Microsoft Advanced Threat Analytics
Microsoft Advanced Threat Analytics Pack.#
This Integration is part of theManage suspicious activities, monitoring alerts and entities on Microsoft ATA.
This integration was integrated and tested with version 1.9.7478.57683 of Microsoft Advanced Threat Analytics.
#
Configure Microsoft Advanced Threat Analytics on Cortex XSOAR- Navigate to Settings > Integrations > Servers & Services.
- Search for Microsoft Advanced Threat Analytics.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
url | ATA Center URL (e.g. https://atacenter.contoso.com\) | True |
credentials | Username | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
max_fetch | Maximum number of incidents per fetch | False |
activity_status | Fetch suspicious activity with status | False |
activity_type | Fetch suspicious activity with type (leave empty to fetch all) | False |
min_severity | Minimum severity of suspicious activity to fetch | True |
first_fetch | First fetch time range (<number> <time unit>, e.g., 1 hour, 30 minutes) | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
- Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ms-ata-suspicious-activities-listRetrieves suspicious activities.
#
Base Commandms-ata-suspicious-activities-list
#
InputArgument Name | Description | Required |
---|---|---|
id | Identifier of suspicious activity to retrieve (if provided, all other arguments will be ignored). | Optional |
status | Retrieve suspicious activities with the specified status (comma-seperated values suuported). | Optional |
severity | Retrieve suspicious activities with the specified severity (comma-seperated values suuported). | Optional |
type | Retrieve suspicious activities of the specified type (comma-seperated values suuported). | Optional |
limit | The maximum number of suspicious activities to retrieve. | Optional |
start_time | Retrieve suspicious activities which occurred after the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours). | Optional |
end_time | Retrieve suspicious activities which occurred before the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftATA.SuspiciousActivity.DescriptionDetailFormatKeys | String | List of detailed description of the suspicious acitivity format keys. |
MicrosoftATA.SuspiciousActivity.DescriptionFormatKey | String | Suspicious activity format key description. |
MicrosoftATA.SuspiciousActivity.DestinationComputerIds | String | List of identifiers of the destination computers. |
MicrosoftATA.SuspiciousActivity.EndTime | Date | End time of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.ExclusionUniqueEntityId | String | Exclusion entity identifier of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.HasDetails | Boolean | Whether the suspicious activity has further details to retrieve. |
MicrosoftATA.SuspiciousActivity.HasUnknownLdapResources | Boolean | Whether the suspicious activity has unknown LDAP resources. |
MicrosoftATA.SuspiciousActivity.HasUnknownNtlmResources | Boolean | Whether the suspicious activity has unknown NTLM resources. |
MicrosoftATA.SuspiciousActivity.HoneytokenAccountId | String | Account identifier of the Honeytoken suspicious activity. |
MicrosoftATA.SuspiciousActivity.Id | String | Identifier of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.IsAdditionalDataAvailable | Boolean | Whether the suspicious activity has additional data available. |
MicrosoftATA.SuspiciousActivity.NtlmDestinationComputerIds | String | List of identifiers of the NTLM destination computers. |
MicrosoftATA.SuspiciousActivity.NtlmSourceComputerIds | String | List of identifiers of the NTLM source computers. |
MicrosoftATA.SuspiciousActivity.ReasonKey | String | The suspicious activity reason key. |
MicrosoftATA.SuspiciousActivity.RelatedActivityCount | Boolean | Count of related suspicious activities. |
MicrosoftATA.SuspiciousActivity.RelatedUniqueEntityIds | String | Exclusion entity identifier of related suspicious activities. |
MicrosoftATA.SuspiciousActivity.Severity | String | Severity of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.SourceComputerIds | String | List of identifiers of the source computers. |
MicrosoftATA.SuspiciousActivity.StartTime | Date | Start time of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.Status | String | Status of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.StatusUpdateTime | Date | Time in which the suspicious activity status was updated in. |
MicrosoftATA.SuspiciousActivity.SystemCreationTime | Date | Time in which the suspicious activity was created in. |
MicrosoftATA.SuspiciousActivity.SystemUpdateTime | Date | Time in which the suspicious activity was updated in. |
MicrosoftATA.SuspiciousActivity.TitleKey | String | The suspicious activity title key. |
MicrosoftATA.SuspiciousActivity.Type | String | Type of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.WindowsEventId | Boolean | Identifier of the suspicious activity windows event. |
MicrosoftATA.SuspiciousActivity.DetailsRecords.IsLogin | Boolean | Whether the suspicious activity indicates a login. |
MicrosoftATA.SuspiciousActivity.DetailsRecords.IsSuccess | Boolean | Whether the suspicious activity was successful. |
MicrosoftATA.SuspiciousActivity.DetailsRecords.IsTraffic | Boolean | Whether the suspicious activity indicates a traffic. |
MicrosoftATA.SuspiciousActivity.DetailsRecords.ProtocolName | String | Protocol of the suspicious activity. |
MicrosoftATA.SuspiciousActivity.DetailsRecords.ResourceIdentifier | String | Identifier of the suspicious activity source. |
MicrosoftATA.SuspiciousActivity.DetailsRecords.SourceComputerId | String | Identifier of the suspicious activity source computer. |
#
Command Example!ms-ata-suspicious-activities-list
#
Context Example#
Human Readable Output#
Microsoft Advanced Threat Analytics Suspicious Activity
Id Type Status Severity StartTime EndTime 5f1fe6b383eaed101ce19b58 HoneytokenActivitySuspiciousActivity Open Medium 2020-07-28T08:49:54.1366697Z 2020-07-28T08:51:09.7050476Z
#
ms-ata-suspicious-activity-status-setSets suspicious activity status.
