Not seeing generated threat alerts in ATA

Brass Contributor

We're currently running ATA version 1.7.5757.57477 and as I was following along with the ATA Playbook, I performed three commands to see if I could generate the alerts in ATA:


  1. nslookup ls -d <domain> (this failed)
  2. net user /domain (this failed)
  3. net group /domain (success as I was able to see a list of all groups)

After running these three commands, I jumped into the ATA Console, but I never saw an alert associated with those commands.


Any ideas as to why I wouldn't see them? The system I'm running the commands from has never been flagged as being ok to run commands from so it hasn't been whitelisted per se.



16 Replies

Are you running the runbook on a Server or on a client OS ?

On a client OS - Windows 8



Can you try use one of the tools in sysinternals for your test. the ATA in my lab is working fine and detecting the lateral movement. If that does not working. i will help troubleshoot your ATA installation. 

Did you create a User in your Windows Active Directory and gave it permission to read deleted object and used that user for ATA to query the environment for information. Also how well can you say ATA has learnt about the objects in your environment. 

I'm using an existing user, and I've had AT running in my environment for about two months now so I believe ATA has had time to learn about the objects in my environment.



Can we quickly run thnrough your ATA installations. Did you create a honeytoken account? If you did, is it working ?

I do have a honeytoken and I just tried to log into a Windows server with the account (generated a few failed login attempts with it), and I'm waiting for an ATA alert. I'll let you know if I get/don't get one shortly.



That is fine Jeff, will be waiting for it. So do you use the Light Gateway or Normal Gateway.

Using Normal Gateway, and the failed login attempts I made yesterday using the honeytoken did not generate any alerts.



Advice when you will be available online so we can run through the installation together. i believe its your lab environment.


Actually, this is our prod environment that I'm running some of the playbook steps against.


No alerts have been generated from failed logins using he honeytoken.

Normal Gateway

Am sorry i might be asking so many question. I really want to help you sort out where the bottle neck is. How many IP address does your ATA Center have and are the ATA center and Gateway domain joined?

NP at all - appreciate the help


Console has two IPs, and we have two Gateways deployed (one in prod for the DCs there, and one for our DR DCs), and are joined to the same domain.



Hello Jeff, Am so sorry for the long silience. From your ATA console can you search for users and computer and most especially, Users you have newly created.

NP at all - actually opened a case with MSFT and they think the issue might be that the SPAN ports we have are dropping packets. They suggested that we install the Lightweight Gateway so we are going to discuss internally and hopefully go that way. I'll let you know.