4776 events from non monitored systems

  • Question

  • I'm going to be standing up ATA for two separate forests.  However my event collection and therefore forwarding of the 4776 events come from the same system.  Is it a problem if I forward 4776 events from forest B to ATA for forest A?  Will they be ignored or am I going to inflate the ATA database with events not relevant to the forest being monitored by ATA?
    Wednesday, June 14, 2017 1:04 PM

All replies

  • Hello,

    The components for ATA, such as ATA Center, ATA Gateway or ATA Lightweight Gateway, should be deployed on the same domain/forest or workgroup.

    If you want to monitor multiple forests by using ATA, you need to deploy ATA for each forest.

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, June 15, 2017 5:47 AM
  • Hi,

    I have some related questions about this topic and figured we can use the same thread.

    We have 20 DCs in the same domain/forest. We have a mix of Lightweight and port-mirror monitored DCs.

    Is it possible to subscribe to events from all DCs on the same gateway server?
    Regardless of where the port mirror is sent or if a lightweight gateway is used (one place to collect them all, like in the syslog scenario).

    Is it possible, and will it give us any benefits, to collect event log 4776 from an unmonitored DC?
    We have a couple of DCs where port mirroring is impossible and the Lightweight gateway is too heavy a load. They will be replaced soon, but for now they are unmonitored.

    /T-Bone


    Mr Tbone

    Friday, June 16, 2017 12:20 PM
  • Hello Tbone,

    >>> Is it possible to subscribe to events from all DCs on the same gateway server?

    If you have a SIEM, e.g. RSA Security Analytics, HP ArcSight, Splunk, or IBM QRadar, you can collect all the 4776 events from the DCs using the SIEM. Then the SIEM can forward the 4776 events to a single ATA Gateway.

    If you don't have a SIEM, you can still collect all the DCs' 4776 events on a single ATA Gateway. However, this may increase the workload on the ATA Gateway. Thus, it's recommended that DCs with a LWGW use a local collector-initiated subscription, and DCs monitored by a GW use a source-initiated subscription.

    You can see the following article.

    https://blogs.technet.microsoft.com/enterprisemobility/2016/11/04/advanced-threat-analytics-event-log-collection/

    >>> Is it possible, and will it give us any benefits, to collect event log 4776 from an unmonitored DC?

    Event ID 4776 can help enhance ATA detection of Pass-the-Hash, Brute Force and Honey Tokens; in my opinion, I would recommend collecting Event ID 4776 from an unmonitored DC as well.

    Best regards,

    Andy Liu


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.



    Monday, June 19, 2017 8:55 AM
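The source-initiated subscription recommended above for DCs monitored by a full Gateway, written out as an added example (not from this thread or from the ATA product documentation): run on the ATA Gateway, it registers a Windows Event Collector subscription that accepts only Security event 4776, and only from members of Domain Controllers, and lands it in the ForwardedEvents log the Gateway reads. The subscription name ATA-4776, the collector FQDN ata-gw01.corp.example and the GPO value shown in the comments are assumptions.

```powershell
# Run on the ATA Gateway acting as the WEF collector. Assumed placeholders:
# collector FQDN ata-gw01.corp.example, subscription name ATA-4776.
# Source-initiated means each DC pushes to the collector, so no DC credentials
# are stored on the Gateway. DCs are pointed at the collector via the GPO
# "Computer Configuration > Administrative Templates > Windows Components >
#  Event Forwarding > Configure target Subscription Manager", value
#  Server=http://ata-gw01.corp.example:5985/wsman/SubscriptionManager/WEC

wecutil qc /q          # enable the Windows Event Collector service
winrm quickconfig -q   # make sure the WinRM listener the DCs push to is up

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/subscription">
  <SubscriptionId>ATA-4776</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward NTLM credential validation (4776) from DCs to the ATA Gateway</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <!-- Low latency: ATA correlates 4776 with mirrored traffic in near real time -->
    <Batching><MaxItems>1</MaxItems><MaxLatencyTime>1000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4776)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- Only the Domain Controllers group (well-known SID alias DD) may push events -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

$xmlPath = Join-Path $env:TEMP 'ATA-4776.xml'
Set-Content -Path $xmlPath -Value $subscription -Encoding ASCII
wecutil cs $xmlPath      # create the subscription from the XML above
wecutil gr ATA-4776      # runtime status: which DCs are connected and last heartbeat

# Check that 4776 events are arriving in the log the Gateway reads.
# Property index 1 of a 4776 event is the target account name.
Get-WinEvent -FilterHashtable @{LogName='ForwardedEvents'; Id=4776} -MaxEvents 5 |
  Select-Object TimeCreated, MachineName, @{n='Account'; e={$_.Properties[1].Value}}
```

DCs running a Lightweight Gateway would instead use a CollectorInitiated subscription created locally on that DC, which this block does not cover.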