#
Base Commandms-ata-suspicious-activity-status-set
#
InputArgument Name | Description | Required |
---|---|---|
id | Identifier of suspicious activity to update status of. | Required |
status | Status to update to | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!ms-ata-suspicious-activity-status-set id="5f1fe6b383eaed101ce19b58" status="Closed"
#
Human Readable OutputSuspicious activity 5f1fe6b383eaed101ce19b58 status was updated to Closed successfully.
#
ms-ata-monitoring-alerts-listRetrieves health alerts.
#
Base Commandms-ata-monitoring-alerts-list
#
InputArgument Name | Description | Required |
---|---|---|
status | Retrieve monitoring alerts with the specified status (comma-seperated values suuported). | Optional |
severity | Retrieve monitoring alerts with the specified severity (comma-seperated values suuported). | Optional |
type | Retrieve monitoring alerts of the specified type (comma-seperated values suuported). | Optional |
limit | The maximum number of monitoring alerts to retrieve. | Optional |
start_time | Retrieve monitoring alerts which occurred after the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours). | Optional |
end_time | Retrieve monitoring alerts which occurred before the given time. Supported formats: ISO 8601 (e.g. 2020-07-28T10:00:00Z) and time period (e.g. 24 hours). | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftATA.MonitoringAlert.DescriptionFormatKey | String | Monitoring alert format key description. |
MicrosoftATA.MonitoringAlert.DomainSynchronizerNotAssignedDomainDnsNames | String | Monitoring alert domain synchronizer not assigned domain DNS names. |
MicrosoftATA.MonitoringAlert.EndTime | Date | End time of the monitoring alert. |
MicrosoftATA.MonitoringAlert.Id | String | Identifier of the monitoring alert. |
MicrosoftATA.MonitoringAlert.NotificationTime | Date | Notification time of the monitoring alert. |
MicrosoftATA.MonitoringAlert.Severity | String | Severity of the monitoring alert. |
MicrosoftATA.MonitoringAlert.StartTime | Date | Start time of the monitoring alert. |
MicrosoftATA.MonitoringAlert.Status | String | Status of the monitoring alert. |
MicrosoftATA.MonitoringAlert.StatusUpdateTime | Date | Status update time of the monitoring alert. |
MicrosoftATA.MonitoringAlert.TitleKey | String | The monitoring alert title key. |
MicrosoftATA.MonitoringAlert.Type | String | Type of the monitoring alert. |
MicrosoftATA.MonitoringAlert.WindowsEventId | Boolean | Identifier of the monitoring alert windows event. |
MicrosoftATA.MonitoringAlert.AccountDomainName | String | Monitoring alert account domain name. |
MicrosoftATA.MonitoringAlert.AccountName | String | Monitoring alert account name. |
MicrosoftATA.MonitoringAlert.IsPasswordExpired | Boolean | Whether the monitoring alert indicates that password has expired. |
MicrosoftATA.MonitoringAlert.PasswordExpiryTime | Date | Password expiry time. |
#
Command Example!ms-ata-monitoring-alerts-list
#
Context Example#
Human Readable Output#
Microsoft Advanced Threat Analytics Monitoring Alert
Id Type Status Severity StartTime EndTime 5f159bbd83eaed101cd5c4e5 GatewayDomainSynchronizerNotAssignedMonitoringAlert Closed Low 2020-07-20T13:27:25.7800034Z 2020-07-28T11:17:28.6742502Z 5f159e9283eaed101cd5c837 GatewayDirectoryServicesClientAccountPasswordExpiryMonitoringAlert Closed Medium 2020-07-20T13:39:30.5559003Z 2020-07-28T12:06:30.9408859Z
#
ms-ata-entity-getRetrieves information of distinct entity, such as computers and users.
