Honeypot Account Event Not Triggering Event

  • Question

  • Honeypot Account events are not triggering an alert. The events attempted are logins from a workstation and simple binds using the honeypot account. I am running version 1.8.6645.28499. Are there any logs I can look at?
    Wednesday, November 29, 2017 6:52 PM

Answers

  • I made the mistake of surprising the alert. Thanks for the suggestions.
    • Marked as answer by LimeCrazy Friday, December 1, 2017 8:28 PM
    Friday, December 1, 2017 8:28 PM

All replies

  • First, I would suggest upgrading to the latest version, 1.8 Update 1 (1.8.1).

    Second - yes, if the DC you log on against was indeed monitored by ATA Gateway,

    look both at the Gateway logs and the Center's logs to see if there are any errors that might block the system.

    Also, you can try to simulate DNS recon, which is easier; if that doesn't work either, it's more likely a system-wide problem.

    See https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs

    Wednesday, November 29, 2017 8:50 PM
  • Hello,

    Before viewing the logs, you may first check that the ATA Gateway/ATA Lightweight Gateway is running and communicating with ATA Center correctly.

    You can also try using this account on another workstation and then see if an alert is generated from ATA.

    In addition, you can find the logs by referring to the following documentation.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs

    Best regards,

    Andy Liu



    Thursday, November 30, 2017 10:05 AM