We're currently running ATA version 1.7.5757.57477 and as I was following along with the ATA Playbook, I performed three commands to see if I could generate the alerts in ATA: nslookup ls -d <domain> (this failed) net user /domain (this failed) net group /domain (success as I was able to see a list of all groups) After running these three commands, I jumped into the ATA Console, but I never saw an alert associated with those commands. Any ideas as to why I wouldn't see them? The system I'm running the commands from has never been flagged as being ok to run commands from so it hasn't been whitelisted per se. Thx

Am sorry i might be asking so many question. I really want to help you sort out where the bottle neck is. How many IP address does your ATA Center have and are the ATA center and Gateway domain joined?

Are you running the runbook on a Server or on a client OS ?

Can you try use one of the tools in sysinternals for your test. the ATA in my lab is working fine and detecting the lateral movement. If that does not working. i will help troubleshoot your ATA installation.

Did you create a User in your Windows Active Directory and gave it permission to read deleted object and used that user for ATA to query the environment for information. Also how well can you say ATA has learnt about the objects in your environment.

SpeedRacer

Brass Contributor

May 04, 2017

Not seeing generated threat alerts in ATA

We're currently running ATA version 1.7.5757.57477 and as I was following along with the ATA Playbook, I performed three commands to see if I could generate the alerts in ATA:

nslookup ls -d <domain> (this failed)
net user /domain (this failed)
net group /domain (success as I was able to see a list of all groups)

After running these three commands, I jumped into the ATA Console, but I never saw an alert associated with those commands.

Any ideas as to why I wouldn't see them? The system I'm running the commands from has never been flagged as being ok to run commands from so it hasn't been whitelisted per se.

Thx

16 Replies

JIDE-JIMOH
MCT
May 15, 2017
Are you running the runbook on a Server or on a client OS ?
- SpeedRacer
  Brass Contributor
  May 15, 2017
  On a client OS - Windows 8
  
  Thx
  - JIDE-JIMOH
    MCT
    May 15, 2017
    Can you try use one of the tools in sysinternals for your test. the ATA in my lab is working fine and detecting the lateral movement. If that does not working. i will help troubleshoot your ATA installation.

Forum Discussion

Not seeing generated threat alerts in ATA