May 04 2017 01:05 PM - last edited on Nov 30 2021 09:02 AM by Allen
We're currently running ATA version 1.7.5757.57477 and as I was following along with the ATA Playbook, I performed three commands to see if I could generate the alerts in ATA:
After running these three commands, I jumped into the ATA Console, but I never saw an alert associated with those commands.
Any ideas as to why I wouldn't see them? The system I'm running the commands from has never been flagged as being ok to run commands from so it hasn't been whitelisted per se.
Thx
May 15 2017 03:57 AM
Are you running the runbook on a Server or on a client OS?
May 15 2017 06:18 AM
Can you try using one of the tools in Sysinternals for your test? The ATA in my lab is working fine and detecting the lateral movement. If that does not work, I will help troubleshoot your ATA installation.
May 15 2017 06:29 AM
Did you create a user in your Windows Active Directory, give it permission to read deleted objects, and use that user for ATA to query the environment for information? Also, how well would you say ATA has learnt about the objects in your environment?
May 15 2017 10:16 AM
I'm using an existing user, and I've had ATA running in my environment for about two months now, so I believe ATA has had time to learn about the objects in my environment.
Thx
May 16 2017 02:03 AM
Can we quickly run through your ATA installation. Did you create a honeytoken account? If you did, is it working?
May 17 2017 06:26 AM
I do have a honeytoken and I just tried to log into a Windows server with the account (generated a few failed login attempts with it), and I'm waiting for an ATA alert. I'll let you know if I get/don't get one shortly.
Thx
May 17 2017 06:28 AM
That is fine Jeff, will be waiting for it. So do you use the Light Gateway or Normal Gateway?
May 18 2017 05:42 AM
Using Normal Gateway, and the failed login attempts I made yesterday using the honeytoken did not generate any alerts.
Thx
May 18 2017 06:57 AM
Advise when you will be available online so we can run through the installation together. I believe it's your lab environment.
https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1
May 19 2017 11:11 AM
Actually, this is our prod environment that I'm running some of the playbook steps against.
No alerts have been generated from failed logins using the honeytoken.
May 19 2017 12:19 PM
I'm sorry, I might be asking so many questions. I really want to help you sort out where the bottleneck is. How many IP addresses does your ATA Center have, and are the ATA Center and Gateway domain joined?
May 22 2017 10:45 AM
NP at all - appreciate the help
Console has two IPs, and we have two Gateways deployed (one in prod for the DCs there, and one for our DR DCs), and they are joined to the same domain.
Thx
Jun 05 2017 04:27 AM
Hello Jeff, I am so sorry for the long silence. From your ATA console, can you search for users and computers, and most especially users you have newly created?
Jun 05 2017 07:02 AM
NP at all - I actually opened a case with MSFT and they think the issue might be that the SPAN ports we have are dropping packets. They suggested that we install the Lightweight Gateway, so we are going to discuss internally and hopefully go that way. I'll let you know.
Thx,
Jeff