Pass-The-Ticket Exclusion?

  • General discussion

  • Hi all,

    This is a question for my own information and knowledge as I'm new to ATA.

    In ATA, I understand the need for DNS Reconnaissance IP exclusions. There may be machines where legitimate DNS administrative tasks need to be performed, and you don't want these machines triggering alerts in ATA when someone runs the nslookup command, etc.

    What I'm trying to get my head around is why you would want Pass-The-Ticket IP address exclusions. What is the scenario where you would add an IP or IP range to be excluded from PtT alerting?

    Tuesday, October 25, 2016 5:45 AM

All replies

  • OK, so... I managed to ask someone else at Microsoft and I found some information regarding this. I thought I would share in case someone else has this same question in the future.

    Sometimes false-positive Pass-The-Ticket alerts can happen when automated services are used. Think of things like a backup solution using a privileged service account in the middle of the night that's hitting a lot of different servers, or maybe an automated orchestration that runs, etc.

    So when/if you get these false positives from these known sources and known events, this is where you can exclude their IP addresses from alerting in ATA.

    Hopefully that will help someone else in the future...

    Thursday, October 27, 2016 5:42 AM
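The answer above describes the pattern that justifies a PtT exclusion: a known service account, from a fixed source address, reaching many servers on a schedule. Before silencing an address in the ATA console it is worth checking that the alerts from it really fit that shape. The following script is an added example, not part of this thread and not an ATA feature; it runs over a constructed list of alert records (the field names `time`, `source_ip`, `account` and `target`, the `svc_` naming convention and the 00:00-05:59 maintenance window are all assumptions) and separates sources that look like a scheduled job from alerts that still need an analyst.

```python
"""Triage of Pass-the-Ticket alerts to find IP exclusion candidates (constructed example).

An ATA IP exclusion silences PtT alerts for a source address, so it should only be
applied where the alerts are a known, repeating, benign pattern: the same service
account, from the same source, touching many hosts inside a fixed window, night
after night. Everything else stays in the investigation queue.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts; the field names are an assumption, not the ATA export schema.
SAMPLE_ALERTS = [
    # Nightly backup job: one service account, one source, many targets, two nights running.
    {"time": "2016-10-24T02:05:00", "source_ip": "10.0.5.20", "account": "svc_backup", "target": "FS01"},
    {"time": "2016-10-24T02:07:00", "source_ip": "10.0.5.20", "account": "svc_backup", "target": "FS02"},
    {"time": "2016-10-24T02:09:00", "source_ip": "10.0.5.20", "account": "svc_backup", "target": "SQL01"},
    {"time": "2016-10-25T02:04:00", "source_ip": "10.0.5.20", "account": "svc_backup", "target": "FS01"},
    {"time": "2016-10-25T02:08:00", "source_ip": "10.0.5.20", "account": "svc_backup", "target": "FS02"},
    {"time": "2016-10-25T02:11:00", "source_ip": "10.0.5.20", "account": "svc_backup", "target": "SQL01"},
    # Single daytime alert for a user account from a workstation: must never become an exclusion.
    {"time": "2016-10-25T14:32:00", "source_ip": "10.0.9.77", "account": "jsmith", "target": "FS01"},
    # Service account, but a one-off at an unusual hour: not enough evidence either.
    {"time": "2016-10-25T11:15:00", "source_ip": "10.0.5.31", "account": "svc_deploy", "target": "WEB01"},
]

OFF_HOURS = range(0, 6)      # assumed maintenance window: 00:00-05:59
SERVICE_PREFIX = "svc_"      # assumed naming convention for service accounts


def group_alerts(alerts):
    """Group alert records by (source IP, account) so each job is judged as a whole."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[(alert["source_ip"], alert["account"])].append(alert)
    return grouped


def exclusion_candidates(alerts, min_days=2, min_targets=3):
    """Return {source_ip: reason} for sources whose alerts look like a scheduled service job.

    A source qualifies only if every alert is from a service account, falls inside the
    maintenance window, recurs on at least `min_days` distinct days and reaches at least
    `min_targets` distinct hosts. A single daytime alert, or an interactive user, never does.
    """
    candidates = {}
    for (ip, account), group in group_alerts(alerts).items():
        if not account.startswith(SERVICE_PREFIX):
            continue
        times = [datetime.fromisoformat(a["time"]) for a in group]
        if any(t.hour not in OFF_HOURS for t in times):
            continue
        days = {t.date() for t in times}
        targets = {a["target"] for a in group}
        if len(days) < min_days or len(targets) < min_targets:
            continue
        candidates[ip] = (f"{account}: {len(group)} alerts across {len(days)} nights, "
                          f"{len(targets)} distinct targets")
    return candidates


def needs_investigation(alerts, candidates):
    """Alerts from sources that are not exclusion candidates stay in the analyst queue."""
    return [a for a in alerts if a["source_ip"] not in candidates]


if __name__ == "__main__":
    found = exclusion_candidates(SAMPLE_ALERTS)
    for ip, reason in found.items():
        print(f"exclusion candidate {ip}: {reason}")
    for alert in needs_investigation(SAMPLE_ALERTS, found):
        print(f"investigate: {alert}")
```

An ATA exclusion is per source IP, not per account, so adding a candidate address silences PtT detection for every account seen from that host; the check above is only the evidence-gathering step, and the host should also be confirmed to run nothing but the scheduled job before its address is excluded.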