Join Pete Zerger for an in-depth discussion in this video, Managing ATA telemetry and settings, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Voiceover] Because Advanced Threat Analytics is collecting and analyzing authentication and authorization traffic in your environment, it's worth taking a moment to discuss ATA Telemetry. What data from ATA is shared with Microsoft? ATA collects anonymized telemetry data about ATA and transmits the data over an HTTPS connection to Microsoft servers. This data is used by Microsoft to help improve future versions of ATA.
By default, ATA collects anonymized data including performance counters, product ID information from licensed copies of ATA, the deployment date of the ATA Center, and the number of deployed ATA Gateways in your environment. The following Active Directory related data is sent to Microsoft by default, including non-sensitive information like the number of domain controllers, the domain ID, the number of sites in your environment, as well as counts of computers, groups and users.
ATA also shares information regarding suspicious activities. And again, this is anonymized data collected for each of the suspicious activity types in your environment. Their ID, their status, start and end time, etc. Do bear in mind that computer names, user names and IP addresses are not collected. ATA health is also shared with Microsoft, and the following anonymized data is collected for each health issue in your environment. And again, computer names, users and IP addresses are never collected and shared with Microsoft.
The URL addresses of the ATA consoles in your environment and which pages are visited in the console are also shared. It's also possible for you to disable telemetry data collection if this is outside your comfort level in your organization. To disable telemetry data collection, perform the following steps. Log in to the ATA console, click the three dots in the toolbar, the ellipsis we call that, and select "About." And then simply uncheck the box for "Send us usage information to help improve your customer experience in the future," and that's all there is to it.
You've now disabled telemetry collection in your environment. You may find that you want to export or import your ATA configuration when you reach a known good point. The configuration of ATA is stored in the system profile collection in the database. This collection is actually backed up every hour by the ATA Center service to files called "SystemProfile" with a timestamp. It's a JSON file. The 10 most recent versions are stored automatically.
Now this folder is located in a sub-folder called \backup in the ATA installation directory. It is recommended that you back up this file somewhere when making major changes to your ATA environment. It's also possible to restore all of your ATA settings simply by running the following command.
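An added example, not part of the video or of Microsoft's tooling: one way to script the backup recommended above, by archiving the newest SystemProfile file outside the \backup folder before a major change. The installation path, the destination folder and the `SHA256SUMS.txt` file name are assumptions.

```powershell
# Added example: archive the newest ATA SystemProfile backup before a major change.
# Assumptions (not from the video): the install path and destination defaults below.
param(
    [string]$AtaInstallDir = 'C:\Program Files\Microsoft Advanced Threat Analytics\Center',
    [string]$Destination   = 'D:\ATA-ConfigArchive'
)

$ErrorActionPreference = 'Stop'
$backupDir = Join-Path $AtaInstallDir 'backup'

# Only the 10 most recent hourly copies are kept, so take the newest one.
$latest = Get-ChildItem -Path $backupDir -Filter 'SystemProfile*.json' -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $latest) { throw "No SystemProfile backup found in $backupDir" }

# An empty file is not a usable restore point.
if ($latest.Length -eq 0) { throw "Backup $($latest.Name) is empty" }

# Backups are hourly; a much older newest file suggests the service is not writing them.
$age = (Get-Date) - $latest.LastWriteTime
if ($age.TotalHours -gt 2) {
    Write-Warning ("Newest backup is {0:N1} hours old; check the ATA Center service." -f $age.TotalHours)
}

# Copy it out of the rotation so it is not overwritten after 10 more hourly backups.
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$copy = Copy-Item -Path $latest.FullName -Destination $Destination -PassThru

# Record a SHA-256 so the archived copy can be verified before a later restore.
$hash = Get-FileHash -Path $copy.FullName -Algorithm SHA256
"$($hash.Hash)  $($copy.Name)" | Add-Content -Path (Join-Path $Destination 'SHA256SUMS.txt')
Write-Output "Archived $($copy.Name) (SHA256 $($hash.Hash))"
```

Run it from an elevated session on the ATA Center server, and restrict access to the destination folder in the same way as the ATA installation directory.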
- Configuring virtual-based security
- Securing email
- Implementing post-breach defense
- Protecting the cloud with Azure AD
- Using Windows Defender ATP
- Managing privileged access in Azure