ATA LWG not reading Bruteforce Attacks


I have two Lightweight Gateways deployed in a test environment; both are version 1.9.

When I attempt brute-force attacks against the DCs (around 500), no alerts are displayed in ATA Center. However, I verified that the events are created on the DC.

Is this expected behavior? Is there a setting that needs to be enabled on the DC or in ATA Center?

Thank you

4 Replies

Hi Marc,

Which protocol did you use? NTLM or Kerberos?

I guess NTLM because you see the events in the DC. Do you see events 4776?

You can see here the configurations that should be validated: https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step6

The LWGW is supposed to read these events automatically.

Thanks,

Tali


Hi Tali,

Thank you for your answer. I can see the events 4776; however, no attacks have been detected.


Hi Marc,

From where did you try to generate the BF?

If a lot of users normally authenticate from this machine, we won't generate BF from it.

Thanks,

Tali

I tried to generate the traffic from two different machines: first a client connected to the domain, then from the ATA Center.

I generated more than 100 error logs, which is abnormal for the account, but it wasn't reported. How does the Gateway count for user accounts that are locked out but for which there are still brute-force attempts?