locked
No activity or recently accessed resources, missing computers logged into information RRS feed

  • Question

  • Hi All,

    We've had MSFT Threat running over 30 days now.  2 virtual VMs, one running console the other gateway.  The gateway has a mirrored network port back to 1 of 2 virtual domain controllers.  I did a packet capture on the mirrored port and traffic is coming through from the domain controller.  I see users, memberships and password info but I'm missing a lot of other stuff.  What could be causing this?  Thank you.

    Some things I can't see are:

    User Activity - No activity
    Computers recently logged onto by this user - None
    Recently accessed resources - None


    • Edited by ambautista Thursday, November 12, 2015 10:43 PM
    Thursday, November 12, 2015 10:42 PM

All replies

  • Hi,

    can you check your log files and paste it here?

    Regards

    Tuesday, November 17, 2015 6:39 AM
  • It is recommended to cover all of your domain controllers with an ATA Gateway, not just some. It doesn't have to be a 1:1 ratio - a single ATA Gateway can be used to cover multiple domain controllers, as long as the Gateway can handle the additional load. If you only monitor some of your domain controllers and not all, then ATA will "miss" activity altogether that occurs against unmonitored DCs. Furthermore, ATA will not report on "past" activity that occurred before ATA was set up. For example, if a user was away on vacation and has not logged in to anything since you started monitoring with ATA, then the console will not display the last computer they logged in to, etc.
    Wednesday, November 25, 2015 6:43 PM