No Details being added into TimeLine and Health Report automatically Closing after running script

  • Question

  • Hi, 

    I have inherited a Proof of Concept ATA environment which has been running for a few months. I have updated to ATA version 1.8.6765.36693 and had a lot of "Reconnaissance using directory services enumeration" in my Timeline, which is how I found this KB, KB3191777. In the hope of removing these in bulk I ran the command stated there:

    db.SuspiciousActivity.update({_t: "SamrReconnaissanceSuspiciousActivity"}, {$set: {Status: "Dismissed"}}, {multi: true})

    As I have a good idea of what was causing them. 

    Now whenever I try to close a ticket it says "Failed to update", but if you refresh the browser it does actually close it. However, none of the alerts are going into the timeline; everything stays at 0.

    The Health Center is also closing alerts automatically. If you reopen it, it closes it again. 

    In the logs I have this:

    017-11-08 12:33:37.4672 3624 43  42b13e54-3d5f-4551-be7a-8c3f7f3ea965 Debug [AbnormalBehaviorDetector] 
    Found abnormal row [Key=SourceAccountId=1f472f1b-ed04-4a6f-b133-84002e7d3ffb Date=11/08/2017 00:00:00 AttackSimulationType=None Label=0, FeatureVector=0, 0, 67.2323646941996, 0.0220883572856653, 0]

    8c-99f1-04575ae86438 Error [BsonClassMapSerializer`1] System.FormatException: An error occurred while deserializing the Status property of class Microsoft.Tri.Common.Data.Common.Alert: Must specify valid information for parsing in the string. ---> System.ArgumentException: Must specify valid information for parsing in the string.

    I guess something has changed from 1.7 to 1.8 and the command I ran has screwed up the DB. 

    The ATA is detecting ok, just nothing going into the timeline.

    Is there something I can remove, or a command to undo the changes?

    Thanks for any help


    Wednesday, November 8, 2017 1:22 PM

Answers

  • Yes, this mongo command is only applicable to 1.7.

    You can try to revert what you did by running:

    db.SuspiciousActivity.update({_t: "SamrReconnaissanceSuspiciousActivity"}, {$set: {Status: "Open"}}, {multi: true})

    Or, if you want to close them all, you can try:

    db.SuspiciousActivity.update({_t: "SamrReconnaissanceSuspiciousActivity"}, {$set: {Status: "Closed"}}, {multi: true})

    But I never tested it, so I would not advise on doing that in production.

    In 1.8 you have an option to close or delete from the UI, and if you exclude the resources that trigger the alert, it will allow you to auto close all SAs of this type related to the excluded resources.

    • Marked as answer by Buzliteyear Thursday, November 9, 2017 11:59 AM
    Wednesday, November 8, 2017 3:31 PM
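The failure in this thread is a bulk update that wrote a Status value the newer ATA build's deserializer rejects. As an added example (not code from the thread or from ATA), the functions below show the guarded version of that workflow: flag documents whose Status is outside an accepted set, snapshot the current values so the change can be undone per document rather than forcing everything to "Open", and refuse a bulk update to an unknown value. It runs on an in-memory copy of the documents so it needs no MongoDB server; the accepted-value set is an assumption, since the thread only shows "Open" being accepted and "Dismissed" being rejected.

```javascript
// Assumed set of Status values the application model accepts (the thread
// confirms "Open" works in 1.8 and "Dismissed" does not; "Closed" is untested).
const ALLOWED_STATUS = new Set(["Open", "Closed"]);

// Constructed sample documents standing in for db.SuspiciousActivity.
const sampleDocs = [
  { _id: 1, _t: "SamrReconnaissanceSuspiciousActivity", Status: "Open" },
  { _id: 2, _t: "SamrReconnaissanceSuspiciousActivity", Status: "Closed" },
  { _id: 3, _t: "SamrReconnaissanceSuspiciousActivity", Status: "Dismissed" },
  { _id: 4, _t: "OtherSuspiciousActivity", Status: "Open" },
];

// Ids of documents whose Status would trip the BsonClassMapSerializer
// FormatException seen in the thread's log line.
function findInvalidStatus(docs, allowed = ALLOWED_STATUS) {
  return docs.filter(d => !allowed.has(d.Status)).map(d => d._id);
}

// Record id -> current Status for every document of the given type, taken
// before any bulk change so it can be reverted exactly.
function snapshotStatus(docs, type) {
  const snap = {};
  for (const d of docs) if (d._t === type) snap[d._id] = d.Status;
  return snap;
}

// Bulk change equivalent to update({_t: type}, {$set: {Status}}, {multi: true}),
// but only for a value the model accepts. Returns the number modified.
function bulkSetStatus(docs, type, newStatus, allowed = ALLOWED_STATUS) {
  if (!allowed.has(newStatus)) {
    throw new Error(`refusing to set Status to unknown value "${newStatus}"`);
  }
  let n = 0;
  for (const d of docs) {
    if (d._t === type && d.Status !== newStatus) { d.Status = newStatus; n++; }
  }
  return n;
}

// Put each document back to the Status captured in the snapshot.
function restoreStatus(docs, snap) {
  let n = 0;
  for (const d of docs) {
    if (d._id in snap && d.Status !== snap[d._id]) { d.Status = snap[d._id]; n++; }
  }
  return n;
}
```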

All replies

  • Thank you very much, that worked
    Thursday, November 9, 2017 11:59 AM