locked
Question regarding ATA RRS feed

  • Question

  • We are looking to roll out MS ATA, and we were wondering if it is possible to use the ATA "agent" that resides on the domain controllers to collect events and send them to a SIEM.  Right now, we don't want to turn on windows event forwarding due directly to the SIEM due to resource issues, but if we can use ATA to collect and send these events we could kill two birds with one stone.

    I hope this question makes sense.

    Thursday, December 1, 2016 7:33 PM

All replies

  • Yes - this will work.  Any gateway can collect all of the events or some of the events.  Theoretically, you could forward all of the events to themselves or to another DC.  If event forwarding is on, the security dumps being cleared wouldn’t affect Windows Event Forwarding

     

    In short - the event can be collected by any gateway.

     

    If you’re collecting with a supported SIEM, take the events for these DC’s and forward them to one local LWGW or GW. 

    Monday, December 26, 2016 4:18 PM