Microsoft Advanced Threat Analytics is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.
ATA leverages a proprietary network parsing engine to capture and parse network traffic of multiple protocols (such as Kerberos, DNS, RPC, NTLM, and others) for authentication, authorization, and information gathering. This information is collected by ATA via either:
- Port mirroring from Domain Controllers and DNS servers to the ATA Gateway and/or
- Deploying an ATA Lightweight Gateway (LGW) directly on Domain Controllers
ATA takes information from multiple data sources, such as logs and events in your network, to learn the behavior of users and other entities in the organization and build a behavioral profile for them. ATA can receive events and logs from:
- Windows Event Forwarding (WEF)
- Directly from the Windows Event Collector (for the Lightweight Gateway)