#
Base Commandms-ata-entity-get
#
InputArgument Name | Description | Required |
---|---|---|
id | Identifier of distinct entity to retrieve (Can be retrieved by running the command ms-ata-suspicious-activities-list from the output RelatedUniqueEntityIds). | Required |
#
Context OutputPath | Type | Description |
---|---|---|
MicrosoftATA.Entity.BadPasswordTime | Date | Time in which bad password was entered. |
MicrosoftATA.Entity.CanonicalName | String | Entity canonical name. |
MicrosoftATA.Entity.CreationTime | Date | Time in which the entity was created in. |
MicrosoftATA.Entity.Description | String | Entity description. |
MicrosoftATA.Entity.DistinguishedName | String | Entity distinguished name. |
MicrosoftATA.Entity.DnsName | String | Entity DNS name. |
MicrosoftATA.Entity.DomainController.IsGlobalCatalog | Boolean | Whether the entity is in the global catalog. |
MicrosoftATA.Entity.DomainController.IsPrimary | Boolean | Whether the entity is primary. |
MicrosoftATA.Entity.DomainController.IsReadOnly | Boolean | Whether the entity is read only. |
MicrosoftATA.Entity.DomainId | String | Identifier of the entity domain. |
MicrosoftATA.Entity.ExpiryTime | Date | Expiration time of the entity. |
MicrosoftATA.Entity.Id | String | Identifer of the entity. |
MicrosoftATA.Entity.IpAddress | String | Entity IP address. |
MicrosoftATA.Entity.IsDelegationEnabled | Boolean | Whether the entity is delegation enabled. |
MicrosoftATA.Entity.IsDeleted | Boolean | Whether the entity is deleted. |
MicrosoftATA.Entity.IsDesEncryptionOnly | Boolean | Whether the entity is Data Encryption Standard only. |
MicrosoftATA.Entity.IsDisabled | Boolean | Whether the entity is disabled. |
MicrosoftATA.Entity.IsDomainController | Boolean | Whether the entity is domain controller. |
MicrosoftATA.Entity.IsExpired | Boolean | Whether the entity is expired. |
MicrosoftATA.Entity.IsHoneytoken | Boolean | Whether the entity is related to Honeytoken activity. |
MicrosoftATA.Entity.IsLocked | Boolean | Whether the entity is locked. |
MicrosoftATA.Entity.IsNew | Boolean | Whether the entity is new. |
MicrosoftATA.Entity.IsNotDelegatable | Boolean | Whether the entity is non-delegatable. |
MicrosoftATA.Entity.IsPartial | Boolean | Whether the entity is partial. |
MicrosoftATA.Entity.IsPasswordExpired | Boolean | Whether the entity password is expired. |
MicrosoftATA.Entity.IsSensitive | Boolean | Whether the entity is sensitive. |
MicrosoftATA.Entity.IsServer | Boolean | Whether the entity is a server. |
MicrosoftATA.Entity.IsSmartcardRequired | Boolean | Whether a smart card is required for the entity. |
MicrosoftATA.Entity.OperatingSystemDisplayName | String | The entity OS name, |
MicrosoftATA.Entity.SamName | String | Entitiy Security Account Manager name. |
MicrosoftATA.Entity.Sid | String | Entity security identifier. |
MicrosoftATA.Entity.Spns | String | Entity Search Service Principal Names. |
MicrosoftATA.Entity.SystemCreationTime | Date | System creation time of the entity. |
MicrosoftATA.Entity.SystemDisplayName | String | System display name of the entity. |
MicrosoftATA.Entity.Type | String | Type of the entity. |
MicrosoftATA.Entity.UpnName | String | Entity User Principal Name. |
MicrosoftATA.Entity.Profile.IsBehaviorChanged | Boolean | Whether the entity profile behavior changed. |
MicrosoftATA.Entity.Profile.OpenSuspiciousActivityCount | Boolean | Number of entity profile suspicious activities. |
MicrosoftATA.Entity.Profile.SuspiciousActivitySeverityToCountMapping.High | Number | Number of entity profile suspicious activities with High severity. |
MicrosoftATA.Entity.Profile.SuspiciousActivitySeverityToCountMapping.Low | Number | Number of entity profile suspicious activities with Low severity. |
MicrosoftATA.Entity.Profile.SuspiciousActivitySeverityToCountMapping.Medium | Number | Number of entity profile suspicious activities with Medium severity. |
MicrosoftATA.Entity.Profile.Type | String | Type of the entity profile. |
MicrosoftATA.Entity.Profile.UpdateTime | Date | Update time of the entity profile. |
#
Command Example!ms-ata-entity-get id="7a58c171-fa19-44f9-bf1e-81b544b318ad"
#
Context Example#
Human Readable Output#
Microsoft Advanced Threat Analytics Entity 7a58c171-fa19-44f9-bf1e-81b544b318ad
Id SystemDisplayName DistinguishedName UpnName Type CreationTime 7a58c171-fa19-44f9-bf1e-81b544b318ad Test ATA CN=Test ATA,CN=Users,DC=demisto,DC=local testata@demisto.local User 2020-07-21T13:58:11Z #
Entity Profile
Type SuspiciousActivitySeverityToCountMapping UpdateTime IsBehaviorChanged UserProfile Low: 0
Medium: 0
High: 02020-07-28T09:00:13.8696377Z true