locked
Network Activities tab in download details of the ATA alert. RRS feed

  • Question

  • After upgrading to Version 1.9.7478.57683, our incident response team has noticed that the Network Activities tab is missing from some of the alerts like "Suspicion of identity theft based on abnormal behavior," "Identity theft using Pass-the-Ticket attack" and "Malicious replication of Directory Services". Is this by design or are we missing a configuration setting?
    Wednesday, August 7, 2019 8:39 PM

All replies

  • depends on from which version did you upgrade.

    If you upgraded from version 1.8.*, then we didn't migrate the data that was supposed to be there when  you upgraded to 1.9.*.

    this is for existing alerts.

    new alerts, or ongoing alerts will retain new data as expected, so I am guessing all those alerts you mentioned were opened before the upgrade to 1.9...

    Wednesday, August 7, 2019 9:09 PM
  • If I understand you correctly, if the alert was previously detected under 1.8.* but now it is triggered again under 1.9.* version, we won't have the data for the "Network Activities" tab but any new alert trigger under 1.9.* will generate data for "Network Activities" ?


    • Edited by Ed Healea Friday, August 23, 2019 9:02 PM
    Friday, August 23, 2019 8:58 PM
  • True. (mostly).

    it could be that alerts created under 1.8 MIGHT now get NEW network activities, it depends on their state before the migration.

    Alerts that were created after the 1.9 upgrade will work as usual.

    If you want to get new data, the best thing is to export the alert to excel for offline archiving, 

    and deleting it. if it will happen again, it will be totally new and collect all the new info...

    Friday, August 23, 2019 9:16 PM
  • So for new alerts, we are not getting network activities for every alert such as "Suspicion of identity theft based on abnormal behavior." When we download the alert details to Excel, the Network Activities tab is missing.
    Should there be a 
    network activities tab in every type of alert? 

    Friday, August 23, 2019 10:15 PM
  • Not every alert is based on network activities or has this tab.

    Specifically, Abnormal does not have it, you will just get normal and abnormal resource access, as it's based on long term profiling.

    Friday, August 23, 2019 10:22 PM
  • We have an example of a Suspicion of Identity...abnormal behavior alert saved from before the upgrade which the alert details does have the Network Activities containing Kerberos auth events.  Doesn't the ATA specifically look at Kerberos auth events which are all network events? Our CSIRT has built a process around using the network events to investigate these alerts. 
    Tuesday, August 27, 2019 3:17 PM
  • That is expected, we did keep the network activities for abnormal up to 1.8. once you upgraded to 1.9, we changed how it works (and how it profiles) and now it won't keep this data any more.

    What value exactly did this data brought with this specific SA that you lost now?

    Tuesday, August 27, 2019 8:00 PM