paste the following commands in the mongo command prompt.
1. To dismiss the existing suspicious activities:
  
  db.SuspiciousActivity.update({_t: "SamrReconnaissanceSuspiciousActivity"}, {$set: {Status: "Dismissed"}}, {multi: true})
2. To disable the "Reconnaissance using directory services enumeration" suspicious activity:
  
  db.SystemProfile.update({_t:"CenterSystemProfile"},{$set:
  {"Configuration.SamrReconnaissanceDetectorConfiguration.IsEnabled":false}})

How to get this update

Method 1: Microsoft Update

This update is available on Microsoft Update. For more information about how to use Microsoft Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The following file is available for download from the Microsoft Download Center:

Download the ATA v1.7 Update 1 package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information

Prerequisites

To install this update, you should first install ATA v1.6 with Update 1 (1.6.4317) or ATA v1.7 (1.7.5402). If you have ATA v1.6 (1.6.4103), you must first upgrade to ATA v1.6 Update 1 from Description of Update 1 for Microsoft Advanced Threat Analytics v1.6.

Registry information

To apply this update, you don't have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this update.

Update replacement information

This update doesn't replace a previously released update.

↑ Back to the top

More Information

Certificate is incompatible with ATA 1.7 migration

Introduction

In ATA v1.7, the ATA Center requires one certificate for both the ATA Center service and the ATA Console. When you upgrade from ATA v1.6 to v1.7, the upgrade process takes the certificate currently being used by IIS for the ATA Console as the certificate for ATA v1.7. This certificate will be used by both the ATA Center service and the web console. If the certificate currently being used by IIS is a KSP certificate, the upgrade fails with the following message:

ATA version 1.7 doesn’t support the currently configured ATA Console certificate; please follow the instructions in KB3191777 to be able to complete the ATA Center update process.

Resolution

To switch the certificate that's being used by the ATA Console, follow these steps:

Install the new certificate (non KSP) on the ATA Center server. You can use the same subject name as in the existing certificate to avoid causing issues when users browse to the ATA Console.
Open IIS Manager.
Expand the name of the server, and then expand Sites.
Select the Microsoft ATA Console site, and then in the Actions pane, click Bindings.
Select HTTPS, and then click Edit.
Under SSL certificate, select the new certificate.
Wait for all ATA gateways to synchronize with the center.
Rerun the ATA 1.7 upgrade.

Note if you have to install a new ATA gateway before rerunning the upgrade, you must download the updated ATA Gateway package from the ATA Center before running the ATA Gateway installation.

Note To verify that the certificate was issued using a KSP template, follow these steps:

Open an elevated command prompt, and then type the following:
certutil -store my <CertName>
If the output is "Provider = Microsoft Software Key Storage Provider," it’s a KSP certificate.