Microsoft Advanced Threat Analytics IP has changed, ATA Console unavailable

Update: From version 1.8 you can access the console at https://localhost and update the IP using the ATA Console.

When you move Microsoft Advanced Threat Analytics to a new location, its IP address may change. After the IP change, the ATA Console is no longer available. If you look at the Windows services, you will notice that the “Microsoft Advanced Threat Analytics Center” service is stuck in the “Starting” state or does not run. To make the ATA Console accessible again, you need to update the configuration, which resides in the underlying MongoDB database. Luckily, there is an easy way to get this done!

  1. Log in to your ATA Console server
  2. Go to “C:\Program Files\Microsoft Advanced Threat Analytics\Center\Backup” and copy the latest version to a known location
  3. Open the backup file with Notepad and search and replace the old IP with the new IP
  4. Save the configuration backup file
  5. Open a command prompt
  6. Go to “C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin”
  7. Execute 'mongoimport.exe --db ATA --collection SystemProfile --file "h:\SystemProfile_newip.json" --upsert', where h:\SystemProfile_newip.json is the location of the updated configuration backup file
  8. Now you will notice that the service will be back up-and-running within 5 minutes
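The search-and-replace in step 3 can be scripted so that only the exact old address is changed (a plain replace of 10.0.0.5 would also alter 10.0.0.50). The PowerShell below is an added example, not part of the original post; the function name `Update-AtaBackupIp`, the sample file content and the sample addresses are constructed for illustration and do not reflect the real SystemProfile schema.

```powershell
# Added example: boundary-aware IP replacement in a COPY of the ATA configuration backup.
# Pass full paths; .NET file APIs do not follow PowerShell's current location.
function Update-AtaBackupIp {
    param(
        [Parameter(Mandatory)] [string] $Path,     # copy of the latest backup file
        [Parameter(Mandatory)] [string] $OldIp,
        [Parameter(Mandatory)] [string] $NewIp,
        [Parameter(Mandatory)] [string] $OutPath   # file to hand to mongoimport --file
    )
    # Reject values that do not parse as an IP address (catches typos before writing).
    foreach ($ip in $OldIp, $NewIp) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
            throw "Not a valid IP address: $ip"
        }
    }
    $text = [System.IO.File]::ReadAllText($Path)
    # Match the old IP only when it is not part of a longer dotted number,
    # so 10.0.0.5 does not match inside 10.0.0.50 or 110.0.0.5.
    $pattern = '(?<![\d.])' + [regex]::Escape($OldIp) + '(?!\.?\d)'
    $hits = [regex]::Matches($text, $pattern).Count
    if ($hits -eq 0) {
        throw "Old IP $OldIp not found in $Path; nothing written."
    }
    $updated = [regex]::Replace($text, $pattern, $NewIp)
    # Write UTF-8 without a BOM (assumption: the backup file is UTF-8).
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)
    [System.IO.File]::WriteAllText($OutPath, $updated, $utf8NoBom)
    [pscustomobject]@{ Replaced = $hits; OutPath = $OutPath }
}

# Constructed sample input (hypothetical keys, not the real SystemProfile content).
$sample = '{"Url":"https://10.0.0.5:443","Other":"10.0.0.50","Peer":"110.0.0.5"}'
$src = Join-Path $env:TEMP 'SystemProfile_sample.json'
$dst = Join-Path $env:TEMP 'SystemProfile_newip.json'
[System.IO.File]::WriteAllText($src, $sample)

Update-AtaBackupIp -Path $src -OldIp '10.0.0.5' -NewIp '192.168.1.20' -OutPath $dst
Get-Content -LiteralPath $dst
# Next: import $dst with the mongoimport command from step 7.
```

Compare the reported replacement count with the number of occurrences you expect before importing the file.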

But now we are halfway… all ATA (lightweight) gateways need to be updated too.

  1. Go to “C:\Program Files\Microsoft Advanced Threat Analytics\Gateway”
  2. Open the GatewayConfiguration.json file
  3. Replace the old IP with the new IP
  4. Restart the “Microsoft Advanced Threat Analytics Gateway” service using the Service Manager

So what have we learned? Read the manual before moving Microsoft ATA to a new IP. An outlined plan can be found at