Archive for category Microsoft Advanced Threat Analytics
The project was to install the MS Advanced Threat Analytics (ATA) Gateway in a VMware virtual machine and use it to monitor a physical domain controller. The lab consists of:
- Domain controller (physical) – DCServer1
- DELL switch – switch1
- ESXi host – host1
- MS ATA Gateway – atagw1
Setup Port Mirroring at Physical Switch Level
DC server DCServer1 and ESXi host host1 are both physically connected to switch1: DCServer1 on port 40 and host1 on port 44.
We're going to configure port mirroring on switch1 with port 40 as the source and port 44 as the destination, mirroring both directions (ingress and egress) so the gateway sees the domain controller's requests as well as its responses. You can use the following link to configure port mirroring on DELL switches. Two things to check on the switch side: on most switches a mirror destination port stops passing normal traffic, so port 44 has to be an uplink dedicated to capture and not the host's management or VM-traffic uplink; and mirroring both directions of a busy DC onto a single port of the same speed can oversubscribe that port and silently drop frames, which the gateway will never see.
Configure VMware for Port Mirroring
As mentioned, host1 connects to switch1, and we're going to use that connection (vmnic2) as the sole uplink of a new standard switch (that was my setup). So at this point vmnic2 connects to port 44 on switch1 and carries only mirrored traffic.
Once the new standard switch (vSwitch2) is created, create a new port group on it (ATA-Capture). When creating ATA-Capture, set its security policy to allow Promiscuous Mode and set the VLAN ID to All (4095); this part is crucial. Promiscuous mode lets the capture vNIC receive frames that are not addressed to its own MAC, which is every mirrored frame, and VLAN 4095 (virtual guest tagging) passes traffic from all VLANs with the tags intact, so mirrored frames are not dropped because the port group sits in a different VLAN than the DC. Because any VM attached to a promiscuous port group on this vSwitch could read the domain controller's traffic (Kerberos, LDAP, DNS and the rest), keep vSwitch2 dedicated to the gateway: put nothing else on it and restrict who can attach a vNIC to ATA-Capture.
Configure Microsoft ATA Gateway VM
Your MS ATA Gateway VM needs two NICs: one for day-to-day management and communication with the ATA Center, and a second one for capture. To make things easier, rename the second NIC to something like 'Capture'. Then make sure the Capture NIC is attached to the ATA-Capture port group. The capture NIC must never carry normal traffic: give it a static, non-routable IP address with a /32 mask, no default gateway and no DNS servers, and turn off DNS registration for it, as Microsoft's ATA Gateway setup guidance recommends; otherwise the gateway may try to talk over the capture interface or register the capture address in AD DNS.
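The host-side and guest-side configuration described above, as an added PowerShell example that is not from the original post: the first function uses VMware PowerCLI to build vSwitch2 and ATA-Capture on host1 with the two required settings and attaches a capture vNIC to atagw1; the second runs inside atagw1 to rename the adapter and give it the non-routable /32 address. The host, physical NIC, switch, port group and VM names come from the post; the capture address 10.10.0.10/32, the adapter's initial name 'Ethernet 2' and the vmxnet3 adapter type are assumptions to adapt to your environment. The Dell port-mirroring configuration itself is not shown here.

```powershell
# Added example, not part of the original post. Part 1 runs from an admin workstation
# with VMware PowerCLI after Connect-VIServer; part 2 runs inside the gateway VM.
# Assumed values: capture address 10.10.0.10/32, initial adapter name 'Ethernet 2', vmxnet3.

#Requires -Modules VMware.PowerCLI

function New-AtaCapturePath {
    [CmdletBinding()]
    param(
        [string]$VMHostName = 'host1',
        [string]$UplinkNic  = 'vmnic2',       # physical NIC cabled to switch1 port 44 (mirror destination)
        [string]$SwitchName = 'vSwitch2',
        [string]$PortGroup  = 'ATA-Capture',
        [string]$GatewayVM  = 'atagw1'
    )

    $vmhost = Get-VMHost -Name $VMHostName

    # Dedicated standard switch backed only by the mirrored uplink. Nothing else should
    # share it, or other VMs could be placed where the DC's traffic is visible.
    $vswitch = Get-VirtualSwitch -VMHost $vmhost -Name $SwitchName -ErrorAction SilentlyContinue
    if (-not $vswitch) {
        $vswitch = New-VirtualSwitch -VMHost $vmhost -Name $SwitchName -Nic $UplinkNic
    }

    # VLAN 4095 = virtual guest tagging: every VLAN passes with its tag intact, so the
    # mirrored frames are not filtered out by VLAN membership.
    $pg = Get-VirtualPortGroup -VirtualSwitch $vswitch -Name $PortGroup -ErrorAction SilentlyContinue
    if (-not $pg) {
        $pg = New-VirtualPortGroup -VirtualSwitch $vswitch -Name $PortGroup -VLanId 4095
    }

    # Promiscuous mode lets the capture vNIC receive frames not addressed to its own MAC,
    # which is every frame the switch mirrors from port 40.
    $pg | Get-SecurityPolicy |
        Set-SecurityPolicy -AllowPromiscuous $true -AllowPromiscuousInherited $false | Out-Null

    # Second vNIC on the gateway VM, attached to the capture port group.
    $vm = Get-VM -Name $GatewayVM
    $existing = Get-NetworkAdapter -VM $vm | Where-Object { $_.NetworkName -eq $PortGroup }
    if (-not $existing) {
        New-NetworkAdapter -VM $vm -NetworkName $PortGroup -Type Vmxnet3 -StartConnected | Out-Null
    }

    # Re-read the port group so the caller can confirm both settings took effect.
    $pgAfter = Get-VirtualPortGroup -VirtualSwitch $vswitch -Name $PortGroup
    $policy  = Get-SecurityPolicy -VirtualPortGroup $pgAfter
    [pscustomobject]@{
        PortGroup        = $pgAfter.Name
        VLanId           = $pgAfter.VLanId          # expect 4095
        AllowPromiscuous = $policy.AllowPromiscuous # expect True
    }
}

# Part 2: run inside atagw1 in an elevated PowerShell session.
function Set-AtaCaptureAdapter {
    [CmdletBinding()]
    param(
        [string]$CurrentName = 'Ethernet 2',  # assumption; check Get-NetAdapter for the real name
        [string]$NewName     = 'Capture',
        [string]$IPAddress   = '10.10.0.10'   # placeholder; must be non-routable in your network
    )

    Rename-NetAdapter -Name $CurrentName -NewName $NewName

    # Drop DHCP and any address it handed out; the capture NIC must never talk on the network.
    Set-NetIPInterface -InterfaceAlias $NewName -AddressFamily IPv4 -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $NewName -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false

    # Static /32, no default gateway (none is passed), so nothing is ever routed out of it.
    New-NetIPAddress -InterfaceAlias $NewName -IPAddress $IPAddress -PrefixLength 32 | Out-Null

    # No DNS servers, and do not register the capture address in AD DNS.
    Set-DnsClientServerAddress -InterfaceAlias $NewName -ResetServerAddresses
    Set-DnsClient -InterfaceAlias $NewName -RegisterThisConnectionsAddress $false

    Get-NetIPConfiguration -InterfaceAlias $NewName
}
```

Run New-AtaCapturePath once against the vCenter or host and check that the returned object shows VLanId 4095 and AllowPromiscuous True, then run Set-AtaCaptureAdapter inside the VM. The PowerCLI checks are idempotent so the function can be re-run safely; the guest function is not, since Rename-NetAdapter fails once the adapter is already called Capture.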
At this point you should be able to install the MS ATA Gateway software and, in the gateway's configuration page in the ATA Console, select the Capture NIC as the capture network adapter. To confirm the mirror actually works, run a packet capture tool such as Wireshark on the Capture NIC (it puts the adapter into promiscuous mode) and filter on the domain controller's IP address: you should see Kerberos, LDAP and DNS traffic that is not addressed to the gateway itself. If nothing shows up, recheck the switch's mirror session, the port group's promiscuous and VLAN 4095 settings, and that the vNIC really sits on ATA-Capture.