Microsoft Advanced Threat Analytics - wrong time reported on alerts

  • Question

  • I have 3 DCs running the lightweight gateway. The console is running on another server. The console emails all alerts to me.  Most of the time the time is correct on the emailed alerts, but on a lot of occasions the time is way off.  For example, the emailed alert today said that the lightweight gateway has stopped communicating.  Then it states "Last communication was on 8/9/2016 at 4:40:50 PM".  I received this alert at 12:15 on 8/9/2016.  I checked the times and time zones on the 3 DCs and the console.  They are all correct.  So where is it getting the time from?  Or is this just a bug that hasn't been worked out yet?
    Tuesday, August 9, 2016 5:40 PM

All replies

  • Time synchronization is required as per the following link.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/plan-design/ata-prerequisites

    Additionally you could try the following to test if time synchronization is working properly.

    https://support.microsoft.com/en-us/kb/193825

    Hope these help

    Wednesday, August 10, 2016 6:35 AM
  • Thanks for the reply.

    I have checked all 3 domain controllers and the ATA Center. They are all showing the exact same time (just like they should). The odd thing is that some alerts that are reported show the correct time. Other alerts are several hours off.

    Wednesday, August 10, 2016 8:43 PM
  • Don't bother with this product.  Tech support is minimal at best.  Error logs are useless.  We are stopping all services on our ATA console and lightweight gateways until this product is improved greatly.  MS obviously doesn't put much effort into the ATA.  We never got any useful information out of it.  The only thing it reported was trust issues when the PC lost its trust with the DC (which has to be manually fixed anyway--and the user who was at the PC with the trust issue let us know immediately) or when a user logs in on too many machines at one time.  That was useless because all of our techs log in on multiple machines every day.  We will wait for a major update or improvement of this product before we use it again, if ever.
    Tuesday, January 3, 2017 1:51 PM
  • This is because all logging is done in UTC time. 
    • Proposed as answer by Oddvar Moe (MVP), Monday, January 16, 2017 9:46 PM
    Monday, January 9, 2017 6:44 PM