Inconsistency For Alert Generation (Malicious Replication of Directory Services) ATA v1.9.1

  • Question

  • I'm currently testing the workflow we've set up as a response to Malicious Replication of Directory Services detection, but ATA doesn't generate the alert consistently. Specifically, I'm seeing the following behavior:

    • If there's an open alert, and I trigger malicious replication ~24hrs later, the open alert is updated with new information and the timestamp of the alert
    • If I trigger malicious replication ~20 minutes later, the open alert isn't updated with new information. Additional triggering of malicious replication (about 30, 45, and 60 minutes after) also fails to update the open alert.
    • If I close the alert, wait about five minutes, then trigger malicious replication, ATA does not alert at all.

    What is the expected alerting behavior for ATA, specifically for the Malicious Replication of Directory Services alert?

    ENVIRONMENT: I'm running ATA v1.9, Update 1 on 2012 R2 domain controllers.

    Thursday, January 31, 2019 6:34 PM

All replies

  • Are there any health alerts in the console, about the Center or one of the GWs?

    It sounds as if you are dropping traffic.

    Thursday, January 31, 2019 8:39 PM
  • No alerts from the gateways or Center during the testing timeframe.
    Friday, February 1, 2019 3:44 PM
  • Then this should be handled under a support case...

    We need to understand the exact details of how the simulations are performed, and collect diagnostics data to check for errors.
    Monday, February 4, 2019 9:29 PM
  • Opened a Premier case yesterday; I'll update the thread with the results.

    Tuesday, February 5, 2019 1:32 PM