ATA Reporting

  • Question

  • Hi All;

    ATA is already installed and functional, yet we're receiving the same alert from different client PCs.

    Is there a way to extract all alerts of a specific type to a single report/Excel file, so as to work on them at once instead of working on detections one by one?

    Thanks

    Monday, April 10, 2017 10:47 AM

Answers

  • Hello,

    Exporting all alerts into a single Excel file from the ATA console is not currently supported. You have to export alert details to Excel one by one.

    However, you can get a list of all suspicious activities by using PowerShell cmdlets for the ATA database.

    ATA logs all alerts to the Windows event log. To get a list of all suspicious activities generated today, we can use the PowerShell command below:
    # last 7 days up to now (drop AddDays(-7) for today only); straight quotes, and EndTime = now so today's events are included
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft ATA'; StartTime = (Get-Date).Date.AddDays(-7); EndTime = Get-Date } | Where-Object { $_.ProviderName -eq 'Suspicious Activity' } | Format-List

    We can also pull a list of suspicious activities from the mongo database by running the command below from the mongoDB\bin folder on the ATA Center server:

    mongo.exe ATA
    var myDate = new Date(); myDate.setHours(0, 0, 0, 0);                  // midnight today as a Date; Date() alone returns a string
    db.SuspiciousActivity.find({ StartTime: { $gte: myDate } }).pretty()   // on/after midnight; an exact match on the current time returns nothing

    For more information about suspicious activity alerts, please see the following article:

    https://blogs.technet.microsoft.com/enterprisemobility/2016/11/04/understanding-ata-suspicious-activity-alerts/


    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Tuesday, April 11, 2017 1:38 AM
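A way to do the grouping the question asks for, as an added example that is not part of Andy's reply or of the ATA product: this script reads the 'Microsoft ATA' event log the way the one-liner above does, tags each event with an alert type, writes every matching event to one CSV and prints a per-type count. It assumes (not confirmed by the thread) that alert events carry the provider name 'Suspicious Activity' and that the first line of the event message names the alert type; $Days, $Type and $OutFile are parameters of this script, not ATA settings.

```powershell
# Added example, not from the original thread or from ATA itself.
# Assumptions: log name 'Microsoft ATA', provider 'Suspicious Activity',
# and the first line of each event message names the alert type.
param(
    [int]$Days = 7,                       # look-back window in days
    [string]$Type = '*',                  # wildcard on the alert type, e.g. '*Pass-the-Ticket*'
    [string]$OutFile = "$env:USERPROFILE\Desktop\ATA-Alerts.csv"
)

$filter = @{
    LogName   = 'Microsoft ATA'
    StartTime = (Get-Date).Date.AddDays(-$Days)   # midnight, N days ago
    EndTime   = Get-Date                          # now, so today's events are included
}

# Get-WinEvent reports "No events were found" as an error; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Suspicious Activity' })

$alerts = foreach ($e in $events) {
    # assumed: the alert type is the first line of the message
    $firstLine = ("$($e.Message)" -split "`r?`n")[0].Trim()
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Type    = $firstLine
        Message = $e.Message
    }
}

$selected = @($alerts | Where-Object { $_.Type -like $Type } | Sort-Object Time)

if ($selected.Count -eq 0) {
    Write-Warning "No 'Suspicious Activity' events in the last $Days day(s) matching '$Type'."
    return
}

# one file for the whole batch instead of one export per alert in the console
$selected | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($selected.Count) alert(s) to $OutFile"

# how often each alert type fired: the repeated alert from the question shows up as a high count
$selected | Group-Object Type | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on the ATA Center (where the log is written), e.g. `.\Export-AtaAlerts.ps1 -Days 30 -Type '*Honeytoken*'`; if the first line of your events is not the alert type, inspect one event with `Get-WinEvent -LogName 'Microsoft ATA' -MaxEvents 1 | Format-List *` and change the `$firstLine` expression accordingly.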

All replies

  • Thanks Andy Liu50 for your reply, yet I would like to have some more details on running the MongoDB command, as I'm not familiar with this procedure.
    Tuesday, April 11, 2017 7:42 AM
  • Hello,

    You can follow the steps below to interact with the database.

    1. Open a command line window and change the path to the MongoDB bin folder. The default path is: C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin.

    2. Run: mongo.exe ATA. Make sure to type ATA with all capital letters.

    For more details about MongoDB, you can refer to the following article.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshoot/troubleshooting-ata-using-ata-database

    Best regards,

    Andy Liu




    Tuesday, April 11, 2017 7:56 AM
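The same export driven from the database instead of the event log, as an added example that is not part of the original replies: a PowerShell script that writes a short mongo shell script to a temp file, runs it with mongo.exe ATA from the bin folder named in step 1, and turns the printed lines into one CSV with a per-type count. The install path and the field names _t (alert type), StartTime and Status on SuspiciousActivity documents are assumptions of this example, not facts stated in the thread; check them against one document with db.SuspiciousActivity.findOne() before relying on the output.

```powershell
# Added example, not from the original thread or from ATA itself.
# Assumptions: default ATA Center install path; SuspiciousActivity documents have
# "_t" (alert type), "StartTime" (Date) and "Status" fields. Verify with:
#   mongo.exe ATA --eval "printjson(db.SuspiciousActivity.findOne())"
param(
    [int]$Days = 7,
    [string]$OutFile = "$env:USERPROFILE\Desktop\ATA-Alerts-from-db.csv",
    [string]$MongoExe = 'C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin\mongo.exe'
)

if (-not (Test-Path $MongoExe)) { throw "mongo.exe not found at $MongoExe" }

# Mongo shell script: one tab-separated line per alert started in the last $Days days.
# `$gte is escaped so PowerShell leaves the MongoDB operator alone while expanding $Days.
$js = @"
var since = new Date();
since.setDate(since.getDate() - $Days);
since.setHours(0, 0, 0, 0);
db.SuspiciousActivity.find({ StartTime: { `$gte: since } }).forEach(function (d) {
    var start = d.StartTime ? d.StartTime.toISOString() : '';
    print([d._t, start, d.Status].join('\t'));
});
"@

$script = Join-Path $env:TEMP 'ata-sa-export.js'
Set-Content -Path $script -Value $js -Encoding ASCII

# --quiet drops the shell banner so only the print() lines reach the pipeline
$rows = @(& $MongoExe ATA --quiet $script | ForEach-Object {
    $f = $_ -split "`t"
    if ($f.Count -eq 3) {
        [pscustomobject]@{ Type = $f[0]; StartTime = $f[1]; Status = $f[2] }
    }
})
Remove-Item $script -ErrorAction SilentlyContinue

if ($rows.Count -eq 0) {
    Write-Warning "No suspicious activities in the last $Days day(s)."
    return
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) alert(s) to $OutFile"

# the repeated alert from the question shows up as one type with a high count
$rows | Group-Object Type | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it on the ATA Center as an account that can read the database; the temp script carries no credentials because the local mongo shell connects without authentication by default, which is also why access to that server should stay tightly limited.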