Sep 26 2018 - last edited on Nov 30 2021
I have two Lightweight Gateways deployed in a test environment, both of them version 1.9.
When I attempt brute-force attacks against the DCs (around 500), no alerts are displayed in ATA Center. However, I verified that the events are created on the DC.
Is this expected behavior? Is there a setting which needs to be enabled on the DC or in ATA Center?
Sep 27 2018 01:37 AM
Which protocol did you use? NTLM or Kerberos?
I guess NTLM, because you see the events on the DC. Do you see event 4776?
You can see here the configurations that should be validated: https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step6
The LWGW is supposed to read these events automatically.
Oct 09 2018 07:31 AM
Thank you for your answer. I can see the 4776 events; however, no attacks have been detected.
Oct 09 2018 08:04 AM
From where did you try to generate the BF?
If a lot of users normally authenticate from this machine, we won't generate BF from it.
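To make the two points in the replies above concrete (that the detection is fed by event 4776 records, and that failures originating from a machine many different users normally authenticate from are not treated as a brute-force source), here is an added illustration of that heuristic in Python. It is not ATA's code and does not reproduce ATA's actual algorithm; the thresholds, the pipe-delimited export format and the sample events are all constructed for the example. The NTSTATUS codes used (0x0 success, 0xC000006A wrong password, 0xC0000234 account locked out) are the real values Windows writes into 4776.

```python
from collections import defaultdict
from dataclasses import dataclass

# Status codes as logged in the "Error Code" field of Event ID 4776.
SUCCESS = "0x0"
WRONG_PASSWORD = "0xC000006A"
ACCOUNT_LOCKED = "0xC0000234"


@dataclass(frozen=True)
class Event4776:
    user: str          # Logon Account
    workstation: str   # Source Workstation
    status: str        # Error Code


def parse_export_line(line: str) -> Event4776:
    """Parse one line of a constructed pipe-delimited 4776 export:
    <timestamp>|4776|<logon account>|<source workstation>|<error code>
    (this layout is an assumption for the example, not a Windows-native format)."""
    _ts, event_id, user, workstation, status = line.strip().split("|")
    if event_id != "4776":
        raise ValueError(f"not a 4776 record: {line!r}")
    return Event4776(user, workstation, status)


def build_sample_lines() -> list[str]:
    """Constructed sample: a shared terminal server (TS01) with 30 distinct
    successful users plus 120 failures for one account, and a single-user
    client (PC-ALICE) with 120 failures for one account, where the account
    locks after 10 wrong passwords and later attempts log 0xC0000234."""
    lines = [f"2018-10-09T08:{i:02d}:00|4776|user{i:02d}|TS01|{SUCCESS}" for i in range(30)]
    lines += [f"2018-10-09T09:00:{i % 60:02d}|4776|svc_backup|TS01|{WRONG_PASSWORD}" for i in range(120)]
    lines.append(f"2018-10-09T08:00:00|4776|alice|PC-ALICE|{SUCCESS}")
    for i in range(120):
        status = WRONG_PASSWORD if i < 10 else ACCOUNT_LOCKED
        lines.append(f"2018-10-09T09:10:{i % 60:02d}|4776|bob|PC-ALICE|{status}")
    return lines


def detect_bruteforce(events, failure_threshold=100, shared_host_users=10):
    """Return (alerts, suppressed). Each entry is (workstation, user, failures).

    A (workstation, user) pair whose failure count reaches failure_threshold is
    an alert unless the workstation is a 'shared host', i.e. at least
    shared_host_users distinct accounts authenticated successfully from it in
    the same window. Locked-out responses (0xC0000234) still count as attempts
    here: the attacker keeps trying even though the password can no longer be
    validated. Both thresholds are constructed for the example."""
    successes_by_ws = defaultdict(set)
    failures = defaultdict(int)
    for e in events:
        if e.status == SUCCESS:
            successes_by_ws[e.workstation].add(e.user)
        else:
            failures[(e.workstation, e.user)] += 1

    alerts, suppressed = [], []
    for (ws, user), n in failures.items():
        if n < failure_threshold:
            continue
        if len(successes_by_ws[ws]) >= shared_host_users:
            suppressed.append((ws, user, n))
        else:
            alerts.append((ws, user, n))
    return sorted(alerts), sorted(suppressed)


def run_sample():
    events = [parse_export_line(l) for l in build_sample_lines()]
    return detect_bruteforce(events)


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for ws, user, n in alerts:
        print(f"ALERT      {n:4d} failures for {user} from {ws}")
    for ws, user, n in suppressed:
        print(f"suppressed {n:4d} failures for {user} from shared host {ws}")
```

Run against the constructed sample, the 120 failures from the single-user client are reported while the same number from the terminal server is suppressed, which is the behaviour the reply describes. When testing a detector like this one, generate the failures from a host that does not normally carry authentication for many accounts, and confirm on the DC that the 4776 records are actually being written before looking for the alert.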
Oct 09 2018 09:14 AM
I tried to generate the traffic from two different machines: first a client joined to the domain, then the ATA Center.
I generated more than 100 error logs, which is abnormal for the account, but it wasn't reported. How does the Gateway account for user accounts that are locked out but for which there are still brute-force attempts?