Forwarding events still usable?

  • Question

  • Hi there,

    we've just enabled event-forwarding for our ATA deployment (version 1.9.7478.57683).

    It looks like the events are not processed since there are no activities showing in ATA from DCs that are monitored only by forwarded events. 

    Scenario:

    DC1 (event collector) has an installed ATA agent. Events from DC1 itself are triggering activities in ATA. 

    Event forwarding is working without any issues and we can see dozens (tbh millions!) of events in the "Forwarded Events" section.

    DCs 3, 4 and 5 (not involved in event forwarding) also have an installed ATA agent. Events from DC 3 - 5 are triggering activities in ATA. 

    DCs 6 - 10 (event sources) are configured to send events 4776, 4732, 4733, 4728, 4729, 4756, 4757, 7045 and have no ATA agent. They are not in any way triggering events in ATA: no DNS Reconnaissance on zone xfer, no user x requested user y on machine z, no password changed, no ... nothing. 


    Checking against the MongoDB as written here: https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-technical-faq is just responding with:

    MongoDB shell version v3.6.10
    connecting to: mongodb://127.0.0.1:xxxx/?gssapiServiceName=mongodb
    Implicit session: session { "id" : UUID("123456789andsoon") }
    MongoDB server version: 3.6.10

    So my questions are:

    Is event-forwarding still used in the most up-to-date version or is it completely deprecated (since maybe an installed agent is expected)? 

    Did I miss configuring an option for this to work?

    Any help is appreciated.

    Best regards

    Marco


    Wednesday, September 11, 2019 2:51 PM
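Added example (not part of the thread, and not Microsoft's code): a PowerShell check, run on the collector (DC1 in the scenario above), that confirms which source DCs actually have the forwarded event IDs from the question landing in the ForwardedEvents log. It only verifies the Windows Event Collector leg; the ATA side (gateway configuration and port mirroring) is a separate check. The expected source names are constructed placeholders; Get-WinEvent records MachineName as the source's FQDN, so adjust them to match.

```powershell
# Added example: verify which source DCs' events reach the collector's ForwardedEvents log.
# The event IDs are the ones the question says are forwarded to the collector.
$ids = 4776, 4732, 4733, 4728, 4729, 4756, 4757, 7045

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    Id        = $ids
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No matching forwarded events in the last hour; check the WEC subscription and the source DCs'' audit policy.'
    return
}

# Count per source DC and event ID, so a source that forwards nothing (or forwards
# only some of the IDs) stands out immediately.
$events |
    Group-Object MachineName, Id |
    Sort-Object Name |
    Select-Object @{ n = 'SourceDC'; e = { $_.Values[0] } },
                  @{ n = 'EventId';  e = { $_.Values[1] } },
                  Count |
    Format-Table -AutoSize

# Constructed placeholder list of the DCs that are supposed to forward (DCs 6-10 in the thread).
# Replace with the real FQDNs as they appear in the MachineName field.
$expected = 'dc6.example.local', 'dc7.example.local', 'dc8.example.local', 'dc9.example.local', 'dc10.example.local'
$seen     = $events | Select-Object -ExpandProperty MachineName -Unique
$missing  = $expected | Where-Object { $seen -notcontains $_ }

if ($missing) {
    Write-Warning ('No forwarded events from: ' + ($missing -join ', '))
} else {
    Write-Output 'All expected source DCs are forwarding at least one of the configured event IDs.'
}
```

If every expected DC shows up here but ATA still shows no activities for them, the forwarding leg is fine and the problem lies on the ATA side, which is what the accepted answer below points at.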

Answers

  • Event forwarding is not enough. Are you mirroring the network traffic from those DCs to the standalone gateway?

    Did you configure in the Gateway which DCs are monitored by it?

    • Marked as answer by m.glende Thursday, September 12, 2019 6:58 AM
    Wednesday, September 11, 2019 6:36 PM