Migrate from ATA to Azure ATP with easy PowerShell

This week Azure Advanced Threat Protection (ATP) was made available as a product that is part of EMS E5; it is essentially ATA in the cloud. ATA is a service that takes a data feed from all domain controllers and uses that data to help identify various types of attack such as pass-the-hash, golden ticket, DNS dumps and more. Those same capabilities are now available from the Azure ATP service, removing the need for the on-premises components. Like the lightweight gateway option for ATA, where the agent runs on each DC (instead of the full gateway, where port forwarding is used), Azure ATP deploys a sensor to each DC; if you don’t want that, a standalone sensor can be deployed with port forwarding from the DCs, just like the regular gateway for ATA. The sensor sends only a fraction of the traffic, with minimal overhead.

Head over to https://portal.atp.azure.com, create a new workspace then once you select that workspace, select Configurations – Sensors. From here you can download the sensor setup file and get the access key which will link your DCs to the specific workspace.

I already had ATA deployed in my environment and wanted to simply uninstall the ATA lightweight gateway and silently deploy the Azure ATP sensor on all DCs, so I created a simple PowerShell script to do just that. You can pass it a list of DCs, have it read them from a file, or let it scan the Domain Controllers OU. Of course you could remove the part about uninstalling ATA and just use it to deploy Azure ATP. Note that I have saved the sensor setup to a file share, so you would want to change the file share I use in this script in addition to adding your own workspace access key.

#$servers = Get-Content .\Documents\dcs.txt
$servers = Get-ADComputer -SearchBase "OU=Domain Controllers,DC=savilltech,DC=net" -Filter * | Select-Object -ExpandProperty Name

$cred = Get-Credential # account used to map the share where the Azure ATP sensor setup is stored

foreach ($server in $servers) {
    Write-Output "Trying to move from ATA to Azure ATP for $server"
    Invoke-Command -ComputerName $server -ScriptBlock {
        Write-Output "   Uninstalling ATA"
        $app = Get-WmiObject -Class Win32_Product | Where-Object {
            $_.Name -match "Microsoft Advanced Threat Analytics Gateway" }
        if ($app) { $app.Uninstall() | Out-Null } # remove the ATA lightweight gateway before the sensor goes on

        Write-Output "   Installing Azure ATP sensor"
        New-PSDrive -Name X -PSProvider FileSystem -Root \\AZUUSEDC1\Core -Credential $args[0] | Out-Null
        & 'X:\ATP\Azure ATP Sensor Setup.exe' /quiet NetFrameworkCommandLineArguments="/q" AccessKey=WORKSPACEACCESSKEYHERE
        Start-Sleep -Seconds 60 # give the silent install time to complete before the share is unmapped
        Remove-PSDrive X
    } -ArgumentList $cred
}
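Once the script has run, a DC that still has the ATA gateway or no running sensor is a monitoring gap, so it is worth checking every DC rather than trusting the output above. The following is an added example, not part of the original post's script; it assumes the same Domain Controllers OU, WinRM access to each DC, and that the sensor registers the Windows services AATPSensor and AATPSensorUpdater.

```powershell
# Added verification pass (not from the original post): confirm on every DC that the
# ATA Lightweight Gateway is gone and the Azure ATP sensor services are running.
# Assumed service names: AATPSensor and AATPSensorUpdater.
$servers = Get-ADComputer -SearchBase "OU=Domain Controllers,DC=savilltech,DC=net" -Filter * |
    Select-Object -ExpandProperty Name

$report = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ScriptBlock {
    # Read the Uninstall registry keys instead of Win32_Product, which re-validates
    # every MSI package on the box each time it is queried.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $ataStillInstalled = [bool](Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Advanced Threat Analytics Gateway' })

    $sensor  = Get-Service -Name AATPSensor        -ErrorAction SilentlyContinue
    $updater = Get-Service -Name AATPSensorUpdater -ErrorAction SilentlyContinue
    $sensorStatus  = if ($sensor)  { $sensor.Status.ToString() }  else { 'NotInstalled' }
    $updaterStatus = if ($updater) { $updater.Status.ToString() } else { 'NotInstalled' }

    [pscustomobject]@{
        DC             = $env:COMPUTERNAME
        ATAGatewayLeft = $ataStillInstalled
        SensorStatus   = $sensorStatus
        UpdaterStatus  = $updaterStatus
    }
}

# A DC that did not answer is a coverage gap too, so call it out explicitly.
$unreachable = $servers | Where-Object { $_ -notin $report.DC }
$report | Sort-Object DC | Format-Table DC, ATAGatewayLeft, SensorStatus, UpdaterStatus -AutoSize
if ($unreachable) { Write-Warning "No response from: $($unreachable -join ', ')" }

# Anything not fully migrated gets flagged for follow-up.
$report | Where-Object { $_.ATAGatewayLeft -or $_.SensorStatus -ne 'Running' } |
    ForEach-Object { Write-Warning "$($_.DC) is not fully migrated" }
```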

Once deployment is finished, complete the configuration via the Azure ATP portal, e.g. enable some sensors as domain synchronizer candidates. Bask in the great monitoring happening for your domain!
