Learned entities

  • Question

  • Under the installation guide, there is a statement under "validating your deployment" stating "You should see a list of Entities Recently Learned in the notification bar on the right side of the console," with an example showing entities recently learned. The first entry shows 1 Domain, 2 domain controllers, 963 users, etc. I certainly don't see that as a learned entity under the Bell - should I?

    I have tried the DNS and simple LDAP BIND "emulations", and they show up just fine.

    Friday, May 15, 2015 3:20 PM

All replies

  • Hi Stuart,

    Just to clarify that when you do the DNS and simple LDAP bind emulations you see the suspicious activity in the Attack Timeline?

    Are you not seeing the entities (domains, DCs, users, groups, and computers) that ATA has learned (discovered)?

    Thanks

    ATA Team


    Gershon Levitz [MSFT]

    Sunday, May 17, 2015 7:23 AM
  • Thanks for the reply Gershon.

    Yes, I am seeing the 2 tests (DNS and simple LDAP Bind) on the timeline, I just don't see the prior discovery pieces (seeing my AD basically) which are shown in the install guide. I would think it would be useful info (if only to confirm connectivity), as at least you know that it can actually see your AD, DCs, etc.! I just didn't see it, hence asking the question "should I?"

    Sunday, May 17, 2015 8:34 AM
  • Hi Stuart,

    By default, the notification cycle is every 10 minutes, and it stays active until midnight the same day.

    So if you did not wait 10 minutes, you may not see the "Entities Recently Learned" notification, and if you shut down the machine and checked it the next day, you may have lost it already...

    For a test, you can, for example, add a user to your AD and wait ~10 minutes, and see if you get such a notification.

    Hope this helps,

    Microsoft ATA Team.

    Sunday, May 17, 2015 3:29 PM
  • The ATA Center and Gateway have not been turned off, and the data never showed from what I can see.

    Just to be clear, I am referring to this useful info from the installation guide:

    When is it surfaced? Did I miss something? Like I said, it is useful info... at least you know that ATA is "connected". What other things are dropped into "Recently learned"?

    I did add a user, and within 2-3 mins, I saw "Entries recently learned : 1 user"... but no more detail.

    Sunday, May 17, 2015 10:52 PM
  • Hi Stuart,

    As mentioned before, there is a notification cycle that happens every 10 minutes (by default), which sends to the notification area (the one you are referring to) information about recently learned entities. The list includes the 5 categories you see in the screenshot (domains, DCs, users, computers and groups).

    If adding a user generated a notification, this means the mechanism is working as expected. Since the notifications only show the "delta" (i.e. new entities), it is expected to only show you the 1 user.

    Since the notification is active until midnight, it is possible it was generated in the initial cycle (after ~10 minutes from initial install) and was removed at midnight, and you may have missed it.

    It will be interesting to hear from other people in the forum whether they managed to see those initial notifications or not. If this happens to other people (missing initial notification), we can investigate whether there is a generic issue with the mechanism.

    Hope this helps.

    Microsoft ATA team.

    Monday, May 18, 2015 9:10 AM
  • I have the same problem here. I did see the entities, and the next day it disappeared. It's useful info, and it's better than creating a new user every day to check that it works properly. Please give us useful info to fix this problem.

    Best regards,

    Omar Nahhas.

       
    Sunday, January 31, 2016 10:26 AM