ATA setup but no user stats available (besides AD lookup items)

  • Question

  • Hi guys,

    We have set up a brand new ATA deployment, all virtual machines (VMware), and everything looks to be working. Port mirroring looks fine on netmon and we have had two DNS reconnaissance warnings.

    The problem we have is that under any user we cannot see the recently logged into computers or resources, and we have also simulated an attack with no warnings at all.

    We have one error in our Microsoft.Tri.Gateway-Errors.log. I'm wondering if it is related?

    2016-08-26 02:36:16.2187 2828 10  b6cbd964-b248-44a0-8684-733dd3e77459 Error [DirectoryServicesResolver+<GetAccountAsync>d__40] System.ArgumentNullException: Value cannot be null.
    Parameter name: name
       at Microsoft.Tri.Gateway.Resolution.DirectoryServices.DirectoryServicesResolver.<GetAccountAsync>d__40.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Gateway.Resolution.EntityResolver.<ResolveNtlmEventAsync>d__15.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Gateway.Resolution.EntityResolver.<ResolveEventActivityAsync>d__13.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Gateway.Resolution.EntityResolver.<ResolveActivityInternalAsync>d__12.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Infrastructure.Blocks.ActionBlockWrapper`1.<>c__DisplayClass10_0.<<-ctor>b__0>d.MoveNext()

    Friday, August 26, 2016 2:52 AM

All replies

  • I'm working alongside Matt on this. For the simulated attacks, I've tried a simple bind and also a DNS transfer. Nothing in ATA. Honeypot works though and alerted.

    Friday, August 26, 2016 4:00 AM