ATA Tuning

Hello,

I wanted to know if there is a way to control data flows between the Center role and Gateway role(s) components.

I performed an all-in-one installation (mutualised ATA roles on the same machine) and defined listening settings on the same NIC.

Everything is working well on the AD discovery side, but since I performed attacks I expected to see evidence quickly displayed on the Web interface. Maybe it is due to a scheduled refresh cycle to collect/display data, or caused by my low VM hardware configuration (768 RAM, 4 vCPUs): the threat analysis was available on the web interface around an hour after my attack simulation.

Can I have some advice on role design & tuning, please?

Regards,

May 29th, 2015 7:31am

Hi Kévin,

The delay is probably being caused by the lack of resources on the VM. If you could add more memory you will see a big difference.

If I understand correctly you only have one NIC installed in the ATA VM. If this is true, the way you are configured, ATA is actually inspecting all of the traffic to and from the ATA virtual machine and the port mirrored DC traffic. We only want to inspect the DC traffic. So install a second virtual NIC and configure port mirroring (destination) on this NIC. After this modify the "Capture network adapters" setting for the Gateway. Enable the new NIC and remove the original NIC. This should also help with performance.

HTH

ATA Team

June 1st, 2015 4:20am
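
The second-NIC setup described in the reply above, as an added example that is not part of the original thread. It assumes the DC and the ATA VM run on Hyper-V on the same host and virtual switch (the thread does not name the hypervisor); the VM, switch and adapter names are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example. Assumption: Hyper-V host; all default names are placeholders.
param(
    [string]$AtaVm      = 'ATA01',        # hypothetical ATA (Center + Gateway) VM
    [string]$DcVm       = 'DC01',         # hypothetical domain controller VM
    [string]$SwitchName = 'vSwitch-LAN',  # hypothetical virtual switch shared by both
    [string]$CaptureNic = 'ATA-Capture'   # hypothetical name for the new capture adapter
)
$ErrorActionPreference = 'Stop'

# Hyper-V mirrors traffic only between ports on the same virtual switch,
# so fail early if the DC has no adapter on the expected switch.
$dcNic = Get-VMNetworkAdapter -VMName $DcVm | Where-Object SwitchName -eq $SwitchName
if (-not $dcNic) { throw "$DcVm has no adapter on switch '$SwitchName'." }

# Add the dedicated capture adapter only if it does not exist yet.
# (Depending on VM generation and host version, the VM may need to be off.)
$capture = Get-VMNetworkAdapter -VMName $AtaVm | Where-Object Name -eq $CaptureNic
if (-not $capture) {
    Add-VMNetworkAdapter -VMName $AtaVm -SwitchName $SwitchName -Name $CaptureNic
}

# DC adapter is the mirroring source; the new ATA adapter is the destination.
$dcNic | Set-VMNetworkAdapter -PortMirroring Source
Set-VMNetworkAdapter -VMName $AtaVm -Name $CaptureNic -PortMirroring Destination

# Assumption: the original (management) adapter should no longer receive
# mirrored traffic, so mirroring is switched off on every other ATA adapter.
Get-VMNetworkAdapter -VMName $AtaVm |
    Where-Object Name -ne $CaptureNic |
    Set-VMNetworkAdapter -PortMirroring None

# Show the resulting state for both VMs.
Get-VMNetworkAdapter -VMName $AtaVm, $DcVm |
    Select-Object VMName, Name, SwitchName, PortMirroringMode |
    Format-Table -AutoSize
```

The "Capture network adapters" change for the Gateway is then made in the ATA configuration, as the reply describes.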

Hello,

Thanks for your reply, I will modify my hardware configuration.

Your remark about the traffic flow is relevant: my sniffing tool shows that I see too much traffic on the ATA server because I have only one NIC, you're right ;)

By the way, I have one last question:

Is there a possibility to manage how data is rendered from the Gateways to the Web Interface without doing "QoS or other network prioritization", or is the product simply not designed to manage that particular thing?

June 2nd, 2015 8:26am

This is likely due to the "learning" period of the software.

"Check the attack timeline to view detected suspicious activities and search for users or computers and view their profiles.

Remember that it takes a minimum of three weeks for ATA to build behavioral profiles, so during the first three weeks you will not see any suspicious behavior activities."

https://technet.microsoft.com/en-US/library/dn707704.aspx 

June 8th, 2015 10:35am

  • Marked as answer by KISOKA Kévin Thursday, June 11, 2015 7:43 PM
June 8th, 2015 2:33pm

This topic is archived. No further replies will be accepted.
