ATA configuration and false positives

Norah Alomirah .. · ‎Oct 14 2018

Hi all,

I have few questions and concerns regarding ATA which are as followed:

We are receiving many false positives alerts from ATA, since ATA is not deployed on all the Domain controllers do you think that this is the main cause of those false positives.
What is the benefit of deploying both ATA Gateway options? or having the ATA lightweight gateway is enough to analyse the traffic.
After determining the false positives alert, how can i specify them as false positives to not appear again in ATA Dashboard as for now I only have the option to close the alert or suppress it for 7 days.

Thank you in advance for your replies.

Eli Ofek · ‎Oct 14 2018

You do not want to cover the same DC both with a lightweight version and a standalone version, it will cause problems.

A DC needs to be covered by just one Gateway. it's better to use the Lightweight one if it can handle the traffic.

Not having full coverage should not be a trigger to false positives.

it will usually won't see some of the traffic if you are not covered, which means we might miss true events...

You need to research why you keep getting the same FP, and if the source entity that creates them is supposed to create them, you can exclude it.

Norah Alomirah .. · ‎Oct 16 2018

Thank you for your response, highly appreciated.

Re: ATA configuration and false positives