locked
ATA Alerts from Vulnerability Scans RRS feed

  • Question

  • Hello, I was wondering if anyone else had the same issue of getting alerts that are caused by scheduled internal vulnerability scans and more importantly, how it was dealt with.  For instance, we would receive alerts on <g class="gr_ gr_404 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins doubleReplace replaceWithoutSep" data-gr-id="404" id="404">enumeration</g> of domain users against DCs from the machines that are being scanned by the internal scanner.  ATA, however, would see the activity as the remote machines enumerating and not necessarily catching the scanner doing it behind the scanned machines.  

    While I do realize that there are alert exclusions but it really should be a last resort as it is degrading the ATA capabilities in the first place.   

    Thank you.   

    • Edited by Chae Cho Monday, October 30, 2017 10:30 PM
    Monday, October 30, 2017 10:21 PM

All replies

  • Dear Chae Cho,

    What I can tell from my experience is that you can expect the creation of the following ATA alerts due to some vulnerability scans:

    - Reconnaissance Using DNS
    - Remote execution attempt detected
    - Reconnaissance using directory services queries
    - Reconnaissance using SMB Session Enumeration

    Now you can either change the configuration on these scanners and remove the nslookup command or just whitelist certain IP addresses.

    I hope this helped.

    Regards,
    MSSOC
    • Proposed as answer by MSSOC Thursday, November 2, 2017 7:21 AM
    Tuesday, October 31, 2017 6:03 AM