the reasons why the IP addresses cannot be resolved by ATA causing the alerts

  • Question

  • Hello,

    Can we assume that once ATA cannot resolve a certain IP address through NetBIOS, NTLM/RPC or DNS lookup, it's going to create a certain alert?

    If yes, then what might be the reasons why those IP addresses cannot be resolved by ATA? Apart from, of course, the obvious ones, e.g. the device being down.

    Also, what exact kind of alert types can be created this way?

    Regards,
    MSSOC
    Monday, October 9, 2017 6:30 AM

Answers

  • Depends.

    Some detections are unrelated to the machine name.

    It might certainly increase false positives, for example, if this machine is a legit DC and we didn't discover that as we failed to resolve its name.

    Another option: you might have excluded a machine by name only, and if we didn't resolve the name, we will still alert because we can't tell it was excluded.

    We normally fail to resolve if the GW cannot get a response from the target machine on one of the ports TCP 135/UDP 137.

    • Marked as answer by MSSOC Monday, October 9, 2017 8:42 AM
    Monday, October 9, 2017 7:56 AM
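Added example, not code from this thread or from ATA: a small Python checker for the two paths the answer names, a NetBIOS node-status query on UDP/137 and a TCP connect to the RPC endpoint mapper on port 135, so an admin can verify from the Gateway whether a host that keeps appearing unresolved actually answers. The NBSTAT reply embedded for offline testing, with the names DC01 and CONTOSO, is constructed.

```python
import contextlib
import socket
import struct

WILDCARD = b"\x20" + b"CK" + b"A" * 30 + b"\x00"  # "*" in RFC 1002 first-level encoding

def build_nbstat_query(txid=0x1234):
    """Node-status (NBSTAT, type 0x21) request, the datagram sent to UDP/137."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + WILDCARD + struct.pack(">HH", 0x21, 1)

def parse_nbstat_response(data):
    """Return [(name, suffix, flags)] from a node-status reply (replies carry no question)."""
    _, flags, _, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if not flags & 0x8000 or an == 0:
        raise ValueError("not an NBSTAT response")
    pos = 12
    while data[pos]:                              # skip the encoded answer name
        pos += 1 + data[pos]
    if struct.unpack(">H", data[pos + 1:pos + 3])[0] != 0x21:
        raise ValueError("answer is not NBSTAT")
    pos += 11                                     # terminator, type, class, ttl, rdlength
    count, pos, names = data[pos], pos + 1, []
    for _ in range(count):                        # 18-byte entries: 15 name, suffix, flags
        raw, suffix, nflags = struct.unpack(">15sBH", data[pos:pos + 18])
        names.append((raw.rstrip(b" ").decode("ascii", "replace"), suffix, nflags))
        pos += 18
    return names

def machine_name(names):
    # the unique (non-group, bit 15 clear) name with suffix 0x00 is the computer name
    return next((n for n, suffix, f in names if suffix == 0 and not f & 0x8000), None)

# Constructed sample reply: workstation name DC01 plus domain group name CONTOSO
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8400, 0, 1, 0, 0) + WILDCARD
                   + struct.pack(">HHIH", 0x21, 1, 0, 37) + b"\x02"
                   + struct.pack(">15sBH", b"DC01".ljust(15), 0x00, 0x0400)
                   + struct.pack(">15sBH", b"CONTOSO".ljust(15), 0x00, 0x8400))

def probe_host(ip, timeout=2.0):
    """Live check of the two ports the answer names: NBSTAT on UDP/137 and RPC on TCP/135."""
    result = {"nbstat_name": None, "rpc_135_open": False}
    # a timeout or a malformed reply means the host is unresolved by this path
    with contextlib.suppress(OSError, ValueError), socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(), (ip, 137))
        result["nbstat_name"] = machine_name(parse_nbstat_response(s.recv(1024)))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        result["rpc_135_open"] = s.connect_ex((ip, 135)) == 0
    return result
```

Run `probe_host("<ip>")` from the Gateway host; a result with no `nbstat_name` and `rpc_135_open` False matches the condition the answer describes, and the next things to check are host firewall rules for those ports and any filtering between the Gateway and the target.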