UEBA Alerts - missing?

  • Question

  • I am using Version 1.7.5757.57477, I've had it up and running for about 2 months now.  Every domain controller has the lightweight gateway agent installed and running.  I just had a request from legal to copy a large amount of data from multiple sources.  I expected that ATA would flag this as unusual behavior since it is unusual...I have received no alerts about this, nor have I received any alerts for any UEBA activities.  Am I missing something on the setup, or is it just not functioning as I would expect?

    Obviously, this is one of the main reasons ATA was set up in the first place, to detect the possible loss of corporate data, and it is a concern that it isn't flagging it.

    Tuesday, June 27, 2017 5:45 PM

All replies

  • Hello,

    ATA is not a network monitoring tool. I think ATA will not generate an alert for copying a large amount of data.

    You can learn more details about what ATA can detect from the following article.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats

    In addition, there are some requirements for the abnormal detection engine. It requires a minimum of 21 days to build the entity profiles and requires a minimum of 50 entity profiles. This can include 50 active human user profiles, active computer profiles and service accounts. To create a profile for an entity, ATA needs to see network activity for the entity on 12 out of the last 21 days.

    For more details about ATA behavior analysis monitoring, please see the following article.

    https://blogs.technet.microsoft.com/enterprisemobility/2016/06/30/ata-behavior-analysis-monitoring

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 28, 2017 6:27 AM
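    As an added illustration (not code from this thread, from ATA, or from Microsoft), the script below encodes the profiling thresholds stated in the reply above over constructed activity data, so an admin can see why a two-month-old deployment with too few regularly active entities would still produce no abnormal-behavior alerts. Entity names, dates and activity are all made up, and ATA's real profiling logic is not public; only the stated 21-day, 12-of-21 and 50-profile rules are modelled.

```python
from datetime import date, timedelta

# Thresholds exactly as stated in the reply above; ATA's actual profiling
# logic is not public, so this only encodes those stated rules (assumption).
LEARNING_PERIOD_DAYS = 21   # minimum learning period before abnormal-behavior detection
MIN_ACTIVE_DAYS = 12        # entity must be seen on 12 of the last 21 days to get a profile
MIN_PROFILES = 50           # engine needs at least 50 profiled entities


def profiled_entities(activity, as_of):
    """Entities seen on at least MIN_ACTIVE_DAYS distinct days in the
    LEARNING_PERIOD_DAYS-day window ending on `as_of` (inclusive).
    `activity` maps entity name -> set of dates with observed traffic."""
    window_start = as_of - timedelta(days=LEARNING_PERIOD_DAYS - 1)
    return {
        name for name, days in activity.items()
        if len({d for d in days if window_start <= d <= as_of}) >= MIN_ACTIVE_DAYS
    }


def readiness(activity, deployed_on, as_of):
    """Report whether the abnormal-behavior engine can be expected to alert
    yet and, if not, which stated precondition is unmet."""
    days_running = (as_of - deployed_on).days
    profiled = profiled_entities(activity, as_of)
    reasons = []
    if days_running < LEARNING_PERIOD_DAYS:
        reasons.append(f"{days_running} days of learning, need {LEARNING_PERIOD_DAYS}")
    if len(profiled) < MIN_PROFILES:
        reasons.append(f"{len(profiled)} profiled entities, need {MIN_PROFILES}")
    return {"ready": not reasons, "profiled": len(profiled), "reasons": reasons}


def sample_activity(as_of, regular, sporadic):
    """Constructed sample data (hypothetical names): `regular` users are
    seen every weekday (15 of any 21 days), `sporadic` service accounts
    only once a week (3 of 21 days), so they never qualify for a profile."""
    act = {}
    for i in range(regular):
        act[f"user{i:03d}"] = {as_of - timedelta(days=k) for k in range(21)
                               if (as_of - timedelta(days=k)).weekday() < 5}
    for i in range(sporadic):
        act[f"svc{i:03d}"] = {as_of - timedelta(days=k) for k in (0, 7, 14)}
    return act


if __name__ == "__main__":
    today = date(2017, 6, 27)               # date of the original question
    deployed = today - timedelta(days=60)   # "about 2 months" of operation
    print(readiness(sample_activity(today, regular=45, sporadic=20), deployed, today))
```

    Run as-is it reports 45 profiled entities, short of the 50 the engine needs, which is the kind of silent precondition failure that looks like "UEBA is not working" from the console.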
  • This is part of what is listed as behavior analysis.  And it is one of the biggest concerns that would make anyone want to have a behavior analytic tool.  A user is being used to copy a large amount of data out of the system, the user is accessing files and systems that it doesn't normally access (Abnormal Behavior), and is potentially stealing all this data.  This isn't network monitoring, it is monitoring the behavior of the user.

    Abnormal Behavior: Often in cases of insider threats, as well as advanced attacks, the account credentials may be compromised using social engineering methods or new and not-yet-known methods and techniques. ATA is able to detect these types of compromises by analyzing the entity's behavior and detecting and alerting on abnormalities of the operations performed by the entity.

    Steve

    Wednesday, June 28, 2017 11:28 AM
  • Hello,

    You can validate the abnormal detection engine by viewing the log file. Furthermore, you can validate that a single user is included in the behavior analysis model.

    For more details about the methods, please see the following article.

    https://blogs.technet.microsoft.com/enterprisemobility/2016/06/30/ata-behavior-analysis-monitoring/

    Best regards,

    Andy Liu

    Monday, July 3, 2017 5:37 AM