Technology Tips and News
hi guys,
i had ATA working and successfully reporting/alerting on :
dns reconaissance
credentials exposed
computer broken trust
now suddenly when i try to recreate tehse same alerts it does not alert on them at all. i have rebooted the machine holding center and gateway and still no behavior change. nothign has changed on that gateway/ata center other than i turned on syslog forwarding
any ideas?
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
Hi ILMAV,
It is possible that the new events have aggregated under the existing Suspicious Activity, in those cases the timeframe to the left of the event would show a range. You can also click on the event, such as DNS Recon, and click Details, there you would see the attempts are being incremented.
Microsoft ATA Team
it does not appear to be so. i only have the 3 original alerts for suspicious activities even though i have tried to create different suspicious activities for same simulations. i am getting other activity in the console like resetting passwords, changing group memberships but not for dns reconnaissance, computer broken trust relationship and sensitive accounts credentials exposed. maybe i need to try to simulate another type of activity. is tehre another simulation i can performed to try and generate another alert for a different type of suspicious activity?
thanks
Hi ILMAV,
As Josh mentioned above, when you generate the same type of suspicious activity, you may see the new activity appear under the existing one. As Josh mention, this will change the date stamp to be a range of dates, instead of a single date, for example:
If this is not the case in your scenario, it is possible the port mirroring on the gateway machine does not work as expected. To check this, try the following:
1. Make sure the "Microsoft Advanced Threat Analytics Gateway" service on the gateway machine is in "Running" state.
2. Run network monitor on the gateway machine and filter for DNS activity and when you send the request to the DC, confirm you can see it on the network monitor.
3. In case you do not see the traffic to the DC reflect on the gateway machine - please double-check your port mirroring setup.
4. In case you do see the traffic, but it is still does not update the existing suspicious activity you can check the following log file for any exceptions from the time you did your test:
C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway-Errors.log
If you find exception on this log file at the time of the test, please review the information or send the information here and we can help you with that.
Hope this helps,
Microsoft ATA Team.
This topic is archived. No further replies will be accepted.
Other recent topics
Click here to get your free copy of Network Administrator. Over 25 plugins to make your life easier