Migrate from ATA to Azure ATP with easy PowerShell

This week Azure Advanced Threat Protection (ATP) was made available as a product that is part of EMS E5; it is essentially ATA in the cloud. ATA is a service that takes a data feed from all domain controllers and uses that data to help identify various types of attack such as pass-the-hash, golden ticket, DNS zone dumps and more. Those capabilities are now available through the Azure ATP service, removing the need for the on-premises components. Like the lightweight gateway option for ATA, where the agent runs on each DC (instead of the full gateway, where port forwarding is used), with Azure ATP a sensor is deployed to each DC and sends only a fraction of the traffic with minimal overhead (if you don't want an agent on the DCs, a standalone sensor can be deployed with port forwarding from the DCs, just like the regular gateway for ATA).

Head over to https://portal.atp.azure.com and create a new workspace. Once you select that workspace, select Configurations – Sensors. From here you can download the sensor setup file and get the access key that links your DCs to this specific workspace.

I already had ATA deployed in my environment and wanted to simply uninstall the ATA lightweight gateway and silently deploy the Azure ATP sensor on all DCs, so I created a simple PowerShell script to do just that. You can pass it a list of DCs, it can read them from a file, or it can scan the Domain Controllers OU. Of course you could remove the part that uninstalls ATA and just use it to deploy Azure ATP. Note that I have saved the agent to a file share, so you will want to change the file share used in this script in addition to adding your own access key.

#$servers = Get-Content .\Documents\dcs.txt
#$servers = "AZUASEDC2","AZUEUEDC1","AZUEUEDC2","AZUUSWDC2","AZUUSWDC1","AZUASEDC1"
$servers = Get-ADComputer -SearchBase "OU=Domain Controllers,DC=savilltech,DC=net" -Filter * | Select-Object -ExpandProperty Name

$cred = Get-Credential #account used to map to the share where the Azure ATP sensor setup is

foreach($server in $servers)
{
    Write-Output "Trying to move from ATA to Azure ATP for $server"
    Invoke-Command -ComputerName $server -ScriptBlock {
        Write-Output "   Uninstalling ATA"
        #Note: querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, so this is slow
        $app = Get-WmiObject -Class Win32_Product | Where-Object {
            $_.Name -match "Microsoft Advanced Threat Analytics Gateway" }
        if ($app) {
            $app.Uninstall() | Out-Null
        } else {
            Write-Output "   ATA gateway not found, skipping uninstall"
        }

        Write-Output "   Installing Azure ATP sensor"
        #Explicit credentials are passed so the remote session can reach the share (no second-hop delegation needed)
        New-PSDrive -Name X -PSProvider FileSystem -Root \\AZUUSEDC1\Core -Credential $args[0] | Out-Null
        #https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-silent-installation
        & 'X:\ATP\Azure ATP Sensor Setup.exe' /quiet NetFrameworkCommandLineArguments="/q" AccessKey=WORKSPACEACCESSKEYHERE
        Start-Sleep -Seconds 60 #The setup exe returns immediately; give the install time to complete before unmapping the share
        Remove-PSDrive X

    } -ArgumentList $cred
}

Once deployment is finished, complete the configuration via the Azure ATP portal, e.g. enable some sensors as domain synchronizer candidates. Bask in the great monitoring happening for your domain!
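As an added example (not part of the original post), here is a follow-up check you can run from the same admin box to confirm each DC actually ended up in the expected state: ATA gateway gone, Azure ATP sensor services present and running. It assumes the sensor registers the Windows services AATPSensor and AATPSensorUpdater, and reads the Uninstall registry keys instead of Win32_Product to avoid the MSI consistency check.

```powershell
# Post-migration verification, assumed service names: AATPSensor, AATPSensorUpdater
$servers = Get-ADComputer -SearchBase "OU=Domain Controllers,DC=savilltech,DC=net" -Filter * |
    Select-Object -ExpandProperty Name

$unreachable = @()
$results = foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ErrorAction SilentlyContinue -ErrorVariable +unreachable -ScriptBlock {
        # Uninstall entries from the registry (both 64-bit and 32-bit views) rather than Win32_Product
        $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        $ata = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match 'Advanced Threat Analytics Gateway' }

        $sensor  = Get-Service -Name 'AATPSensor'        -ErrorAction SilentlyContinue
        $updater = Get-Service -Name 'AATPSensorUpdater' -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            AtaRemoved    = ($null -eq $ata)
            SensorStatus  = if ($sensor)  { $sensor.Status.ToString() }  else { 'Missing' }
            UpdaterStatus = if ($updater) { $updater.Status.ToString() } else { 'Missing' }
        }
    }
}

# Summary of every DC that responded
$results | Format-Table Server, AtaRemoved, SensorStatus, UpdaterStatus -AutoSize

# DCs that still need attention: ATA left behind, or sensor not running
$needsWork = $results | Where-Object { -not $_.AtaRemoved -or $_.SensorStatus -ne 'Running' }
if ($needsWork) {
    Write-Warning "DCs not fully migrated:"
    $needsWork | Format-Table Server, AtaRemoved, SensorStatus, UpdaterStatus -AutoSize
}

# DCs that could not be contacted over PowerShell remoting at all
foreach ($err in $unreachable) {
    Write-Warning "Could not reach $($err.TargetObject): $($err.Exception.Message)"
}
```

A DC that shows up as unreachable or with the sensor missing is also a DC that is no longer sending domain traffic to either product, so treat that list as a monitoring gap rather than just a deployment chore.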
