Complete List of All ATA Alerts? Part 2

  • Question

  • Is there an actual formatted list (csv, txt) of the full detection\alert types that MS ATA has?  The graph is missing a few alert types we've received, so I'm wondering what its full capabilities are so we can be prepared and start writing our IR docs around it.

    Thank you,

    Daniel 


    DB

    And by graph I'm talking about this:

    • Edited by DanielBetz Friday, April 21, 2017 9:41 PM Graph Addition
    Friday, April 21, 2017 9:39 PM

All replies

  • Hello Daniel,

    The graph you mentioned describes various phases of an advanced attack.

    In each phase, ATA can provide multiple detections, and these detections have been outlined in the following article.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/ata-threats

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 24, 2017 7:29 AM
  • Andy,

    Thank you.  Can you point me to where in the article it shows (or mentions) the "Broken trust between computers and domain" alerts that I'm getting from the MS ATA?  If it's not there, where's a list that details all alerts that can be generated from the Microsoft ATA?  Our SOC cannot always be deciphering MS ATA alerts for technicians (or be prepared at 2am for unknown alerts).  We need to know what the full alert capabilities and descriptions are for our IR documentation and possible incident prep.  From what I gather when reading previous posts and responses, it doesn't exist.  If not, can I get a feature request started for documentation?

    Daniel 


    DB

    Monday, April 24, 2017 7:55 PM
  • Hello Daniel,

    You can get the description for "Broken trust between computers and domain" from the article below.

    https://blogs.technet.microsoft.com/enterprisemobility/2016/11/04/understanding-ata-suspicious-activity-alerts/

    I think the link I provided previously is a complete list of the detections, however, for some reason, "Broken trust between computers and domain" is missing in the list.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by DanielBetz Tuesday, April 25, 2017 1:10 PM
    Tuesday, April 25, 2017 6:40 AM
  • Thank you Andy.  I should be able to work with this.

    Daniel


    DB

    Tuesday, April 25, 2017 1:10 PM
  • You are welcome!


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 26, 2017 5:10 AM