How to test and verify WEF configuration for the ATA Lightweight Gateway?

  • Question

  • Hello,

    I followed the deployment guide to create Event Viewer Subscriptions to forward Event ID 4776 to the DC itself, since each of my DCs has the Lightweight Gateway.

    On the ATA Center I have enabled Windows Event Forwarding and the configuration has synced with the Lightweight Gateways.

    However, what I am having an issue with is that I do not see "Forwarded Events" anywhere in ATA Center. This is likely because there are no Event ID 4776 events generated.

    How can I test/verify that my event forwarding configuration is actually working on my DCs? How can I simulate/create an Event ID 4776?

    We are running latest ATA build 1.7.

    It is important to be able to prove that event forwarding is actually working; can anyone from the ATA team give some guidance on generating Event ID 4776 so it triggers the "Forwarded Events" in ATA Center?

    Wednesday, May 31, 2017 3:00 PM

All replies

  • Hello,

    Firstly, if you configure Windows Event Forwarding correctly, you can see Windows event 4776 at Windows Logs > Forwarded Events in Event Viewer on the ATA Lightweight Gateway. Please see the screenshot below.

    Then, you can verify Windows Event Forwarding from the ATA Center by following the steps below.

    1. Open a command line window and change the path to the MongoDB bin folder. The default path is: C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin.

    2. Run: mongo.exe ATA. Make sure to type ATA with all capital letters.

    3. Copy and run the following code; the expected result is the number of NTLM events.

        // Walk every collection in the ATA database and report the ones
        // that hold forwarded NTLM (Event ID 4776) events.
        db.getCollectionNames().forEach(function(collection) {
            // ATA stores these events in collections named NtlmEvent_<...>
            if (collection.substring(0, 10) == "NtlmEvent_") {
                var n = db[collection].count();
                if (n > 0) {
                    print("Found " + n + " NTLM events");
                }
            }
        });


    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 1, 2017 6:48 AM
  • Hi Andy,

    Thanks for this; but what I was trying to imply is that I do not see any 4776 Event IDs in Forwarded Events because there simply aren't any in our environment. So what I wanted to do is create/fake a 4776 event to see if it will be successfully forwarded to ATA Center.

    Are there some steps for creating a dummy 4776 event in the event viewer?

    Friday, June 2, 2017 4:18 PM
  • Hello,

    In my lab, I prepared a Workstation, which isn't joined to any domain, and a Server in a domain.

    From the Workstation, I use Remote Desktop Client to access the server. The event for credential validation will be logged with event ID 4776 on the DC.

    Best regards,

    Andy Liu



    Monday, June 5, 2017 6:18 AM
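  • The two replies above give the collector-side check (the mongo.exe query on the ATA Center) and a way to produce a 4776 event (an RDP logon from a non-domain workstation). The script below is an added example for this thread, not Microsoft's or ATA's own tooling, and covers the DC side of the same verification: it shows the Windows Event Collector subscription status, counts 4776 events in the DC's own Security log (where they originate) and in Forwarded Events (where the subscription should deliver them), and prints the newest forwarded ones. It assumes an elevated PowerShell session on a DC running the Lightweight Gateway; $SubscriptionName is a placeholder for whatever name you gave the subscription in Event Viewer.

```powershell
# Added example (not from the thread): verify 4776 forwarding on a DC that runs
# the ATA Lightweight Gateway. Run elevated on the DC.
# $SubscriptionName is a hypothetical placeholder; use the name you created.
param(
    [string]$SubscriptionName = 'ATA-4776-Forwarding',   # placeholder, replace with your subscription name
    [int]$Hours = 24                                     # look-back window for the counts
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Subscription status. wecutil is the built-in Windows Event Collector tool:
#    'es' enumerates subscriptions, 'gr' prints the runtime status of one
#    subscription (per-source state, last heartbeat, last error).
Write-Host "== Subscriptions on $env:COMPUTERNAME =="
wecutil es
Write-Host "`n== Runtime status for '$SubscriptionName' =="
wecutil gr $SubscriptionName

# Count 4776 events in one log since $StartTime. The call is wrapped in @() so
# that "no events found" yields an empty array (Count 0) rather than $null.
function Get-Event4776Count {
    param([string]$LogName, [datetime]$StartTime)
    $filter = @{ LogName = $LogName; Id = 4776; StartTime = $StartTime }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    return $events.Count
}

# 2. Source side (Security log on this DC) vs. destination side (Forwarded Events)
$sourceCount = Get-Event4776Count -LogName 'Security'        -StartTime $since
$fwdCount    = Get-Event4776Count -LogName 'ForwardedEvents' -StartTime $since
Write-Host "`n4776 in Security (last $Hours h):        $sourceCount"
Write-Host   "4776 in ForwardedEvents (last $Hours h): $fwdCount"

# 3. Interpret the two numbers
if ($sourceCount -eq 0) {
    Write-Host "No 4776 generated on this DC yet; trigger one (e.g. the RDP logon from a non-domain workstation described above) and re-run."
} elseif ($fwdCount -eq 0) {
    Write-Host "4776 exists locally but none was forwarded; check the runtime status above and the subscription's filter (Security log, Event ID 4776)."
} else {
    # Newest forwarded 4776 events. For 4776 the EventData order is
    # PackageName, TargetUserName, Workstation, Status.
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4776; StartTime = $since } -MaxEvents 5 |
        Select-Object TimeCreated, MachineName,
            @{ n = 'Account';     e = { $_.Properties[1].Value } },
            @{ n = 'Workstation'; e = { $_.Properties[2].Value } },
            @{ n = 'Status';      e = { $_.Properties[3].Value } } |
        Format-Table -AutoSize
}
```

    Reading the two counts together separates the two failure modes the thread runs into: a zero in Security means nothing has been generated yet (the situation the original poster describes), while a non-zero Security count with a zero Forwarded Events count points at the subscription itself, which the wecutil gr output usually explains. Once events appear in Forwarded Events, the mongo.exe query from the first reply should report them on the ATA Center after the next sync.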
  • Hello,

    I would like to check if the solution is helpful.

    Best regards,

    Andy Liu



    Wednesday, June 14, 2017 9:06 AM