cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Not seeing generated threat alerts in ATA

SpeedRacer
Brass Contributor

‎May 04 2017 01:05 PM - last edited on ‎Nov 30 2021 09:02 AM by

‎May 04 2017 01:05 PM - last edited on ‎Nov 30 2021 09:02 AM by

Not seeing generated threat alerts in ATA

We're currently running ATA version 1.7.5757.57477 and as I was following along with the ATA Playbook, I performed three commands to see if I could generate the alerts in ATA:

 

  1. nslookup ls -d <domain> (this failed)
  2. net user /domain (this failed)
  3. net group /domain (success as I was able to see a list of all groups)

After running these three commands, I jumped into the ATA Console, but I never saw an alert associated with those commands.

 

Any ideas as to why I wouldn't see them? The system I'm running the commands from has never been flagged as being ok to run commands from so it hasn't been whitelisted per se.

 

Thx

3,648 Views
0 Likes
16 Replies
Reply
16 Replies
JIDE JIMOH

‎May 15 2017 03:57 AM

‎May 15 2017 03:57 AM

Re: Not seeing generated threat alerts in ATA

Are you running the runbook on a Server or on a client OS ?

0 Likes
Reply
SpeedRacer

‎May 15 2017 06:10 AM

‎May 15 2017 06:10 AM

Re: Not seeing generated threat alerts in ATA

On a client OS - Windows 8

 

Thx

0 Likes
Reply
JIDE JIMOH

‎May 15 2017 06:18 AM

‎May 15 2017 06:18 AM

Re: Not seeing generated threat alerts in ATA

Can you try use one of the tools in sysinternals for your test. the ATA in my lab is working fine and detecting the lateral movement. If that does not working. i will help troubleshoot your ATA installation. 

0 Likes
Reply
JIDE JIMOH

‎May 15 2017 06:29 AM

‎May 15 2017 06:29 AM

Re: Not seeing generated threat alerts in ATA

Did you create a User in your Windows Active Directory and gave it permission to read deleted object and used that user for ATA to query the environment for information. Also how well can you say ATA has learnt about the objects in your environment. 

0 Likes
Reply
SpeedRacer

‎May 15 2017 10:16 AM

‎May 15 2017 10:16 AM

Re: Not seeing generated threat alerts in ATA

I'm using an existing user, and I've had AT running in my environment for about two months now so I believe ATA has had time to learn about the objects in my environment.

 

Thx

0 Likes
Reply
JIDE JIMOH

‎May 16 2017 02:03 AM

‎May 16 2017 02:03 AM

Re: Not seeing generated threat alerts in ATA

Can we quickly run thnrough your ATA installations. Did you create a honeytoken account? If you did, is it working ?

0 Likes
Reply
SpeedRacer

‎May 17 2017 06:26 AM

‎May 17 2017 06:26 AM

Re: Not seeing generated threat alerts in ATA

I do have a honeytoken and I just tried to log into a Windows server with the account (generated a few failed login attempts with it), and I'm waiting for an ATA alert. I'll let you know if I get/don't get one shortly.

 

Thx

0 Likes
Reply
JIDE JIMOH

‎May 17 2017 06:28 AM

‎May 17 2017 06:28 AM

Re: Not seeing generated threat alerts in ATA

That is fine Jeff, will be waiting for it. So do you use the Light Gateway or Normal Gateway.

0 Likes
Reply
SpeedRacer

‎May 18 2017 05:42 AM

‎May 18 2017 05:42 AM

Re: Not seeing generated threat alerts in ATA

Using Normal Gateway, and the failed login attempts I made yesterday using the honeytoken did not generate any alerts.

 

Thx

0 Likes
Reply
JIDE JIMOH

‎May 18 2017 06:57 AM

‎May 18 2017 06:57 AM

Re: Not seeing generated threat alerts in ATA

Advice when you will be available online so we can run through the installation together. i believe its your lab environment. 

 

https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1

 

0 Likes
Reply
SpeedRacer

‎May 19 2017 11:11 AM

‎May 19 2017 11:11 AM

Re: Not seeing generated threat alerts in ATA

Actually, this is our prod environment that I'm running some of the playbook steps against.

 

No alerts have been generated from failed logins using he honeytoken.

0 Likes
Reply
SpeedRacer

‎May 19 2017 11:12 AM

‎May 19 2017 11:12 AM

Re: Not seeing generated threat alerts in ATA

Normal Gateway

0 Likes
Reply
JIDE JIMOH

‎May 19 2017 12:19 PM

‎May 19 2017 12:19 PM

Re: Not seeing generated threat alerts in ATA

Am sorry i might be asking so many question. I really want to help you sort out where the bottle neck is. How many IP address does your ATA Center have and are the ATA center and Gateway domain joined?

1 Like
Reply
SpeedRacer

‎May 22 2017 10:45 AM

‎May 22 2017 10:45 AM

Re: Not seeing generated threat alerts in ATA

NP at all - appreciate the help

 

Console has two IPs, and we have two Gateways deployed (one in prod for the DCs there, and one for our DR DCs), and are joined to the same domain.

 

Thx

0 Likes
Reply
JIDE JIMOH

‎Jun 05 2017 04:27 AM

‎Jun 05 2017 04:27 AM

Re: Not seeing generated threat alerts in ATA

Hello Jeff, Am so sorry for the long silience. From your ATA console can you search for users and computer and most especially, Users you have newly created.

0 Likes
Reply
SpeedRacer

‎Jun 05 2017 07:02 AM

‎Jun 05 2017 07:02 AM

Re: Not seeing generated threat alerts in ATA

NP at all - actually opened a case with MSFT and they think the issue might be that the SPAN ports we have are dropping packets. They suggested that we install the Lightweight Gateway so we are going to discuss internally and hopefully go that way. I'll let you know.

 

Thx,

Jeff

0 Likes
Reply