Not seeing generated threat alerts in ATA

Highlighted
Occasional Contributor

We're currently running ATA version 1.7.5757.57477 and as I was following along with the ATA Playbook, I performed three commands to see if I could generate the alerts in ATA:

 

  1. nslookup ls -d <domain> (this failed)
  2. net user /domain (this failed)
  3. net group /domain (success as I was able to see a list of all groups)

After running these three commands, I jumped into the ATA Console, but I never saw an alert associated with those commands.

 

Any ideas as to why I wouldn't see them? The system I'm running the commands from has never been flagged as being ok to run commands from so it hasn't been whitelisted per se.

 

Thx

16 Replies
Highlighted

Are you running the runbook on a Server or on a client OS ?

Highlighted

On a client OS - Windows 8

 

Thx

Highlighted

Can you try use one of the tools in sysinternals for your test. the ATA in my lab is working fine and detecting the lateral movement. If that does not working. i will help troubleshoot your ATA installation. 

Highlighted

Did you create a User in your Windows Active Directory and gave it permission to read deleted object and used that user for ATA to query the environment for information. Also how well can you say ATA has learnt about the objects in your environment. 

Highlighted

I'm using an existing user, and I've had AT running in my environment for about two months now so I believe ATA has had time to learn about the objects in my environment.

 

Thx

Highlighted

Can we quickly run thnrough your ATA installations. Did you create a honeytoken account? If you did, is it working ?

Highlighted

I do have a honeytoken and I just tried to log into a Windows server with the account (generated a few failed login attempts with it), and I'm waiting for an ATA alert. I'll let you know if I get/don't get one shortly.

 

Thx

Highlighted

That is fine Jeff, will be waiting for it. So do you use the Light Gateway or Normal Gateway.

Highlighted

Using Normal Gateway, and the failed login attempts I made yesterday using the honeytoken did not generate any alerts.

 

Thx

Highlighted

Advice when you will be available online so we can run through the installation together. i believe its your lab environment. 

 

https://docs.microsoft.com/en-us/advanced-threat-analytics/deploy-use/install-ata-step1

 

Highlighted

Actually, this is our prod environment that I'm running some of the playbook steps against.

 

No alerts have been generated from failed logins using he honeytoken.

Highlighted

Normal Gateway

Highlighted

Am sorry i might be asking so many question. I really want to help you sort out where the bottle neck is. How many IP address does your ATA Center have and are the ATA center and Gateway domain joined?

Highlighted

NP at all - appreciate the help

 

Console has two IPs, and we have two Gateways deployed (one in prod for the DCs there, and one for our DR DCs), and are joined to the same domain.

 

Thx

Highlighted

Hello Jeff, Am so sorry for the long silience. From your ATA console can you search for users and computer and most especially, Users you have newly created.

Highlighted

NP at all - actually opened a case with MSFT and they think the issue might be that the SPAN ports we have are dropping packets. They suggested that we install the Lightweight Gateway so we are going to discuss internally and hopefully go that way. I'll let you know.

 

Thx,

Jeff