ATA and Exchange OWA brute-force attack


We were hit with a brute-force attack on our Exchange server last week, but ATA did not detect anything wrong. Should it have warned me that a single IP address was logging into our Exchange server (via OWA) all day and night with different user accounts?

1 Reply

@James Auman 

Which exact version of ATA?

Any health issues reported in the console?

Do you have full DC coverage with Gateways?

How many different accounts were attempted? How many of them were existing accounts?

During which time span?

The fact that this was a single IP with many attempts would not alone trigger an alert, or we would have alerted on many false positives...
Answers to the above questions might give more clarity about what happened...
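The reply makes the point that one IP with many attempts is not, by itself, enough to alert on without drowning in false positives. As an added example (not ATA's detection logic and not code posted in this thread), the following Python script shows the narrower signal a defender could pull from the Exchange front-end IIS logs: one client IP failing OWA authentication against many distinct accounts inside a short window, while a single user retrying their own password is left alone. The log lines are constructed in a simplified W3C layout, and the `/owa/auth.owa` path, the `401` status for a failed logon, the window length and the user-count threshold are all assumptions to tune against real logs.

```python
"""Flag password-spray style OWA logons in IIS W3C logs.

Added illustration for this thread; it is not ATA code. The log sample is
constructed, and the request path, status code, window and threshold are
assumptions to adjust against a real Exchange front end.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a simplified W3C header followed by a burst from one
# source IP cycling through six accounts, then one legitimate user who
# mistypes a password once. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2020-08-24 01:02:11 POST /owa/auth.owa alice 203.0.113.7 401
2020-08-24 01:02:14 POST /owa/auth.owa bob 203.0.113.7 401
2020-08-24 01:02:17 POST /owa/auth.owa carol 203.0.113.7 401
2020-08-24 01:02:20 POST /owa/auth.owa dave 203.0.113.7 401
2020-08-24 01:02:23 POST /owa/auth.owa erin 203.0.113.7 401
2020-08-24 01:02:26 POST /owa/auth.owa frank 203.0.113.7 401
2020-08-24 09:15:00 POST /owa/auth.owa alice 198.51.100.5 200
2020-08-24 09:20:00 POST /owa/auth.owa alice 198.51.100.5 401
2020-08-24 09:20:30 POST /owa/auth.owa alice 198.51.100.5 200
"""

# Assumed path and status for a failed forms-based OWA logon.
AUTH_PATH = "/owa/auth.owa"
FAILED_STATUS = "401"


def parse_iis_lines(text):
    """Parse W3C-style lines into dicts keyed by the #Fields header names."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed rows rather than guess at them
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def find_spray_sources(events, window=timedelta(minutes=30), min_users=5):
    """Return {client_ip: summary} for IPs that failed logons against at
    least `min_users` distinct accounts within any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["cs-uri-stem"].lower() == AUTH_PATH and e["sc-status"] == FAILED_STATUS:
            failures[e["c-ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # username -> failures inside the sliding window
        start = 0
        peak = 0
        for end, e in enumerate(evs):
            in_window[e["cs-username"]] += 1
            # Slide the left edge forward until the window fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["cs-username"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_users:
            alerts[ip] = {
                "peak_distinct_users": peak,
                "failed_attempts": len(evs),
                "users": sorted({e["cs-username"] for e in evs}),
                "first_seen": evs[0]["ts"],
                "last_seen": evs[-1]["ts"],
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in find_spray_sources(parse_iis_lines(SAMPLE_LOG)).items():
        print(ip, summary)
```

The key design choice is counting distinct usernames per source rather than raw attempts: `198.51.100.5` also produces a failed logon, but for one account, so it never reaches the threshold, which is exactly the false-positive class the reply is worried about.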