How to test if the system is functional?

  • Question

  • Hey!

    I've set up an ATA environment rather successfully, I suppose. I have the Center server in Azure and a Gateway server on-premises. It seems that I can search AD objects just fine in the ATA portal. So the connection should be good.

    Now my question is: how should I put the system to the test? I would like to see ATA in action and some red warnings in the portal.

    Tuesday, March 15, 2016 10:22 AM

All replies

  • Hi,

    You can enter a SID as a HoneyToken user and try to log on with it. Another way is to try a DNS zone transfer to your client, so you have an unauthorized transfer, and it should appear in ATA as a DNS threat.

    Regards

    Wednesday, March 16, 2016 6:29 AM
  • Hi,

    Thanks for the answer Eli. I entered my own SID as a HoneyToken and I've been using this AD-account normally by logging in and out. When I search my user object from the ATA-console I can see the object marked as a bee, so I suppose that it registers my user account as a honey token user. 

    But still I cannot see any action from ATA. I have tested that the gateway server can listen to the domain controller just fine. It seems odd that no logs of different behaviour have been recorded.


    Thursday, March 17, 2016 12:02 PM
  • Hi,

    In general ATA will do nothing :D It is just a passive tool. You can access the database via tools like "MongoVUE", for example. All activities will be stored within the database. You will not see any activities in the ATA logs itself.

    What exactly do you mean by "cannot see any action from ATA"? The only thing you can see is what ATA can also see. You can install the NetworkMonitor and watch the mirrored traffic that will be analyzed by ATA.

    Regards

    Thursday, March 17, 2016 12:42 PM
  • I mean, shouldn't there be a warning or anything if I am using a user account which is marked as a honey token SID?
    Monday, March 21, 2016 8:10 AM
  • Hi,

    Yes, it should. If the SID is in the HoneyTokenUser field, it should give a message if this account is used to access some resources. Did you try to make a DNS zone transfer with your normal PC? This should also generate a message.

    Regards

    Tuesday, March 22, 2016 6:06 AM
  • This is what you will see in the console. If you do not see anything, verify the SID for the Honey account.

    MicrosoftATA-honey

    //Mattias Borg

    • Proposed as answer by Narcoticoo Monday, October 17, 2016 5:42 PM
    Wednesday, March 23, 2016 12:09 PM