WUDO Causing Suspicion of identity theft based on abnormal behavior alert to trigger several times per hour

  • Question

  • After several weeks of trying to track down the root cause of the above mentioned ATA alert, we have determined WUDO is possibly causing the above mentioned ATA alert to fire.

    ATA is finding that hosts are connecting to CIFS of many other systems as well as port 7680.

    I have not found any official Microsoft documentation stating WUDO utilizes port 445, but other users like myself mentioned 445 is used for peer discovery. If this is true, shouldn't ATA detect that WUDO and host discovery is in use and not fire several times an hour?

    If not, what work is being done to get this fixed in the next or future ATA release?



    • Edited by Lyn Dan Wednesday, May 16, 2018 11:20 PM
    Wednesday, May 16, 2018 9:52 PM

All replies

  • Hello,

    If you have confirmed that this is a false positive, you can exclude the entities from triggering alerts.

    You can learn more details about excluding entities from detections by referring to the following article.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/excluding-entities-from-detections

    On the other hand, you also can submit your request on the ATA Uservoice site.

    https://microsoftsecurity.uservoice.com/forums/905158-advanced-threat-analytics

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 17, 2018 8:00 AM
  • There was a sudden onset of alerts in this category at my workplace as well. Something in the environment seems to have changed but it is unclear what the cause could be. The alerts don't seem to be specific to Windows 10 only. At this point we are getting alerts for random users in a domain comprised of thousands of user accounts, in roughly 15 minute intervals. This is with ATA 1.9; making exclusions for the false positives as they happen is not practical as there is not much repetition and a different user is flagged for "suspicion of identity theft based on abnormal behaviour" with the subsequent alerts.
    Thursday, May 17, 2018 6:39 PM
  • Andy Liu, like @ASecurityGuy-ZA mentioned below, there are simply too many hosts with this activity to create exclusions in ATA.

    For us these alerts are originating from Windows 10 Ent machines.

    Does anyone have an answer as to why Windows is doing this and how we can get ATA to stop firing?

    Monday, May 21, 2018 3:29 PM
  • This exact scenario is happening in our environment roughly one month after the upgrade to 1.9. It has created quite the "storm" of alerts.

    One of my questions is how to handle the alert without excluding the user and teaching ATA that the behavior is "normal". I have explored the links shared by Andy Liu, but they do not properly address the scenario.

    Any insights from the ATA team would be appreciated. Thanks!

    Tuesday, May 22, 2018 9:36 PM
  • +1 for Citrix Farms since the v.1.9 upgrade.
    Wednesday, May 23, 2018 3:19 PM
  • This is a similar scenario I'm investigating at the moment. I'll follow and keep this thread apprised of any confirmations. MSFT needs to weigh in on this.
    Thursday, July 19, 2018 11:54 PM
  • Hey,

    Within the Microsoft.Tri.Center.log (and additional Microsoft.Tri.Center-Archived-<number>.log) in the Logs folder within the ATA Center installation folder, look for lines starting with
    [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed

    Can you paste the full lines here so that we can examine a hypothesis we're having? For example:

    [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=01.21:01:40.4216556]

    Thanks,

    Jonathan

    Thursday, August 16, 2018 10:36 AM
  • Only 3 months later, but we are still struggling with this:

    2018-11-15 03:11:33.9396 4012 454 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=13:06:36.2074943]
    2018-11-16 14:14:01.5785 4012 721 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:02:27.6395249]
    2018-11-18 01:40:20.3758 4012 1215 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:26:18.7833957]
    2018-11-19 12:43:45.0914 4012 1453 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:03:24.7008887]
    2018-11-19 17:58:26.3991 3348 8   Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=00:01:26.3149212]
    2018-11-21 05:19:48.8812 3348 243 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:21:22.4664598]

    Wednesday, November 21, 2018 7:26 PM
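To make the BuildModelsAsync check Jonathan asked for repeatable, here is an added example (not from the thread or from Microsoft) that parses the Elapsed values out of Microsoft.Tri.Center.log lines like the ones pasted above and summarizes them. Elapsed is a .NET TimeSpan string (optional days, then hh:mm:ss and up to seven fractional digits); the one-hour threshold is an assumed value for flagging long model builds, and the sample input is the six lines quoted in the last post.

```python
import re
from datetime import datetime, timedelta

# Sample input: the six BuildModelsAsync lines quoted in the thread's last post.
SAMPLE_LOG = """\
2018-11-15 03:11:33.9396 4012 454 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=13:06:36.2074943]
2018-11-16 14:14:01.5785 4012 721 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:02:27.6395249]
2018-11-18 01:40:20.3758 4012 1215 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:26:18.7833957]
2018-11-19 12:43:45.0914 4012 1453 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:03:24.7008887]
2018-11-19 17:58:26.3991 3348 8   Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=00:01:26.3149212]
2018-11-21 05:19:48.8812 3348 243 Debug [AbnormalBehaviorDetector] Periodic task completed [name=BuildModelsAsync Elapsed=11:21:22.4664598]
"""

# Timestamp, pid, thread id, level, then the exact message Jonathan asked for.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\d+\s+\d+\s+\w+\s+"
    r"\[AbnormalBehaviorDetector\] Periodic task completed "
    r"\[name=BuildModelsAsync Elapsed=(?P<elapsed>[^\]]+)\]"
)
# .NET TimeSpan text: [d.]hh:mm:ss[.fffffff] (fraction is in 100 ns ticks).
ELAPSED_RE = re.compile(
    r"^(?:(?P<d>\d+)\.)?(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.(?P<f>\d{1,7}))?$"
)


def parse_elapsed(text):
    """Convert a TimeSpan string such as '01.21:01:40.4216556' to a timedelta."""
    m = ELAPSED_RE.match(text.strip())
    if not m:
        raise ValueError("not a TimeSpan value: %r" % text)
    frac = (m.group("f") or "0").ljust(6, "0")[:6]  # ticks -> microseconds (truncated)
    return timedelta(days=int(m.group("d") or 0), hours=int(m.group("h")),
                     minutes=int(m.group("m")), seconds=int(m.group("s")),
                     microseconds=int(frac))


def parse_build_completions(log_text):
    """Return [(completion timestamp, build duration)] for matching log lines."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            out.append((stamp, parse_elapsed(m.group("elapsed"))))
    return out


def summarize(completions, threshold=timedelta(hours=1)):
    """Longest build, builds over the (assumed) threshold, and the largest gap between builds."""
    if not completions:
        return {"count": 0, "longest": timedelta(0), "over_threshold": 0, "max_gap": timedelta(0)}
    durations = [e for _, e in completions]
    stamps = sorted(t for t, _ in completions)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    return {"count": len(completions), "longest": max(durations),
            "over_threshold": sum(1 for e in durations if e > threshold),
            "max_gap": max(gaps) if gaps else timedelta(0)}


if __name__ == "__main__":
    print(summarize(parse_build_completions(SAMPLE_LOG)))
```

Run it against the real Microsoft.Tri.Center.log and the archived copies to see how long each model build takes and how much time passes between completions.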