ATA Center is not sending Email Alerts

  • Question

  • I am able to trigger a Honeytoken event, but no email is sent and I have configured the mail section with the basics (FQDN, Port 25, no authentication, valid sender and recipients). I can resolve the SMTP server, telnet to it and send the message old school, but it seems ATA doesn't even try to send it because I don't even see an attempted connection on TCP 25 from the ATA Center to the SMTP server (the connection traverses our firewall, so I can see everything permit/deny).

    Has anyone gotten email alerting to work?  Is there an extra step I'm missing?  I followed the lab install guide.

    Thanks!

    Friday, July 10, 2015 7:48 PM

All replies

  • Hello terosaur,

    The feature should work with that configuration.

    Did you enable the SMTP reporting before you triggered the Honeytoken event or after?

    If after, then I recommend testing with a different type of event, as it is possible your tests aggregate into the existing event, which does not re-send the notification.

    Microsoft ATA Team

    Monday, July 13, 2015 7:53 AM
  • Hi ATA Team!

    I think I enabled it afterwards. Unfortunately that's the only event I can easily trigger.

    I would argue that every single instance of a HoneyToken event should be alerted on.  Alerting only once doesn't alert you to further attacks from other computers.  That has to be a bug if that's the case.

    Can you confirm that you can trigger alerts on the HoneyToken on all instances of it being triggered?

    Any other ideas?

    Thanks!

    Monday, July 13, 2015 1:53 PM
  • Hi terosaur,

    In the current public preview version, we generate a notification only when the suspicious activity opens, and any subsequent events get aggregated into the same event without sending a new notification.

    The logic behind this design is that many suspicious activities in ATA are ongoing events and not single events (think about brute-force: would you want to get 1000 emails if someone tries to brute-force 1000 accounts?).

    The good news: in the upcoming version we added an option to change the verbosity level of the alerts in such a way that you can choose either "High" or "Low" (default). When choosing "High", each time a "significant change" is added to the event (this is defined differently for each event) a new notification will be sent.

    For example, in your specific scenario (Honeytoken), if a new account (you can have more than one honeytoken account) is identified, or if the same user logs in from a different machine, or accesses a new resource, this will re-generate the alert/email if you set the verbosity level to "High".

    With the current version, the only way to trigger a new event is by generating a new type of event.

    You can take a look at the following thread for some ideas on how to simulate events:

    https://social.technet.microsoft.com/Forums/security/en-US/0752bc4b-9119-4756-8a5e-9475b25dc105/simulating-suspicious-actions-in-a-lab-environment?forum=mata

    Hope this helps,

    Microsoft ATA Team

    Monday, July 13, 2015 3:12 PM
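The aggregation and verbosity behaviour described in the reply above, as an added illustrative model that is not Microsoft ATA code: the activity type name, the field names and the three "significant change" criteria for the honeytoken case (new account, new source machine, new resource) are assumptions taken from the reply, and notifications are collected in a list instead of being sent over SMTP.

```python
from dataclasses import dataclass, field

# Constructed model of the notification logic described in the reply.
# Not ATA's implementation: names and structure are assumptions.

@dataclass
class SuspiciousActivity:
    kind: str                                  # e.g. "honeytoken" (assumed name)
    accounts: set = field(default_factory=set)
    machines: set = field(default_factory=set)
    resources: set = field(default_factory=set)
    event_count: int = 0

class AlertAggregator:
    """One open activity per event type. Low = notify only when the activity
    opens; High = also notify when a significant change is added to it."""
    def __init__(self, verbosity="Low"):
        assert verbosity in ("Low", "High")
        self.verbosity = verbosity
        self.open = {}    # kind -> SuspiciousActivity
        self.sent = []    # notifications that would have been emailed

    def ingest(self, kind, account, machine, resource):
        """Feed one detection; return True if a notification was generated."""
        act = self.open.get(kind)
        if act is None:
            act = SuspiciousActivity(kind)
            self.open[kind] = act
            reason, significant = "opened", True
        else:
            # "Significant change" for honeytoken per the reply: a new account,
            # the same user from a different machine, or a new resource accessed.
            new = []
            if account not in act.accounts: new.append("account")
            if machine not in act.machines: new.append("machine")
            if resource not in act.resources: new.append("resource")
            significant = bool(new)
            reason = ("new " + ",".join(new)) if new else "aggregated"
        act.accounts.add(account); act.machines.add(machine); act.resources.add(resource)
        act.event_count += 1
        if reason == "opened" or (self.verbosity == "High" and significant):
            self.sent.append(f"{kind}: {reason}")
            return True
        return False    # aggregated silently into the existing open activity
```

Replaying the same honeytoken logon repeatedly, as the original poster did, only ever produces the first notification in Low mode, which matches the behaviour reported in the question.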
  • Hello,

    Great news that you are including that feature. I agree that in some cases you don't want an alert for every instance.

    I'll take a look at the link you provided.

    Thanks so much for your help.  I look forward to the final release.  When is that going to be available for download btw?

    --T

    Monday, July 13, 2015 6:51 PM