This article describes an update for Microsoft Advanced Threat Analytics (ATA) v1.7.
Issues that are fixed in this update
Issue 1: Migration from ATA v1.6 (1.6.4103) or ATA v1.6 Update 1 (1.6.4317) to ATA v1.7 (1.7.5402) fails with a 0x80070643 error code.
Issue 2: After you migrate to or install ATA v1.7 (1.7.5402), ATA still generates notifications (email, syslog, or event logs) for suspicious activities whose status has been changed to "dismissed."
Issue 3: ATA generates a large number of "Reconnaissance using directory services enumeration" suspicious activities after you migrate to or install ATA v1.7 (1.7.5402).
To fix these issues, download and run the update that's described in the "How to get this update" section. The update upgrades ATA to ATA 1.7 build 1.7.5647.
For Issue 3: After you install this update, you can use the following procedure to disable "Reconnaissance using directory services enumeration" suspicious activity detection and to remove the old suspicious activities after you upgrade to ATA v1.7 build 1.7.5647. To do this, follow these steps:
From an elevated command prompt, navigate to the following location:
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
To apply this update, you don't have to make any changes to the registry.
You may have to restart the computer after you apply this update.
Update replacement information
This update doesn't replace a previously released update.
Certificate is incompatible with ATA 1.7 migration
In ATA v1.7, the ATA Center requires one certificate for both the ATA Center service and the ATA Console. When you upgrade from ATA v1.6 to v1.7, the upgrade process takes the certificate currently being used by IIS for the ATA Console as the certificate for ATA v1.7. This certificate will be used by both the ATA Center service and the web console. If the certificate currently being used by IIS is a KSP certificate, the upgrade fails with the following message:
ATA version 1.7 doesn’t support the currently configured ATA Console certificate; please follow the instructions in KB3191777 to be able to complete the ATA Center update process.
To switch the certificate that's being used by the ATA Console, follow these steps:
Install the new (non-KSP) certificate on the ATA Center server. You can use the same subject name as in the existing certificate to avoid causing issues when users browse to the ATA Console.
Open IIS Manager.
Expand the name of the server, and then expand Sites.
Select the Microsoft ATA Console site, and then in the Actions pane, click Bindings.
Select HTTPS, and then click Edit.
Under SSL certificate, select the new certificate.
Wait for all ATA gateways to synchronize with the center.
Rerun the ATA 1.7 upgrade.
Note: If you have to install a new ATA gateway before rerunning the upgrade, you must download the updated ATA Gateway package from the ATA Center before running the ATA Gateway installation.
Note: To verify that the certificate was issued using a KSP template, follow these steps:
Open an elevated command prompt, and then type the following:
certutil -store my <CertName>
If the output is "Provider = Microsoft Software Key Storage Provider," it’s a KSP certificate.
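The same KSP check, applied to every certificate in a certutil store dump at once. This is an added example, not part of the original article or of Microsoft's tooling; the function name Get-CertProviderReport and the sample output are constructed, and the parsing assumes the English-language certutil labels (Subject:, Cert Hash(sha1):, Provider =).

```powershell
# Added example: report the key provider of each certificate in certutil output.
function Get-CertProviderReport {
    param([string[]]$CertutilOutput)
    # The article names this provider string as the sign of a KSP certificate.
    $kspProvider = 'Microsoft Software Key Storage Provider'
    $current = $null
    foreach ($line in $CertutilOutput) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            if ($current) { $current }   # emit the previous certificate
            $current = [pscustomobject]@{
                Index = [int]$Matches[1]; Subject = $null
                Thumbprint = $null; Provider = $null; IsKsp = $false
            }
        }
        elseif ($current -and $line -match '^Subject:\s*(.+)$') {
            $current.Subject = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^Cert Hash\(sha1\):\s*(.+)$') {
            # Older certutil builds print the hash with spaces between bytes.
            $current.Thumbprint = $Matches[1] -replace '\s', ''
        }
        elseif ($current -and $line -match '^\s*Provider = (.+)$') {
            $current.Provider = $Matches[1].Trim()
            $current.IsKsp = ($current.Provider -eq $kspProvider)
        }
    }
    if ($current) { $current }           # emit the last certificate
}

# Constructed sample output (not from a real server); hashes are placeholders.
$sample = @'
================ Certificate 0 ================
Subject: CN=atacenter.contoso.example
Cert Hash(sha1): aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa
  Provider = Microsoft Software Key Storage Provider
================ Certificate 1 ================
Subject: CN=atacenter.contoso.example
Cert Hash(sha1): bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  Provider = Microsoft RSA SChannel Cryptographic Provider
'@ -split '\r?\n'

Get-CertProviderReport $sample | Format-Table Index, Subject, Provider, IsKsp

# On the ATA Center server, from an elevated prompt, parse the live store:
# Get-CertProviderReport (certutil -store my) | Where-Object IsKsp
```

Compare the Thumbprint of any row where IsKsp is True with the certificate selected in the Microsoft ATA Console HTTPS binding, because that is the certificate the upgrade takes.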
Learn about the terminology that Microsoft uses to describe software updates.