ATA No suspicious activities

  • Question

  • I have an ATA Center installed on a Domain Controller (Server 2012 R2) and, on the same server, an ATA Lightweight Gateway (ATA version 1.9 with Update 1).

    The server is a physical server with Windows NIC Teaming enabled.

    I tried from several clients to create some suspicious activities (with NSLOOKUP and PsExec.exe) but got no results at all.

    Is Windows NIC Teaming supported by ATA?

    Does the ATA Lightweight Gateway also need port mirroring like an ATA Gateway?

    What else could be the problem?


    • Edited by Mr.Orange Thursday, February 28, 2019 12:20 PM
    Thursday, February 28, 2019 9:44 AM

Answers

  • I have updated "Intel Network Connections" from version 19.1.51.0 to 23.5.2.0 and now everything is working.

    Thanks for your Support.

    • Marked as answer by Mr.Orange Monday, March 4, 2019 11:19 AM
    Monday, March 4, 2019 10:28 AM

All replies

  • Generally, installing the Center and the Gateway on the same machine is not a good idea unless it's for a simple test lab.

    Make sure in the Gateway settings in the console UI that all the teamed NICs are selected for capturing.

    Besides that, it could be many issues, so check the logs for both the GW and the Center for clues in the form of error logs...

    https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs 

    Thursday, February 28, 2019 12:24 PM
  • Is it not supported to install the Gateway and the Center on the same machine? I have both installed on one Domain Controller in my test lab, and it's working without problems?

    I can only select the new teamed NIC in the UI (only the virtual team adapter; the physical adapters don't appear). But I tried it without teaming and it didn't work either.

    Thursday, February 28, 2019 1:39 PM
  • Officially it's not supported; the Center needs its own machine.

    For labs it is "good enough", for real workload it will likely fail.

    Anyway, I don't think this is the cause of the issues you are seeing, I just warned about this configuration.

    Given that all visible NICs are marked in the UI, the next step should be checking the logs for errors.

    Thursday, February 28, 2019 2:04 PM
  • Please give me a hint: which log files (Microsoft.Tri.Gateway-Errors.log?) and for which messages should I check the log files?

    For example, I have the following errors:

    019-02-27 13:57:13.6197 8116 6   Error [__Error] System.UnauthorizedAccessException: Access to the path 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway.Updater-ExceptionStatistics-20190227121655.log' is denied.

    Thursday, February 28, 2019 5:55 PM
  • 2019-02-27 13:56:54.0234 7840 5   Error [WebClient+<InvokeAsync>d__8`1] System.Net.Http.HttpRequestException: PostAsync failed [requestTypeName=UpdateGatewaySystemProfileRequest] ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it [::1]:443
       at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
       at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
       at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
       at async Microsoft.Tri.Common.Communication.WebClient.PostAsync[](?)
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       --- End of inner exception stack trace ---
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.GetConfigurationAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.UpdateConfigurationAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.UpdateConfigurationAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.OnInitializeAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.OnInitializeAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnInitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.Service.OnStartAsync(?)
       at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)
    2019-02-27 13:57:13.6197 8116 6   Error [__Error] System.UnauthorizedAccessException: Access to the path 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway.Updater-ExceptionStatistics-20190227121655.log' is denied.
       at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.File.InternalDelete(String path, Boolean checkHost)
       at Microsoft.Tri.Infrastructure.Utils.ExceptionHandler.SaveStatistics(String path)
       at Microsoft.Tri.Infrastructure.Extensions.ActionExtension.<>c__DisplayClass0_0.<ToAsync>b__0()
       at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
       at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
    Thursday, February 28, 2019 5:58 PM
  • Looks like you have several issues.

    First, it seems the machine is hardened, so the virtual service account cannot write to the logs folder; you should fix that. It should also be able to write to the PEF/cache folder.

    The second issue is that this GW cannot contact the Center machine.

    Is the Center running? Are you able to browse it from the machine where the GW is installed, or is it all the same one like described earlier?

    Thursday, February 28, 2019 10:18 PM
  • I have installed ATA in a virtual environment, with the same hardening GPOs, and everything is working.

    The folder permissions on the PEF/cache folder are equal to the working installation in my test lab. I checked the permissions in the folder Security tab. How can I fix the virtual service account permissions?

    To the second issue: the Center is running and I am able to browse it; it is installed on the same machine. Center and Gateway on the DC.

    Friday, March 1, 2019 8:23 AM
  • I found the problem: the communication between the clients and the DC is IPsec encrypted, and ATA does not analyze IPsec traffic.

    Does ATA work with encrypted traffic?

    ATA relies on analyzing multiple network protocols, as well as events collected from the SIEM or via Windows Event Forwarding. Detections based on network protocols with encrypted traffic (for example, LDAPS and IPSEC) will not be analyzed.

    https://docs.microsoft.com/de-de/advanced-threat-analytics/ata-technical-faq

    • Edited by Mr.Orange Saturday, March 2, 2019 11:46 AM
    Saturday, March 2, 2019 11:43 AM
  • Do you still get those errors?

    Because they are unrelated to IPSEC...

    If yes, compare the logs folder permissions to a working machine.

    Another option is AV exclusions; if you have AV installed, it might be blocking writes, seen this before as well...

    Saturday, March 2, 2019 2:56 PM
  • I configured the AV exclusions for the ATA Center as explained here:

    Set anti-virus exclusions

    After installing the ATA Center, exclude the MongoDB database directory from being continuously scanned by your anti-virus application. The default location in the database is: C:\Program Files\Microsoft Advanced Threat Analytics\Center\MongoDB\bin\data.

    Make sure to also exclude the following folders and processes from AV scanning:

    Folders
    C:\Program Files\Microsoft Advanced Threat Analytics\Center\ParentKerberosAsBloomFilters
    C:\Program Files\Microsoft Advanced Threat Analytics\Center\ParentKerberosTgsBloomFilters
    C:\Program Files\Microsoft Advanced Threat Analytics\Center\Backup
    C:\Program Files\Microsoft Advanced Threat Analytics\Center\Logs

    Processes
    mongod.exe
    Microsoft.Tri.Center.exe

    If you installed ATA in a different directory, make sure to change the folder paths according to your installation.

    Are there additional exclusions for the ATA Lightweight Gateway?

    I found that there is no activity for the ATA Gateway:

    Open Performance Monitor. In the Performance tree, click on Performance Monitor and then click the plus icon to Add a Counter. Expand Microsoft ATA Gateway and scroll down to Network Listener PEF Captured Messages/Sec and add it. Then, make sure you see activity on the graph.

    https://docs.microsoft.com/de-de/advanced-threat-analytics/install-ata-step5

    I made exclusions in IPSEC for a client to test it with NSLOOKUP and PsExec. In the test environment it shows traffic when the NSLOOKUP or PsExec command comes from an IPSEC-excluded client; when it comes from an IPSEC-encrypted client ATA shows nothing, as expected. But on the working machine there is no message at all.

    Sunday, March 3, 2019 11:06 AM
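    As an added example (not from the thread and not Microsoft's code), the checks the replies walk through can be run together as one read-only PowerShell health check on the Lightweight Gateway host: the PEF capture counter from the perfmon step above, the loopback connection to the Center on 443 that the Gateway trace shows being refused, the Logs folder ACL for the Gateway service account, and a count of the two error signatures from the posted log. Assumptions: the default install path and log file name quoted in the thread, the counter path as it appears in perfmon, and that the Gateway service's display name contains "Advanced Threat Analytics Gateway".

    ```powershell
    # Added example, not part of the thread. Read-only: nothing is changed on the host.
    # Assumed defaults (from the thread): install path and error log name; adjust for a custom install.
    $ataRoot  = 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway'
    $logDir   = Join-Path $ataRoot 'Logs'
    $errorLog = Join-Path $logDir 'Microsoft.Tri.Gateway-Errors.log'

    # 1. Is the Gateway capturing anything? A flat zero means no traffic reaches the sensor
    #    (unselected NIC, IPsec-encrypted traffic, or a NIC driver problem as in this thread).
    #    Counter path assumed from the perfmon names quoted in the thread.
    $counter = '\Microsoft ATA Gateway\Network Listener PEF Captured Messages/Sec'
    $samples = (Get-Counter -Counter $counter -SampleInterval 2 -MaxSamples 5 -ErrorAction Stop).CounterSamples
    $rate    = ($samples | Measure-Object -Property CookedValue -Average).Average
    Write-Host ("PEF captured messages/sec (avg of 5 samples): {0:N1}" -f $rate)

    # 2. Can the Gateway reach the Center? The posted trace shows a refused connect to [::1]:443,
    #    so test the loopback port when Center and Gateway share one host.
    $center = Test-NetConnection -ComputerName 'localhost' -Port 443 -WarningAction SilentlyContinue
    Write-Host ("Center port 443 reachable on loopback: {0}" -f $center.TcpTestSucceeded)

    # 3. Does the Gateway service account hold an Allow ACE with Write on the Logs folder?
    #    The posted UnauthorizedAccessException points here (hardening GPO or AV interference).
    #    Service lookup by display name is an assumption; change the filter if yours differs.
    $svc = Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -like '*Advanced Threat Analytics Gateway*' } |
        Select-Object -First 1
    if ($svc) {
        $acl = Get-Acl -Path $logDir
        $writeAce = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $svc.StartName -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
        }
        Write-Host ("Service account: {0}; Allow/Write ACE on Logs: {1}" -f $svc.StartName, [bool]$writeAce)
    } else {
        Write-Host 'Gateway service not found by display name; adjust the filter.'
    }

    # 4. Count the two error signatures seen in the thread in the most recent log lines.
    if (Test-Path $errorLog) {
        $tail    = Get-Content -Path $errorLog -Tail 500
        $denied  = ($tail | Select-String -SimpleMatch 'UnauthorizedAccessException').Count
        $refused = ($tail | Select-String -SimpleMatch 'actively refused').Count
        Write-Host "Log write denied errors: $denied  (folder ACL / AV exclusions)"
        Write-Host "Center connection refused errors: $refused  (Center service / port 443)"
    }
    ```

    Run it in an elevated PowerShell session on the Gateway host; a zero capture rate with no errors in the log is the pattern this thread ended with, where the NIC driver, not ATA, was the cause.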
  • Normally there is no need for AV exclusions for the GW; the Center is more sensitive to AV...

    But I have seen issues before where aggressive AV blocked the GW as well, so it's a good idea to exclude its folder and processes and test again.

    Anyway, in the current state, where the IPSEC issue was resolved, any errors left in the GW or Center log?

    Sunday, March 3, 2019 11:11 AM
  • 2019-03-03 10:40:33.3977 7296 5   Error [WebClient+<InvokeAsync>d__8`1] System.Net.Http.HttpRequestException: PostAsync failed [requestTypeName=UpdateGatewaySystemProfileRequest] ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it [::1]:443
       at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
       at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
       at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
       at async Microsoft.Tri.Common.Communication.WebClient.PostAsync[](?)
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       --- End of inner exception stack trace ---
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.GetConfigurationAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.UpdateConfigurationAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.UpdateConfigurationAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.OnInitializeAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.OnInitializeAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnInitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.Service.OnStartAsync(?)
       at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)
    2019-03-03 10:40:41.7528 7948 5   Error [WebClient+<InvokeAsync>d__8`1] System.Net.Http.HttpRequestException: PostAsync failed [requestTypeName=UpdateGatewaySystemProfileRequest] ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it [::1]:443
       at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
       at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
       at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
       --- End of inner exception stack trace ---
       at async Microsoft.Tri.Common.Communication.WebClient.PostAsync[](?)
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       --- End of inner exception stack trace ---
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       at async Microsoft.Tri.Common.Communication.WebClient.InvokeAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.GetConfigurationAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.UpdateConfigurationAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.UpdateConfigurationAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.ConfigurationManager`2.OnInitializeAsync[](?)
       at async Microsoft.Tri.Gateway.Common.Service.GatewayConfigurationManager`1.OnInitializeAsync[](?)
       at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.ModuleManager.OnInitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.Module.InitializeAsync(?)
       at async Microsoft.Tri.Infrastructure.Framework.Service.OnStartAsync(?)
       at Microsoft.Tri.Infrastructure.Framework.Service.OnStart(String[] args)
    2019-03-03 10:41:00.6856 2228 5   Error [__Error] System.UnauthorizedAccessException: Access to the path 'C:\Program Files\Microsoft Advanced Threat Analytics\Gateway\Logs\Microsoft.Tri.Gateway.Updater-ExceptionStatistics-20190301114526.log' is denied.
       at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
       at System.IO.File.InternalDelete(String path, Boolean checkHost)
       at Microsoft.Tri.Infrastructure.Utils.ExceptionHandler.SaveStatistics(String path)
       at Microsoft.Tri.Infrastructure.Extensions.ActionExtension.<>c__DisplayClass0_0.<ToAsync>b__0()
       at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
       at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
    Sunday, March 3, 2019 12:21 PM
  • Is the center running? Any errors in its log?

    It seems that the GW can't communicate with the Center, so it is crashing on start.

    Sunday, March 3, 2019 12:31 PM
  • Center is running.

    Here are the logs from the ATA Center:

    2019-03-01 13:15:48.7430 7908 45  Error [ExceptionFilterStream] System.IO.IOException ---> System.Net.HttpListenerException: The I/O operation has been aborted because of either a thread exit or an application request
       at System.Net.HttpRequestStream.Read(Byte[] buffer, Int32 offset, Int32 size)
       at Microsoft.Owin.Host.HttpListener.RequestProcessing.ExceptionFilterStream.Read(Byte[] buffer, Int32 offset, Int32 count)
       --- End of inner exception stack trace ---
       at Microsoft.Owin.Host.HttpListener.RequestProcessing.ExceptionFilterStream.Read(Byte[] buffer, Int32 offset, Int32 count)
       at System.IO.Compression.DeflateStream.Read(Byte[] array, Int32 offset, Int32 count)
       at ProtoBuf.ProtoReader.Ensure(Int32 count, Boolean strict)
       at ProtoBuf.ProtoReader.TryReadUInt32VariantWithoutMoving(Boolean trimNegative, UInt32& value)
       at ProtoBuf.ProtoReader.TryReadUInt32Variant(UInt32& value)
       at ProtoBuf.ProtoReader.ReadFieldHeader()
       at proto_38(Object , ProtoReader )
       at ProtoBuf.Meta.TypeModel.DeserializeCore(ProtoReader reader, Type type, Object value, Boolean noAutoCreate)
       at ProtoBuf.Meta.TypeModel.Deserialize(Stream source, Object value, Type type, SerializationContext context)
       at Microsoft.Tri.Common.Communication.ProtobufCommunicationSerializer.DeserializeItem[TItem](Stream stream)
       at Microsoft.Tri.Common.Communication.CommunicationSerializer.Deserialize[TItem](Stream stream)
       at async Microsoft.Tri.Common.Communication.CommunicationHandler`2.InvokeAsync[](?)

    Sunday, March 3, 2019 12:50 PM
  • It looks like something is interfering with GW-Center communication; it got a request but it was broken.

    Is there a proxy there or something in between?

    Sunday, March 3, 2019 1:12 PM
  • No proxy; the ATA GW and Center are on the same server.

    How did you see that the server is hardened?

    It's true, but I cannot find the point that caused this problem.

    Sunday, March 3, 2019 1:23 PM