Hi ILMAV,
As Josh mentioned above, when you generate the same type of suspicious activity, you may see the new activity appear under the existing one. As Josh mentioned, this will change the date stamp to a range of dates instead of a single date, for example:
If this is not the case in your scenario, it is possible the port mirroring on the gateway machine does not work as expected. To check this, try the following:
1. Make sure the "Microsoft Advanced Threat Analytics Gateway" service on the gateway machine is in "Running" state.
2. Run Network Monitor on the gateway machine, filter for DNS activity, and when you send the request to the DC, confirm you can see it in Network Monitor.
3. In case you do not see the traffic to the DC reflected on the gateway machine, please double-check your port mirroring setup.
4. In case you do see the traffic, but it still does not update the existing suspicious activity, you can check the following log file for any exceptions from the time you did your test:
C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway-Errors.log
If you find an exception in this log file at the time of the test, please review the information or send it here and we can help you with that.
Hope this helps,
Microsoft ATA Team.
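An added PowerShell check (example code, not part of the original post or of the ATA product) that automates steps 1 and 4 above: it verifies the gateway service state and scans the error log for exception lines inside a test window. It looks the service up by the display name quoted in the post; the assumption that each log line begins with a parseable timestamp is mine, not stated in the thread.

```powershell
# Added example, not from the original post: checks the ATA Gateway service
# state (step 1) and scans the Gateway error log for exceptions logged
# during a test window (step 4).
param(
    [datetime]$TestStart = (Get-Date).AddMinutes(-30),   # assumed default window
    [datetime]$TestEnd   = (Get-Date)
)

# Log path as given in the post.
$logPath = 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway-Errors.log'

# Step 1: service state, looked up by the display name quoted in the post.
$svc = Get-Service -DisplayName 'Microsoft Advanced Threat Analytics Gateway' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'ATA Gateway service not found on this machine.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "ATA Gateway service is '$($svc.Status)', expected 'Running'."
} else {
    Write-Host 'ATA Gateway service is Running.'
}

# Step 4: exception lines written during the test window.
# Assumption: each log line starts with a timestamp [datetime]::TryParse can read.
if (-not (Test-Path -Path $logPath)) {
    Write-Warning "Error log not found: $logPath"
    return
}

$hits = @(Get-Content -Path $logPath | ForEach-Object {
    $line = $_
    if ($line -match 'Exception') {
        $stamp  = ($line -split '\s+', 2)[0]
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParse($stamp, [ref]$parsed) -and
            $parsed -ge $TestStart -and $parsed -le $TestEnd) {
            $line
        }
    }
})

if ($hits.Count -gt 0) {
    Write-Host "Found $($hits.Count) exception line(s) between $TestStart and $TestEnd:"
    $hits | Select-Object -First 20
} else {
    Write-Host 'No exception lines in the test window; re-check port mirroring (steps 2 and 3).'
}
```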