Information missing when exporting to Excel

  • Question

  • I have two alerts for Sensitive Account Credentials Exposed, "Credentials were exposed in cleartext using LDAP simple bind."  Both of these alerts are showing as being from several source machines using several different user accounts.  When the alerts first started the console would show the first date detected 1/10 and the last date detected 1/23.  If I would export the data to Excel I would see all of the detected events 1/10 - 1/23.  I fixed all the problems and marked the events as Resolved.  

    Several days later the events showed back up in the ATA console as detected and the date range was up to the current date 2/3.  However, if I export this data to Excel the last date displayed is 1/23.  I see a new user on the Exposed tab, but on the Network Activities tab I do not see the new date, only up to 1/23.  I have 10001 rows on the Network Activities tab.

    Wednesday, February 10, 2016 8:04 PM

All replies

  • Brian,

    I'm having a similar issue.   Did you receive any feedback?



    Thursday, April 21, 2016 5:42 PM
  • No, I didn't.  
    Thursday, April 21, 2016 5:59 PM
  • I called Premier Support.

    It's a known issue.   Somewhat on purpose.

    The MongoDB has an export limitation of 10,001 events.

    Development saw it as a prevention for Denial of Service.

    It possibly could be changed in the new 1.6 that's forthcoming.

    Monday, April 25, 2016 4:42 PM
  • Is there a solution for this behavior ?

    I need to export a bunch of events but I only get the oldest 10,000 entries.

    Tuesday, August 8, 2017 11:46 AM
  • No, 10000 is the maximum we keep in the db so nothing more to export. 

    Tuesday, August 8, 2017 1:42 PM
  • Is there a way to clear out the existing 10,000 entries so that we can detect/report on new ones?
    Tuesday, August 8, 2017 1:45 PM
  • If you are running ATA 1.8, you can completely delete the SA.

    If the problem continues, ATA will generate a new SA for it, and collect new 10,000 entries again.

    For 1.7 it can be done in theory by manipulating the DB, but just upgrading to 1.8 should be better.

    Tuesday, August 8, 2017 5:42 PM
  • Yes, the lack of recent history makes it difficult to verify that the underlying activity has stopped.

    For example, when we first deployed ATA we found a lot of unencrypted LDAP binds.   The volume of activity quickly exceeded the 10k mark because all of the binds from all of the source servers were bundled into a single SA.

    We would request that the application owners correct the configuration but, because the SA had stopped collecting new history, we couldn't verify the resolution (at least from ATA's perspective).  We didn't want to delete the SA because it had many other servers listed in it, but ultimately had to do that to get fresh data.

    Friday, December 1, 2017 2:54 PM
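The post above describes the practical gap: once an SA has hit its 10,000-row Network Activities cap, ATA can no longer tell you whether cleartext LDAP simple binds are still happening. The script below is an added example (it is not from this thread, from ATA, or from Microsoft) that answers the same question directly on a domain controller, using the Directory Service event 2889 that the DC writes for unsigned or cleartext binds once the NTDS diagnostic "16 LDAP Interface Events" is raised to 2. Assumptions are labelled in the code: the layout of the 2889 message body (the "Client IP address:" and "Identity the client attempted to authenticate as:" lines), and the optional "Binding Type:" line, which only DCs with newer updates emit; the sample message at the end is constructed so the parser can be exercised without a DC.

```powershell
# Added example, not ATA code: check a DC for ongoing cleartext LDAP simple binds
# via event 2889, independent of ATA's 10,000-row Network Activities cap.
#
# Assumptions: event 2889 is written to the 'Directory Service' log once the
# NTDS diagnostic "16 LDAP Interface Events" is 2; the message carries a
# "Client IP address:" line and an "Identity the client attempted to authenticate as:"
# line; "Binding Type:" (0 = simple bind in clear text, 1 = SASL without signing)
# is present only on updated DCs and is therefore treated as optional.

function Enable-LdapInterfaceDiagnostics {
    # Level 2 makes the DC log one 2889 event per unsigned/cleartext bind.
    # On a busy DC this can be noisy; lower it back to 0 once verified.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function ConvertFrom-Ldap2889Message {
    # Parse the free-text body of a 2889 event into structured fields.
    param([Parameter(Mandatory)][string]$Message)

    $ip = if ($Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { $null }
    $id = if ($Message -match 'Identity the client attempted to authenticate as:\s*([^\r\n]+)') {
        $Matches[1].Trim()
    } else { $null }
    $bt = if ($Message -match 'Binding Type:\s*(\d+)') { [int]$Matches[1] } else { $null }

    [pscustomobject]@{
        ClientIp    = ($ip -split ':')[0]   # drop the ephemeral source port
        Identity    = $id
        BindingType = $bt
    }
}

function Get-CleartextLdapBinds {
    # Summarise 2889 events since $Since as (client, identity, count, last seen).
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $Since
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
          $parsed = ConvertFrom-Ldap2889Message -Message $_.Message
          $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
      } |
      # Keep simple binds (type 0) and events from DCs that do not report a type.
      Where-Object { $null -eq $_.BindingType -or $_.BindingType -eq 0 } |
      Group-Object ClientIp, Identity |
      ForEach-Object {
          [pscustomobject]@{
              ClientIp = $_.Group[0].ClientIp
              Identity = $_.Group[0].Identity
              Count    = $_.Count
              LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
          }
      } | Sort-Object LastSeen -Descending
}

# Constructed sample 2889 message body (not a real captured event), so the
# parser can be run on any machine without a domain controller.
$sample = @'
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.0.0.25:49731
Identity the client attempted to authenticate as:
CONTOSO\svc_app
Binding Type:
0
'@
ConvertFrom-Ldap2889Message -Message $sample

# On a domain controller, after enabling diagnostics and waiting for traffic:
#   Enable-LdapInterfaceDiagnostics
#   Get-CleartextLdapBinds -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

Because every 2889 event is kept in the Windows event log (subject only to its own size limit), the LastSeen column keeps moving as long as the misconfigured application is still binding in cleartext, which is exactly the confirmation the capped SA could no longer provide. Run it against each DC, since a client binds to whichever DC it locates.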
  • You can export the SA to Excel before deleting it, thus not really losing the data.

    Anyway, note that the metadata is still updated, only the network activities collection is limited.

    Friday, December 1, 2017 8:59 PM