Answered by:
ATA Reporting

Question
-
Hi All;
ATA is already installed and functional, yet we're receiving the same alert from different client PCs.
Is there a way to extract all alerts of a specific type to a single report/Excel file so we can work on them once instead of working on detections one by one?
Thanks
Monday, April 10, 2017 10:47 AM
Answers
-
Hello,
Exporting all alerts into a single Excel file from the ATA console is currently not supported. You have to export alert details to Excel one by one.
However, you can get a list of all suspicious activities by using PowerShell cmdlets for the ATA database.
ATA logs all alerts to the Windows event log. To get a list of all suspicious activities generated today, we can use the PowerShell command below:
Get-WinEvent -FilterHashtable @{LogName='Microsoft ATA'; StartTime=(Get-Date).Date.AddDays(-7); EndTime=(Get-Date).Date} | Where-Object {$_.ProviderName -eq 'Suspicious Activity'} | Format-List
We can also pull a list of suspicious activities from the Mongo database by running the commands below from the MongoDB\bin folder on the ATA Center server:
mongo.exe ATA
var myDate = new Date(); myDate.setHours(0, 0, 0, 0); // start of today; an exact-equality match on the current time would return nothing
db.SuspiciousActivity.find({StartTime: {$gte: myDate}})
For more information about suspicious activity alerts, please see the following article.
https://blogs.technet.microsoft.com/enterprisemobility/2016/11/04/understanding-ata-suspicious-activity-alerts/
Best regards,
Andy Liu
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Andy Liu50 (Microsoft contingent staff) Tuesday, April 11, 2017 1:56 AM
- Marked as answer by Ahmadgeo Tuesday, April 11, 2017 7:41 AM
Tuesday, April 11, 2017 1:38 AM
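A consolidated version of the event-log approach from the reply above, added here as an example and not part of the original post: it pulls every 'Microsoft ATA' suspicious-activity event for a date range into one CSV and prints a count per alert type, which is what the question asks for. The log and provider names come from the reply; the assumption that the first line of each event message is the alert title is mine, so check one event with Format-List before relying on the AlertType column.

```powershell
# Added example (not from the thread): collect all ATA suspicious-activity events
# for a date range into one CSV, grouped by alert type, so repeated alerts from
# many client PCs can be triaged together instead of one detection at a time.
# Assumptions: log name 'Microsoft ATA' and provider 'Suspicious Activity' are taken
# from the reply above; the message layout (first line = alert title) is an assumption.
param(
    [int]    $Days    = 7,
    [string] $OutFile = "$env:USERPROFILE\Desktop\ATA-SuspiciousActivities.csv"
)

$filter = @{
    LogName      = 'Microsoft ATA'
    ProviderName = 'Suspicious Activity'
    StartTime    = (Get-Date).Date.AddDays(-$Days)
    EndTime      = Get-Date            # include today's events, not just up to midnight
}

# Get-WinEvent throws "No events were found" on an empty range; treat that as a warning instead
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No '$($filter.ProviderName)' events in '$($filter.LogName)' for the last $Days day(s)."
    return
}

$rows = $events | ForEach-Object {
    # @() keeps $lines an array even when the message has a single line
    $lines = @(($_.Message -split "`r?`n") | Where-Object { $_.Trim() })
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Level       = $_.LevelDisplayName
        AlertType   = if ($lines) { $lines[0].Trim() } else { '(no message)' }   # assumption: title on line 1
        Detail      = ($lines | Select-Object -Skip 1) -join ' | '
        Computer    = $_.MachineName
    }
}

# One file for all alerts, sorted so identical alert types sit together
$rows | Sort-Object AlertType, TimeCreated |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Console summary: how many times each alert type fired in the range
$rows | Group-Object AlertType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
Write-Host "Wrote $($rows.Count) alerts to $OutFile"
```

Run it on the ATA Center (or any machine that can read its event log) and open the CSV in Excel; the AlertType column is the one to filter on when the same detection fires from many clients.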
All replies
-
Thanks Andy Liu50 for your reply. Yet I would like to have some more details on running the MongoDB command, as I'm not familiar with this procedure.
Tuesday, April 11, 2017 7:42 AM
-
Hello,
You can follow the steps below to interact with the database.
1. Open a command line window and change the path to the MongoDB bin folder. The default path is: C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin.
2. Run: mongo.exe ATA. Make sure to type ATA with all capital letters.
For more details about MongoDB, you can refer to the following article.
Best regards,
Andy Liu
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Andy Liu50 (Microsoft contingent staff) Tuesday, April 11, 2017 7:56 AM
Tuesday, April 11, 2017 7:56 AM