Learned entities

Under the installation guide, there is a statement under "Validating your deployment" stating "You should see a list of Entities Recently Learned in the notification bar on the right side of the console," with an example showing entities recently learned. The first entry shows 1 Domain, 2 domain controllers, 963 users, etc. I certainly don't see that as a learned entity under the Bell - should I?

I have tried the DNS and simple LDAP BIND "emulations", and they show up just fine.

May 15th, 2015 11:24am

Hi Stuart,

Just to clarify: when you do the DNS and simple LDAP bind emulations, you see the suspicious activity in the Attack Timeline?

Are you not seeing the entities (domains, DCs, users, groups, and computers) that ATA has learned (discovered)?

Thanks

ATA Team

May 17th, 2015 3:25am

Thanks for the reply Gershon.

Yes, I am seeing the 2 tests (DNS and simple LDAP Bind) on the timeline. I just don't see the prior discovery pieces (seeing my AD, basically), which are shown in the install guide. I would think it would be useful info (if only to confirm connectivity), as at least you know that it can actually see your AD, DCs, etc.! I just didn't see it, hence asking the question "should I?"

May 17th, 2015 4:35am

Hi Stuart,

By default, the notification cycle is every 10 minutes, and it stays active until midnight the same day.

So if you did not wait 10 minutes, you may not see the "Entities Recently Learned" notification, and if you shut down the machine and checked it the next day, you may have lost it already...

For a test, you can, for example, add a user to your AD, wait ~10 minutes, and see if you get such a notification.

Hope this helps,

Microsoft ATA Team.

May 17th, 2015 11:31am

The ATA Center and Gateway have not been turned off, and the data never showed, from what I can see.

Just to be clear, I am referring to this useful info from the installation guide:

When is it surfaced? Did I miss something? Like I said, it is useful info... at least you know that ATA is "connected". What other things are dropped into "Recently learned"?

I did add a user, and within 2-3 mins, I saw "Entries recently learned : 1 user"... but no more detail.

May 17th, 2015 6:53pm

Hi Stuart,

As mentioned before, there is a notification cycle that happens every 10 minutes (by default), which sends information about recently learned entities to the notification area (the one you are referring to). The list includes the 5 categories you see in the screenshot (domains, DCs, users, computers and groups).

If adding a user generated a notification, this means the mechanism is working as expected. Since the notifications only show the "delta" (i.e. new entities), it is expected to only show you the 1 user.

Since the notification is active until midnight, it is possible it was generated in the initial cycle (~10 minutes after the initial install) and was removed at midnight, and you may have missed it.

It will be interesting to hear from other people in the forum whether they managed to see those initial notifications or not. If this happens to other people (missing the initial notification), we can investigate whether there is a generic issue with the mechanism.

Hope this helps.

Microsoft ATA team.

May 18th, 2015 5:12am

This topic is archived. No further replies will be accepted.
