I have a demo setup of 2 Domain Controllers with Lightweight Gateway installed on both, one Microsoft Advanced Threat Analytics server and 2 Windows 7 PC's. I am currently running through the playbook and noticing not all activities are getting logged. So far I can see Reconnaissance using DNS, Reconnaissance using SMB Session Enumeration and Unusual protocol Implementation. But Remote execution attempt detected did not set off an alert and either did Directory Services Enumeration. I can sit there all day typing net user /domain or net group /domain but nothing appears as an alert. I have the latest download of 1.8. Any reason for the inconsistent behavior especially since I am using the Lightweight Gateway agent? Under Gateway both DC's show up, I get nothing under Health which I find weird when I have Domain synchronizer candidate turned on, on both domain controllers.